def AllowAccessToScpProperties(
    accountSAM,  # Service account to allow access.
    scpObject,  # The IADs SCP object.
    schemaIDGUIDs=(  # Attributes to allow write-access to.
        "{28630eb8-41d5-11d1-a9c1-0000f80367c1}",  # serviceDNSName
        "{b7b1311c-b82e-11d0-afee-0000f80367c1}",  # serviceBindingInformation
    ),
):
    """Grant a trustee read/write on selected attributes of an SCP object.

    For every schemaIDGUID in *schemaIDGUIDs* an object-specific
    ACCESS_ALLOWED_OBJECT ACE is appended to the DACL of *scpObject*'s
    nTSecurityDescriptor, then the object is written back with SetInfo().

    Args:
        accountSAM: SAM name of the service account to grant access to.
            If falsy, the host computer's own account name (as returned by
            win32api.GetComputerObjectName) is used instead, because a
            service with no account runs as LocalSystem.
        scpObject: IADs object for the service connection point.
        schemaIDGUIDs: schemaIDGUID strings of the attributes to expose.
            Each ACE is scoped to exactly one attribute via ObjectType
            (ADS_FLAG_OBJECT_TYPE_PRESENT), so the grant never covers the
            whole object.

    Returns:
        None. The directory object is modified in place.

    NOTE(review): ACEs are appended unconditionally; repeated calls for the
    same trustee would presumably add duplicate entries — confirm the caller
    does not rely on idempotence.
    """
    # Fall back to the host computer account when no service account is given.
    trustee = accountSAM or win32api.GetComputerObjectName(win32con.NameSamCompatible)

    def _make_property_ace(attribute_guid):
        """Build one non-inheritable ACE allowing read+write of a single property."""
        ace = Dispatch(adsi.CLSID_AccessControlEntry)
        ace.AccessMask = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP
        ace.Trustee = trustee
        ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        ace.AceFlags = 0  # not inheritable
        ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT  # ObjectType below is meaningful
        ace.ObjectType = attribute_guid  # restricts the ACE to this attribute
        return ace

    descriptor = scpObject.nTSecurityDescriptor
    dacl = descriptor.DiscretionaryAcl
    for attribute_guid in schemaIDGUIDs:
        dacl.AddAce(_make_property_ace(attribute_guid))

    # Push the modified DACL back through the descriptor into the property
    # cache; SetInfo commits it to the directory.
    descriptor.DiscretionaryAcl = dacl
    scpObject.nTSecurityDescriptor = descriptor
    scpObject.SetInfo()
    logger.info("Set security on object for account '%s'", trustee)
def AllowAccessToScpProperties(
    accountSAM,  # Service account to allow access.
    scpObject,  # The IADs SCP object.
    schemaIDGUIDs=(  # Attributes to allow write-access to.
        "{28630eb8-41d5-11d1-a9c1-0000f80367c1}",  # serviceDNSName
        "{b7b1311c-b82e-11d0-afee-0000f80367c1}",  # serviceBindingInformation
    ),
):
    """Add per-attribute read/write ACEs for a trustee to an SCP's DACL.

    The DACL of *scpObject*'s nTSecurityDescriptor receives one
    ACCESS_ALLOWED_OBJECT ACE per entry of *schemaIDGUIDs*; the descriptor
    is then written back and committed with SetInfo().

    Args:
        accountSAM: SAM account name of the service account. When falsy the
            local computer's SAM-compatible object name is used, since a
            service without its own account runs as LocalSystem.
        scpObject: IADs service-connection-point object to modify.
        schemaIDGUIDs: schemaIDGUIDs of the attributes the trustee may read
            and write. Each ACE carries ADS_FLAG_OBJECT_TYPE_PRESENT with
            ObjectType set to one GUID, limiting the grant to that attribute.

    Returns:
        None.

    NOTE(review): nothing here checks for an existing matching ACE, so
    calling this twice presumably leaves duplicate entries in the DACL —
    verify against the caller if that matters.
    """
    if accountSAM:
        principal = accountSAM
    else:
        # No service account: use the SAM name of this host's computer object.
        principal = win32api.GetComputerObjectName(win32con.NameSamCompatible)

    security_descriptor = scpObject.nTSecurityDescriptor
    dacl = security_descriptor.DiscretionaryAcl

    for guid in schemaIDGUIDs:
        entry = Dispatch(adsi.CLSID_AccessControlEntry)
        entry.AccessMask = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP
        entry.Trustee = principal
        entry.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        entry.AceFlags = 0  # non-inheritable
        # Object-type ACE: Flags says ObjectType is set, ObjectType names the
        # single attribute this entry applies to.
        entry.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
        entry.ObjectType = guid
        dacl.AddAce(entry)

    # Store the DACL in the descriptor, the descriptor in the property cache,
    # then commit to the directory.
    security_descriptor.DiscretionaryAcl = dacl
    scpObject.nTSecurityDescriptor = security_descriptor
    scpObject.SetInfo()
    logger.info("Set security on object for account '%s'", principal)