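' -------------------------------------------------------------------------
' From the book Inside Active Directory, ISBN 0-201-61621-1
' Copyright (C) 2002 by Addison-Wesley
' Script by Sakari Kouti (see http://www.kouti.com)
' You have a royalty-free right to use, modify, reproduce and distribute
' this script (and/or any modified version) in any way you find useful,
' provided that you agree that Addison-Wesley or Sakari Kouti has no
' warranty, obligations or liability for the script. If you modify
' the script, you must retain this copyright notice.
' -------------------------------------------------------------------------
'
' Purpose: list every directory object whose DACL is marked "protected",
' i.e. the object does not inherit ACEs from its parent container.
'
' Audit notes:
'  * The filter skips objects with showInAdvancedViewOnly=TRUE, so the
'    report does not cover objects hidden from the default view.
'  * Objects whose security descriptor cannot be read are reported as
'    "Could not check" instead of aborting the run. Treat those lines as
'    gaps in coverage, not as a clean result.
'  * NOTE(review): accounts protected through AdminSDHolder normally have
'    inheritance disabled and are expected to appear here - confirm against
'    your own baseline before treating a hit as a finding.

Option Explicit

' SE_DACL_PROTECTED bit of the security descriptor control word.
Const ADS_SD_CONTROL_SE_DACL_PROTECTED = &H1000

Dim objDSE, objConnection, objCommand, objRecordset, i

Set objDSE = GetObject("LDAP://rootDSE")

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open

Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection

' Paged search: without a page size the server-side result limit would
' truncate the list and objects would be silently left unchecked.
objCommand.Properties("Page Size") = 500

' NOTE(review): the search base was an empty string in the listing this was
' taken from, most likely because the "<LDAP://...>" token was stripped as
' markup. It is restored here as the domain's default naming context, which
' is what the otherwise unused rootDSE binding suggests - confirm.
objCommand.CommandText = _
    "<LDAP://" & objDSE.Get("defaultNamingContext") & ">" & _
    ";(!(showInAdvancedViewOnly=TRUE))" & _
    ";distinguishedName" & _
    ";SubTree"

Set objRecordset = objCommand.Execute

If Not objRecordset.EOF Then
    i = 0
    While Not objRecordset.EOF
        ' Pass the field's value, not the Field object itself.
        Call ShowBlocked(i, objRecordset.Fields("distinguishedName").Value)
        objRecordset.MoveNext
    Wend
Else
    WScript.Echo "No objects to check"
End If

objRecordset.Close
objConnection.Close

' Reports strObjectDN when its DACL has the SE_DACL_PROTECTED control bit set.
'   i           - running count of blocked objects; incremented in place
'                 (ByRef) for each hit so the caller's counter advances.
'   strObjectDN - distinguished name of the object to inspect.
Sub ShowBlocked(ByRef i, ByVal strObjectDN)
    Dim objADObject, objSecDesc, intSDControl, strADsPath

    ' A forward slash is a separator in an ADsPath, so one that occurs
    ' inside the DN has to be escaped before binding.
    strADsPath = "LDAP://" & Replace(strObjectDN, "/", "\/")

    ' Binding or reading the descriptor can fail (for example when access
    ' is denied). Report the object and continue with the rest.
    On Error Resume Next
    Set objADObject = GetObject(strADsPath)
    If Err.Number = 0 Then
        Set objSecDesc = objADObject.Get("ntSecurityDescriptor")
    End If
    If Err.Number = 0 Then
        intSDControl = objSecDesc.Control
    End If
    If Err.Number <> 0 Then
        WScript.Echo "Could not check: " & strObjectDN & _
            " (error 0x" & Hex(Err.Number) & ")"
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0

    ' Bitwise test of the control word for the "protected DACL" flag.
    If (intSDControl And ADS_SD_CONTROL_SE_DACL_PROTECTED) <> 0 Then
        i = i + 1
        WScript.Echo "Blocked " & i & ": " & strObjectDN
    End If
End Sub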