Re: SACL again

From: jbanek (jbanek@email.msn.com)
Date: 10/04/02


From: "jbanek" <jbanek@email.msn.com>
Date: Fri, 4 Oct 2002 01:52:36 -0400


Hi Eric,

Thanks for your help. I will try your suggestion but I am having doubts
about ADSI being the right tool for the job. This is what I found in
"Windows Scripting Solutions" magazine from July 2000:

"ADsSecurity.dll doesn't currently support the System Access Control List
(SACL). Nor is it likely to in the future for two reasons:
ADsSecurity.dll is part of the ADSI SDK Resource Kit. As such, it's not part
of the OS and not officially supported.
Windows Management Instrumentation (WMI) already has the Security Provider,
which lets you get and set security descriptors (including SACL) for file
and directory objects. This Security Provider appears to be Microsoft's
recommended solution for tasks of this nature."

Today, or I should say yesterday (it is 1:30 AM), I used WMI with
ChangeSecurityPermissions and was able to add a SACL to my test folder.
I am still having problems with inheritance and setting ControlFlags on
SecurityDescriptor; it just will not take my settings. For some reason I am
not able to set SE_SACL_AUTO_INHERITED on the root folder (at least this is
what my other script and the SubInACL utility are saying), but using Explorer
the "Allow inherited..." checkbox on the Auditing tab is checked.
In addition, on every file in the folder and subfolders my script disables
inheritance and sets audit for "This object and child objects" instead of
"This object" (strange if we talk about files).
Anyway, I left my laptop at work so I cannot post anything right now, but
look for the code in a few hours.
By the way, it is surprising that I am making all these crazy changes and
Windows is not complaining at all.

John

"Eric Fitzgerald [MS]" <ericf@online.microsoft.com> wrote in message
news:3d9d05b7$1@news.microsoft.com...
> Hey John,
>
> 1. You should set the security mask first to request SACL info:
> oADsSecurity.SecurityMask = 8 ' ADS_SECURITY_INFO_SACL
>
> 2. To read the SACL, you must have the SE_SECURITY_PRIVILEGE enabled (aka
> SE_SECURITY_NAME). I don't know if you can do this in VBS.
>
> 3. You had the wrong syntax for GetSecurityDescriptor, try this:
> Set sd1 = oADsSecurity.GetSecurityDescriptor("d:\temp\test3.txt", 1, 1)
>
> Here is another suggestion from our dev team:
> Use the supported IADsSecurityUtility interface as opposed to the interface
> from the Resource Kit utility ADsSecurity.dll. By default
> IADsSecurityUtility sets SecurityMask to Owner, Group and DACL. You need to
> change the security mask to include SACL, then set SD.SystemAcl to point to
> the new SACL and then call SetSecurityDescriptor. You are mixing oAcl and
> oSacl in your example.
>
> Eric
>
>
> "jbanek" <jbanek@email.msn.com> wrote in message
> news:#lJAaq9ZCHA.1888@tkmsftngp12...
> > I am trying to set a SACL on folder c:\test3. The script below runs, there is
> > no error, but the SACL is not set.
> > Values for Ace.Flags and AccessMask are taken from first setting the SACL on
> > the directory and then just listing all properties using a different script.
> > What am I doing wrong?
> >
> > set fsoObject=CreateObject("Scripting.FileSystemObject")
> > set oADsSecurity = CreateObject("ADsSecurity")
> > set oTargetSD = oADsSecurity.GetSecurityDescriptor("file://c:\test3")
> > set oSacl = oTargetSD.SystemAcl
> > set oAcl = createobject("AccessControlList")
> > oAcl.AceCount = 1
> > oAcl.AclRevision = 4
> > set oAce = CreateObject("AccessControlEntry")
> > oAce.Trustee = "BUILTIN\Administrators"
> > oAce.AceType = 2
> > oAce.AccessMask = 851968
> > oAce.AceFlags = 195
> > ' If I use the statement below I will get an error that the oSacl object does
> > ' not exist, which is OK because by default the SACL is not set.
> > ' oSacl.AddAce oAce
> > oacl.AddAce oAce
> > oTargetSD.SystemAcl = oacl
> > oADsSecurity.SetSecurityDescriptor oTargetSD
> >
> > Regards,
> > John
> >
> >
>
>
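The procedure Eric lays out (set the security mask to include the SACL, build an audit ACE, assign it to SystemAcl, then call SetSecurityDescriptor through the supported IADsSecurityUtility interface) written out as one complete script. This is an added example, not code from John or Eric: it assumes the folder C:\test3 from the thread and an account that holds the "Manage auditing and security log" right (SE_SECURITY_NAME), and it reuses the same access mask (851968) and ACE flags (195) that John's script used, spelled out as their Winnt.h constants.

```vbscript
' Added example, not John's or Eric's code: add a system-audit ACE to a folder
' with the supported ADsSecurityUtility (IADsSecurityUtility) object, following
' the steps in Eric's reply. Assumptions: the folder is C:\test3 (the thread's
' test folder), and the script runs under an account that holds the
' "Manage auditing and security log" right (SE_SECURITY_NAME), which any read
' or write of a SACL requires.
Option Explicit

Const FOLDER_PATH = "C:\test3"

' IADsSecurityUtility constants (Iads.h)
Const ADS_PATH_FILE          = 1
Const ADS_SD_FORMAT_IID      = 1
Const ADS_SECURITY_INFO_SACL = 8

' ACE constants (Iads.h / Winnt.h)
Const ADS_ACETYPE_SYSTEM_AUDIT   = 2
Const OBJECT_INHERIT_ACE         = &H1
Const CONTAINER_INHERIT_ACE      = &H2
Const SUCCESSFUL_ACCESS_ACE_FLAG = &H40
Const FAILED_ACCESS_ACE_FLAG     = &H80
Const RIGHT_DELETE               = &H10000   ' DELETE in Winnt.h
Const WRITE_DAC                  = &H40000
Const WRITE_OWNER                = &H80000

Dim oSecUtil, oSD, oSacl, oAce
Set oSecUtil = CreateObject("ADsSecurityUtility")

' Step 1: ask for the SACL only. The default mask (owner, group, DACL) never
' returns SystemAcl, and SetSecurityDescriptor only writes the parts named in
' the mask, so limiting it to SACL leaves the DACL and owner untouched.
oSecUtil.SecurityMask = ADS_SECURITY_INFO_SACL

' Step 2: read the descriptor as an IADsSecurityDescriptor object.
Set oSD = oSecUtil.GetSecurityDescriptor(FOLDER_PATH, ADS_PATH_FILE, ADS_SD_FORMAT_IID)

' A folder that has never been audited may come back without a SACL object.
Set oSacl = oSD.SystemAcl
If oSacl Is Nothing Then
    Set oSacl = CreateObject("AccessControlList")
End If

' Step 3: one audit ACE for BUILTIN\Administrators: success and failure of
' Delete, Change Permissions and Take Ownership, inherited by subfolders
' (CONTAINER_INHERIT_ACE) and files (OBJECT_INHERIT_ACE). The two inherit
' flags only make sense on a folder; on a file set neither.
Set oAce = CreateObject("AccessControlEntry")
oAce.Trustee    = "BUILTIN\Administrators"
oAce.AceType    = ADS_ACETYPE_SYSTEM_AUDIT
oAce.AccessMask = RIGHT_DELETE Or WRITE_DAC Or WRITE_OWNER      ' = 851968
oAce.AceFlags   = SUCCESSFUL_ACCESS_ACE_FLAG Or FAILED_ACCESS_ACE_FLAG _
                  Or CONTAINER_INHERIT_ACE Or OBJECT_INHERIT_ACE ' = 195
oSacl.AddAce oAce

' Step 4: attach the SACL (not the DACL object) to the descriptor and write it.
oSD.SystemAcl = oSacl
oSecUtil.SetSecurityDescriptor FOLDER_PATH, ADS_PATH_FILE, oSD, ADS_SD_FORMAT_IID

' Check: read the SACL back and list every audit entry, so a silent no-op
' (the symptom in John's script) shows up immediately.
Set oSD = oSecUtil.GetSecurityDescriptor(FOLDER_PATH, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
For Each oAce In oSD.SystemAcl
    WScript.Echo oAce.Trustee & "  type=" & oAce.AceType & _
                 "  mask=&H" & Hex(oAce.AccessMask) & "  flags=&H" & Hex(oAce.AceFlags)
Next
```

Run it with `cscript` from a prompt whose account has SE_SECURITY_NAME; without that right the SACL read in step 2 fails or returns nothing, which is the privilege point Eric raises in item 2. Audit entries written this way still produce no events until object-access auditing is turned on in the audit policy, so the read-back loop is the check that the ACE landed, not that logging works.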


