Re: SACL again

From: JohnB (john_b@msn.com)
Date: 10/04/02


From: "JohnB" <john_b@msn.com>
Date: Fri, 4 Oct 2002 11:06:14 -0400


Eric,

This is a sample of code that is able to set SACLs but, as I mentioned in my
previous post, it is having problems with inheritance.

Dim FolderPath

' Connect to WMI on the local machine and enable SeSecurityPrivilege,
' which is required to read or write a SACL
Set objLocator = CreateObject("wbemscripting.swbemlocator")
Set objServices = objLocator.ConnectServer("")
objServices.security_.privileges.AddAsString("SeSecurityPrivilege")

' Pick the first local NTFS fixed disk; the test folder lives in its root
set objDiskSet = objServices.execquery("select Name from win32_logicaldisk where filesystem='NTFS' and description = 'Local Fixed Disk'")
if objDiskSet.count = 0 then
   wscript.echo "No NTFS drive found"
   wscript.quit
end if

for each obj in objDiskSet
   FolderPath = obj.name & "\Test56"
   exit for
next

Set objSecDescriptor = GetObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SecurityDescriptor").Spawninstance_()

' works but clears inheritance on files
' 33812 = &H8414 = SE_SELF_RELATIVE | SE_DACL_AUTO_INHERITED | SE_SACL_PRESENT | SE_DACL_PRESENT
objSecDescriptor.ControlFlags = 33812

' not working
' 35860 = &H8C14 = the value above plus SE_SACL_AUTO_INHERITED (&H800)
' objSecDescriptor.ControlFlags = 35860

' DACL entry: Everyone (S-1-1-0), read & execute (&H1200A9),
' AceFlags 3 = OBJECT_INHERIT | CONTAINER_INHERIT, AceType 0 = ACCESS_ALLOWED
set ACE1 = SetACE(1179817, 3, 0, SetTrustee(NULL, "Everyone", Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))

' DACL entry: Administrators (S-1-5-32-544), full control (&H1F01FF)
set ACE2 = SetACE(2032127, 3, 0, SetTrustee(NULL, "Administrators", Array(1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0)))

objSecDescriptor.DACL = Array(ACE1, ACE2)

' ======================= section to add SACL

' Audit entry: DELETE | WRITE_DAC | WRITE_OWNER (&HD0000) for Everyone, success and failure
' AceFlags 195 = &HC3 = OI | CI | SUCCESSFUL_ACCESS | FAILED_ACCESS, AceType 2 = SYSTEM_AUDIT
set ACE9 = SetACE(851968, 195, 2, SetTrustee(NULL, "Everyone", Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))

' Audit entry: failed read/write/execute/attribute access plus READ_CONTROL (&H201BF) for Everyone
' AceFlags 131 = &H83 = OI | CI | FAILED_ACCESS
set ACE10 = SetACE(131519, 131, 2, SetTrustee(NULL, "Everyone", Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))

objSecDescriptor.SACL = Array(ACE9, ACE10)

' ======================= end section to add SACL

set obj = objServices.get("win32_directory='" & FolderPath & "'")

Set objClass = objServices.Get("Win32_directory")
Set objInParam = obj.Methods_("ChangeSecurityPermissions").inParameters.SpawnInstance_()

' Option is a bit mask: 4 = DACL, 8 = SACL. Assigning 4 and then 8 would
' overwrite the first value and apply only the SACL, so combine them.
objInParam.Option = 4 + 8
objInParam.SecurityDescriptor = objSecDescriptor

Set objOutParams = obj.ExecMethod_("ChangeSecurityPermissions", objInParam)

if objOutParams.ReturnValue = 0 then
   wscript.echo "Pass: Win32_directory.ChangeSecurityPermissions() "
else
   wscript.echo "Fail: Win32_directory.ChangeSecurityPermissions() ret = " & objOutParams.ReturnValue
end if

' Build a Win32_Trustee from a domain, an account name and a binary SID byte array
Function SetTrustee(strDomain, strName, SID)
   set objTrustee = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
   objTrustee.Domain = strDomain
   objTrustee.Name = strName
   objTrustee.SID = SID
   set SetTrustee = objTrustee
End Function

' Build a Win32_Ace from an access mask, ACE flags, ACE type and trustee
Function SetACE(AccessMask, AceFlags, AceType, objTrustee)
   set objACE = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Ace").Spawninstance_
   objACE.AccessMask = AccessMask
   objACE.AceFlags = AceFlags
   objACE.AceType = AceType
   objACE.Trustee = objTrustee
   set SetACE = objACE
End Function

I know it is not original and it is a mess, but this is something I am playing
with for now.

Regards,
John

"jbanek" <jbanek@email.msn.com> wrote in message
news:e#L$kk2aCHA.1732@tkmsftngp11...
> Hi Eric,
>
> Thanks for your help. I will try your suggestion but I am having doubts
> about ADSI being the right tool for the job. This is what I found in
> "Windows Scripting Solutions" magazine from July 2000:
>
> "ADsSecurity.dll doesn't currently support the System Access Control List
> (SACL). Nor is it likely to in the future for two reasons:
> ADsSecurity.dll is part of the ADSI SDK Resource Kit. As such, it's not
> part of the OS and not officially supported.
> Windows Management Instrumentation (WMI) already has the Security
> Provider, which lets you get and set security descriptors (including SACL)
> for file and directory objects. This Security Provider appears to be
> Microsoft's recommended solution for tasks of this nature."
>
> Today, or I should say yesterday (it is 1:30 AM), I used WMI with
> ChangeSecurityPermissions and was able to add SACL to my test folder.
> I am still having problems with inheritance and setting ControlFlags on
> SecurityDescriptor, it just will not take my settings. For some reason I
> am not able to set SE_SACL_AUTO_INHERITED on the root folder (at least
> this is what my other script and the SubInACL utility are saying) but
> using Explorer the "Allow inherited..." checkbox on the auditing tab is
> checked.
> In addition, on every file in the folder and subfolders my script disables
> inheritance and sets audit for "This object and child objects" instead of
> "This object" (strange if we talk about files).
> Anyway, I left my laptop at work so I cannot post anything right now but
> look for the code in a few hours.
> By the way, it is surprising that I am making all these crazy changes and
> Windows is not complaining at all.
>
> John
>
>
> "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> wrote in message
> news:3d9d05b7$1@news.microsoft.com...
> > Hey John,
> >
> > 1. You should set the security mask first to request SACL info:
> > oADsSecurity.SecurityMask = 8 ' ADS_SECURITY_INFO_SACL
> >
> > 2. To read the SACL, you must have the SE_SECURITY_PRIVILEGE enabled
> > (aka SE_SECURITY_NAME). I don't know if you can do this in VBS.
> >
> > 3. You had the wrong syntax for GetSecurityDescriptor, try this:
> > Set sd1 = oADsSecurity.GetSecurityDescriptor("d:\temp\test3.txt", 1, 1)
> >
> > Here is another suggestion from our dev team:
> > Use the supported IADsSecurityUtility interface as opposed to the
> > interface from the Resource Kit utility ADsSecurity.dll. By default
> > IADsSecurityUtility sets SecurityMask to Owner, Group and DACL. You need
> > to change the security mask to include SACL, then set SD.SystemACL to
> > point to the new SACL and then call SetSecurityDescriptor. You are mixing
> > oacl and osacl in your example.
> >
> > Eric
> >
> >
> > "jbanek" <jbanek@email.msn.com> wrote in message
> > news:#lJAaq9ZCHA.1888@tkmsftngp12...
> > > I am trying to set SACL on folder c:\test3. The script below runs,
> > > there is no error, but the SACL is not set.
> > > Values for Ace.Flags and AccessMask are taken from first setting SACL
> > > on the directory and then just listing all properties using a
> > > different script.
> > > What am I doing wrong?
> > >
> > > set fsoObject=CreateObject("Scripting.FileSystemObject")
> > > set oADsSecurity = CreateObject("ADsSecurity")
> > > set oTargetSD = oADsSecurity.GetSecurityDescriptor("file://c:\test3")
> > > set oSacl = oTargetSD.SystemAcl
> > > set oAcl = createobject("AccessControlList")
> > > oAcl.AceCount = 1
> > > oAcl.AclRevision = 4
> > > set oAce = CreateObject("AccessControlEntry")
> > > oAce.Trustee = "BUILTIN\Administrators"
> > > oAce.AceType = 2
> > > oAce.AccessMask = 851968
> > > oAce.AceFlags = 195
> > > 'If I use the statement below I will get an error that the oSacl object
> > > does not exist, which is OK because by default the SACL is not set.
> > > ' oSacl.AddAce oAce
> > > oacl.AddAce oAce
> > > oTargetSD.SystemAcl = oacl
> > > oADsSecurity.SetSecurityDescriptor oTargetSD
> > >
> > > Regards,
> > > John
> > >
> > >
> >
> >
>
>
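The magic numbers in John's WMI script are easier to reason about once decoded. This added Python block (not from the thread, and not Microsoft's code) names the SECURITY_DESCRIPTOR_CONTROL bits, ACE flags and standard access rights behind the values used above, and converts the Win32_Trustee SID byte arrays to and from the usual S-1-... notation; it shows, for instance, that 35860 differs from 33812 only by SE_SACL_AUTO_INHERITED. Flag names are the winnt.h constants.

```python
# Added example, not code from the thread: decode the numeric arguments the
# WMI script above passes to Win32_SecurityDescriptor, Win32_Ace and
# Win32_Trustee. Flag names are the Windows SDK (winnt.h) constants.

SD_CONTROL = {                       # SECURITY_DESCRIPTOR_CONTROL bits
    0x0004: "SE_DACL_PRESENT", 0x0010: "SE_SACL_PRESENT",
    0x0400: "SE_DACL_AUTO_INHERITED", 0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED", 0x2000: "SE_SACL_PROTECTED",
    0x8000: "SE_SELF_RELATIVE",
}
ACE_FLAGS = {                        # AceFlags bits (inheritance + audit kind)
    0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE",
    0x10: "INHERITED_ACE", 0x40: "SUCCESSFUL_ACCESS_ACE_FLAG",
    0x80: "FAILED_ACCESS_ACE_FLAG",
}
ACCESS_MASK = {                      # standard-rights part of an access mask
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}


def decode_bits(value, table):
    """Names of the set bits in ascending order; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)   # bits the table does not describe
    if unknown:
        names.append("0x%X" % unknown)
    return names


def sid_bytes_to_string(raw):
    """Win32_Trustee.SID byte array -> 'S-R-A-s1-s2...'.
    Layout: revision, sub-authority count, 6-byte big-endian identifier
    authority, then 32-bit little-endian sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(bytes(raw[2:8]), "big")
    subs = [int.from_bytes(bytes(raw[8 + 4 * i:12 + 4 * i]), "little")
            for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string: the Array(...) literal the script needs."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = [revision, len(subs)] + list(authority.to_bytes(6, "big"))
    for s in subs:
        out += list(s.to_bytes(4, "little"))
    return out
```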


