SACL using WMI.
From: jbanek (jbanek@email.msn.com)
Date: 10/10/02
From: "jbanek" <jbanek@email.msn.com> Date: Wed, 9 Oct 2002 20:42:27 -0400
I used WMI with ChangeSecurityPermissions and was able to add a SACL to my test folder.
I am still having problems with inheritance and setting ControlFlags on the SecurityDescriptor; it just will not take my settings. For some reason I am not able to set SE_SACL_AUTO_INHERITED on the root folder (at least this is what my other script and the SubInACL utility are saying), but using Explorer the "Allow inherited..." checkbox on the auditing tab is checked.
In addition, on every file in the folder and subfolders my script disables inheritance and sets audit for "This object and child objects" instead of "This Object" (strange if we talk about files).
By the way, it is surprising that I am making all these crazy changes and Windows is not complaining at all.
Dim FolderPath
Set objLocator = CreateObject("wbemscripting.swbemlocator")
Set objServices = objLocator.ConnectServer("")
' SeSecurityPrivilege is required to read or write a SACL
objServices.security_.privileges.AddAsString("SeSecurityPrivilege")
Set objDiskSet = objServices.execquery("select Name from win32_logicaldisk where filesystem='NTFS' and description = 'Local Fixed Disk'")
If objDiskSet.count = 0 Then
    wscript.echo "No NTFS drive found"
    wscript.quit
End If
' use the test folder on the first NTFS disk returned
For Each obj In objDiskSet
    FolderPath = obj.name & "\Test56"
    Exit For
Next
Set objSecDescriptor = GetObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SecurityDescriptor").Spawninstance_()
' works but clears inheritance on files
objSecDescriptor.ControlFlags = 33812
' not working
' objSecDescriptor.ControlFlags = 35860
Set ACE1 = SetACE(1179817, _
                  3, _
                  0, _
                  SetTrustee(Null, _
                             "Everyone", _
                             Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))
Set ACE2 = SetACE(2032127, _
                  3, _
                  0, _
                  SetTrustee(Null, _
                             "Administrators", _
                             Array(1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0)))
objSecDescriptor.DACL = Array(ACE1, ACE2)
' ======================= section to add SACL
Set ACE9 = SetACE(851968, _
                  195, _
                  2, _
                  SetTrustee(Null, "Everyone", Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))
Set ACE10 = SetACE(131519, _
                   131, _
                   2, _
                   SetTrustee(Null, "Everyone", Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))
objSecDescriptor.SACL = Array(ACE9, ACE10)
' ======================= end section to add SACL
Set obj = objServices.get("win32_directory='" & FolderPath & "'")
Set objClass = objServices.Get("Win32_directory")
Set objInParam = obj.Methods_("ChangeSecurityPermissions").inParameters.SpawnInstance_()
'' objInParam.Option = 4 ''DACL
objInParam.Option = 8 ''SACL
objInParam.SecurityDescriptor = objSecDescriptor
Set objOutParams = obj.ExecMethod_("ChangeSecurityPermissions", objInParam)
If objOutParams.ReturnValue = 0 Then
    wscript.echo "Pass: Win32_directory.ChangeSecurityPermissions() "
Else
    wscript.echo "Fail: Win32_directory.ChangeSecurityPermissions() ret = " & objOutParams.ReturnValue
End If

' Build a Win32_Trustee from a domain, an account name and a binary SID (byte array)
Function SetTrustee(strDomain, strName, SID)
    Set objTrustee = GetObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
    objTrustee.Domain = strDomain
    objTrustee.Name = strName
    objTrustee.SID = SID
    Set SetTrustee = objTrustee
End Function

' Build a Win32_Ace from an access mask, ACE flags, ACE type and a trustee
Function SetACE(AccessMask, AceFlags, AceType, objTrustee)
    Set objACE = GetObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Ace").Spawninstance_
    objACE.AccessMask = AccessMask
    objACE.AceFlags = AceFlags
    objACE.AceType = AceType
    objACE.Trustee = objTrustee
    Set SetACE = objACE
End Function
I know it is not original and it is a mess, but this is something I play with
for now.
Regards,
John
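
Added example, not part of the original post: a small Python decoder for the numeric ControlFlags, AceFlags and trustee SID byte arrays that appear in the script above, so the bits being requested can be read by name. The bit values are the winnt.h definitions; the function names `decode` and `sid_to_string` are hypothetical.

```python
# Added example: decode the numeric constants from the script in the post.
# Bit values are the winnt.h definitions; function names are hypothetical.
import struct

SD_CONTROL = {
    0x0001: "SE_OWNER_DEFAULTED",       0x0002: "SE_GROUP_DEFAULTED",
    0x0004: "SE_DACL_PRESENT",          0x0008: "SE_DACL_DEFAULTED",
    0x0010: "SE_SACL_PRESENT",          0x0020: "SE_SACL_DEFAULTED",
    0x0040: "SE_DACL_UNTRUSTED",        0x0080: "SE_SERVER_SECURITY",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ", 0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",   0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",        0x2000: "SE_SACL_PROTECTED",
    0x4000: "SE_RM_CONTROL_VALID",      0x8000: "SE_SELF_RELATIVE",
}
ACE_FLAGS = {
    0x01: "OBJECT_INHERIT_ACE",         0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE",   0x08: "INHERIT_ONLY_ACE",
    0x10: "INHERITED_ACE",              0x40: "SUCCESSFUL_ACCESS_ACE_FLAG",
    0x80: "FAILED_ACCESS_ACE_FLAG",
}

def decode(value, table):
    """Names of the bits set in value, lowest bit first; leftovers are reported."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)      # keys are distinct bits, so sum == OR
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names

def sid_to_string(raw):
    """Convert a binary SID (the byte array given to Win32_Trustee.SID) to S-1-... form."""
    raw = bytes(raw)
    if len(raw) < 8:
        raise ValueError("binary SID is shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

if __name__ == "__main__":
    for flags in (33812, 35860):       # the two ControlFlags values in the post
        print(flags, hex(flags), decode(flags, SD_CONTROL))
    for flags in (3, 195, 131):        # AceFlags used for the DACL and SACL entries
        print(flags, hex(flags), decode(flags, ACE_FLAGS))
    print(sid_to_string([1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0]))
    print(sid_to_string([1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]))
```

The output shows that 33812 and 35860 differ only in SE_SACL_AUTO_INHERITED, that the audit ACE flags 195 and 131 both carry OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE, and that the two trustee byte arrays are S-1-1-0 and S-1-5-32-544.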