Re: SACL using WMI.
From: Ivan Brugiolo [MS] (ivanbrug@online.microsoft.com)
Date: 10/10/02
- Next message: Dave: "Folder passwords"
- Previous message: William Lefkovics: "Re: CA, SSL and OWA"
- In reply to: jbanek: "SACL using WMI."
- Next in thread: JohnB: "Re: SACL using WMI."
- Reply: JohnB: "Re: SACL using WMI."
From: "Ivan Brugiolo [MS]" <ivanbrug@online.microsoft.com> Date: Thu, 10 Oct 2002 00:27:54 -0700
That flag is used only to call SetNamedSecurityInfo
with UNPROTECTED_DACL_SECURITY_INFORMATION.
--
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"jbanek" <jbanek@email.msn.com> wrote in message news:#N06JT$bCHA.1424@tkmsftngp12...
> I used WMI with ChangeSecurityPermissions and was able to add SACL to my
> test folder.
> I am still having problems with inheritance and setting ControlFlags on
> SecurityDescriptor, it just will not take my settings. For some reason I am
> not able to set SE_SACL_AUTO_INHERITED
> on the root folder (at least this is what my other script and SubInACL
> utility are saying) but using Explorer
> the "Allow inherited..." checkbox on auditing tab is checked.
> In addition on every file in folder and subfolders my script disables
> inheritance and sets audit for "This objects and child objects" instead of
> "This Object" (strange if we talk about files).
> By the way it is surprising that I am making all these crazy changes and
> Windows is not complaining at all.
>
> Dim FolderPath
>
> Set objLocator = CreateObject("wbemscripting.swbemlocator")
> Set objServices = objLocator.ConnectServer("")
> objServices.security_.privileges.AddAsString("SeSecurityPrivilege")
>
> set objDiskSet = objServices.execquery( "select Name from win32_logicaldisk where filesystem='NTFS' and description = 'Local Fixed Disk'")
> if objDiskSet.count = 0 then
>     wscript.echo "No NTFS drive found"
>     wscript.quit
> end if
>
> for each obj in objDiskSet
>     FolderPath = obj.name & "\Test56"
>     exit for
> next
>
> Set objSecDescriptor = GetObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SecurityDescriptor").Spawninstance_()
>
> ' works but clears inheritance on files
> objSecDescriptor.ControlFlags = 33812
>
> ' not working
> ' objSecDescriptor.ControlFlags = 35860
>
> set ACE1 = SetACE(1179817, _
>                   3, _
>                   0, _
>                   SetTrustee(NULL, _
>                              "Everyone", _
>                              Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))
>
> set ACE2 = SetACE(2032127, _
>                   3, _
>                   0, _
>                   SetTrustee(NULL, _
>                              "Administrators", _
>                              Array(1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0)))
>
> objSecDescriptor.DACL = Array( ACE1, ACE2)
>
> ' ======================= section to add SACL
>
> set ACE9 = SetACE(851968, _
>                   195, _
>                   2, _
>                   SetTrustee(NULL, "Everyone", Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))
>
> set ACE10 = SetACE(131519, _
>                    131, _
>                    2, _
>                    SetTrustee(NULL, "Everyone", Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)))
>
> objSecDescriptor.SACL = Array(ACE9, ACE10)
>
> ' ======================= end section to add SACL
>
> set obj = objServices.get( "win32_directory='" & FolderPath & "'" )
>
> Set objClass = objServices.Get("Win32_directory")
> Set objInParam = obj.Methods_("ChangeSecurityPermissions").inParameters.SpawnInstance_()
>
> '' objInParam.Option = 4 ''DACL
> objInParam.Option = 8 ''SACL
> objInParam.SecurityDescriptor = objSecDescriptor
>
> Set objOutParams = obj.ExecMethod_("ChangeSecurityPermissions", objInParam)
>
> if objOutParams.ReturnValue = 0 then
>     wscript.echo "Pass: Win32_directory.ChangeSecurityPermissions() "
> else
>     wscript.echo "Fail: Win32_directory.ChangeSecurityPermissions() ret = " & objOutParams.ReturnValue
> end if
>
> Function SetTrustee(strDomain, strName, SID)
>     set objTrustee = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
>     objTrustee.Domain = strDomain
>     objTrustee.Name = strName
>     objTrustee.SID = SID
>     set SetTrustee = objTrustee
> End Function
>
> Function SetACE(AccessMask, AceFlags, AceType, objTrustee)
>     set objACE = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Ace").Spawninstance_
>     objACE.AccessMask = AccessMask
>     objACE.AceFlags = AceFlags
>     objACE.AceType = AceType
>     objACE.Trustee = objTrustee
>     set SetACE = objACE
> End Function
>
> I know is not original and it is a mess but this is something I play with
> for now.
>
> Regards,
> John
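
The numeric constants in the quoted script are easier to reason about once decoded into their named bits. The Python below is an added example, not part of either poster's message: the bit values are the standard winnt.h definitions, the inputs are the numbers from the script, and `decode` and `sid_to_string` are helper names made up here.

```python
# Bit values are the winnt.h definitions; decode() and sid_to_string() are
# hypothetical helper names for this example, not a Windows or WMI API.
SD_CONTROL = {
    0x0004: "SE_DACL_PRESENT",
    0x0010: "SE_SACL_PRESENT",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",
    0x2000: "SE_SACL_PROTECTED",
    0x8000: "SE_SELF_RELATIVE",
}
ACE_FLAGS = {
    0x01: "OBJECT_INHERIT_ACE",
    0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE",
    0x08: "INHERIT_ONLY_ACE",
    0x10: "INHERITED_ACE",
    0x40: "SUCCESSFUL_ACCESS_ACE_FLAG",
    0x80: "FAILED_ACCESS_ACE_FLAG",
}

def decode(value, table):
    """Return the set of flag names set in value; leftover bits come back as hex."""
    names = {name for bit, name in table.items() if value & bit}
    unknown = value & ~sum(table)  # table keys are disjoint bits, so sum == OR
    if unknown:
        names.add(hex(unknown))
    return names

def sid_to_string(sid_bytes):
    """Turn a binary SID (byte list, as assigned to Win32_Trustee.SID) into S-R-A-S... form."""
    revision, count = sid_bytes[0], sid_bytes[1]
    if len(sid_bytes) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(bytes(sid_bytes[2:8]), "big")
    subs = [int.from_bytes(bytes(sid_bytes[8 + 4 * i:12 + 4 * i]), "little")
            for i in range(count)]
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

if __name__ == "__main__":
    working, failing = 33812, 35860  # the two ControlFlags values in the script
    print("33812:", sorted(decode(working, SD_CONTROL)))
    print("only in 35860:", decode(failing, SD_CONTROL) - decode(working, SD_CONTROL))
    for flags in (3, 195, 131):  # AceFlags used for the DACL and SACL entries
        print(flags, sorted(decode(flags, ACE_FLAGS)))
    print(sid_to_string([1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]))
```

The only bit separating the two ControlFlags values is SE_SACL_AUTO_INHERITED, the flag the original poster reports being unable to set.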