Ladies and Gents, I am proud to announce that it is working!!! Perfectly too I might add. I wanna thank all of you who helped me trough this quest, I couln't have done it without you. It works like a f00kin charm. To show my grattitude I'll paste the working code:
Code:
;##################################################### Script #########################################################
$sec = CreateObject("ADsSecurity")
$textusr = "DOMAIN\testuser"
$userdir = "\\PC-DOMAIN-XP-4\d$\TEST"
$filenm = $userdir
$permspart = "add(" + $textusr + ":R)+add(Administrators:F)"
;-- Replace ACL on single file or folder-------
ChangeAcls($filenm, $permspart, "EDIT", "FOLDER")
;############################################### Functions ##########################################################
FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
;- Edit ACLS of specified file -----
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ADS_ACETYPE_ACCESS_DENIED = &1
$ADS_ACEFLAG_INHERIT_ACE = &2
$ADS_ACEFLAG_SUB_NEW = &9
$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
; For Each $ace in $sd.DiscretionaryACL
; ? "Name="$ACE.Trustee
; ? "Type="$ACE.AceType
; ? "Mask="$ACE.AccessMask
; Next
$dacl = $sd.DiscretionaryACL
;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace($existingace)
NEXT
ENDIF
;break up Perms into individual actions
$cmdarray=split($perms,"+")
For $x = 0 to Ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
EndIf
$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]
; if flagged edit, delete ACE;s belonging to user about to add an ace for
IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF
$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)
IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
ELSE
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, &0)
ENDIF
ENDIF
NEXT
; FOR EACH $ace IN $dacl
; ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
; IF instr(ucase($ace.trustee),"NT AUTHORITY\")
; $newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee,"\"))
; $ace.trustee=newtrustee
; ENDIF
; NEXT
; cleanup
$dacl=""
ENDFUNCTION
FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$ADS_RIGHT_GENERIC_READ = &80000000
$ADS_RIGHT_GENERIC_EXECUTE = &20000000
$ADS_RIGHT_GENERIC_WRITE = &40000000
$ADS_RIGHT_DELETE = &10000
$ADS_RIGHT_GENERIC_ALL = &10000000
$ADS_RIGHT_WRITE_DAC = &40000
$ADS_RIGHT_WRITE_OWNER = &80000
$ADS_ACEFLAG_UNKNOWN = &1
$ADS_ACEFLAG_INHERITED_ACE = &10
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee
$case = ucase($maskvar)
SELECT
; specified rights so far only include FC & R. Could be expanded though
CASE ($case = "F")
$ace.AccessMask = $ADS_RIGHT_GENERIC_ALL
CASE ($case = "C")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_WRITE + $ADS_RIGHT_GENERIC_EXECUTE + $ADS_RIGHT_DELETE
CASE ($case = "R")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_EXECUTE
CASE ($case = "E")
$ace.AccessMask = $ADS_RIGHT_GENERIC_EXECUTE
ENDSELECT
$ace.AceFlags = $aceflags
$dacl.AddAce($ace)
$sd.DiscretionaryAcl = $dacl
$sec.SetSecurityDescriptor($sd)
ENDFUNCTION
