Sorry guys, that was nonsense...

I think I have it now, that is I can edit NTFS permissions, but I have not made nice loops and functions out of it. That's mainly because I have slightly different needs in my script... it has the double entries for a folder and also... you'll see.

I got this to work though:

code:
 
$sec = CreateObject("ADsSecurity")
$sd = $sec.getsecuritydescriptor("FILE://$homedir")
$dacl = $sd.discretionaryacl

FOR EACH $entry IN $dacl
$dacl.removeace($entry)
NEXT
;Add the domain admins with full control and the user with fullcontrol ( i know this is stupid, but that's what the
;standard is at the idiots who pay me my salary) if you want change perms, set the accessmask to 1245631 in the Ace with aceflags set to 2 and
;set the accessmask to -536805376 on the Ace that has aceflags set to 9... (this was done by trial and lots of error)

$ace1 = CreateObject("AccessControlEntry")
$Ace1.AccessMask = 2032127 ;full control
$Ace1.AceType = 0 ;allowed
$Ace1.AceFlags = 2 ;inheritable
$Ace1.Trustee = getsid("WinNT://$domain/domain admins,group")

$ace2 = CreateObject("AccessControlEntry")
$Ace2.AccessMask = 268435456 ;full control
$Ace2.AceType = 0 ;allowed
$Ace2.AceFlags = 9 ;inheritable
$Ace2.Trustee = getsid("WinNT://$domain/domain admins,group")

$ace3 = CreateObject("AccessControlEntry")
$Ace3.AccessMask = 2032127 ;full control
$Ace3.AceType = 0 ;allowed
$Ace3.AceFlags = 2 ;inheritable
$Ace3.Trustee = getsid("WinNT://$domain/$username,user")

$ace4 = CreateObject("AccessControlEntry")
$Ace4.AccessMask = 268435456 ;full control
$Ace4.AceType = 0 ;allowed
$Ace4.AceFlags = 9 ;inheritable
$Ace4.Trustee = getsid("WinNT://$domain/$username,user")

$dacl.addace($ace1)
$dacl.addace($ace2)
$dacl.addace($ace3)
$dacl.addace($ace4)
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor($sd)

$sd = 0



Apart from the enumeration of the accessmask, which is quite easily taken by manually setting the perms you like and just listing them with a little script, the problem was that I only got it to work if the trustee was given as the SID (there we go...) of the user/group. I have adapted Shawn's getrid function to make the getsid function..

code:
 
Function getsid($adspath)

    ; declare every variable the function uses so nothing leaks into global scope
    dim $adssid,$obj,$hex,$x,$sac,$sa,$sareverse,$textsid

    $obj = getobject("$adspath")
    $adssid = createobject("adssid")
    $adssid.setas(5,"$adspath") ; put ADsPath in
    $hex = $adssid.getas(1) ; take SIDstring out
    $sac = val(substr($hex,3,2)) ; number of sub-authorities

    ; revision and identifier authority
    $textsid = "S-" + val(substr($hex,1,2)) + "-" + val(substr($hex,5,12))

    ; each sub-authority is 4 bytes stored little-endian, so reverse the byte order
    for $x = 1 to $sac
        $sa = substr($hex,(9 + $x * 8),8)
        $sareverse = val("&"+substr($sa,7,2)+substr($sa,5,2)+substr($sa,3,2)+substr($sa,1,2))
        $textsid = $textsid + "-" + $sareverse
    next

    $getsid = $textsid

endfunction


I have tried other types of the SID but I can only get it to work with this one..

BUT NOW... another problem: I have set the NTFS perms on the folder but I also want to set share permissions. I have tried the following script:

code:
 
break on

$object = getobject("WinNT://wcws020/LanmanServer/D")
$sec = CreateObject("ADsSecurity")

? $object.name
? $object.description
? $object.path
$sd = $sec.getsecuritydescriptor("WinNT://wcws020/LanmanServer/D")
$dacl = $sd.discretionaryacl

FOR EACH $e IN $dacl
? $e.trustee + " " + $e.Accessmask + " " + $e.acetype + " " + $e.aceflags
NEXT


? "finito"
get $k
exit



WCWS020 is the workstation (remote) and D is the sharename. It does properly show me the path, name and description but it generates a script error at:

$dacl = $sd.discretionaryacl

unknown command it says... but to the best of my knowledge, all the objects have a discretionary ACL and it works like a charm on files/folders.

ANY IDEAS ??

Thanx,
MvdW

_________________________
rgrds, Maarten
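
The AccessMask and AceFlags numbers quoted in the post, and the hex SID that getsid converts, can be decoded offline. The following is an added example, not part of the original post: the bit names are taken from the Windows SDK header winnt.h, and the function names and the sample SID are constructed for illustration.

```python
# Added example. Bit names follow winnt.h; the numeric inputs in __main__ are
# the values quoted in the post. Any SID passed in tests is constructed.
ACCESS_BITS = [
    (0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
    (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL"),
    (0x00100000, "SYNCHRONIZE"), (0x00080000, "WRITE_OWNER"),
    (0x00040000, "WRITE_DAC"), (0x00020000, "READ_CONTROL"),
    (0x00010000, "DELETE"),
    (0x0100, "FILE_WRITE_ATTRIBUTES"), (0x0080, "FILE_READ_ATTRIBUTES"),
    (0x0040, "FILE_DELETE_CHILD"), (0x0020, "FILE_EXECUTE"),
    (0x0010, "FILE_WRITE_EA"), (0x0008, "FILE_READ_EA"),
    (0x0004, "FILE_APPEND_DATA"), (0x0002, "FILE_WRITE_DATA"),
    (0x0001, "FILE_READ_DATA"),
]
ACE_FLAG_BITS = [
    (0x01, "OBJECT_INHERIT_ACE"), (0x02, "CONTAINER_INHERIT_ACE"),
    (0x04, "NO_PROPAGATE_INHERIT_ACE"), (0x08, "INHERIT_ONLY_ACE"),
    (0x10, "INHERITED_ACE"),
]

def decode_bits(value, table, width=32):
    """Return the names of all bits set in value; unknown bits shown in hex."""
    value &= (1 << width) - 1      # scripts report masks as signed 32-bit ints
    names = [name for bit, name in table if value & bit]
    known = sum(bit for bit, _ in table)
    if value & ~known:
        names.append(hex(value & ~known))
    return names

def sid_from_hex(hexsid):
    """Convert a binary SID given as a hex string to S-R-I-S... text form."""
    raw = bytes.fromhex(hexsid)
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")           # 48-bit, big-endian
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little")  # unsigned
            for i in range(count)]
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

if __name__ == "__main__":
    for mask in (2032127, 268435456, 1245631, -536805376):
        print(mask, decode_bits(mask, ACCESS_BITS))
    for flags in (2, 9):
        print(flags, decode_bits(flags, ACE_FLAG_BITS, 8))
```

Decoded this way, the pair of ACEs per trustee reads as one entry that subfolders inherit (flags 2) and one inherit-only entry for files (flags 9).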