#88770 - 2002-10-18 06:47 PM Reading share perm info with WMI
Breaker Offline
Hey THIS is FUN
*****

Registered: 2001-06-15
Posts: 268
Loc: Yorkshire, England
OK, I've been banging my head on this for a couple of hours and it's time to humble myself before the board and ask for help.

I am trying simply to read the share permissions on each of the shares on my servers (more auditing type stuff requested by boss) and I am trying to do it with WMI.

Trouble is, all the examples I can find on the web are trying to set permissions - I just want to read them!

Basically I'm trying to use the GetSecurityDescriptor() method and then pick it apart into its constituent ACEs, which I can then decipher. I want to wrap it in a function so that I can call it easily from my main script, and possibly offer it up to the big wide world afterwards as well.

Here's what I'm working with so far - commenting out is pretty random as I've added and removed lines this afternoon:

code:
Function SharePerms($sharename,optional $computer)
    Dim $share,$objWMI,$secdesc,$dacls
    If Not $computer
        $computer = @WKSTA
    Endif
    $objWMI = GetObject("winmgmts:{impersonationlevel=impersonate}!//" + $computer)
    $share = $objWMI.ExecQuery("select* from win32_logicalsharesecuritysetting where name='" + $sharename + "';")
    $secdesc = $share.getsecuritydescriptor()
    ;$Dacls = $secdesc.DACL
    ? @ERROR + " - " + @SERROR Get $x
    ;For Each $Dacl In $Dacls
    ;    $tname = $dacl.trustee
    ;    $name = $tname.name
    ;    $access = $dacl.accessmask
    ;    ? $name + " " + $access
    ;Next
    $assoc = $objWMI.ExecQuery("associators of {win32_logicalsharesecuritysetting.name='" + $sharename + "'} where assocclass = win32_logicalshareaccess")
    For Each $sid In $assoc
        $name = $sid.accountname
        ? $name
    Next
Endfunction

The "ASSOCIATORS OF" WQL query at the end works and gives me the correct ACE name info, but tells me nothing of the actual rights each of those users/groups has on the share.

The GetSecurityDescriptor() method is failing and giving me the error code -2147352570. I'm using Kix 4.02. I've tried

code:
$x = $share.GetSecurityDescriptor($secdesc) 

...as well, with the same result. It seems that the $secdesc variable is not getting populated at all.

Any ideas? Has anyone else played with this functionality in WMI? Are there any other ways to do this?

Thanks in advance for any advice. [Confused]

-Breaker

[ 18. October 2002, 18:48: Message edited by: Breaker ]
_________________________
================================================
Breaker
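
Added example (not part of the original thread, and in PowerShell rather than KiXtart): the read path described in the post above, where GetSecurityDescriptor is invoked on each Win32_LogicalShareSecuritySetting instance returned by the query and every ACE's access mask is mapped to the standard share permission levels. The function name Get-SharePermission, its output property names and the share name in the usage comment are assumptions chosen for illustration.

```powershell
# Added example: list share-level ACEs (trustee, allow/deny, permission level).
function Get-SharePermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [string]$ComputerName               # omit to query the local machine
    )

    # Only pass -ComputerName when a remote target was requested.
    $target = @{}
    if ($ComputerName) { $target.ComputerName = $ComputerName }

    # Escape backslash and single quote so the name is safe inside the WQL filter.
    $escaped = $ShareName.Replace('\', '\\').Replace("'", "\'")
    $setting = Get-CimInstance -ClassName Win32_LogicalShareSecuritySetting `
                               -Filter "Name='$escaped'" @target
    if (-not $setting) { throw "No security setting found for share '$ShareName'." }

    # The method is called on the single instance, not on the query result set.
    $result = Invoke-CimMethod -InputObject $setting -MethodName GetSecurityDescriptor @target
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with return value $($result.ReturnValue)."
    }

    # A descriptor without a DACL yields no rows; treat that as an audit
    # finding (unrestricted access), not as "nobody has access".
    foreach ($ace in $result.Descriptor.DACL) {
        $type = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Type $_" } }
        $level = switch ([uint32]$ace.AccessMask) {
            1179817 { 'Read' }            # 0x001200A9
            1245631 { 'Change' }          # 0x001301BF
            2032127 { 'FullControl' }     # 0x001F01FF
            default { 'Special (0x{0:X8})' -f $_ }
        }
        # Well-known trustees such as Everyone may carry no domain part.
        $trustee = (@($ace.Trustee.Domain, $ace.Trustee.Name) | Where-Object { $_ }) -join '\'
        [pscustomobject]@{
            Share      = $ShareName
            Trustee    = $trustee
            Sid        = $ace.Trustee.SIDString
            AceType    = $type
            Permission = $level
        }
    }
}

# Usage (hypothetical share name):
#   Get-SharePermission -ShareName 'Data' | Format-Table -AutoSize
```

The error code -2147352570 quoted in the post is 0x80020006 (DISP_E_UNKNOWNNAME), the COM result for a member name that does not exist on the object it was called on.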


#88771 - 2002-10-18 08:27 PM Re: Reading share perm info with WMI
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
I think the reason you can't find any sample scripts that READ share perms through WMI is because it's not supported (crazy eh?) ... you can create them and set them, can't read them. (based on what I see anyways ... I swear that me and Bryce actually got something going on this ... I'll see if I can ping him later on)

Then I thought ADsSecurity might be the bomb here ... but it supports NTFS file permissions, not share permissions (arggh)

Then I thought I found something on the net that does exactly what you're after. It's called

Audit Share Permissions & Sub Dirs

Audit NTFS Permissions for all shares and child directories for a specified server. Output is saved to a file. AUDITSHAREPERMS.VBS

So I think - woot ! - Breaker could just do a quick vbs to kix conversion and off you go. Well I must say, I was sorely disappointed. I was studying the script to see how it worked but I couldn't find any WMI code in the script that actually read the share perms ... I was just about to give up when a small one liner at the bottom of the script caught my eye:

code:
c=wshell.Run("cmd /c " & "cacls " & CHR(34) & item.Path & CHR(34) & " >>" & sServer & "-S.txt",0,True)

Yup - you read it right - it shells-out to cacls and that's only for file perms I think ... correct me if I'm wrong but this script doesn't even list the share perms !!! here's the script:

Audit Share Permissions & Sub Dirs

Anyways, I still think ADsSecurity is your best bet ... might want to drill down on that ... it's a separate DLL that is not part of ADSI 2.5. It needs to be copied into your system and registered. Good luck.

-Shawn

[ 18. October 2002, 20:29: Message edited by: Shawn ]

#88772 - 2002-10-18 08:35 PM Re: Reading share perm info with WMI
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Not sure if this is what you want, but I could add a Perms Dumper to Win32Admin.DLL.

I hadn't moved forward with the ACL stuff because I still have a great deal of basic admin stuff to add first.

Let me know if you would like a quick and dirty "DACL Dumper".
_________________________
Home page: http://www.kixhelp.com/hb/
