Page 1 of 3 123>
Topic Options
#110382 - 2003-12-15 08:07 PM Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
Hey all,

I've done some investigating into settings directory ownership through WMI rather than FSO. There is very little VB type code out there, and none in the SDK. Specifically, the MS Technet scripting site skips right over these objects??? Anyone want to help out on this?
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110383 - 2003-12-15 08:16 PM Re: Using WMI to set ownership
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
See for example NEWS: ownership of files and direcotry or NEWS: Re: TakeOwnerShip: Attn Scott McNairy
_________________________
There are two types of vessels, submarines and targets.

Top
#110384 - 2003-12-15 08:23 PM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
Hmmm... What's starting to scare me is that most of the code I've seen offers methods to "take" ownership rahter than "assign" it to another user... This project may quickly go belly up.
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110385 - 2003-12-15 08:28 PM Re: Using WMI to set ownership
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I have an EXE to recursively set ownership on directories and files. It is not currently posted to my web site as I have not tested it extensively. I could email a copy to you if you want to give it whirl.
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#110386 - 2003-12-15 08:32 PM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
Howard, I'm going to keep that in mind. I wanted to stay away from subinacl and xcacls, etc. in favor of using COM. We'll see where this leads and punt if necessary.
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110387 - 2003-12-15 08:34 PM Re: Using WMI to set ownership
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Does not use subinacl, xcalcs, etc. This is pure Perl and Win32 API.

Usage: SetOwner c:\directoryA domain\user

_________________________
Home page: http://www.kixhelp.com/hb/

Top
#110388 - 2003-12-15 09:56 PM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
I've found something. MSDN link to vbs code What, I'm not sure yet. I can decipher everything, I'm assuming this is bitwise, but have no idea how it's generated:

Code:
 wmiAce.AccessMask = 131072




Edited by jtokach (2003-12-15 09:59 PM)
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110389 - 2003-12-15 10:08 PM Re: Using WMI to set ownership
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
This should help: Win32_ACE
_________________________
There are two types of vessels, submarines and targets.

Top
#110390 - 2003-12-15 10:54 PM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
Indeed!

Here's where I'm at. The line 18 and 27 conversions from VBS don't seem to be working properly. Does the syntax need to follow different guidelines in kix?

Code:
 Break On
; Connect to WMI and get the file security object for the testfolder directory
$wmiFileSecSetting = GetObject ("winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\temp'")

; Use the Win32_LogicalFileSecuritySetting Caption property to create a simple header before
; dumping the discretionary access control list (DACL).

? "Caption: " $wmiFileSecSetting.Caption
? "ControlFlags: " $wmiFileSecSetting.ControlFlags
? "Description: " $wmiFileSecSetting.Description
? "OwnerPermissions: " $wmiFileSecSetting.OwnerPermissions
? "Path: " $wmiFileSecSetting.Path
? "SettingID: " $wmiFileSecSetting.SettingID
?
?

; Obtain existing security descriptor for folder
$wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)
If @error <> 0
? "GetSecurityDescriptor failed" + @crlf + @Error + @crlf + @SError
Exit
Else
? "GetSecurityDescriptor suceeded"
?
EndIf

$wmiOwner = wmiSecurityDescriptor.Owner

? "Win32_SecurityDescriptor"
? "------------------------"
? "Owner Name: " $wmiOwner.Name
? "Owner SIDString: " $wmiOwner.SIDString
? "Owner Domain: " $wmiOwner.Domain

_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110391 - 2003-12-15 11:11 PM Re: Using WMI to set ownership
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/setsecuritydescriptor_method_in_class_win32_logicalfilesecuritysetting.asp staest that in
Quote:

uint32 GetSecurityDescriptor(
Win32_SecurityDescriptor Descriptor
);





Descriptor is actually
Quote:

Descriptor
[out] Expression that resolves to an instance of Win32_SecurityDescriptor


which mean that the return parameter is actually in wmiSecurityDescriptor, thus this should be a variable and I am not sure whether Kixtart even supports this way of returning parametrs, which seems to be ByVal instead of ByRef. So, might not be doable.
_________________________
There are two types of vessels, submarines and targets.

Top
#110392 - 2003-12-15 11:28 PM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
Yeah, this is pretty much out of my league. Shawn or Chris can you guys confirm?

On another note, got this from the SDK. There seems to be many other ways to call methods. But, like I said, this is trial and error for me with little logic and less understanding of why. Tell me if you can see anything in here worth following up on.

Code:
'*******************************************************************
' Name : CreateShare.vbs
'
' Purpose : This example creates a new share and sets the
' security descriptor for the new share.
'********************************************************************

'*** Connect to WMI and set security settings. ******
'*** You should substitute the name of the remote system for "\\myserver" ***
Set objservices = GetObject("WINMGMTS:" _
& "{impersonationLevel=impersonate,(Security)}" _
& "!\\myserver\ROOT\CIMV2")

'*** Get the Win32_SecurityDescriptor class and spawn a new instance ****
Set objclass = objservices.Get("Win32_SecurityDescriptor")
Set objSecDescriptor = objclass.SpawnInstance_()

'****** Prepare the security descriptor for the new share ******
objSecDescriptor.Properties_.Item("ControlFlags") = 4
Set ACE1 = SetACE(objservices, 2032127, _
3, _
0, _
SetTrustee(objservices, "myserver", _
"user1", _
Array(1, 5, 0, 0, 0, 0, 0, 5, 21, _
0, 0, 0, 160, 101, 207, 126, _
120, 75, 155, 95, 231, 124, _
135, 112, 119, 238, 0, 0)))

Set ACE2 = SetACE(objservices, 2032127, _
3, _
0, _
SetTrustee(objservices, Null, _
"EVERYONE", _
Array(1, 1, 0, 0, 0, 0, 0, 1, 0, _
0, 0, 0)))


objSecDescriptor.Properties_.Item("DACL") = Array(ACE1, ACE2)


'************************ Create the new share *********************

Set objShare = objservices.Get("Win32_Share")
Set objInParam = objShare.Methods_("Create").InParameters.SpawnInstance_()
objInParam.Properties_.Item("Access") = objSecDescriptor
objInParam.Properties_.Item("Description") = "New share created by WMI script"
objInParam.Properties_.Item("Name") = "NewShare"
objInParam.Properties_.Item("Path") = "C:\temp"
objInParam.Properties_.Item("Type") = 0

'objInParam.Properties_.item("MaximumAllowed") = 10 'optional - default is 'max allowed'
'objInParam.Properties_.item("Password") = "Password" 'optional - default is no password


'************************ Execute the method **********************
Set objOutParams = objShare.ExecMethod_("Create", objInParam)
If objOutParams.ReturnValue = 0 Then
wscript.echo "Share created successfully"
Else
If objOutParams.ReturnValue = 22 Then
wscript.echo "Share may already exist"
Else
wscript.echo "Unable to create share, return value was : " _
& objOutParams.ReturnValue
End If
End If

'************************* HELPER FUNCTIONS *********************
Function SetTrustee(objservices, strDomain, strName, SID)
Set objTrustee = objservices.Get("Win32_Trustee").SpawnInstance_
objTrustee.Domain = strDomain
objTrustee.Name = strName
objTrustee.Properties_.Item("SID") = SID
Set SetTrustee = objTrustee
End Function

Function SetACE(objservices, AccessMask, AceFlags, AceType, objTrustee)
Set objAce = objservices.Get("Win32_Ace").SpawnInstance_
objAce.Properties_.Item("AccessMask") = AccessMask
objAce.Properties_.Item("AceFlags") = AceFlags
objAce.Properties_.Item("AceType") = AceType
objAce.Properties_.Item("Trustee") = objTrustee
Set SetACE = objAce
End Function
'******************************************************************



_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110393 - 2003-12-16 03:23 AM Re: Using WMI to set ownership
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
You might want to search the BBS for this. I think we had a discussion of rewriting the "set acls" VBS code that Microsoft made available with KiXtart code.
_________________________
There are two types of vessels, submarines and targets.

Top
#110394 - 2003-12-16 01:56 PM Re: Using WMI to set ownership
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
This line here:

$wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)

is a Kixtart killer - was reading-up on this on MSDN and the GetSecurityDescriptor method takes a single [out] parameter. afaik Kixtart doesn't support this. I tried faking it by passing an initialized security descriptor object to it - no worky (although it didn't complain about it either).

Top
#110395 - 2003-12-16 05:02 PM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
I'm on a never say die kick. From the SDK:
Quote:


GetSecurityDescriptor(Descriptor)
This method gets the properties and embedded objects of a descriptor object that you provide as a input parameter. If the method is successful, you can examine the properties of the descriptor object to determine the specific security settings for the file.





Now come on. By definition, shouldn't I be able to pass a variable that receives the new object???
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110396 - 2003-12-16 05:24 PM Re: Using WMI to set ownership
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Nope.

The results of GetSecurityDescriptor(Descriptor) is in Descriptor.
Code:

rc = GetSecurityDescriptor(Descriptor)


Thus, you have to pass a variable into the GetSecurityDescriptor() function as a ByRef in order for the function to return the results in Descriptor. KiXtart does not support this type of passing variables into COM objects, it only supports the ByVal passing, which essentially copies the value into the function. The ByRef passes the reference to the value into the function which gives the function the ability to update said reference so that once the funciton exits the referenced variable contaisn the new value.

We already requested a couple of times to include ByRef passing as this would enable you to pass e.g. three parameters into a funciton and have the function return with updated values in these three variables. This would save the kludge of using arrays to return multiple parameters out of a UDF.
Code:

; demo code
$a=1
$b=2
$c=3
? $a
? $b
? $c
$rc=byreffun($a, %b, $c)
? $a
? $b
? $c
function byreffun(ByRef $var1, ByRef $var2, ByRef $var3)
$var1='aaa'
$var2='bbb'
$var3='ccc'
endfunction


The output of this script would beCode:

1
2
3
aaa
bbb
ccc




Edited by sealeopard (2003-12-16 05:25 PM)
_________________________
There are two types of vessels, submarines and targets.

Top
#110397 - 2003-12-16 05:51 PM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
My C is sketchy at best but this sounds like a pointer.

I was hoping that a function could be called as Descriptor that would receive the object. Such as:
Code:
 

$rt=$wmiFileSecSetting.GetSecurityDescriptor(CreateObject("Win32_SecurityDescriptor.$foo"))



Really grasping at straws here as you can see.
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110398 - 2003-12-16 06:25 PM Re: Using WMI to set ownership
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Yes, it's like passing a pointer instead of a value in C.

And no, your code won't work as KiXtart just does not support it.
_________________________
There are two types of vessels, submarines and targets.

Top
#110399 - 2003-12-16 06:40 PM Re: Using WMI to set ownership
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Jim - here's the code I was playing with last night. Basically trying to create an "blank" instance of Win32_SecurityDescriptor and passing that to the function. You can tell that an object was indeed created. And when one queries the ControlFlags property it returns success (but I guess since its not a real instance of a security descriptor (ie a blank one) that no flags are present. If you substitute a bad property name, you do get an error - so definitetly talking to a real object here. But the passing out from GetSecurityDescriptor still doesn't work. tbh - don't think OUT parms work this way. If this was an IN/OUT parm it would probably work.


Code:

Break On

$wmiFileSecSetting = GetObject ("winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\temp'")

$wmiSecurityDescriptor = GetObject ("winmgmts:Win32_SecurityDescriptor")

?"GetObject = " + @SERROR

if $wmiSecurityDescriptor

? "ControlFlags=" + $wmiSecurityDescriptor.ControlFlags

? "QueryControlFlags = " + @SERROR

endif

$= $wmiFileSecSetting.GetSecurityDescriptor( $wmiSecurityDescriptor )

? "GetSecurityDescriptor = " + @SERROR



Top
#110400 - 2003-12-17 12:07 AM Re: Using WMI to set ownership
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
Shawn, why doesn't this work???

Code:

$Class = $wmiFileSecSetting.Get("Win32_SecurityDescriptor")
$wmiSecurityDescriptor = $Class.SpawnInstance_()

_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#110401 - 2003-12-17 01:39 AM Re: Using WMI to set ownership
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
I just traversed the inheritance tree from Win32_LogicalFileSecuritySetting that inherits from Win32_SecuritySetting which inherits from CIM_Setting but I see no support for reflection here with this class, like using get and put. But then again, I could be totally off base here.

-Shawn

Top
Page 1 of 3 123>


Moderator:  Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 248 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.081 seconds in which 0.03 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org