Page 1 of 2 12>
Topic Options
#154982 - 2006-01-10 02:42 PM ACL Scripting without use of external programs (BLOG)
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Here's a script I've written, I've gathered all MS's VB scripts on scripting ACL's and written this.
This script has 2 improvements over AdsSecurity.dll
1. It doesn't need AdsSecurity.dll
2. It handles inheritance properly.

Although microsoft also claims thats with IADsSecurityUtility there is no need for ReOrdering anymore, I beg to differ. When using this script on a remote computer it sets the permissions correctly but after using the script, create a subfolder and open the properties tab on the permissions and you will get the notice that the order is not correct.

Update: inheritance works correctly if the parent's list of ACL's are in the correct order.

However I still feel that this is the best utility to use since it sets permissions easier and better the calcs,xcacls,SetACL and AdsSecurity.dll
besides it is incorporated in Windows XP and higher (unfortunately not on Windows 2000).

Anyway without further ado, here's the code:
Code:

;ACLControl()
;By Arend Pronk

Debug Off
Break On
Dim $iRC
$iRC=SetOption('Explicit','on')
$iRC=SetOption('NoVarsInStrings','on')
$iRC=SetOption('WrapAtEOL','on')

Function ACLControl($cmd, $object, Optional $Trustee, Optional $perms)
Dim $ADS_RIGHT_DELETE, $ADS_RIGHT_READ_CONTROL, $ADS_RIGHT_WRITE_DAC
Dim $ADS_RIGHT_WRITE_OWNER, $ADS_RIGHT_SYNCHRONIZE, $ADS_RIGHT_ACCESS_SYSTEM_SECURITY
Dim $ADS_RIGHT_GENERIC_READ, $ADS_RIGHT_GENERIC_WRITE, $ADS_RIGHT_GENERIC_EXECUTE
Dim $ADS_RIGHT_GENERIC_ALL, $ADS_RIGHT_DS_CREATE_CHILD, $ADS_RIGHT_DS_DELETE_CHILD
Dim $ADS_RIGHT_ACTRL_DS_LIST, $ADS_RIGHT_DS_SELF, $ADS_RIGHT_DS_READ_PROP
Dim $ADS_RIGHT_DS_WRITE_PROP, $ADS_RIGHT_DS_DELETE_TREE, $ADS_RIGHT_DS_LIST_OBJECT
Dim $ADS_RIGHT_DS_CONTROL_ACCESS, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACETYPE_ACCESS_DENIED
Dim $ADS_ACETYPE_SYSTEM_AUDIT, $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, $ADS_ACETYPE_ACCESS_DENIED_OBJECT
Dim $ADS_ACETYPE_SYSTEM_AUDIT_OBJECT, $ADS_ACEFLAG_UNKNOWN, $ADS_ACEFLAG_INHERIT_ACE
Dim $ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE, $ADS_ACEFLAG_INHERIT_ONLY_ACE, $ADS_ACEFLAG_SUB_NEW
Dim $ADS_ACEFLAG_INHERITED_ACE, $ADS_ACEFLAG_VALID_INHERIT_FLAGS, $ADS_ACEFLAG_SUCCESSFUL_ACCESS
Dim $ADS_ACEFLAG_FAILED_ACCESS, $ADS_FLAG_OBJECT_TYPE_PRESENT, $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
Dim $ADS_PATH_FILE, $ADS_PATH_FILESHARE, $ADS_PATH_REGISTRY
Dim $ADS_SD_FORMAT_IID, $ADS_SD_FORMAT_RAW, $ADS_SD_FORMAT_HEXSTRING
;
; Define the ADS_RIGHTS_ENUM values.
;
$ADS_RIGHT_DELETE = &10000
$ADS_RIGHT_READ_CONTROL = &20000
$ADS_RIGHT_WRITE_DAC = &40000
$ADS_RIGHT_WRITE_OWNER = &80000
$ADS_RIGHT_SYNCHRONIZE = &100000
$ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &1000000
$ADS_RIGHT_GENERIC_READ = &80000000
$ADS_RIGHT_GENERIC_WRITE = &40000000
$ADS_RIGHT_GENERIC_EXECUTE = &20000000
$ADS_RIGHT_GENERIC_ALL = &10000000
$ADS_RIGHT_DS_CREATE_CHILD = &1
$ADS_RIGHT_DS_DELETE_CHILD = &2
$ADS_RIGHT_ACTRL_DS_LIST = &4
$ADS_RIGHT_DS_SELF = &8
$ADS_RIGHT_DS_READ_PROP = &10
$ADS_RIGHT_DS_WRITE_PROP = &20
$ADS_RIGHT_DS_DELETE_TREE = &40
$ADS_RIGHT_DS_LIST_OBJECT = &80
$ADS_RIGHT_DS_CONTROL_ACCESS = &100
;
; Ace Type definitions
;
$ADS_ACETYPE_ACCESS_ALLOWED = &0
$ADS_ACETYPE_ACCESS_DENIED = &1
$ADS_ACETYPE_SYSTEM_AUDIT = &2
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &5
$ADS_ACETYPE_ACCESS_DENIED_OBJECT = &6
$ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &7
;
; Ace Flag Constants
;
$ADS_ACEFLAG_UNKNOWN = &1
$ADS_ACEFLAG_INHERIT_ACE = &2
$ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &4
$ADS_ACEFLAG_INHERIT_ONLY_ACE = &8
$ADS_ACEFLAG_SUB_NEW = &9
$ADS_ACEFLAG_INHERITED_ACE = &10
$ADS_ACEFLAG_VALID_INHERIT_FLAGS = &1F
$ADS_ACEFLAG_SUCCESSFUL_ACCESS = &40
$ADS_ACEFLAG_FAILED_ACCESS = &80
;
; Flags constants for AD objects
;
$ADS_FLAG_OBJECT_TYPE_PRESENT = &1
$ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &2
;
; IADsSecurityUtility Constants
;
$ADS_PATH_FILE = 1
$ADS_PATH_FILESHARE = 2
$ADS_PATH_REGISTRY = 3
;
; ADS_SD_FORMAT_ENUM
;
$ADS_SD_FORMAT_IID = 1
$ADS_SD_FORMAT_RAW = 2
$ADS_SD_FORMAT_HEXSTRING = 3

Dim $Ace, $oAce, $oSD, $oDacl, $oADsSecurityUtility

$oADsSecurityUtility = CreateObject("ADsSecurityUtility")
If @error <> 0
;couln't create the object, your OS must be lower then XP.
Exit @error
EndIf
$oSD = $oADsSecurityUtility.GetSecurityDescriptor($object, $ADS_PATH_FILE, $ADS_SD_FORMAT_IID)
$oDacl = $oSD.DiscretionaryAcl

Select
CASE $cmd = "SHOW"
For Each $Ace In $oDacl
? "Trustee: " + $Ace.Trustee
? "Flags: " + $Ace.AceFlags
? "AccessMask: " + $Ace.AccessMask
? "Type: " + $Ace.AceType + @CRLF
Next
CASE $cmd = "ADD"
If $trustee <> ""
$oAce = CreateObject("AccessControlEntry")
$oAce.Trustee = $Trustee
Select
CASE $perms = "FULL"
$oAce.AccessMask = $ADS_RIGHT_GENERIC_ALL
CASE $perms = "READ"
$oAce.AccessMask = $ADS_RIGHT_GENERIC_READ
CASE $perms = "READWRITE"
$oAce.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_WRITE
CASE $perms = "RWEX"
$oAce.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_WRITE + $ADS_RIGHT_GENERIC_EXECUTE
CASE 1
;Perms were not properly specified defaulting to READ
$oAce.AccessMask = $ADS_RIGHT_GENERIC_READ
ENDSELECT
$oAce.AceType = $ADS_ACETYPE_ACCESS_ALLOWED
$oAce.AceFlags = $ADS_ACEFLAG_INHERIT_ACE + 1
$oDacl.AddAce($oAce)
$oSD.DiscretionaryAcl = $oDacl
$oADsSecurityUtility.SetSecurityDescriptor($object, $ADS_PATH_FILE, $oSD, $ADS_SD_FORMAT_IID)
If @error <> 0
Exit @error
EndIf
Else
;no trustee specified...
Exit 1
EndIf
CASE $cmd = "DEL"
If $trustee <> ""
For Each $Ace in $oDacl
If $Ace.trustee = $trustee
$oDacl.RemoveAce($Ace)
EndIf
Next
$oSD.DiscretionaryAcl = $oDacl
$oADsSecurityUtility.SetSecurityDescriptor($object, $ADS_PATH_FILE, $oSD, $ADS_SD_FORMAT_IID)
If @error <> 0
Exit @error
EndIf
Else
Exit 1
EndIf
CASE 1
;no proper command specified...
Exit 1
EndSelect
$oAce = ""
$oDacl = ""
$oSD = ""
$oADsSecurityUtility = ""
EndFunction

ACLControl("ADD","\\Server\share$\folder","Domain\testuser","FULL")
ACLControl("SHOW","\\Server\share$\folder")
ACLControl("DEL","\\Server\share$\folder","Domain\testuser")



[update]
Changes many parts of the code.
It works properly now, inheritance and all, problem resided in the server shares I tested the ACL order wasn't correct in the first place. This UDF isn't a miracle worker, when ACL's are proper in the first place this UDF will work properly. If not then it will not. I've tested this setting permissions on other workstations in my domain like "\\PC-1\c$\temp" and that worked without problem.

Added improvements over the last version, this will be the final version for now it works with all commands and i'll post it to the UDF's as is.
Next version will have Share Permissions.
[/update]


Edited by apronk (2006-05-03 03:37 PM)

Top
#154983 - 2006-01-10 09:31 PM Re: ACL Scripting without use of external programs
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
linking to the "original" thread:
http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Board=UBB13&Number=154513
_________________________
!

download KiXnet

Top
#154984 - 2006-01-12 08:50 AM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Most of us know that there are several ways to use programming/scripting to set NTFS security details on files and folders such as cacls.exe, xcacls.exe, xcacls.vbs, AdsSecurity.dll and the most recent (incorporated in XP and 2003) ADsSecurityUtility.

I chose ADsSecurityUtility after the problems with the above mentioned. This by far works best imo. The only problem I have in the order of inherited aces. I'll tell you first when the problem occurs. It occurs when you select a folder on a remote computer in the network even a folder on the server for instance: \\Server01\Share$\folder. It doesn't occur when you do in on your own computer in the network for instance \\LocalXP\c$\folder. The permissions on the Set folder are in perfect order (well perfect...) but once set, and you create a subfolder and look at the permissions on it they are out of order (windows says so)

The code itself is very sound. The only thing I need to know is the correct AceFlags to set permissions so the problems does NOT occur on \\Server01\Share\folder.
Can anyone please help me out ?

[edit] Removed the code, I'll post the changes in the first post. [/edit]


Edited by apronk (2006-02-23 02:40 PM)

Top
#154985 - 2006-01-12 05:44 PM Re: ACL Scripting without use of external programs
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
This is one of the more interesting threads I've seen in a while. Following along with much interest - currently setting myself to test and (hopefully) follow along .
Top
#154986 - 2006-01-12 06:39 PM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Thx Shawn

Story so far:
1. The code itself is sound, although a W.I.P. function,
The ace's attibutes are currently set so FOLDER permissios are (attemptingly) correctly set. I'll worry about FIle and Registry perms later.
2. The problem resides in the Ace Flags, they are correctly done on the local computer (even if you called it like "\\MyPc\share$\folder) on which you execute the script, but on a remote computer in the same domain the inheritance is wrong.
3. Apparantly extensive knowledge of Ace Flags are needed, if you test this code and you are trying to get this to work, my advice is to UN register AdsSecurity.dll if you have it registered to avoid conflicts.
4. If this is resolved we could have the first fully working UDF for NTFS Security scripting

Top
#154987 - 2006-01-12 07:04 PM Re: ACL Scripting without use of external programs
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
well tbh - I'm having trouble getting it to work right now. I dont have a server to use so I setup a share on a remote workstation (that shouldn't be an issue ja?).

Made a couple of changes to your function for my own benefit.

1) Removed the MessageBox output and just slapped in some ? "..." type console messages.

2) Currently my $oADsSecurityUtility.SetSecurityDescriptor call is failing with the ubiquitous COM "unspecified error" right now. However, your UDF is not trapping this and ends up just returning an errorlevel 0 (i know this is a wip though) ...

Still plugging away.

Top
#154988 - 2006-01-12 07:07 PM Re: ACL Scripting without use of external programs
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Hi Arend,

I'd like to help out, but this process actually can be quite time consuming as I'm sure you've seen, and I'm working on too many other projects at the moment to take on something like this.

However, don't forget that XCACLS.VBS (Though large in size) does work properly so you might be able to review that code to help determine where you might be going wrong.

If I get a bit of free time I'll try to dig into it a little bit and help out further.

Good luck guy.
 

Top
#154989 - 2006-01-12 07:09 PM Re: ACL Scripting without use of external programs
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Ron - can we MSN tonight and hopefully you can give me the scoop on how to set this up properly ja.
Top
#154990 - 2006-01-12 07:55 PM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Shawn:
1. Shouln't be a problem.
2. The script will only work on XP/2003 since the IADSSecurityUtility is only implemented on those OS's so 2000 won't work if you're on 2000.

NTDOC:
Thats ok, thanks for you're advice ill have a look at the FLags in XCACLS.VBS

Top
#154991 - 2006-01-12 07:59 PM Re: ACL Scripting without use of external programs
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
I'm going XP PRO -> XP PRO
Top
#154992 - 2006-01-12 08:12 PM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
I know my UDP processing arguements is rather primitive at the moment, but please try to use it exactly as it is mentioned like this:
Code:

ACLControl("ADD","\\Server01\share$\test02","Domain\user","FULL")
ACLControl("ADD","\\Server01\share$\test02","Domain\user","RECURSE")


Top
#154993 - 2006-01-13 08:32 AM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Shawn, maybe your Activeds.dll isn't registered. (It comes standard in XP and 2003)
Top
#154994 - 2006-01-13 09:08 AM Re: ACL Scripting without use of external programs
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
shawn is purely XP guy, so don't think that's the case.
_________________________
!

download KiXnet

Top
#154995 - 2006-01-13 02:06 PM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
could you retrieve the $oADsSecurityUtility.SetSecurityDescriptor errornumber ?
I had it a few times in the beginning with AdsSecurity.dll, error was something like -2124324. Which means that the Ace you're trying to add can't be found.

Top
#154996 - 2006-01-16 04:03 PM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
I've read trough the XCACLS.VBS code at first I wanted to translate it but reading half way trough I lost interest in that since it's too much code for what it does imo. Besides I think it takes a different approach to what im trying to do. I'm still trying to figure it out and as soon as I find something I'll post it here.
Top
#154997 - 2006-01-16 08:57 PM Re: ACL Scripting without use of external programs
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Well I'm not sure if you've seen these documents or not so I'll post the links. As far as reordering not being needed I don't see how that can be unless they're claiming that they somehow check and fix that automatically within the DLL which is difficult to believe.


access control entry
(ACE) An entry in an access control list (ACL). An ACE contains a set of access rights and a
security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

discretionary access control list
(DACL) An access control list that is controlled by the owner of an object and that specifies the
access particular users or groups can have to the object.

ACE Inheritance Rules
http://msdn.microsoft.com/library/defaul...tance_rules.asp

Order of ACEs in a DACL
http://msdn.microsoft.com/library/defaul...s_in_a_dacl.asp

Automatic Propagation of Inheritable ACEs
http://msdn.microsoft.com/library/defaul...itable_aces.asp

 

Top
#154998 - 2006-01-17 08:48 AM Re: ACL Scripting without use of external programs
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
I knew we have discussed this topic before.. Maybe not to this degree. But, I do know that I have talked about this with Shawn before.

Kent: Review a WSH script - Part Deux

Re: OFF TOPIC - Shawn can you review a WSH script for me?

And... We can find where it all comes from too -
Apply File And Directory Permissions... ( Vbscript )

Kent


Edited by kdyer (2006-01-17 08:51 AM)
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

Top
#154999 - 2006-01-17 09:05 AM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
NTDOC: thx for the links, from what I gather the inheritance order isn't set correctly and can only be properly done with "SetEntriesInAcl" which cannot be used in a Low Level programming language.

kdyer: indeed, I've tried this a year ago, remember I translated your unworking version of ChangeACLs to a working version
ChangeACLS
http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=131714&page=0&fpart=all&vc=1

Top
#155000 - 2006-02-21 03:54 PM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Small update: I can confirm now that with IADsSecurity adding an Ace to an existing Dacl will have the order of aces set correctly. However the order is not pushed down the chain, eventho you can script it so it pushes the permissions to every subfile and folder the problem begins when a new folder is created after the permissions are set.

I still cannot figure out why this is happening. In the GUI of windows security there is the option to have every file created after the setting of the permissions to inherit the perms and order. However I cannot find this option in IADsSecurity or AdsSecurity as of yet. This is the last option we need, if this is figured out the finally permissions can be safely scripted.

Nonetheless permisions can be perfectly scripted with the above code (although not yet completed) on files since tehre are no inheritance rules on that.

Top
#155001 - 2006-02-23 02:45 PM Re: ACL Scripting without use of external programs
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Small Update 2: Updated the code some, Select for too much if's. Added better error handling.
[edit]
Small Update 3: After spending yet a few hours on this, I can confirm the problem resides in the AceFlags. I've tried numerious combinations and continue to test this.
[/edit]


Edited by apronk (2006-02-23 05:45 PM)

Top
Page 1 of 2 12>


Moderator:  Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 329 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.074 seconds in which 0.025 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org