#154982 - 2006-01-10 02:42 PM
ACL Scripting without use of external programs (BLOG)
|
Arend_
MM club member
Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
|
Here's a script I've written, I've gathered all MS's VB scripts on scripting ACL's and written this. This script has 2 improvements over AdsSecurity.dll 1. It doesn't need AdsSecurity.dll 2. It handles inheritance properly.
Although microsoft also claims thats with IADsSecurityUtility there is no need for ReOrdering anymore, I beg to differ. When using this script on a remote computer it sets the permissions correctly but after using the script, create a subfolder and open the properties tab on the permissions and you will get the notice that the order is not correct.
Update: inheritance works correctly if the parent's list of ACL's are in the correct order.
However I still feel that this is the best utility to use since it sets permissions easier and better the calcs,xcacls,SetACL and AdsSecurity.dll besides it is incorporated in Windows XP and higher (unfortunately not on Windows 2000).
Anyway without further ado, here's the code: Code:
;ACLControl() ;By Arend Pronk
Debug Off Break On Dim $iRC $iRC=SetOption('Explicit','on') $iRC=SetOption('NoVarsInStrings','on') $iRC=SetOption('WrapAtEOL','on')
Function ACLControl($cmd, $object, Optional $Trustee, Optional $perms) Dim $ADS_RIGHT_DELETE, $ADS_RIGHT_READ_CONTROL, $ADS_RIGHT_WRITE_DAC Dim $ADS_RIGHT_WRITE_OWNER, $ADS_RIGHT_SYNCHRONIZE, $ADS_RIGHT_ACCESS_SYSTEM_SECURITY Dim $ADS_RIGHT_GENERIC_READ, $ADS_RIGHT_GENERIC_WRITE, $ADS_RIGHT_GENERIC_EXECUTE Dim $ADS_RIGHT_GENERIC_ALL, $ADS_RIGHT_DS_CREATE_CHILD, $ADS_RIGHT_DS_DELETE_CHILD Dim $ADS_RIGHT_ACTRL_DS_LIST, $ADS_RIGHT_DS_SELF, $ADS_RIGHT_DS_READ_PROP Dim $ADS_RIGHT_DS_WRITE_PROP, $ADS_RIGHT_DS_DELETE_TREE, $ADS_RIGHT_DS_LIST_OBJECT Dim $ADS_RIGHT_DS_CONTROL_ACCESS, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACETYPE_ACCESS_DENIED Dim $ADS_ACETYPE_SYSTEM_AUDIT, $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, $ADS_ACETYPE_ACCESS_DENIED_OBJECT Dim $ADS_ACETYPE_SYSTEM_AUDIT_OBJECT, $ADS_ACEFLAG_UNKNOWN, $ADS_ACEFLAG_INHERIT_ACE Dim $ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE, $ADS_ACEFLAG_INHERIT_ONLY_ACE, $ADS_ACEFLAG_SUB_NEW Dim $ADS_ACEFLAG_INHERITED_ACE, $ADS_ACEFLAG_VALID_INHERIT_FLAGS, $ADS_ACEFLAG_SUCCESSFUL_ACCESS Dim $ADS_ACEFLAG_FAILED_ACCESS, $ADS_FLAG_OBJECT_TYPE_PRESENT, $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT Dim $ADS_PATH_FILE, $ADS_PATH_FILESHARE, $ADS_PATH_REGISTRY Dim $ADS_SD_FORMAT_IID, $ADS_SD_FORMAT_RAW, $ADS_SD_FORMAT_HEXSTRING ; ; Define the ADS_RIGHTS_ENUM values. ; $ADS_RIGHT_DELETE = &10000 $ADS_RIGHT_READ_CONTROL = &20000 $ADS_RIGHT_WRITE_DAC = &40000 $ADS_RIGHT_WRITE_OWNER = &80000 $ADS_RIGHT_SYNCHRONIZE = &100000 $ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &1000000 $ADS_RIGHT_GENERIC_READ = &80000000 $ADS_RIGHT_GENERIC_WRITE = &40000000 $ADS_RIGHT_GENERIC_EXECUTE = &20000000 $ADS_RIGHT_GENERIC_ALL = &10000000 $ADS_RIGHT_DS_CREATE_CHILD = &1 $ADS_RIGHT_DS_DELETE_CHILD = &2 $ADS_RIGHT_ACTRL_DS_LIST = &4 $ADS_RIGHT_DS_SELF = &8 $ADS_RIGHT_DS_READ_PROP = &10 $ADS_RIGHT_DS_WRITE_PROP = &20 $ADS_RIGHT_DS_DELETE_TREE = &40 $ADS_RIGHT_DS_LIST_OBJECT = &80 $ADS_RIGHT_DS_CONTROL_ACCESS = &100 ; ; Ace Type definitions ; $ADS_ACETYPE_ACCESS_ALLOWED = &0 $ADS_ACETYPE_ACCESS_DENIED = &1 $ADS_ACETYPE_SYSTEM_AUDIT = &2 $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &5 $ADS_ACETYPE_ACCESS_DENIED_OBJECT = &6 $ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &7 ; ; Ace Flag Constants ; $ADS_ACEFLAG_UNKNOWN = &1 $ADS_ACEFLAG_INHERIT_ACE = &2 $ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &4 $ADS_ACEFLAG_INHERIT_ONLY_ACE = &8 $ADS_ACEFLAG_SUB_NEW = &9 $ADS_ACEFLAG_INHERITED_ACE = &10 $ADS_ACEFLAG_VALID_INHERIT_FLAGS = &1F $ADS_ACEFLAG_SUCCESSFUL_ACCESS = &40 $ADS_ACEFLAG_FAILED_ACCESS = &80 ; ; Flags constants for AD objects ; $ADS_FLAG_OBJECT_TYPE_PRESENT = &1 $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &2 ; ; IADsSecurityUtility Constants ; $ADS_PATH_FILE = 1 $ADS_PATH_FILESHARE = 2 $ADS_PATH_REGISTRY = 3 ; ; ADS_SD_FORMAT_ENUM ; $ADS_SD_FORMAT_IID = 1 $ADS_SD_FORMAT_RAW = 2 $ADS_SD_FORMAT_HEXSTRING = 3
Dim $Ace, $oAce, $oSD, $oDacl, $oADsSecurityUtility
$oADsSecurityUtility = CreateObject("ADsSecurityUtility") If @error <> 0 ;couln't create the object, your OS must be lower then XP. Exit @error EndIf $oSD = $oADsSecurityUtility.GetSecurityDescriptor($object, $ADS_PATH_FILE, $ADS_SD_FORMAT_IID) $oDacl = $oSD.DiscretionaryAcl
Select CASE $cmd = "SHOW" For Each $Ace In $oDacl ? "Trustee: " + $Ace.Trustee ? "Flags: " + $Ace.AceFlags ? "AccessMask: " + $Ace.AccessMask ? "Type: " + $Ace.AceType + @CRLF Next CASE $cmd = "ADD" If $trustee <> "" $oAce = CreateObject("AccessControlEntry") $oAce.Trustee = $Trustee Select CASE $perms = "FULL" $oAce.AccessMask = $ADS_RIGHT_GENERIC_ALL CASE $perms = "READ" $oAce.AccessMask = $ADS_RIGHT_GENERIC_READ CASE $perms = "READWRITE" $oAce.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_WRITE CASE $perms = "RWEX" $oAce.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_WRITE + $ADS_RIGHT_GENERIC_EXECUTE CASE 1 ;Perms were not properly specified defaulting to READ $oAce.AccessMask = $ADS_RIGHT_GENERIC_READ ENDSELECT $oAce.AceType = $ADS_ACETYPE_ACCESS_ALLOWED $oAce.AceFlags = $ADS_ACEFLAG_INHERIT_ACE + 1 $oDacl.AddAce($oAce) $oSD.DiscretionaryAcl = $oDacl $oADsSecurityUtility.SetSecurityDescriptor($object, $ADS_PATH_FILE, $oSD, $ADS_SD_FORMAT_IID) If @error <> 0 Exit @error EndIf Else ;no trustee specified... Exit 1 EndIf CASE $cmd = "DEL" If $trustee <> "" For Each $Ace in $oDacl If $Ace.trustee = $trustee $oDacl.RemoveAce($Ace) EndIf Next $oSD.DiscretionaryAcl = $oDacl $oADsSecurityUtility.SetSecurityDescriptor($object, $ADS_PATH_FILE, $oSD, $ADS_SD_FORMAT_IID) If @error <> 0 Exit @error EndIf Else Exit 1 EndIf CASE 1 ;no proper command specified... Exit 1 EndSelect $oAce = "" $oDacl = "" $oSD = "" $oADsSecurityUtility = "" EndFunction
ACLControl("ADD","\\Server\share$\folder","Domain\testuser","FULL") ACLControl("SHOW","\\Server\share$\folder") ACLControl("DEL","\\Server\share$\folder","Domain\testuser")
[update] Changes many parts of the code. It works properly now, inheritance and all, problem resided in the server shares I tested the ACL order wasn't correct in the first place. This UDF isn't a miracle worker, when ACL's are proper in the first place this UDF will work properly. If not then it will not. I've tested this setting permissions on other workstations in my domain like "\\PC-1\c$\temp" and that worked without problem.
Added improvements over the last version, this will be the final version for now it works with all commands and i'll post it to the UDF's as is. Next version will have Share Permissions. [/update]
Edited by apronk (2006-05-03 03:37 PM)
|
Top
|
|
|
|
#154983 - 2006-01-10 09:31 PM
Re: ACL Scripting without use of external programs
|
Lonkero
KiX Master Guru
Registered: 2001-06-05
Posts: 22346
Loc: OK
|
|
Top
|
|
|
|
#154986 - 2006-01-12 06:39 PM
Re: ACL Scripting without use of external programs
|
Arend_
MM club member
Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
|
Thx Shawn
Story so far: 1. The code itself is sound, although a W.I.P. function, The ace's attibutes are currently set so FOLDER permissios are (attemptingly) correctly set. I'll worry about FIle and Registry perms later. 2. The problem resides in the Ace Flags, they are correctly done on the local computer (even if you called it like "\\MyPc\share$\folder) on which you execute the script, but on a remote computer in the same domain the inheritance is wrong. 3. Apparantly extensive knowledge of Ace Flags are needed, if you test this code and you are trying to get this to work, my advice is to UN register AdsSecurity.dll if you have it registered to avoid conflicts. 4. If this is resolved we could have the first fully working UDF for NTFS Security scripting
|
Top
|
|
|
|
#154990 - 2006-01-12 07:55 PM
Re: ACL Scripting without use of external programs
|
Arend_
MM club member
Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
|
Shawn: 1. Shouln't be a problem. 2. The script will only work on XP/2003 since the IADSSecurityUtility is only implemented on those OS's so 2000 won't work if you're on 2000.
NTDOC: Thats ok, thanks for you're advice ill have a look at the FLags in XCACLS.VBS
|
Top
|
|
|
|
#154992 - 2006-01-12 08:12 PM
Re: ACL Scripting without use of external programs
|
Arend_
MM club member
Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
|
I know my UDP processing arguements is rather primitive at the moment, but please try to use it exactly as it is mentioned like this: Code:
ACLControl("ADD","\\Server01\share$\test02","Domain\user","FULL") ACLControl("ADD","\\Server01\share$\test02","Domain\user","RECURSE")
|
Top
|
|
|
|
#154997 - 2006-01-16 08:57 PM
Re: ACL Scripting without use of external programs
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
|
Well I'm not sure if you've seen these documents or not so I'll post the links. As far as reordering not being needed I don't see how that can be unless they're claiming that they somehow check and fix that automatically within the DLL which is difficult to believe.
access control entry (ACE) An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
discretionary access control list (DACL) An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
ACE Inheritance Rules http://msdn.microsoft.com/library/defaul...tance_rules.asp
Order of ACEs in a DACL http://msdn.microsoft.com/library/defaul...s_in_a_dacl.asp
Automatic Propagation of Inheritable ACEs http://msdn.microsoft.com/library/defaul...itable_aces.asp
|
Top
|
|
|
|
#154999 - 2006-01-17 09:05 AM
Re: ACL Scripting without use of external programs
|
Arend_
MM club member
Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
|
NTDOC: thx for the links, from what I gather the inheritance order isn't set correctly and can only be properly done with "SetEntriesInAcl" which cannot be used in a Low Level programming language.
kdyer: indeed, I've tried this a year ago, remember I translated your unworking version of ChangeACLs to a working version ChangeACLS http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=131714&page=0&fpart=all&vc=1
|
Top
|
|
|
|
Moderator: Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart
|
0 registered
and 329 anonymous users online.
|
|
|