#58268 - 2001-08-16 04:49 AM
Kent: Review a WSH script - Part Deux
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
Kent, Thought I would start a new thread ... This is where we're at. With your forgiveness, I stripped your script down and did a bit of reformatting (the download toasted the script) ... Notes: 1) Just provide the details at the top 2) I'm testing this on a non-network-connected Windows 2000 box - I haven't tested on a real remote server 3) I disabled the initial deletion of all the ACEs 'cause this tended to screw things up if the script failed ... Hope this helps the cause: code:

BREAK ON

$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")

$textusr    = "bryce"                ; username
$textshare  = "tassie"               ; machine
$textsharen = "$textusr$$"           ; sharename (hidden share; "$$" is a literal "$")
$usershare  = "$textusr"             ;
$userdir    = "f:\users\$textusr"    ; path (local to the machine the script runs on)

;===
; Create folder
;===
IF NOT Exist($userdir)
   ? "Creating folder..."
   MD "$userdir"
ELSE
   ? "Folder already exists..."
ENDIF

;===
; Create share
;===
$fservobj = GetObject("WinNT://" + $textshare + "/lanmanserver")
$newshare = $fservobj.Create("fileshare", $textsharen)
IF $newshare
   ? "Creating share ..."
   $newshare.Path = $userdir
   $newshare.SetInfo
   $newshare = 0
ELSE
   ? "Share already exists..."
ENDIF

;===
; Set ACLs
;===
$filenm = $userdir
$permspart = "add($textusr:f)+add(Administrator:f)+add(Guest:f)"

;-- Replace ACL on single file or folder -------
IF $ofs.FileExists($filenm)
   ChangeAcls($filenm, $permspart, "REPLACE", "FILE")
ELSE
   IF $ofs.FolderExists($filenm)
      ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
   ENDIF
ENDIF
$ofs = 0
$sec = 0
EXIT

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
   ;- Edit ACLs of the specified file or folder -----
   ; $perms : "add(trustee:F|C|R)+del(trustee:x)+..."
   ; $redit : "REPLACE" drops every existing ACE first; "EDIT" only drops the ACEs of the
   ;          trustees being re-added (so a "del(...)" entry only takes effect in EDIT mode)
   $ADS_ACETYPE_ACCESS_ALLOWED = 0
   $ADS_ACETYPE_ACCESS_DENIED  = 1
   $ADS_ACEFLAG_INHERIT_ACE    = 2   ; CONTAINER_INHERIT_ACE
   $ADS_ACEFLAG_SUB_NEW        = 9   ; OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE
   $sd   = $sec.GetSecurityDescriptor("FILE://$file")
   $dacl = $sd.DiscretionaryAcl
   ;===
   ; if flagged Replace then remove all existing aces from dacl first
   ;===
   IF UCase($redit) = "REPLACE"
      FOR EACH $existingace IN $dacl
         ; $dacl.RemoveAce($existingace)   ; temp removed
      NEXT
   ENDIF
   ; break up Perms into individual actions
   $cmdarray = Split($perms, "+")
   FOR $x = 0 TO UBound($cmdarray)
      $tmpvar1 = $cmdarray[$x]
      IF UCase(Left($tmpvar1, 3)) = "DEL"
         $aclaction = "DEL"
      ELSE
         $aclaction = "ADD"
      ENDIF
      ; strip "add(" / "del(" and the closing ")" to get "trustee:right"
      $tmpcmdvar = Left($tmpvar1, Len($tmpvar1) - 1)
      $tmpcmdvar = Right($tmpcmdvar, Len($tmpcmdvar) - 4)
      $cmdparts  = Split($tmpcmdvar, ":")
      $namevar   = $cmdparts[0]
      $rightvar  = $cmdparts[1]
      ; if flagged edit, delete the ACEs belonging to the trustee we are about to add an ace for
      IF UCase($redit) = "EDIT"
         FOR EACH $existingace IN $dacl
            $trusteevar = $existingace.Trustee
            IF InStr($trusteevar, "\")
               $trunamevar = Right($trusteevar, Len($trusteevar) - InStr($trusteevar, "\"))
            ELSE
               $trunamevar = $trusteevar
            ENDIF
            $uctrunamevar = UCase($trunamevar)
            $ucnamevar    = UCase($namevar)
            IF $uctrunamevar = $ucnamevar
               $dacl.RemoveAce($existingace)
            ENDIF
         NEXT
      ENDIF
      ; if action is DEL the following clause skips addace
      IF $aclaction = "ADD"
         IF UCase($ffolder) = "FOLDER"
            ; folders require 2 aces per trustee (to do with inheritance)
            AddAce($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
            AddAce($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
         ELSE
            AddAce($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, 0)
         ENDIF
      ENDIF
   NEXT
   FOR EACH $ace IN $dacl
      ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
      IF InStr(UCase($ace.Trustee), "NT AUTHORITY\")
         $newtrustee  = Right($ace.Trustee, Len($ace.Trustee) - InStr($ace.Trustee, "\"))
         $ace.Trustee = $newtrustee
      ENDIF
   NEXT
   ; final sets and cleanup ($sec is the script-level object; the caller releases it)
   $sd.DiscretionaryAcl = $dacl
   $sec.SetSecurityDescriptor($sd)
   $sd   = 0
   $dacl = 0
ENDFUNCTION

FUNCTION AddAce($dacl, $trustee, $maskvar, $acetype, $aceflags)
   ; add ace to the specified dacl
   $RIGHT_READ           = &80000000   ; GENERIC_READ
   $RIGHT_EXECUTE        = &20000000   ; GENERIC_EXECUTE
   $RIGHT_WRITE          = &40000000   ; GENERIC_WRITE
   $RIGHT_DELETE         = &10000      ; DELETE
   $RIGHT_FULL           = &10000000   ; GENERIC_ALL
   $RIGHT_CHANGE_PERMS   = &40000      ; WRITE_DAC
   $RIGHT_TAKE_OWNERSHIP = &80000      ; WRITE_OWNER
   $ace = CreateObject("AccessControlEntry")
   $ace.Trustee = $trustee
   $maskvar = UCase($maskvar)
   SELECT
      CASE $maskvar = "F"
         $ace.AccessMask = $RIGHT_FULL
      CASE $maskvar = "C"
         $ace.AccessMask = $RIGHT_READ | $RIGHT_WRITE | $RIGHT_EXECUTE | $RIGHT_DELETE
      CASE $maskvar = "R"
         $ace.AccessMask = $RIGHT_READ | $RIGHT_EXECUTE
   ENDSELECT
   $ace.AceType  = $acetype
   $ace.AceFlags = $aceflags
   $dacl.AddAce($ace)
   $ace = 0
ENDFUNCTION

FUNCTION Left($ExpC, $ExpN)
   $Left = SubStr($ExpC, 1, $ExpN)
ENDFUNCTION

FUNCTION Right($ExpC, $ExpN)
   $Right = SubStr($ExpC, Len($ExpC) - $ExpN + 1, $ExpN)
ENDFUNCTION

[p.s. I ripped the right() and left() functions from ScriptLogic - Brian - thank you my friend!]
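The "add(trustee:right)+..." spec that ChangeAcls() parses above, and the mask and flag constants that AddAce() turns it into, are easy to get wrong by one bit. The following is an added Python example (not code from the thread, and not KiXtart): it parses the same spec, expands it into the ACEs the routine would add (two per trustee on a folder, flags 9 and 2), names the bits in any access mask, and flags the kind of grant the sample spec contains, Guest with Full Control. The list of broad well-known trustees it checks against is an assumption for this example.

```python
"""Decode the "add(trustee:right)+del(trustee:right)" spec used by the KiXtart
ChangeAcls() routine into concrete ACEs and name the bits in the resulting
access masks.  Added example, not code from the thread; it mirrors the script's
constants and its folder "two ACEs per trustee" rule.  BROAD_TRUSTEES is an
assumption for the risky_grants() check."""

from dataclasses import dataclass

# Generic and standard rights exactly as the KiXtart AddAce() function defines them.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000            # $RIGHT_READ, $RIGHT_WRITE
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000           # $RIGHT_EXECUTE, $RIGHT_FULL
DELETE, WRITE_DAC, WRITE_OWNER = 0x10000, 0x40000, 0x80000      # $RIGHT_DELETE, $RIGHT_CHANGE_PERMS, $RIGHT_TAKE_OWNERSHIP

MASK_BY_LETTER = {
    "F": GENERIC_ALL,
    "C": GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
    "R": GENERIC_READ | GENERIC_EXECUTE,
}

# ACE flag bits (winnt.h) behind the script's two magic numbers.
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE = 0x1, 0x2, 0x8
ACEFLAG_INHERIT_ACE = CONTAINER_INHERIT_ACE                 # $ADS_ACEFLAG_INHERIT_ACE = 2
ACEFLAG_SUB_NEW = OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE     # $ADS_ACEFLAG_SUB_NEW = 9
ACCESS_ALLOWED = 0                                          # $ADS_ACETYPE_ACCESS_ALLOWED

# Bit names for decoding a mask, lowest bit first: file-specific, standard, generic.
RIGHT_NAMES = [
    (0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
    (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
    (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"), (0x100, "FILE_WRITE_ATTRIBUTES"),
    (DELETE, "DELETE"), (0x20000, "READ_CONTROL"), (WRITE_DAC, "WRITE_DAC"),
    (WRITE_OWNER, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
    (GENERIC_ALL, "GENERIC_ALL"), (GENERIC_EXECUTE, "GENERIC_EXECUTE"),
    (GENERIC_WRITE, "GENERIC_WRITE"), (GENERIC_READ, "GENERIC_READ"),
]

# Trustees that should not get Full or Change on a home directory (assumption for this check).
BROAD_TRUSTEES = {"EVERYONE", "GUEST", "GUESTS", "USERS", "AUTHENTICATED USERS"}


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    ace_type: int
    flags: int


def parse_spec(spec):
    """Split "add(bryce:f)+del(everyone:F)" into (action, trustee, letter) triples."""
    entries = []
    for item in spec.split("+"):
        item = item.strip()
        action, body = item[:3].upper(), item[3:]
        if action not in ("ADD", "DEL") or not (body.startswith("(") and body.endswith(")")):
            raise ValueError(f"malformed entry: {item!r}")
        trustee, sep, letter = body[1:-1].partition(":")
        letter = letter.upper()
        if not sep or not trustee or letter not in MASK_BY_LETTER:
            raise ValueError(f"bad trustee or right in {item!r}")
        entries.append((action, trustee, letter))
    return entries


def build_aces(spec, is_folder):
    """ACEs the KiXtart routine would add; DEL entries add nothing (they only remove in EDIT mode)."""
    aces = []
    for action, trustee, letter in parse_spec(spec):
        if action != "ADD":
            continue
        mask = MASK_BY_LETTER[letter]
        if is_folder:
            # files below the folder inherit through flags 9; the folder and subfolders through flags 2
            aces.append(Ace(trustee, mask, ACCESS_ALLOWED, ACEFLAG_SUB_NEW))
            aces.append(Ace(trustee, mask, ACCESS_ALLOWED, ACEFLAG_INHERIT_ACE))
        else:
            aces.append(Ace(trustee, mask, ACCESS_ALLOWED, 0))
    return aces


def describe_mask(mask):
    """Names of the bits in an access mask; a negative input is a signed 32-bit value."""
    mask &= 0xFFFFFFFF
    return [name for bit, name in RIGHT_NAMES if mask & bit]


def risky_grants(spec):
    """Trustees in the spec that are broad well-known principals being granted Full or Change."""
    return [t for action, t, letter in parse_spec(spec)
            if action == "ADD" and letter in ("F", "C")
            and t.split("\\")[-1].upper() in BROAD_TRUSTEES]


if __name__ == "__main__":
    spec = "add(bryce:f)+add(Administrator:f)+add(Guest:f)"   # the spec from the post above
    for ace in build_aces(spec, is_folder=True):
        print(ace.trustee, hex(ace.mask), ace.flags, describe_mask(ace.mask))
    print("broad trustees granted F/C:", risky_grants(spec))
```

describe_mask() also explains the literal masks that turn up later in the thread: 2032127 is FILE_ALL_ACCESS (every file-specific and standard right), 1245631 is that set minus WRITE_DAC, WRITE_OWNER and FILE_DELETE_CHILD (the Modify set), and -536805376 is simply the "C" mask above printed as a signed 32-bit value.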
#58269 - 2001-08-16 10:30 AM
Re: Kent: Review a WSH script - Part Deux
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
Shawn/Kent, Once you get the SHARE stuff nailed down, how about the other items? i.e. Can it be made to create user accounts from scratch and do all the normal things required? Add the user in User Manager, set the options for his account, create the folder for sharing, share the folder, apply SHARE permissions, apply NTFS permissions. If it can not all be done, then how about doing what can be done with this and then calling NET for the other items? Not sure I can/would be that much help on the coding side (Lonkero - are you up to it?) but I sure would like a good "FREE", automated TURN-KEY user account creation tool. Thanks... And a special thanks to Kent for helping me with a string manipulation problem today.
#58270 - 2001-08-16 11:01 AM
Re: Kent: Review a WSH script - Part Deux
Lonkero
KiX Master Guru
Registered: 2001-06-05
Posts: 22346
Loc: OK
hmm... I haven't been looking at this thread so intensively, but now it starts to look interesting... especially when Shawn got the share permission stuff coded... NTDOC, you are right when you say that we need them too, but I would want to see each of these in different UDFs. Maybe collected into one UDF too, but sometimes we need only one of these. Like, when you are creating a new user, the home drive will have NTFS permission full control for Everyone, while the share will have user:f and admin:f or admin:r (admin can access the drive from elsewhere, so here it isn't needed). hmm. Anyways, if creating a user account and with it a home share, then an e-mail account should also be created. These are the three categories. If collected into one, it'll be one huge (too huge) script. What do you guys think?
_________________________
!download KiXnet
#58271 - 2001-08-16 08:15 PM
Re: Kent: Review a WSH script - Part Deux
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Shawn, Well it's looking pretty good, but it still is not setting perms. I like your code better; a simple conversion from VBS did not cut it. I hope it was ok to add in some functionality.. code:

BREAK ON

IF 0 = InStr(@kix, "4.")   ; Check to see if KIX 4.x is being used
   ? "Kix 4.00 is required - Sorry."
   SLEEP 2
   EXIT
ENDIF

$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")

IF $sec   ; Check to see if ADSSECURITY.DLL is registered
   ; Capture the name of the person you are working with
   COLOR g+/n
   ? "Enter the userid of the person - jdoe"
   COLOR w+/n
   ?
   GETS $textusr
   IF $textusr = ""
      COLOR r+/n
      ? "No UserID input provided. Stopping script now."
      COLOR w+/n
      SLEEP 2
      EXIT
   ENDIF
   ; Capture the name of the server you are adding the share to
   COLOR g+/n
   ? "Enter the server - server"
   COLOR w+/n
   ?
   GETS $textshare
   IF $textshare = ""
      COLOR r+/n
      ? "No Server Name input provided. Stopping script now."
      COLOR w+/n
      SLEEP 2
      EXIT
   ENDIF
   ;;$usershare = "$textusr"
   ; Path for user folders
   $usershare = "\\" + $textshare + "\d$\users"
   ;;$userdir = "f:\users\$textusr"   ; path
   ; Now let's create a variable to work with - \\SERVER\d$\users\jdoe
   $userdir    = "\\" + $textshare + "\d$\users\" + $textusr   ; admin path, reachable from the workstation
   $usersd     = "d:\users\$textusr"                           ; the same folder as the server sees it (share path)
   $textsharen = "$textusr$$"                                  ; sharename
   ;===
   ; Create folder
   ;===
   IF NOT Exist($userdir)
      ? "Creating folder..."
      MD "$userdir"
   ELSE
      ? "Folder already exists..."
   ENDIF
   ;===
   ; Create share
   ;===
   $fservobj = GetObject("WinNT://$textshare/lanmanserver")
   $newshare = $fservobj.Create("fileshare", $textsharen)
   IF $newshare
      ? "Creating share ..."
      $newshare.Path = $usersd
      $newshare.SetInfo
      $newshare = 0
   ELSE
      ? "Share already exists..."
   ENDIF
   ;===
   ; Set ACLs
   ;===
   ; ADsSecurity resolves "FILE://<path>" from the machine running the script, so when this runs
   ; on a workstation the ACL target has to be the UNC path, not the server-local "d:\users\..." path
   $filenm = $userdir
   $permspart = "add($textusr:c)+add(Administrator:f)+add(Guest:f)"
   ;-- Replace ACL on single file or folder -------
   IF $ofs.FileExists($filenm)
      ChangeAcls($filenm, $permspart, "REPLACE", "FILE")
   ELSE
      IF $ofs.FolderExists($filenm)
         ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
      ENDIF
   ENDIF
   $ofs = 0
   $sec = 0
ELSE
   COLOR r+/n
   ? "ADsSecurity not installed on this machine"
   COLOR w+/n
   SLEEP 2
ENDIF
EXIT

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
   ;- Edit ACLs of the specified file or folder -----
   ; "REPLACE" drops every existing ACE first; "EDIT" only drops the ACEs of the trustees
   ; being re-added (so a "del(...)" entry only takes effect in EDIT mode)
   $ads_acetype_access_allowed = 0
   $ads_acetype_access_denied  = 1
   $ads_aceflag_inherit_ace    = 2   ; CONTAINER_INHERIT_ACE
   $ads_aceflag_sub_new        = 9   ; OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE
   $sd   = $sec.GetSecurityDescriptor("FILE://$file")
   $dacl = $sd.DiscretionaryAcl
   ;===
   ; if flagged Replace then remove all existing aces from dacl first
   ;===
   IF UCase($redit) = "REPLACE"
      FOR EACH $existingace IN $dacl
         ; $dacl.RemoveAce($existingace)   ; temp removed
      NEXT
   ENDIF
   ; break up Perms into individual actions
   $cmdarray = Split($perms, "+")
   FOR $x = 0 TO UBound($cmdarray)
      $tmpvar1 = $cmdarray[$x]
      IF UCase(Left($tmpvar1, 3)) = "DEL"
         $aclaction = "DEL"
      ELSE
         $aclaction = "ADD"
      ENDIF
      ; strip "add(" / "del(" and the closing ")" to get "trustee:right"
      $tmpcmdvar = Left($tmpvar1, Len($tmpvar1) - 1)
      $tmpcmdvar = Right($tmpcmdvar, Len($tmpcmdvar) - 4)
      $cmdparts  = Split($tmpcmdvar, ":")
      $namevar   = $cmdparts[0]
      $rightvar  = $cmdparts[1]
      ; if flagged edit, delete the ACEs belonging to the trustee we are about to add an ace for
      IF UCase($redit) = "EDIT"
         FOR EACH $existingace IN $dacl
            $trusteevar = $existingace.Trustee
            IF InStr($trusteevar, "\")
               $trunamevar = Right($trusteevar, Len($trusteevar) - InStr($trusteevar, "\"))
            ELSE
               $trunamevar = $trusteevar
            ENDIF
            $uctrunamevar = UCase($trunamevar)
            $ucnamevar    = UCase($namevar)
            IF $uctrunamevar = $ucnamevar
               $dacl.RemoveAce($existingace)
            ENDIF
         NEXT
      ENDIF
      ; if action is DEL the following clause skips addace
      IF $aclaction = "ADD"
         IF UCase($ffolder) = "FOLDER"
            ; folders require 2 aces per trustee (to do with inheritance)
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_sub_new)
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_inherit_ace)
         ELSE
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, 0)
         ENDIF
      ENDIF
   NEXT
   FOR EACH $ace IN $dacl
      ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
      IF InStr(UCase($ace.Trustee), "NT AUTHORITY\")
         $newtrustee  = Right($ace.Trustee, Len($ace.Trustee) - InStr($ace.Trustee, "\"))
         $ace.Trustee = $newtrustee
      ENDIF
   NEXT
   ; final sets and cleanup ($sec is the script-level object; the caller releases it)
   $sd.DiscretionaryAcl = $dacl
   $sec.SetSecurityDescriptor($sd)
   $sd   = 0
   $dacl = 0
ENDFUNCTION

FUNCTION AddAce($dacl, $trustee, $maskvar, $acetype, $aceflags)
   ; add ace to the specified dacl
   $right_read           = &80000000   ; GENERIC_READ
   $right_execute        = &20000000   ; GENERIC_EXECUTE
   $right_write          = &40000000   ; GENERIC_WRITE
   $right_delete         = &10000      ; DELETE
   $right_full           = &10000000   ; GENERIC_ALL
   $right_change_perms   = &40000      ; WRITE_DAC
   $right_take_ownership = &80000      ; WRITE_OWNER
   $ace = CreateObject("AccessControlEntry")
   $ace.Trustee = $trustee
   $maskvar = UCase($maskvar)
   SELECT
      CASE $maskvar = "F"
         $ace.AccessMask = $right_full
      CASE $maskvar = "C"
         $ace.AccessMask = $right_read | $right_write | $right_execute | $right_delete
      CASE $maskvar = "R"
         $ace.AccessMask = $right_read | $right_execute
   ENDSELECT
   $ace.AceType  = $acetype
   $ace.AceFlags = $aceflags
   $dacl.AddAce($ace)
   $ace = 0
ENDFUNCTION

FUNCTION Left($expc, $expn)
   $left = SubStr($expc, 1, $expn)
ENDFUNCTION

FUNCTION Right($expc, $expn)
   $right = SubStr($expc, Len($expc) - $expn + 1, $expn)
ENDFUNCTION
Thanks! - Kent
#58272 - 2001-08-16 09:24 PM
Re: Kent: Review a WSH script - Part Deux
Anonymous
Unregistered
Hi, I was working on a similar script. However, mine uses the resource kit command-line tools subinacl and rmtshare since they do exactly what I want them to do (lazy me). However, net user does not do exactly what I want - I can't point it at a specific domain or NT box. So I am asking for help with using ADSI instead. I have the VB code in there, but I can't figure out the syntax to make KiX run it. I have the two lines that do not work commented out. code:

BREAK ON
CLS

$HomeDrive = "H:"
$Computer  = "DCI41889"
$Drive     = "D"
$Path      = "\homes\"
$Domain    = "DCI41889"

WHILE 1
   $UserID = Input("User ID")
   IF Len($UserID) < 2
      QUIT
   ENDIF
   $UserObj = GetObject("WinNT://" + $Domain + "/" + $UserID + ",user")
   IF @ERROR = 0
      ; admin-share path to the home folder, e.g. \\DCI41889\D$\homes\jdoe
      $UNC = "\\" + $Computer + "\" + $Drive + "$" + $Path + $UserID
      IF NOT Exist($UNC)
         MD $UNC
         ? "Made directory"
      ELSE
         ? $UNC + " directory already exists"
      ENDIF
      ; hidden per-user share; share-level Everyone:Change, the NTFS grant below limits effective access
      $Share = "\\" + $Computer + "\" + $UserID + "$"
      IF NOT Exist($Share)
         SHELL "rmtshare.exe " + $Share + "=" + $Drive + ":" + $Path + $UserID + " /grant everyone:c"
         ? $Share + " has been shared"
      ELSE
         ? $Share + " share already exists"
      ENDIF
      SHELL "subinacl.exe /noverbose /subdir " + $UNC + " /grant=" + $Domain + "\" + $UserID + "=C"
      SHELL "net user " + $UserID + " /homedir:" + $Share + " /domain"
      ; ADSI equivalent of the NET USER line above (the two lines that did not work as posted).
      ; In KiXtart the object variable needs its $ sigil and method calls take parentheses:
      ; $UserObj.Put("HomeDirectory", $Share)
      ; $UserObj.Put("HomeDirDrive", $HomeDrive)
      ; $UserObj.SetInfo
      $UserObj = 0
   ELSE
      ? "User ID not found in " + $Domain
   ENDIF
LOOP

FUNCTION Input($Prompt)
   ; prompt until the operator types something non-empty
   DO
      ? $Prompt + ":"
      GETS $Input
   UNTIL $Input
ENDFUNCTION
#58273 - 2001-08-17 06:20 AM
Re: Kent: Review a WSH script - Part Deux
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
Kent, Try this - changed the permission masks from hex to decimal ... the formatting is all screwed up, plus you'll have to change the share pointers back to your specifics ... code:

BREAK ON

IF 0 = InStr(@kix, "4.")   ; Check to see if KIX 4.x is being used
   ? "Kix 4.00 is required - Sorry."
   SLEEP 2
   EXIT
ENDIF

$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")

IF $sec   ; Check to see if ADSSECURITY.DLL is registered
   ; Capture the name of the person you are working with
   COLOR g+/n
   ? "Enter the userid of the person - jdoe"
   COLOR w+/n
   ?
   GETS $textusr
   IF $textusr = ""
      COLOR r+/n
      ? "No UserID input provided. Stopping script now."
      COLOR w+/n
      SLEEP 2
      EXIT
   ENDIF
   ; Capture the name of the server you are adding the share to
   COLOR g+/n
   ? "Enter the server - server"
   COLOR w+/n
   ?
   GETS $textshare
   IF $textshare = ""
      COLOR r+/n
      ? "No Server Name input provided. Stopping script now."
      COLOR w+/n
      SLEEP 2
      EXIT
   ENDIF
   ;;$usershare = "$textusr"
   ; Path for user folders
   $usershare = "\\" + $textshare + "\d$\users"
   ;;$userdir = "f:\users\$textusr"   ; path
   ; Now let's create a variable to work with - \\SERVER\users\jdoe
   ; (local f: paths: this version assumes it runs on the file server itself)
   $userdir    = "f:\users\" + $textusr
   $usersd     = "f:\users\$textusr"
   $textsharen = "$textusr$$"   ; sharename
   ;===
   ; Create folder
   ;===
   IF NOT Exist($userdir)
      ? "Creating folder..."
      MD "$userdir"
   ELSE
      ? "Folder already exists..."
   ENDIF
   ;===
   ; Create share
   ;===
   $fservobj = GetObject("WinNT://$textshare/lanmanserver")
   $newshare = $fservobj.Create("fileshare", $textsharen)
   IF $newshare
      ? "Creating share ..."
      $newshare.Path = $usersd
      $newshare.SetInfo
      $newshare = 0
   ELSE
      ? "Share already exists..."
   ENDIF
   ;===
   ; Set ACLs
   ;===
   $filenm = $usersd
   $permspart = "add($textusr:c)+add(Administrator:f)+add(Guest:f)"
   ;-- Replace ACL on single file or folder -------
   IF $ofs.FileExists($filenm)
      ChangeAcls($filenm, $permspart, "REPLACE", "FILE")
   ELSE
      IF $ofs.FolderExists($filenm)
         ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
      ENDIF
   ENDIF
   $ofs = 0
   $sec = 0
ELSE
   COLOR r+/n
   ? "ADsSecurity not installed on this machine"
   COLOR w+/n
   SLEEP 2
ENDIF
EXIT

;===
; support functions
;===
FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
   ;- Edit ACLs of the specified file or folder -----
   ; "REPLACE" drops every existing ACE first; "EDIT" only drops the ACEs of the trustees
   ; being re-added (so a "del(...)" entry only takes effect in EDIT mode)
   $ads_acetype_access_allowed = 0
   $ads_acetype_access_denied  = 1
   $ads_aceflag_inherit_ace    = 2   ; CONTAINER_INHERIT_ACE
   $ads_aceflag_sub_new        = 9   ; OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE
   $sd   = $sec.GetSecurityDescriptor("FILE://$file")
   $dacl = $sd.DiscretionaryAcl
   ;===
   ; if flagged Replace then remove all existing aces from dacl first
   ;===
   IF UCase($redit) = "REPLACE"
      FOR EACH $existingace IN $dacl
         ; $dacl.RemoveAce($existingace)   ; temp removed
      NEXT
   ENDIF
   ; break up Perms into individual actions
   $cmdarray = Split($perms, "+")
   FOR $x = 0 TO UBound($cmdarray)
      $tmpvar1 = $cmdarray[$x]
      IF UCase(Left($tmpvar1, 3)) = "DEL"
         $aclaction = "DEL"
      ELSE
         $aclaction = "ADD"
      ENDIF
      ; strip "add(" / "del(" and the closing ")" to get "trustee:right"
      $tmpcmdvar = Left($tmpvar1, Len($tmpvar1) - 1)
      $tmpcmdvar = Right($tmpcmdvar, Len($tmpcmdvar) - 4)
      $cmdparts  = Split($tmpcmdvar, ":")
      $namevar   = $cmdparts[0]
      $rightvar  = $cmdparts[1]
      ; if flagged edit, delete the ACEs belonging to the trustee we are about to add an ace for
      IF UCase($redit) = "EDIT"
         FOR EACH $existingace IN $dacl
            $trusteevar = $existingace.Trustee
            IF InStr($trusteevar, "\")
               $trunamevar = Right($trusteevar, Len($trusteevar) - InStr($trusteevar, "\"))
            ELSE
               $trunamevar = $trusteevar
            ENDIF
            $uctrunamevar = UCase($trunamevar)
            $ucnamevar    = UCase($namevar)
            IF $uctrunamevar = $ucnamevar
               $dacl.RemoveAce($existingace)
            ENDIF
         NEXT
      ENDIF
      ; if action is DEL the following clause skips addace
      IF $aclaction = "ADD"
         IF UCase($ffolder) = "FOLDER"
            ; folders require 2 aces per trustee (to do with inheritance)
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_sub_new)
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_inherit_ace)
         ELSE
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, 0)
         ENDIF
      ENDIF
   NEXT
   FOR EACH $ace IN $dacl
      ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
      IF InStr(UCase($ace.Trustee), "NT AUTHORITY\")
         $newtrustee  = Right($ace.Trustee, Len($ace.Trustee) - InStr($ace.Trustee, "\"))
         $ace.Trustee = $newtrustee
      ENDIF
   NEXT
   ; final sets and cleanup ($sec is the script-level object; the caller releases it)
   $sd.DiscretionaryAcl = $dacl
   $sec.SetSecurityDescriptor($sd)
   $sd   = 0
   $dacl = 0
ENDFUNCTION

FUNCTION AddAce($dacl, $trustee, $maskvar, $acetype, $aceflags)
   ; add ace to the specified dacl (masks in decimal, combined with + since the bits do not overlap)
   $right_read           = 2147483648   ; GENERIC_READ     (&80000000)
   $right_execute        = 536870912    ; GENERIC_EXECUTE  (&20000000)
   $right_write          = 1073741824   ; GENERIC_WRITE    (&40000000)
   $right_delete         = 65536        ; DELETE           (&10000)
   $right_full           = 268435456    ; GENERIC_ALL      (&10000000)
   $right_change_perms   = 262144       ; WRITE_DAC        (&40000)
   $right_take_ownership = 524288       ; WRITE_OWNER      (&80000)
   $ace = CreateObject("AccessControlEntry")
   $ace.Trustee = $trustee
   $maskvar = UCase($maskvar)
   SELECT
      CASE $maskvar = "F"
         $ace.AccessMask = $right_full
      CASE $maskvar = "C"
         $ace.AccessMask = $right_read + $right_write + $right_execute + $right_delete
      CASE $maskvar = "R"
         $ace.AccessMask = $right_read + $right_execute
   ENDSELECT
   $ace.AceType  = $acetype
   $ace.AceFlags = $aceflags
   $dacl.AddAce($ace)
   $ace = 0
ENDFUNCTION

FUNCTION Left($expc, $expn)
   $left = SubStr($expc, 1, $expn)
ENDFUNCTION

FUNCTION Right($expc, $expn)
   $right = SubStr($expc, Len($expc) - $expn + 1, $expn)
ENDFUNCTION
-Shawn
#58276 - 2001-08-21 04:37 PM
Re: Kent: Review a WSH script - Part Deux
mvdw
Starting to like KiXtart
Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
kdyer/shawn, I noticed that in the SDK, in the examples of ACL editing, there is a SetInfo statement on the object you are changing the ACL of, right at the end after the SetSecurityDescriptor statement. I am still writing other code and have not had the chance to test anything, but reading the script I noticed it was missing this statement... hope it helps... regards, MvdW [ 21 August 2001: Message edited by: mvdw ]
_________________________
rgrds,
Maarten
#58277 - 2001-08-21 09:06 PM
Re: Kent: Review a WSH script - Part Deux
mvdw
Starting to like KiXtart
Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Sorry guys, that was nonsense... I think I have it now, that is I can edit NTFS permissions, but I have not made nice loops and functions out of it. That's mainly because I have slightly different needs in my script... it has the double entries for a folder and also.. you'll see. I got this to work though: code:

$sec  = CreateObject("ADsSecurity")
$sd   = $sec.GetSecurityDescriptor("FILE://$homedir")
$dacl = $sd.DiscretionaryAcl

; strip the existing DACL (removing entries while enumerating them can skip ACEs; check the result afterwards)
FOR EACH $entry IN $dacl
   $dacl.RemoveAce($entry)
NEXT

; Add the domain admins with full control and the user with full control (I know this is stupid, but that's
; what the standard is at the idiots who pay me my salary). If you want Change perms, set the AccessMask to
; 1245631 in the ACE with AceFlags set to 2 and set the AccessMask to -536805376 on the ACE that has AceFlags
; set to 9 (this was done by trial and lots of error).
$ace1 = CreateObject("AccessControlEntry")
$ace1.AccessMask = 2032127      ; full control (FILE_ALL_ACCESS)
$ace1.AceType    = 0            ; allowed
$ace1.AceFlags   = 2            ; inheritable (CONTAINER_INHERIT_ACE)
$ace1.Trustee    = GetSid("WinNT://$domain/domain admins,group")

$ace2 = CreateObject("AccessControlEntry")
$ace2.AccessMask = 268435456    ; full control (GENERIC_ALL)
$ace2.AceType    = 0            ; allowed
$ace2.AceFlags   = 9            ; inheritable (OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE)
$ace2.Trustee    = GetSid("WinNT://$domain/domain admins,group")

$ace3 = CreateObject("AccessControlEntry")
$ace3.AccessMask = 2032127      ; full control
$ace3.AceType    = 0            ; allowed
$ace3.AceFlags   = 2            ; inheritable
$ace3.Trustee    = GetSid("WinNT://$domain/$username,user")

$ace4 = CreateObject("AccessControlEntry")
$ace4.AccessMask = 268435456    ; full control
$ace4.AceType    = 0            ; allowed
$ace4.AceFlags   = 9            ; inheritable
$ace4.Trustee    = GetSid("WinNT://$domain/$username,user")

$dacl.AddAce($ace1)
$dacl.AddAce($ace2)
$dacl.AddAce($ace3)
$dacl.AddAce($ace4)

$sd.DiscretionaryAcl = $dacl
$sec.SetSecurityDescriptor($sd)
$sd = 0

Apart from the enumeration of the AccessMask, which is quite easily taken care of by manually setting the perms you like and just listing them with a little script, the problem was that I only got it to work if the trustee was given as the SID (there we go...) of the user/group. I have adapted Shawn's GetRid function to make the GetSid function.. code:

FUNCTION GetSid($adspath)
   DIM $adssid, $hex, $sac, $sa, $sareverse, $textsid, $x
   $adssid = CreateObject("ADsSID")
   $adssid.SetAs(5, "$adspath")        ; put ADsPath in
   $hex = $adssid.GetAs(1)             ; take the SID out as a hex string of its raw bytes
   ; byte 0 = revision, byte 1 = sub-authority count, bytes 2-7 = identifier authority (big-endian);
   ; Val() reads these digit pairs as decimal, which is fine for the small values that occur here
   $sac = Val(SubStr($hex, 3, 2))
   $textsid = "S-" + Val(SubStr($hex, 1, 2)) + "-" + Val(SubStr($hex, 5, 12))
   ; each sub-authority is a 4-byte little-endian value starting at byte 8, so reverse the byte order
   FOR $x = 1 TO $sac
      $sa = SubStr($hex, (9 + $x * 8), 8)
      $sareverse = Val("&" + SubStr($sa, 7, 2) + SubStr($sa, 5, 2) + SubStr($sa, 3, 2) + SubStr($sa, 1, 2))
      $textsid = $textsid + "-" + $sareverse
   NEXT
   $GetSid = $textsid
ENDFUNCTION

I have tried other types of the SID but I can only get it to work with this one.. BUT NOW... another problem: I have set the NTFS perms on the folder but I also want to set share permissions. I have tried the following script: code:

BREAK ON
$object = GetObject("WinNT://wcws020/LanmanServer/D")
$sec = CreateObject("ADsSecurity")
? $object.Name
? $object.Description
? $object.Path
$sd = $sec.GetSecurityDescriptor("WinNT://wcws020/LanmanServer/D")
$dacl = $sd.DiscretionaryAcl        ; this is the line that fails (see below)
FOR EACH $e IN $dacl
   ? $e.Trustee + " " + $e.AccessMask + " " + $e.AceType + " " + $e.AceFlags
NEXT
? "finito"
GET $k
EXIT

WCWS020 is the workstation (remote) and D is the share name. It does properly show me the path, name and description, but it generates a script error at: $dacl = $sd.discretionaryacl - unknown command, it says... but to the best of my knowledge all the objects have a discretionary ACL, and it works like a charm on files/folders. ANY IDEAS?? Thanx, MvdW
_________________________
rgrds,
Maarten
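The GetSid() function in the post above rebuilds the textual SID from the hex string ADsSID hands back: a revision byte, a sub-authority count byte, a 6-byte identifier authority, then 4-byte sub-authorities stored little-endian, which is why the script reverses each group of four bytes. Here is the same conversion in both directions as an added Python example (not code from the thread); the SIDs it runs on are constructed well-known values. It also recovers the unsigned value when a signed 32-bit conversion such as Val("&...") returns a negative number for a sub-authority above 2^31.

```python
"""Binary <-> text conversion of a Windows SID, following the byte layout the
KiXtart GetSid() function above walks through: revision (1 byte), sub-authority
count (1 byte), identifier authority (6 bytes, big-endian), then count x 4-byte
little-endian sub-authorities.  Added example, not code from the thread; the
sample SIDs below are constructed well-known values."""

import struct

SID_MAX_SUB_AUTHORITIES = 15   # SID_MAX_SUB_AUTHORITIES in winnt.h


def sid_from_bytes(raw):
    """Decode a raw SID into "S-<rev>-<authority>-<sub1>-..." with length validation."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)   # little-endian, like the KiXtart byte reversal
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_from_hex(hex_sid):
    """Same input shape the KiXtart code gets from ADsSID.GetAs(1): the raw bytes as a hex string."""
    return sid_from_bytes(bytes.fromhex(hex_sid))


def sid_to_bytes(sid):
    """Encode "S-1-5-21-..." back to the raw form (the inverse of sid_from_bytes)."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("bad sub-authority list")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def unsigned32(value):
    """Undo a signed 32-bit wrap: a sub-authority >= 2**31 read through a signed Val() comes out negative."""
    return value & 0xFFFFFFFF


def rid(sid):
    """The last sub-authority: the relative id of the account or group."""
    return int(sid.rsplit("-", 1)[1])


def domain_sid(sid):
    """The S-1-5-21-<a>-<b>-<c> prefix of a domain account SID, or None for other SIDs."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) >= 8:
        return "-".join(parts[:7])
    return None


if __name__ == "__main__":
    # constructed samples: BUILTIN\Administrators, and a domain user with a sub-authority above 2**31
    print(sid_from_hex("0102000000000005" + "20000000" + "20020000"))   # S-1-5-32-544
    user = "S-1-5-21-3623811015-3361044348-30300820-1013"
    raw = sid_to_bytes(user)
    print(raw.hex(), sid_from_bytes(raw) == user, rid(user), domain_sid(user))
    print(unsigned32(-671156281))   # 3623811015
```

The hex string for BUILTIN\Administrators in the sample reads, byte by byte, 01 (revision), 02 (two sub-authorities), 000000000005 (authority 5), 20000000 (32, little-endian) and 20020000 (544, little-endian); that is exactly the walk the KiXtart function does with SubStr and Val.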
#58278 - 2001-08-22 03:20 PM
Re: Kent: Review a WSH script - Part Deux
mvdw
Starting to like KiXtart
Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Hmmzzz, still not working. I have found some hints. One at http://www.winscriptingsolutions.com/Articles/Index.cfm?ArticleID=7991&Key=Visual%20InterDev where it says: You can set share permissions with WMI's Win32_Share, Win32_SecurityDescriptor, Win32_ACE, and Win32_Trustee classes, and also at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadssecurityutility_getsecuritydescriptor.asp where it says some interesting things. It is mentioned that the AccessMask which can normally be used to set what to retrieve (filter on SACL, DACL, user or group information) cannot be used on a fileshare. This would indicate that the security descriptor for a fileshare is fundamentally different and probably needs a different way of interaction/syntax. It also says you need to specify the parameters when setting the security descriptor of a fileshare. I have already tried several ways to get it to work but I am not succeeding, nor can I find any example script on the net where fileshare ACLs are manipulated.
I think I have been staring at it too long at the moment, so if anybody has a fresh idea.. regards, MvdW
_________________________
rgrds,
Maarten
#58279 - 2001-08-22 03:52 PM
Re: Kent: Review a WSH script - Part Deux
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
m, Check out Part I of this thread (first post, second page) ... OFF TOPIC - Shawn can you review a WSH script for me? I coded a routine to set NTFS share permissions using WMI ... and like I said - it was very painful because there's no information out there ... As well - the target server needs to have WMI installed. Windows 2000 servers come standard with WMI - NT servers need the retro WMI install ... bummer! The failure to set share permissions in ADSI is - I believe - a fundamental limitation of the WinNT service provider interface. ADsSecurity helps - but it's not the silver bullet - should delve more to see if this is true? Check out the code - it is worthwhile to pursue a WMI solution? -Shawn By the way - I see you wrote a routine to do a little SID reconstructive surgery (GetSID)? Very slick and well done. If anything - (I/we) are learning quite a bit about NT internals ... [ 22 August 2001: Message edited by: Shawn ]
#58280 - 2001-08-22 07:09 PM
Re: Kent: Review a WSH script - Part Deux
mvdw
Starting to like KiXtart
Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Shawn, you can definitely say we are learning more and more about what's underneath in NT. I will check out the share permissions through WMI tomorrow (still don't have internet at home.. in two months I'm moving, so then I'll probably be flooding the board ;-) It's a shame I need to implement WMI on the servers first. I'll probably implement it at several customers, and some of them are W2K, but a bunch are still NT 4, and usually when I opt for new additions like this, development starts nagging (we have some fundamental differences in opinion.. .. but that's just for one of the customers). Is WMI a tough install or just a couple of registered DLLs?? -- The saga never ends..
Ciao, MvdW. PS: are you also noticing that the one thing that is hard to code is often the thing that has absolutely no info on the web/example scripts.. or is that by definition?
_________________________
rgrds,
Maarten
#58283 - 2001-08-23 03:26 AM
Re: Kent: Review a WSH script - Part Deux
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Shawn, I must be totally asleep. Anyway, please find the script below with comments. Let me know what you think? Are we getting anywhere with WMI/WBEM on this? As you may notice, I went back to your initial conversion of this. code:

BREAK ON

$wshshell = CreateObject("WScript.Shell")   ; (not used below)
$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")

$textusr    = "kdyer"                             ; userid
$textshare  = "server"                            ; machine
$textsharen = "$textusr$$"                        ; sharename
$usershare  = "$textusr"                          ; userid
$usersd     = "\\$textshare\d$\users\$textusr"    ; Admin path across the WAN
$userdir    = "d:\users\$textusr"                 ; Local path on server

;===
; Create folder
;===
; -- Since we are playing around with Objects, let's try this with a WSCRIPT type command
; -- Uh doesn't work.. :-(
;IF NOT $ofs.FolderExists($usersd)
;   ? "Creating folder..."
;   $ofs.CreateFolder($usersd)
;ELSE
;   ? "Folder already exists..."
;ENDIF
IF NOT Exist($usersd)
   ? "Creating folder..."
   ;MD "$userdir"
   MD "$usersd"
ELSE
   ? "Folder already exists..."
ENDIF

;===
; Create share
;===
$fservobj = GetObject("WinNT://" + $textshare + "/lanmanserver")
$newshare = $fservobj.Create("fileshare", $textsharen)
IF $newshare
   ? "Creating share ..."
   $newshare.Path = $userdir        ; the share path is the folder as the server sees it
   $newshare.SetInfo
   $newshare = 0
ELSE
   ? "Share already exists..."
ENDIF

;===
; Set ACLs
;===
$filenm = $usersd                   ; ACL target as reachable from where the script runs
;$filenm = $userdir
$permspart = "add($textusr:c)+add(domain admins:F)+add(Administrators:F)+del(everyone:F)"

;-- Replace ACL on single file or folder -------
IF $ofs.FileExists($filenm)
   ChangeAcls($fil
enm, $permspart, "REPLACE", "FILE")
ELSE
   IF $ofs.FolderExists($filenm)
      ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
   ENDIF
ENDIF
$ofs = 0
$sec = 0
EXIT

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
   ; -- Let's do some debugging
   ;? $file + " file"
   ;? $perms + " perms"
   ;? $redit + " redit"
   ;? $ffolder + " ffolder"
   ;SLEEP 2
   ;GETS $x
   ;- Edit ACLs of the specified file or folder -----
   ; "REPLACE" drops every existing ACE first, so the "del(everyone:F)" entry above is only
   ; meaningful in "EDIT" mode, where DEL removes that trustee's ACEs and adds nothing back
   $ads_acetype_access_allowed = 0
   $ads_acetype_access_denied  = 1
   $ads_aceflag_inherit_ace    = 2   ; CONTAINER_INHERIT_ACE
   $ads_aceflag_sub_new        = 9   ; OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE
   $sd   = $sec.GetSecurityDescriptor("FILE://$file")
   $dacl = $sd.DiscretionaryAcl
   ;===
   ; if flagged Replace then remove all existing aces from dacl first
   ;===
   IF UCase($redit) = "REPLACE"
      FOR EACH $existingace IN $dacl
         $dacl.RemoveAce($existingace)   ; Needed for removal of user(s)
                                         ; (removing while enumerating can skip ACEs; check the result afterwards)
      NEXT
   ENDIF
   ; break up Perms into individual actions
   $cmdarray = Split($perms, "+")
   FOR $x = 0 TO UBound($cmdarray)
      $tmpvar1 = $cmdarray[$x]
      IF UCase(Left($tmpvar1, 3)) = "DEL"
         $aclaction = "DEL"
      ELSE
         $aclaction = "ADD"
      ENDIF
      ; strip "add(" / "del(" and the closing ")" to get "trustee:right"
      $tmpcmdvar = Left($tmpvar1, Len($tmpvar1) - 1)
      $tmpcmdvar = Right($tmpcmdvar, Len($tmpcmdvar) - 4)
      $cmdparts  = Split($tmpcmdvar, ":")
      $namevar   = $cmdparts[0]
      $rightvar  = $cmdparts[1]
      ; if flagged edit, delete the ACEs belonging to the trustee we are about to add an ace for
      IF UCase($redit) = "EDIT"
         FOR EACH $existingace IN $dacl
            $trusteevar = $existingace.Trustee
            IF InStr($trusteevar, "\")
               $trunamevar = Right($trusteevar, Len($trusteevar) - InStr($trusteevar, "\"))
            ELSE
               $trunamevar = $trusteevar
            ENDIF
            $uctrunamevar = UCase($trunamevar)
            $ucnamevar    = UCase($namevar)
            IF $uctrunamevar = $ucnamevar
               $dacl.RemoveAce($existingace)
            ENDIF
         NEXT
      ENDIF
      ; if action is DEL the following clause skips addace
      IF $aclaction = "ADD"
         IF UCase($ffolder) = "FOLDER"
            ; folders require 2 aces per trustee (to do with inheritance)
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_sub_new)
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_inherit_ace)
         ELSE
            AddAce($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, 0)
         ENDIF
      ENDIF
   NEXT
   FOR EACH $ace IN $dacl
      ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
      IF InStr(UCase($ace.Trustee), "NT AUTHORITY\")
         $newtrustee  = Right($ace.Trustee, Len($ace.Trustee) - InStr($ace.Trustee, "\"))
         $ace.Trustee = $newtrustee
      ENDIF
   NEXT
   ; final sets and cleanup ($sec is the script-level object; the caller releases it)
   $sd.DiscretionaryAcl = $dacl
   $sec.SetSecurityDescriptor($sd)
   $sd   = 0
   $dacl = 0
ENDFUNCTION

FUNCTION AddAce($dacl, $trustee, $maskvar, $acetype, $aceflags)
   ; add ace to the specified dacl
   $right_read           = 2147483648   ; -- Converted to DEC from HEX - Thanks Shawn!
   $right_execute        = 536870912
   $right_write          = 1073741824
   $right_delete         = 65536
   $right_full           = 268435456
   $right_change_perms   = 262144
   $right_take_ownership = 524288
   ;$RIGHT_READ           = &80000000   ; -- Permissions come out odd, prepend HEX with & page 18 of Kix Manual
   ;$RIGHT_EXECUTE        = &20000000
   ;$RIGHT_WRITE          = &40000000
   ;$RIGHT_DELETE         = &10000
   ;$RIGHT_FULL           = &10000000
   ;$RIGHT_CHANGE_PERMS   = &40000
   ;$RIGHT_TAKE_OWNERSHIP = &80000
   $ace = CreateObject("AccessControlEntry")
   $ace.Trustee = $trustee
   ;? $maskvar + " Maskvar"
   ;SLEEP 2
   $maskvar = UCase($maskvar)
   SELECT
      CASE $maskvar = "F"
         $ace.AccessMask = $right_full
      CASE $maskvar = "C"
         $ace.AccessMask = $right_read + $right_write + $right_execute + $right_delete
      CASE $maskvar = "R"
         $ace.AccessMask = $right_read + $right_execute
   ENDSELECT
   ; -- If you use this method, you will get "the parameter is incorrect" message.
   ;SELECT
   ;   CASE $maskvar = "F"
   ;      $ace.AccessMask = $RIGHT_FULL
   ;   CASE $maskvar = "C"
   ;      $ace.AccessMask = $RIGHT_READ | $RIGHT_WRITE | $RIGHT_EXECUTE | $RIGHT_DELETE
   ;   CASE $maskvar = "R"
   ;      $ace.AccessMask = $RIGHT_READ | $RIGHT_EXECUTE
   ;ENDSELECT
   $ace.AceType  = $acetype
   $ace.AceFlags = $aceflags
   $dacl.AddAce($ace)
   $ace = 0
ENDFUNCTION

FUNCTION Left($expc, $expn)
   $left = SubStr($expc, 1, $expn)
ENDFUNCTION

FUNCTION Right($expc, $expn)
   $right = SubStr($expc, Len($expc) - $expn + 1, $expn)
ENDFUNCTION
Thanks! - Kent
#58284 - 2001-08-24 08:56 AM
Re: Kent: Review a WSH script - Part Deux
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR