#58268 - 2001-08-16 04:49 AM Kent: Review a WSH script - Part Deux
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Kent,

Thought I would start a new thread ...

This is where we're at. With your forgiveness, I stripped your script down and did a bit of reformatting (the download toasted the script) ...

Notes:

1) Just provide the details @ the top

2) I'm testing this on a non-network connected Windows 2000 box - I haven't tested on a real remote server

3) I disabled the initial deletion of all the ACE's 'cause this tended to screw things if the script failed ...

Hope this helps the cause:

code:

break on

$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")

$textusr = "bryce" ; username
$textshare = "tassie" ; machine
$textsharen = "$textusr$$" ; sharename
$usershare = "$textusr" ;
$userdir = "f:\users\$textusr" ; path

;===
; Create folder
;===

if not exist($userdir)
?"Creating folder..."
md "$userdir"
else
?"Folder already exists..."
endif

;===
; Create share
;===

$fservobj = GetObject("WinNT://"+ $textshare +"/lanmanserver")

$newshare = $fservobj.create("fileshare",$textsharen)
if $newshare
?"Creating share ..."
$newshare.path = $userdir
$newshare.setinfo
$newshare=0
else
?"Share already exists..."
endif

;===
; Set ACLs
;===

$filenm = $userdir
$permspart = "add($textusr:f)+add(Administrator:f)+add(Guest:f)"

;-- Replace ACL on single file or folder-------

if $ofs.fileexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FILE")
else
if $ofs.folderexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
endif
endif

; release the FileSystemObject before leaving; the UDFs below are only run when called
$ofs=0

exit

FUNCTION ChangeAcls($file,$perms,$redit,$ffolder)

;- Edit ACLS of specified file -----

$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ADS_ACETYPE_ACCESS_DENIED = 1
$ADS_ACEFLAG_INHERIT_ACE = 2
$ADS_ACEFLAG_SUB_NEW = 9

$sd = $sec.GetSecurityDescriptor("FILE://$file")
$dacl = $sd.discretionaryacl

;===
;if flagged Replace then remove all existing aces from dacl first
;===

IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
; $dacl.removeace($existingace) ; temp removed
NEXT
ENDIF

;break up Perms into individual actions

$cmdarray=split($perms,"+")

FOR $x=0 TO ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
ENDIF

$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]

; if flagged edit, delete the ACEs belonging to the user we are about to add an ACE for

IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF

$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)

IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
ELSE
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED,0)
ENDIF
ENDIF
NEXT

FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee, "\"))
$ace.trustee=$newtrustee
ENDIF
NEXT

; final sets and cleanup

$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor($sd)

$sd=0
$dacl=0
$sec=0

ENDFUNCTION

FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)

; add ace to the specified dacl

$RIGHT_READ = &80000000
$RIGHT_EXECUTE = &20000000
$RIGHT_WRITE = &40000000
$RIGHT_DELETE = &10000
$RIGHT_FULL = &10000000
$RIGHT_CHANGE_PERMS = &40000
$RIGHT_TAKE_OWNERSHIP = &80000

$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee

$maskvar = ucase($maskvar)
SELECT
CASE $maskvar="F"
$ace.accessmask = $RIGHT_FULL
CASE $maskvar="C"
$ace.accessmask = $RIGHT_READ | $RIGHT_WRITE | $RIGHT_EXECUTE | $RIGHT_DELETE
CASE $maskvar="R"
$ace.accessmask = $RIGHT_READ | $RIGHT_EXECUTE
ENDSELECT

$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace($ace)
$ace=0

ENDFUNCTION

function Left($ExpC,$ExpN)
$Left=substr($ExpC,1,$ExpN)
endfunction

function Right($ExpC,$ExpN)
$Right=substr($ExpC,len($ExpC)-$ExpN+1,$ExpN)
endfunction


[p.s. I ripped the right() and left() functions from ScriptLogic - Brian - thank-you my friend !]

#58269 - 2001-08-16 10:30 AM Re: Kent: Review a WSH script - Part Deux
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Shawn/Kent,

Once you get the SHARE stuff nailed down, how about the other items?
i.e.
Can it be made to create user accounts from scratch and do all the normal things required?

Add the user to User Manager,
Set his options for his account,
Create the folder for sharing
Share the folder,
Apply SHARE permissions
Apply NTFS permissions

If it can not all be done then how about doing what can be done with this and then calling NET for the other items?

Not sure I can/would be that much help on the coding side (Lonkero - are you up to it?)
but I sure would like a good "FREE",
automated TURN-KEY User Account creation tool.

Thanks...

And a special thanks to Kent for helping me with a string manipulation problem today.

#58270 - 2001-08-16 11:01 AM Re: Kent: Review a WSH script - Part Deux
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
hmm...
I haven't been looking at this thread so intensively, but now it starts to look interesting...
especially when Shawn got the share permission stuff coded...

NTDOC, you are right when you say that we need them too, but I would want to see each of these in different UDFs. Maybe collected into one UDF too, but sometimes we need only one of these.
Like, when you are creating a new user, the homedrive will have NTFS permission for full control for everyone.
When the share will have user:f and admin:f or admin:r (admin can access the drive from elsewhere, so it isn't needed here.)

hmm. Anyway, if creating a user account and with it a homeshare, then an e-mail account should also be created. These are the three categories. If collected into one, it'll be one huge (too huge) script.
What do you guys think?


#58271 - 2001-08-16 08:15 PM Re: Kent: Review a WSH script - Part Deux
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Shawn,

Well it's looking pretty good, but still is not setting perms.

I like your code better, a simple conversion from VBS did not cut it.

I hope it was ok to add in some functionality..

code:

BREAK ON


IF 0 = InStr(@kix, "4.") ; Check to see if KIX 4.x is being used
? "Kix 4.00 is required - Sorry."
SLEEP 2
EXIT
ENDIF


$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")

IF $sec ; Check to see if ADSSECURITY.DLL is registered

; Capture the name of the person you are working with
COLOR g+/n
? "Enter the userid of the person - jdoe"
COLOR w+/n
?
GETS $textusr

IF $textusr = ""
COLOR r+/n
? "No UserID input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF

; Capture the name of the server you are adding the share to
COLOR g+/n
? "Enter the server - server"
COLOR w+/n

?
GETS $textshare

IF $textshare = ""
COLOR r+/n
? "No Server Name input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF


;;$usershare = "$textusr" ;

; Path for user folders
$usershare = "\\" + $textshare + "\d$\users"


;;$userdir = "f:\users\$textusr" ; path

; Now let's create a variable to work with - \\SERVER\users\jdoe
; Directory to save
$userdir = "\\"+ $textshare + "\d$\users\" + $textusr
$usersd = "d:\users\$textusr"

$textsharen = "$textusr$$" ; sharename

;===
; Create folder
;===
IF NOT exist($userdir)
?"Creating folder..."
MD "$userdir"
ELSE
?"Folder already exists..."
ENDIF
;===
; Create share
;===
$fservobj = GetObject("WinNT://$textshare/lanmanserver")
$newshare = $fservobj.create("fileshare",$textsharen)
IF $newshare
?"Creating share ..."
$newshare.path = $usersd
$newshare.setinfo
$newshare=0
ELSE
?"Share already exists..."
ENDIF
;===
; Set ACLs
;===
$filenm = $usersd
$permspart = "add($textusr:c)+add(Administrator:f)+add(Guest:f)"
;-- Replace ACL on single file or folder-------
IF $ofs.fileexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FILE")
ELSE
IF $ofs.folderexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
ENDIF
ENDIF
; release the FileSystemObject before leaving; the UDFs below are only run when called
$ofs=0
EXIT
FUNCTION ChangeAcls($file,$perms,$redit,$ffolder)
;- Edit ACLS of specified file -----
$ads_acetype_access_allowed = 0
$ads_acetype_access_denied = 1
$ads_aceflag_inherit_ace = 2
$ads_aceflag_sub_new = 9
$sd = $sec.getsecuritydescriptor("FILE://$file")
$dacl = $sd.discretionaryacl
;===
;if flagged Replace then remove all existing aces from dacl first
;===
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
; $dacl.removeace($existingace) ; temp removed
NEXT
ENDIF
;break up Perms into individual actions
$cmdarray=split($perms,"+")
FOR $x=0 TO ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
ENDIF
$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]
; if flagged edit, delete the ACEs belonging to the user we are about to add an ACE for
IF ucase($redit)="EDIT"
FOR EACH $existingace IN $dacl
$trusteevar=$existingace.trustee
IF instr($trusteevar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF
$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)
IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_sub_new)
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_inherit_ace)
ELSE
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed,0)
ENDIF
ENDIF
NEXT
FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee, "\"))
$ace.trustee=$newtrustee
ENDIF
NEXT
; final sets and cleanup
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor($sd)
$sd=0
$dacl=0
$sec=0
ENDFUNCTION
FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$right_read = &80000000
$right_execute = &20000000
$right_write = &40000000
$right_delete = &10000
$right_full = &10000000
$right_change_perms = &40000
$right_take_ownership = &80000
$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee
$maskvar = ucase($maskvar)
SELECT
CASE $maskvar="F"
$ace.accessmask = $right_full
CASE $maskvar="C"
$ace.accessmask = $right_read | $right_write | $right_execute | $right_delete
CASE $maskvar="R"
$ace.accessmask = $right_read | $right_execute
ENDSELECT
$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace($ace)
$ace=0
ENDFUNCTION
FUNCTION Left($expc,$expn)
$left=substr($expc,1,$expn)
ENDFUNCTION
FUNCTION Right($expc,$expn)
$right=substr($expc,len($expc)-$expn+1,$expn)
ENDFUNCTION

ELSE
COLOR r+/n
?"ADsSecurity not installed on this machine"
COLOR w+/n
SLEEP 2
EXIT
ENDIF

EXIT


Thanks!

- Kent

_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

#58272 - 2001-08-16 09:24 PM Re: Kent: Review a WSH script - Part Deux
Anonymous
Unregistered


Hi

I was working on a similar script. However, mine uses the resource kit command line tools subinacl and rmtshare since they do exactly what I want them to do (lazy me).

However, net user does not do exactly what I want--I can't point it at a specific domain or NT box. So I am asking for help with using ADSI instead.

I have the VB code in there, but I can't figure out the syntax to make kix run it.

I have the two lines that do not work commented out.

code:
  

break on
cls

$HomeDrive="H:"

$Computer="DCI41889"
$Drive="D"
$Path="\homes\"
$Domain="DCI41889"

WHILE 1

$UserID=Input("User ID")
If LEN($UserID)<2
QUIT
Endif

$UserObj=getobject("WinNT://"+$Domain+"/"+$Userid+",user")
If @ERROR=0
$UNC="\\"+$Computer+"\"+$Drive+"$"+$Path+$UserID
If not EXIST($UNC)
md $UNC ? "Made directory"
Else
? $UNC+" directory already exists"
EndIf
$Share="\\"+$Computer+"\"+$UserID+"$"
If not EXIST($Share)
SHELL "rmtshare.exe "+$Share+"="+$Drive+":"+$Path+$UserID+" /grant everyone:c"
? $Share+" Has been shared"
Else
? $Share+" Share already exists"
EndIf
SHELL "subinacl.exe /noverbose /subdir "+$UNC+" /grant="+$Domain+"\"+$Userid+"=C"
SHELL "net user "+$UserID+" /homedir:"+$Share+" /domain"
; KiXtart form of the VB lines: the object variable keeps its $ and method arguments are parenthesised
; $UserObj.Put("HomeDirectory", $Share)
; $UserObj.Put("HomeDirDrive", $HomeDrive)
; $UserObj.SetInfo
$UserObj=0
Else
? "User ID not found in "+$Domain
EndIf

LOOP

Function Input($Prompt)
DO
? $Prompt+":"
GETS $Input
UNTIL $Input
EndFunction

#58273 - 2001-08-17 06:20 AM Re: Kent: Review a WSH script - Part Deux
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Kent,

Try this - changed the permission masks from hex to decimal ... the formatting is all screwed-up plus you'll have to change the share pointers back to your specifics ...

code:

BREAK ON

IF 0 = InStr(@kix, "4.") ; Check to see if KIX 4.x is being used
? "Kix 4.00 is required - Sorry."
SLEEP 2
EXIT
ENDIF

$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")
IF $sec ; Check to see if ADSSECURITY.DLL is registered
; Capture the name of the person you are working with
COLOR g+/n
? "Enter the userid of the person - jdoe"
COLOR w+/n
?
GETS $textusr
IF $textusr = ""
COLOR r+/n
? "No UserID input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF
; Capture the name of the server you are adding the share to
COLOR g+/n
? "Enter the server - server"
COLOR w+/n

?
GETS $textshare
IF $textshare = ""
COLOR r+/n
? "No Server Name input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF

;;$usershare = "$textusr" ;
; Path for user folders
$usershare = "\\" + $textshare + "\d$\users"

;;$userdir = "f:\users\$textusr" ; path
; Now let's create a variable to work with - \\SERVER\users\jdoe
; Directory to save
$userdir = "f:\users\" + $textusr
$usersd = "f:\users\$textusr"
$textsharen = "$textusr$$" ; sharename
;===
; Create folder
;===
IF NOT exist($userdir)
?"Creating folder..."
MD "$userdir"
ELSE
?"Folder already exists..."
ENDIF
;===
; Create share
;===
$fservobj = GetObject("WinNT://$textshare/lanmanserver")
$newshare = $fservobj.create("fileshare",$textsharen)
IF $newshare
?"Creating share ..."
$newshare.path = $usersd
$newshare.setinfo
$newshare=0
ELSE
?"Share already exists..."
ENDIF
;===
; Set ACLs
;===
$filenm = $usersd
$permspart = "add($textusr:c)+add(Administrator:f)+add(Guest:f)"
;-- Replace ACL on single file or folder-------
IF $ofs.fileexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FILE")
ELSE
IF $ofs.folderexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
ENDIF
ENDIF
; release the FileSystemObject before leaving; the UDFs below are only run when called
$ofs=0
EXIT


;===
; support functions
;===

FUNCTION ChangeAcls($file,$perms,$redit,$ffolder)
;- Edit ACLS of specified file -----
$ads_acetype_access_allowed = 0
$ads_acetype_access_denied = 1
$ads_aceflag_inherit_ace = 2
$ads_aceflag_sub_new = 9
$sd = $sec.getsecuritydescriptor("FILE://$file")
$dacl = $sd.discretionaryacl
;===
;if flagged Replace then remove all existing aces from dacl first
;===
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
; $dacl.removeace($existingace) ; temp removed
NEXT
ENDIF
;break up Perms into individual actions
$cmdarray=split($perms,"+")
FOR $x=0 TO ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
ENDIF
$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]
; if flagged edit, delete the ACEs belonging to the user we are about to add an ACE for
IF ucase($redit)="EDIT"
FOR EACH $existingace IN $dacl
$trusteevar=$existingace.trustee
IF instr($trusteevar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF
$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)
IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_sub_new)
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_inherit_ace)
ELSE
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed,0)
ENDIF
ENDIF
NEXT
FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee, "\"))
$ace.trustee=$newtrustee
ENDIF
NEXT
; final sets and cleanup
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor($sd)
$sd=0
$dacl=0
$sec=0
ENDFUNCTION
FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$right_read = 2147483648
$right_execute = 536870912
$right_write = 1073741824
$right_delete = 65536
$right_full = 268435456
$right_change_perms = 262144
$right_take_ownership = 524288
$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee
$maskvar = ucase($maskvar)
SELECT
CASE $maskvar="F"
$ace.accessmask = $right_full
CASE $maskvar="C"
$ace.accessmask = $right_read + $right_write + $right_execute + $right_delete
CASE $maskvar="R"
$ace.accessmask = $right_read + $right_execute
ENDSELECT
$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace($ace)
$ace=0
ENDFUNCTION
FUNCTION Left($expc,$expn)
$left=substr($expc,1,$expn)
ENDFUNCTION
FUNCTION Right($expc,$expn)
$right=substr($expc,len($expc)-$expn+1,$expn)
ENDFUNCTION
ELSE
COLOR r+/n
?"ADsSecurity not installed on this machine"
COLOR w+/n
SLEEP 2
EXIT
ENDIF
EXIT


-Shawn

#58274 - 2001-08-17 08:01 PM Re: Kent: Review a WSH script - Part Deux
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Shawn,

Am I missing the boat here?

It still does not set perms.

Arghh...

- Kent


#58275 - 2001-08-20 08:56 PM Re: Kent: Review a WSH script - Part Deux
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Shawn,

I should be able to get back on board with this today as we just completed a migration of 300 Mailboxes from one Exchange Server to another.

- Kent


#58276 - 2001-08-21 04:37 PM Re: Kent: Review a WSH script - Part Deux
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
kdyer/shawn,

I noticed that in the SDK, in the examples of the ACL editing, there is a setinfo statement on the object you are changing the ACL of,
right at the end after the setsecuritydescriptor statement.
I am still writing other code and have not had the chance to test anything, but reading the script I noticed it was missing this statement...

hope it helps...

regards,
MvdW

[ 21 August 2001: Message edited by: mvdw ]

_________________________
rgrds, Maarten

#58277 - 2001-08-21 09:06 PM Re: Kent: Review a WSH script - Part Deux
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Sorry guys, that was nonsense...

I think I have it now, that is I can edit NTFS permissions, but I have not made nice loops and functions out of it. That's mainly because I have slightly different needs in my script... it has the double entries for a folder and also.. you'll see.

I got this to work though:

code:
 
$sec = CreateObject("ADsSecurity")
$sd = $sec.getsecuritydescriptor("FILE://$homedir")
$dacl = $sd.discretionaryacl

FOR EACH $entry IN $dacl
$dacl.removeace($entry)
NEXT
;Add the domain admins with full control and the user with fullcontrol ( i know this is stupid, but that's what the
;standard is at the idiots who pay me my salary) if you want change perms, set the accessmask to 1245631 in the Ace with aceflags set to 2 and
;set the accessmask to -536805376 on the Ace that has aceflags set to 9... (this was done by trial and lots of error)

$ace1 = CreateObject("AccessControlEntry")
$Ace1.AccessMask = 2032127 ;full control (0x1F01FF, FILE_ALL_ACCESS)
$Ace1.AceType = 0 ;allowed
$Ace1.AceFlags = 2 ;CONTAINER_INHERIT: this folder and its subfolders
$Ace1.Trustee = getsid("WinNT://$domain/domain admins,group")

$ace2 = CreateObject("AccessControlEntry")
$Ace2.AccessMask = 268435456 ;full control (0x10000000, GENERIC_ALL)
$Ace2.AceType = 0 ;allowed
$Ace2.AceFlags = 9 ;OBJECT_INHERIT + INHERIT_ONLY: files created inside the folder
$Ace2.Trustee = getsid("WinNT://$domain/domain admins,group")

$ace3 = CreateObject("AccessControlEntry")
$Ace3.AccessMask = 2032127 ;full control (0x1F01FF, FILE_ALL_ACCESS)
$Ace3.AceType = 0 ;allowed
$Ace3.AceFlags = 2 ;CONTAINER_INHERIT: this folder and its subfolders
$Ace3.Trustee = getsid("WinNT://$domain/$username,user")

$ace4 = CreateObject("AccessControlEntry")
$Ace4.AccessMask = 268435456 ;full control (0x10000000, GENERIC_ALL)
$Ace4.AceType = 0 ;allowed
$Ace4.AceFlags = 9 ;OBJECT_INHERIT + INHERIT_ONLY: files created inside the folder
$Ace4.Trustee = getsid("WinNT://$domain/$username,user")

$dacl.addace($ace1)
$dacl.addace($ace2)
$dacl.addace($ace3)
$dacl.addace($ace4)
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor($sd)

$sd = 0



Apart from the enumeration of the accessmask, which is quite easily taken care of by manually setting the perms you like and just listing them with a little script, the problem was that I only got it to work if the trustee was given as the SID (there we go...) of the user/group. I have adapted Shawn's getrid function to make the getsid function..

code:
 
Function getsid($adspath)

; Convert the ADsPath of a user/group to its textual SID (S-1-5-...) via the
; ADsSID object: setas(5) takes an ADS_SID_WINNT_PATH, getas(1) returns the
; binary SID as a hex string (ADS_SID_HEXSTRING).
dim $obj,$adssid,$hex,$sac,$sa,$sareverse,$textsid,$x

$obj = getobject("$adspath")
$adssid = createobject("adssid")
$adssid.setas(5,"$adspath") ; put ADsPath in
$hex = $adssid.getas(1) ; take SIDstring out
$sac = val(substr($hex,3,2)) ; byte 1 of the SID: number of sub-authorities

; byte 0: revision; bytes 2-7: identifier authority (6 bytes, big-endian).
; val() reads the authority field as decimal, which only gives the right answer
; while the field is 000000000005 (authority 5, NT).
$textsid = "S-" + val(substr($hex,1,2)) + "-" + val(substr($hex,5,12))

; each sub-authority is a 4-byte little-endian DWORD, so reverse the byte order
for $x = 1 to $sac
$sa = substr($hex,(9 + $x * 8),8)
$sareverse = val("&"+substr($sa,7,2)+substr($sa,5,2)+substr($sa,3,2)+substr($sa,1,2))
$textsid = $textsid + "-" + $sareverse
next

$getsid = $textsid

endfunction


I have tried other types of the SID but I can only get it to work with this one..

BUT NOW... another problem. I have set the NTFS perms on the folder but I also want to set share permissions. I have tried the following script:

code:
 
break on

$object = getobject("WinNT://wcws020/LanmanServer/D")
$sec = CreateObject("ADsSecurity")

? $object.name
? $object.description
? $object.path
$sd = $sec.getsecuritydescriptor("WinNT://wcws020/LanmanServer/D")
$dacl = $sd.discretionaryacl

FOR EACH $e IN $dacl
? $e.trustee + " " + $e.Accessmask + " " + $e.acetype + " " + $e.aceflags
NEXT


? "finito"
get $k
exit



WCWS020 is the workstation (remote) and D is the sharename. It does properly show me the path, name and description, but it generates a script error at:

$dacl = $sd.discretionaryacl

unknown command it says... but to the best of my knowledge, all the objects have a discretionary ACL and it works like a charm on files/folders.

ANY IDEAS ??

Thanx,
MvdW

_________________________
rgrds, Maarten
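The SID layout that the getsid() function above decodes by hand, as an added Python example (not mvdw's code and not part of the thread): it converts the hex-string form of a binary SID, the same string ADsSID's GetAs(1) hands back, to S-1-5-... notation and back, and validates length and revision before trusting the byte count. The sample SIDs are constructed.

```python
# Added example (not code from this thread): the SID layout that mvdw's
# getsid() reverse-engineers, done with struct.  Sample SIDs are constructed.
import struct

SID_REVISION = 1
MAX_SUB_AUTHORITIES = 15


def sid_bytes_to_string(raw):
    """Binary SID -> 'S-R-I-S...' notation.
    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 the
    identifier authority as a 48-bit big-endian integer, then one 32-bit
    little-endian integer per sub-authority (hence the byte reversal that
    getsid() does with substr).  Length and revision are checked first."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != SID_REVISION:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_hex_to_string(hexsid):
    """Hex-string SID (what ADsSID.GetAs(1), ADS_SID_HEXSTRING, returns) ->
    textual SID.  getsid() parses the 12-character authority field with val()
    as decimal; that only works because the NT authority is 5 and the field
    reads 000000000005.  Here it is decoded as the 48-bit integer it is."""
    return sid_bytes_to_string(bytes.fromhex(hexsid))


def sid_string_to_bytes(sid):
    """Textual SID -> binary SID (the inverse, used for round-trip checks)."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != SID_REVISION or authority >= 1 << 48 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("SID out of range: %r" % sid)
    if any(s < 0 or s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def sid_string_to_hex(sid):
    """Textual SID -> the upper-case hex string form ADsSID would return."""
    return sid_string_to_bytes(sid).hex().upper()
```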

#58278 - 2001-08-22 03:20 PM Re: Kent: Review a WSH script - Part Deux
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Hmmzzz,

still not working. I have found some hints, one at http://www.winscriptingsolutions.com/Articles/Index.cfm?ArticleID=7991&Key=Visual%20InterDev

Where it says:

You can set share permissions with WMI's Win32_Share, Win32_SecurityDescriptor, Win32_ACE, and Win32_Trustee classes

and also at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/iadssecurityutility_getsecuritydescriptor.asp


where it says some interesting things. It is mentioned that the accessmask which can normally be used to set what to retrieve (filter on SACL, DACL, user or group information) cannot be used on a fileshare. This would indicate that the security descriptor for a fileshare is fundamentally different and probably needs a different way of interaction/syntax.
It also says you need to specify the parameters when setting the security descriptor of a fileshare. I have already tried several ways to get it to work but I am not succeeding, nor can I find any example script on the net where fileshare ACLs are manipulated.

I think I have been staring at it too long at the moment, so if anybody has a fresh idea..

regards,
MvdW


#58279 - 2001-08-22 03:52 PM Re: Kent: Review a WSH script - Part Deux
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
m,

Check out Part I of this thread (first post, second page) ...

OFF TOPIC - Shawn can you review a WSH script for me?

I coded a routine to set NTFS share permissions using WMI ... and like I said - it was very painful because there's no information out there ...

As well - the target server needs to have WMI installed. Windows 2000 servers come standard with WMI - NT servers need the retro WMI install ... bummer !

The failure to set share permissions in ADSI is - I believe - a fundamental limitation of the WinNT service provider interface. ADsSecurity helps - but it's not the silver bullet - should delve more to see if this is true ?

Check out the code - is it worthwhile to pursue a WMI solution?

-Shawn

By the way - I see you wrote a routine to do a little SID reconstructive surgery (GetSID)? Very slick and well done. If anything - (I/we) are learning quite a bit about NT internals ...

[ 22 August 2001: Message edited by: Shawn ]

#58280 - 2001-08-22 07:09 PM Re: Kent: Review a WSH script - Part Deux
mvdw Offline
Starting to like KiXtart

Registered: 2001-05-01
Posts: 124
Loc: Voorburg, Netherlands
Shawn,

You can definitely say we are learning more and more about what's underneath in NT.

I will check out the share permissions through WMI tomorrow (still don't have internet at home.. in two months I'm moving, so then I'll probably be flooding the board ;-)

It's a shame I need to implement WMI on the servers first. I'll probably implement it for several customers, and some of them are W2K but a bunch are still NT 4, and usually when I opt for new additions like this, development starts nagging (we have some fundamental differences in opinion..
.. but that's just for one of the customers.

Is WMI a tough install or just a couple of registered DLLs??


-- The saga never ends..

Ciao,
MvdW

ps are you also noticing that the one thing that is hard to code is often the thing that has absolutely no info on the web/example scripts.. or is that by definition?


#58281 - 2001-08-22 07:30 PM Re: Kent: Review a WSH script - Part Deux
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
quote:
ps are you also noticing that the one thing that is hard to code is often the thing that has absolutely no info on the web/example scripts.. or is that by definition ?

I like to think of it as breaking new ground!

Think of it like this... you are doing something with a script, that others do with compiled programs!

Bryce

#58282 - 2001-08-22 07:34 PM Re: Kent: Review a WSH script - Part Deux
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
lol - pretty soon we'll be shelling-out to our own scripts !

-Shawn

#58283 - 2001-08-23 03:26 AM Re: Kent: Review a WSH script - Part Deux
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Shawn,

I must be totally asleep.

Anyway, please find the script below with comments. Let me know what you think? Are we getting anywhere with WMI/WBEM on this?

As you may notice, I went back to your initial conversion of this.

code:

BREAK ON
$wshshell = CreateObject("WScript.Shell")
$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")
$textusr = "kdyer" ; userid
$textshare = "server" ; machine
$textsharen = "$textusr$$" ; sharename
$usershare = "$textusr" ; userid
$usersd = "\\$textshare\d$\users\$textusr" ; Admin path across the WAN
$userdir = "d:\users\$textusr" ; Local path on server
;===
; Create folder
;===
; -- Since we are playing around with Objects, let's try this with a WSCRIPT type command
; -- Uh doesn't work.. :-(
;IF NOT $ofs.folderexists($usersd)
; ?"Creating folder..."
; $ofs.createfolder $usersd
;ELSE
; ?"Folder already exits..."
;ENDIF

IF NOT exist($usersd)
?"Creating folder..."
;md "$userdir"
MD "$usersd"
ELSE
?"Folder already exists..."
ENDIF

;===
; Create share
;===
$fservobj = GetObject("WinNT://"+ $textshare +"/lanmanserver")
$newshare = $fservobj.create("fileshare",$textsharen)
IF $newshare
?"Creating share ..."
$newshare.path = $userdir
$newshare.setinfo
$newshare=0
ELSE
?"Share already exists..."
ENDIF
;===
; Set ACLs
;===
$filenm = $usersd
;$filenm = $userdir
$permspart = "add($textusr:c)+add(domain admins:F)+add(Administrators:F)+del(everyone:F)"
;-- Replace ACL on single file or folder-------
IF $ofs.fileexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FILE")
ELSE
IF $ofs.folderexists($filenm)
ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")
ENDIF
ENDIF
; release the FileSystemObject before leaving; the UDFs below are only run when called
$ofs=0
EXIT
FUNCTION ChangeAcls($file,$perms,$redit,$ffolder)
; -- Let's do some debugging
;?$file + " file"
;?$perms + " perms"
;?$redit + " redit"
;?$ffolder + " ffolder"
;sleep 2
;gets $x
;- Edit ACLS of specified file -----
$ads_acetype_access_allowed = 0
$ads_acetype_access_denied = 1
$ads_aceflag_inherit_ace = 2
$ads_aceflag_sub_new = 9
$sd = $sec.getsecuritydescriptor("FILE://$file")
$dacl = $sd.discretionaryacl
;===
;if flagged Replace then remove all existing aces from dacl first
;===
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace($existingace) ; re-enabled - needed so the existing user ACEs are removed before the new ones are added
NEXT
ENDIF
;break up Perms into individual actions
$cmdarray=split($perms,"+")
FOR $x=0 TO ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
ENDIF
$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]
; if flagged edit, delete the ACEs belonging to the user we are about to add an ACE for
IF ucase($redit)="EDIT"
FOR EACH $existingace IN $dacl
$trusteevar=$existingace.trustee
IF instr($trusteevar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF
$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)
IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_sub_new)
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed, $ads_aceflag_inherit_ace)
ELSE
addace($dacl, $namevar, $rightvar, $ads_acetype_access_allowed,0)
ENDIF
ENDIF
NEXT
FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee, "\"))
$ace.trustee=$newtrustee
ENDIF
NEXT
; final sets and cleanup - the rebuilt DACL is written back in a single call
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor($sd)
$sd=0
$dacl=0
; $sec is the script-level ADsSecurity object and is deliberately not released here,
; so ChangeAcls can be called more than once in a run (it goes away when the script ends)
ENDFUNCTION
FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$right_read = 2147483648 ; GENERIC_READ (&80000000) -- Converted to DEC from HEX - Thanks Shawn!
$right_execute = 536870912 ; GENERIC_EXECUTE (&20000000)
$right_write = 1073741824 ; GENERIC_WRITE (&40000000)
$right_delete = 65536 ; DELETE (&10000)
$right_full = 268435456 ; GENERIC_ALL (&10000000)
$right_change_perms = 262144 ; WRITE_DAC (&40000)
$right_take_ownership = 524288 ; WRITE_OWNER (&80000)

;$RIGHT_READ = &80000000 ; -- Permissions come out odd, prepend HEX with & page 18 of Kix Manual
;$RIGHT_EXECUTE = &20000000
;$RIGHT_WRITE = &40000000
;$RIGHT_DELETE = &10000
;$RIGHT_FULL = &10000000
;$RIGHT_CHANGE_PERMS = &40000
;$RIGHT_TAKE_OWNERSHIP = &80000

$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee
;?$maskvar + " Maskvar"
;sleep 2
$maskvar = ucase($maskvar)
SELECT
CASE $maskvar="F"
$ace.accessmask = $right_full
CASE $maskvar="C"
; summing works here only because these GENERIC_* and DELETE bits do not overlap
$ace.accessmask = $right_read + $right_write + $right_execute + $right_delete
CASE $maskvar="R"
$ace.accessmask = $right_read + $right_execute
CASE 1
; unknown right letter: say so, otherwise an ACE with an empty mask goes in silently
? "addace: unknown right '" + $maskvar + "' for " + $trustee
ENDSELECT
; -- If you use this method, you will get "the parameter is incorrect" message.
;SELECT
;CASE $maskvar="F" $ace.accessmask = $RIGHT_FULL
;CASE $maskvar="C" $ace.accessmask = $RIGHT_READ | $RIGHT_WRITE | $RIGHT_EXECUTE | $RIGHT_DELETE
;CASE $maskvar="R" $ace.accessmask = $RIGHT_READ | $RIGHT_EXECUTE
;ENDSELECT
$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace($ace)
$ace=0
ENDFUNCTION
; KiXtart has no built-in Left/Right, so these wrap SubStr
FUNCTION Left($expc,$expn)
$left=substr($expc,1,$expn)
ENDFUNCTION
FUNCTION Right($expc,$expn)
$right=substr($expc,len($expc)-$expn+1,$expn)
ENDFUNCTION


Thanks!

- Kent

_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's
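The same REPLACE/EDIT logic as ChangeAcls and addace above, written in PowerShell against the .NET ACL classes. This is an added example, not code from the thread or from any of the posters; the folder path, account names and the permission spec in the usage comment are assumed values. It keeps the "add(name:right)+del(name)" mini-language but rejects malformed items instead of letting an unknown right letter become an ACE with an empty mask, and it builds the whole DACL in memory before one Set-Acl call, so a failure part way through never leaves the folder with half its ACEs stripped.

```powershell
# Added example (not from the thread): ChangeAcls/addace redone with the .NET ACL classes.
# Path, accounts and spec below are assumed for illustration.
Set-StrictMode -Version Latest

# The script's single-letter rights mapped to FileSystemRights instead of summed
# GENERIC_* bits. "C" (change) is the Modify set.
$RightMap = @{
    F = [System.Security.AccessControl.FileSystemRights]::FullControl
    C = [System.Security.AccessControl.FileSystemRights]::Modify
    R = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

# Parse "add(name:right)+del(name)" into ordered actions. Anything that does not match
# is rejected up front rather than turning into an ACE with an empty access mask.
function ConvertFrom-PermSpec {
    param([Parameter(Mandatory)][string]$Spec)
    foreach ($item in $Spec.Split('+')) {
        if ($item -notmatch '^(?<action>add|del)\((?<name>[^:()]+)(:(?<right>[FCR]))?\)$') {
            throw "Unrecognised permission item: '$item'"
        }
        $right = if ($Matches.ContainsKey('right')) { $Matches['right'].ToUpper() } else { $null }
        if ($Matches['action'] -ieq 'add' -and -not $right) {
            throw "add() needs a right letter (F, C or R): '$item'"
        }
        [pscustomobject]@{ Action = $Matches['action'].ToLower(); Name = $Matches['name']; Right = $right }
    }
}

function Set-FolderAclFromSpec {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Spec,
        [ValidateSet('REPLACE', 'EDIT')][string]$Mode = 'EDIT'
    )
    $acl = Get-Acl -LiteralPath $Path
    if ($Mode -eq 'REPLACE') {
        # Same intent as removing every ACE from the DACL: cut inheritance without copying
        # the inherited entries, then drop the explicit ones. All of this is on the in-memory
        # object, so a failure before Set-Acl leaves the folder's real DACL untouched.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $null = $acl.RemoveAccessRule($rule)
        }
    }
    foreach ($item in ConvertFrom-PermSpec -Spec $Spec) {
        $identity = [System.Security.Principal.NTAccount]$item.Name
        # In both modes the principal's existing explicit ACEs go before anything is (re)added,
        # which is what the EDIT branch of the KiXtart function does by hand.
        $acl.PurgeAccessRules($identity)
        if ($item.Action -eq 'add') {
            # One rule carrying both inheritance flags does the work of the two ACEs
            # (flags 2 and 9) the KiXtart code adds for folders.
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $identity,
                $RightMap[$item.Right],
                [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($rule)
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Read the result back so the caller sees exactly which principals are left.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags, IsInherited
}

# Usage with assumed values. REPLACE drops the inherited SYSTEM/Administrators entries too,
# so the spec has to grant them explicitly or the folder ends up admin-unreadable.
# Set-FolderAclFromSpec -Path 'D:\home\alice' -Mode REPLACE `
#     -Spec 'add(CORP\alice:F)+add(BUILTIN\Administrators:F)+add(NT AUTHORITY\SYSTEM:F)'
```

Unknown account names fail inside AddAccessRule (the NTAccount cannot be translated to a SID), which again happens before Set-Acl is reached; run it in a console with the right to change the folder's DACL.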

#58284 - 2001-08-24 08:56 AM Re: Kent: Review a WSH script - Part Deux
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Everybody -

Thanks to Doc, he got some code from a friend of his that may help us get going in the right direction on this. (Hope this is O.K.)

Shawn - Hope this doesn't totally destroy your weekend.

Win32_Share http://www.microsoft.com/management/wbem/classes/Win32_ShareVerbose.htm

And home page for WBEM is - http://www.microsoft.com/management/wbem/contents/

Doing some more digging around MS, we find -

Win32_Share as a WMI_Class http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/hh/wmisdk/r_32os_52zp.asp

Create Method in Class Win32_Share http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/hh/wmisdk/r_32os_2xut.asp

Delete Method in Class Win32_Share http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/hh/wmisdk/r_32os_9xt1.asp

Win32_ConnectionShare http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/hh/wmisdk/r_32os_7u5h.asp

ManagementClass.GetInstances Method (Interesting code at the bottom) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemManagementManagementClassClassGetInstancesTopic.asp

Wait a second!!
WSH Network Administrator Sample Script http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wssamWSHNetworkAdministatorSampleScript.asp

Operating System Classes http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/hh/wmisdk/r_32os_12yb.asp

Appendix C - Hardware Inventory Classes http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/sms/reskit/sms2res/appendixes/smapc.asp

Well... Let's see where this takes us.

- Kent

_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's
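What the Win32_Share Create and Delete pages linked above boil down to in practice, as an added example in PowerShell (not code from the thread, from Doc's friend, or from Microsoft's samples). The share name, path and accounts are assumed. The share-level DACL is handed to Create as a Win32_SecurityDescriptor so the share never exists, even briefly, with the default permissions, and the method's documented return code is checked rather than ignored.

```powershell
# Added example (not from the thread): Win32_Share Create/Delete via WMI with an explicit
# share DACL and return-code checking. Names, path and accounts below are assumed.

# Return codes documented for Win32_Share.Create and Win32_Share.Delete
$ShareResult = @{
    0 = 'Success'; 2 = 'Access denied'; 8 = 'Unknown failure'; 9 = 'Invalid name'
    10 = 'Invalid level'; 21 = 'Invalid parameter'; 22 = 'Duplicate share'
    23 = 'Redirected path'; 24 = 'Unknown device or directory'; 25 = 'Net name not found'
}
# Share permission masks as the Sharing tab writes them
$ShareRights = @{ Read = 1179817; Change = 1245631; Full = 2032127 }

function New-ShareAce {
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][int]$AccessMask)
    # Resolve the account to a SID here, so a mistyped name fails before anything is created.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $parts = $Account -split '\\', 2
    if ($parts.Count -eq 2) { $trustee.Domain = $parts[0]; $trustee.Name = $parts[1] }
    else                    { $trustee.Name = $Account }
    $trustee.SID = $sidBytes
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 0          # share ACEs are never inherited by anything
    $ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    return $ace
}

function New-WmiShare {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Access,   # account -> Read | Change | Full
        [string]$Description = ''
    )
    foreach ($level in $Access.Values) {
        if (-not $ShareRights.ContainsKey($level)) { throw "Unknown share right '$level' (use Read, Change or Full)" }
    }
    $sd = ([wmiclass]'Win32_SecurityDescriptor').CreateInstance()
    $sd.ControlFlags = 4                             # SE_DACL_PRESENT
    $sd.DACL = @(foreach ($account in $Access.Keys) {
        New-ShareAce -Account $account -AccessMask $ShareRights[$Access[$account]]
    })
    # Create(Path, Name, Type, MaximumAllowed, Description, Password, Access); Type 0 = disk share
    $result = ([wmiclass]'Win32_Share').Create($Path, $Name, 0, $null, $Description, $null, $sd)
    if ($result.ReturnValue -ne 0) {
        throw ("Win32_Share.Create('{0}') failed: {1} ({2})" -f $Name, $result.ReturnValue, $ShareResult[[int]$result.ReturnValue])
    }
    # The share name goes into a WQL literal, so escape any single quote in it.
    Get-WmiObject -Class Win32_Share -Filter ("Name='{0}'" -f $Name.Replace("'", "\'"))
}

function Remove-WmiShare {
    param([Parameter(Mandatory)][string]$Name)
    $share = Get-WmiObject -Class Win32_Share -Filter ("Name='{0}'" -f $Name.Replace("'", "\'"))
    if (-not $share) { return }                      # nothing to remove; not an error
    $result = $share.Delete()
    if ($result.ReturnValue -ne 0) {
        throw ("Win32_Share.Delete('{0}') failed: {1} ({2})" -f $Name, $result.ReturnValue, $ShareResult[[int]$result.ReturnValue])
    }
}

# Usage with assumed values (run elevated; a hidden home share re-created each run):
# Remove-WmiShare -Name 'alice$'
# New-WmiShare -Name 'alice$' -Path 'D:\home\alice' -Description 'Home folder' `
#     -Access @{ 'CORP\alice' = 'Full'; 'BUILTIN\Administrators' = 'Full' }
```

Get-WmiObject and the [wmiclass] accelerator are Windows PowerShell 5.1; on PowerShell 7 the equivalents are Get-CimInstance and Invoke-CimMethod. Share permissions only gate the network entry point, so the NTFS DACL on the folder still has to be set separately, which is what the ChangeAcls function in the earlier post does.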
