#132532 - 2005-01-17 09:04 AM VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
Hi,

I have been trying to translate a VBS script provided by Microsoft for ADsSecurity.dll to Kix but have been unsuccessful for over a month now. Could anyone help me translate this script: How To Use ADsSecurity.dll to Add an Access Control Entry to an NTFS Folder

At this point I want to thank the board members for providing information about problems. It helped me a lot in earlier stages.

Top
#132533 - 2005-01-17 12:50 PM Re: VBS to Kix translation
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
this looks familiar.
iirc, it was never successful translating this.
_________________________
!

download KiXnet

Top
#132534 - 2005-01-17 03:56 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
That's bad news, after months of research this was the only solution I could find that lets me remotely add users to folder rights.

I've made a kix script with a GUI thx to KixForms that lets administrators on our networks create new users but the only thing that isn't working is to set the rights of the profile folder to both the user and administrator as full access. After a lot of trial and error eventually I stumbled onto this VBS script and was unsuccessful translating it to kix. So I came here as a last hope.

Anyway thank you for your quick reply, I appreciate it

Top
#132535 - 2005-01-17 04:39 PM Re: VBS to Kix translation
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
well.
I never set the folder rights, as I don't see the point.
and for sharing, I use rmtshare which also allows you to set the permissions.
or you could go with win32admin -> http://home.comcast.net/~habullock/kix_solutions.htm
_________________________
!

download KiXnet

Top
#132536 - 2005-01-17 04:56 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
The reason I do this is because the administrator and the user both must have read/write access to the Profile folder. If kix makes the folder, only the administrator has access and not the user. And if I don't use kix to make the folder, the folder is created by AD as soon as the user logs in but then the administrator has no access to the folder. The administrator needs access to the folder because he will run other scripts to back up profiles weekly to an external HDD. Which is why I need both to have read/write access. The folder itself isn't shared tho. The hierarchy is like this:
@lserver\personal$\%username%\My Profile\
@lserver\personal$\%username%\My Documents\
@lserver\personal$\%username%\My Mail\

The AdsSecurity.dll does just that. Which is why I need that script to work or at least a script for the AdsSecurity.dll that lets me set folder permissions like that VBS script does. So I hope I've shed some light on the subject as to why I need both to have folder permissions.


Top
#132537 - 2005-01-17 07:07 PM Re: VBS to Kix translation
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
There are enough tools out there that set file/folder-level permissions, e.g. XCACLS.EXE. Search the BBS for related threads. There are also tools/utilities/ways/USDs to remotely execute CLIs. Again, search the BBS as this has been discussed multiple times.
_________________________
There are two types of vessels, submarines and targets.

Top
#132538 - 2005-01-17 10:19 PM Re: VBS to Kix translation
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Apronk,

Good to see another dutchie on the board.

Just a little side step from the original topic.

Using a hidden share could give you problems (at least I've had enough troubles with it) because the $ symbol is used for variables by kix.
More info here: http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Number=81652&page=1&view=collapsed&sb=5&o=&fpart=1

_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
#132539 - 2005-01-17 10:51 PM Re: VBS to Kix translation
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
The '$' sign only causes problems if one doesn't follow the KiXtart syntax guidelines or doesn't use SETOPTION('NoVarsInStrings','ON').
_________________________
There are two types of vessels, submarines and targets.

Top
#132540 - 2005-01-18 09:19 AM Re: VBS to Kix translation
Anonymous
Unregistered


I have been scripting in Kix for over a year now, I know my way around variables and hidden shares, they pose no problems. I also tried using cacls, xcacls and the sorts but I need a kix only solution with the exception of ADsSecurity.dll which provides the solution, the only thing needed is the code in kix and not vbs. Which is possible, I won't stop till I get it working one way or another. I hope you can provide a solution, so far I translated it into this part of code:
Code:
 $sec = CreateObject("ADsSecurity")
$textusr = "BLAH\testuser"
$userdir = "\\PC-BLAH-XP-4\d$\TEST"
$filenm = $userdir
$permspart = "add(" + $textusr + ":F)+add(Administrators:F)"
ChangeAcls($filenm, $permspart, "EDIT", "FOLDER")


;############################################### Functions ##########################################################

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
;- Edit ACLS of specified file -----
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ADS_ACETYPE_ACCESS_DENIED = 1
$ADS_ACEFLAG_INHERIT_ACE = 2
$ADS_ACEFLAG_SUB_NEW = 9
$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
$dacl = $sd.discretionaryacl
;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace $existingace
NEXT
ENDIF

;break up Perms into individual actions
$cmdarray=split($perms,"+")

FOR x=0 TO ubound($cmdarray)
$tmpvar1=$cmdarray(x)
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
ENDIF

$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts(0)
$rightvar=$cmdparts(1)

; if flagged edit, delete ACE;s belonging to user about to add an ace for

IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF

$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)

IF $uctrunamevar=$ucnamevar
$dacl.removeace $existingace
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE
ELSE
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED,0
ENDIF
ENDIF
NEXT

FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl

IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee, "\"))
$ace.trustee=newtrustee
ENDIF
NEXT

; final sets and cleanup
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor $sd
$sd=nothing
$dacl=nothing
$sec=nothing
ENDFUNCTION

FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
Const RIGHT_READ = &H80000000
Const RIGHT_EXECUTE = &H20000000
Const RIGHT_WRITE = &H40000000
Const RIGHT_DELETE = &H10000
Const RIGHT_FULL = &H10000000
Const RIGHT_CHANGE_PERMS = &H40000
Const RIGHT_TAKE_OWNERSHIP = &H80000

$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee

SELECT
CASE
ucase($maskvar)
; specified rights so far only include FC & R. Could be expanded though
CASE
"F"
$ace.accessmask = RIGHT_FULL
CASE
"C"
$ace.accessmask = RIGHT_READ OR RIGHT_WRITE OR RIGHT_EXECUTE OR RIGHT_DELETE
CASE
"R"
$ace.accessmask = RIGHT_READ OR RIGHT_EXECUTE
ENDSELECT

$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace $ace
$ace=nothing
ENDFUNCTION



But gets stuck in ubound

Top
#132541 - 2005-01-18 09:20 AM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
Sorry forgot to login.
Top
#132542 - 2005-01-18 07:26 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
This is the last I can make of it, I get no error returns anymore but it doesn't work either :/
If anyone can take a look at it I'd appreciate it.

Code:

$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity")
$textusr = "BLAH\testuser"
$userdir = "\\PC-BLAH-XP-4\d$\TEST"
$filenm = $userdir
$permspart = "add(" + $textusr + ":E)+add(Administrators:F)"
;-- Replace ACL on single file or folder-------
ChangeAcls($filenm, $permspart, "EDIT", "FOLDER")
; $ofs=nothing

;############################################### Functions ##########################################################

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
;- Edit ACLS of specified file -----
$ADS_ACETYPE_ACCESS_ALLOWED = "0"
$ADS_ACETYPE_ACCESS_DENIED = "1"
$ADS_ACEFLAG_INHERIT_ACE = "2"
$ADS_ACEFLAG_SUB_NEW = "9"
$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
$dacl = $sd.discretionaryacl
;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace($existingace)
NEXT
ENDIF

;break up Perms into individual actions
$cmdarray=split($perms,"+")

For $x = 0 to Ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
EndIf

$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]

; if flagged edit, delete ACE's belonging to user about to add an ace for

IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF

$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)

IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
ELSE
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, "0")
ENDIF
ENDIF
NEXT

FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl

IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee,"\"))
$ace.trustee=newtrustee
ENDIF
NEXT
ENDFUNCTION

FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$RIGHT_READ = +H80000000
$RIGHT_EXECUTE = +H20000000
$RIGHT_WRITE = +H40000000
$RIGHT_DELETE = +H10000
$RIGHT_FULL = +H10000000
$RIGHT_CHANGE_PERMS = +H40000
$RIGHT_TAKE_OWNERSHIP = +H80000

$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee

$case = ucase($maskvar)
SELECT

CASE ($case = "F")
$ace.accessmask = $RIGHT_FULL
CASE ($case = "C")
$ace.accessmask = $RIGHT_READ OR $RIGHT_WRITE OR $RIGHT_EXECUTE OR $RIGHT_DELETE
CASE ($case = "R")
$ace.accessmask = $RIGHT_READ OR $RIGHT_EXECUTE
CASE ($case = "E")
$ace.accessmask = $RIGHT_EXECUTE
ENDSELECT

$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace($ace.trustee)
ENDFUNCTION


Top
#132543 - 2005-01-18 08:42 PM Re: VBS to Kix translation
Allen Administrator Online   shocked
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4549
Loc: USA
I have not tried your code, and am certainly not an expert when it comes to HEX and bitwise code... but I think I see some things that may help... I'm sure others around here could verify this better than I.

No need for the quotes around the numbers:
Code:
  
$ADS_ACETYPE_ACCESS_ALLOWED = "0"
$ADS_ACETYPE_ACCESS_DENIED = "1"
$ADS_ACEFLAG_INHERIT_ACE = "2"
$ADS_ACEFLAG_SUB_NEW = "9"



If these are HEX values shouldn't they be like $hex=&H0000
Code:
 
$RIGHT_READ = +H80000000
$RIGHT_EXECUTE = +H20000000
$RIGHT_WRITE = +H40000000
$RIGHT_DELETE = +H10000
$RIGHT_FULL = +H10000000
$RIGHT_CHANGE_PERMS = +H40000
$RIGHT_TAKE_OWNERSHIP = +H80000



Shouldn't the code below be using "|" instead of OR
Code:
 
CASE ($case = "C")
$ace.accessmask = $RIGHT_READ OR $RIGHT_WRITE OR $RIGHT_EXECUTE OR $RIGHT_DELETE
CASE ($case = "R")
$ace.accessmask = $RIGHT_READ OR $RIGHT_EXECUTE



Hope this helps.

Top
#132544 - 2005-01-19 10:55 AM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
ok I changed that part but still no dice, I have to put the hex values in quotation marks else I get error in expression stuff.
Code:

$RIGHT_READ = "&H80000000"
$RIGHT_EXECUTE = "&H20000000"
$RIGHT_WRITE = "&H40000000"
$RIGHT_DELETE = "&H10000"
$RIGHT_FULL = "&H10000000"
$RIGHT_CHANGE_PERMS = "&H40000"
$RIGHT_TAKE_OWNERSHIP = "&H80000"



Also changed the OR to |.

Top
#132545 - 2005-01-19 11:03 AM Re: VBS to Kix translation
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Drop the 'H':
Code:
$RIGHT_READ = &80000000
$RIGHT_EXECUTE = &20000000
$RIGHT_WRITE = &40000000
$RIGHT_DELETE = &10000
$RIGHT_FULL = &10000000
$RIGHT_CHANGE_PERMS = &40000
$RIGHT_TAKE_OWNERSHIP = &80000


Top
#132546 - 2005-01-19 11:58 AM Re: VBS to Kix translation
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
hmm...

k, I had to place this here as said I remembered the discussion.
not so short time ago but relevant info, no?
http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Board=UBB2&Number=58027
_________________________
!

download KiXnet

Top
#132547 - 2005-01-19 01:34 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
That's entirely relevant, because the code I am working on is from Kent Dyer, his post in the link you pasted is the code I am trying to translate thoroughly to kix. The code he pasted is a VBS script converted to kix with VBS2KIX, I made the effort of trying to get it to work as it should in kix, still am...
Top
#132548 - 2005-01-19 05:05 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
You are right about the "H" thing, the &80000 values are resolved ok to Hex values. Thanks for that

The script now works without errors, however it doesn't set the permissions still :/

Top
#132549 - 2005-01-19 05:32 PM Re: VBS to Kix translation
jtokach Offline
Seasoned Scripter
*****

Registered: 2001-11-15
Posts: 513
Loc: PA, USA
I've been down this road before and gave up due to the complexity of this and time constraints. I opted to wrap SetACL. GL, and keep us posted. Here you go:

WMI Security Descriptor Objects
_________________________
-Jim

...the sort of general malaise that only the genius possess and the insane lament.

Top
#132550 - 2005-01-19 06:08 PM Re: VBS to Kix translation
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
about the rights masks, orring will not get you anywhere.
this:
Code:

CASE ($case = "F")
$ace.accessmask = $RIGHT_FULL
CASE ($case = "C")
$ace.accessmask = $RIGHT_READ OR $RIGHT_WRITE OR $RIGHT_EXECUTE OR $RIGHT_DELETE
CASE ($case = "R")
$ace.accessmask = $RIGHT_READ OR $RIGHT_EXECUTE
CASE ($case = "E")
$ace.accessmask = $RIGHT_EXECUTE



should most likely be:
Code:

CASE ($case = "F")
$ace.accessmask = $RIGHT_FULL
CASE ($case = "C")
$ace.accessmask = $RIGHT_READ + $RIGHT_WRITE + $RIGHT_EXECUTE + $RIGHT_DELETE
CASE ($case = "R")
$ace.accessmask = $RIGHT_READ + $RIGHT_EXECUTE
CASE ($case = "E")
$ace.accessmask = $RIGHT_EXECUTE



why?
I haven't checked the code nor tested nor read about anything but from old stuff know that security masks are "incrementals"

and to prove my point, doing or:
$ace = 1 or 1

will always give you 1 (or true)
doing:
$ace = 253254324 or 460943590843

will always give you 1.
that's the nature of it

so, no wonder if it does not set security if instead of huge number it gets 1, right?
_________________________
!

download KiXnet

Top
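Added example (not part of any post in this thread, and not the Microsoft or KiXtart code): a Python sketch of how the rights constants posted above combine into an ACE access mask, comparing bitwise OR, addition and a boolean OR, and parsing the thread's `add(user:F)+add(group:F)` permission string. The function names are hypothetical, and the sample trustees are the ones used in the posts.

```python
import re

# Rights constants as posted in the thread (Windows generic/standard rights).
RIGHT_READ = 0x80000000
RIGHT_WRITE = 0x40000000
RIGHT_EXECUTE = 0x20000000
RIGHT_FULL = 0x10000000
RIGHT_DELETE = 0x00010000

# Letter -> rights, mirroring the SELECT block in the posted addace().
RIGHTS = {
    "F": [RIGHT_FULL],
    "C": [RIGHT_READ, RIGHT_WRITE, RIGHT_EXECUTE, RIGHT_DELETE],
    "R": [RIGHT_READ, RIGHT_EXECUTE],
    "E": [RIGHT_EXECUTE],
}

# One action of the permission string: add(trustee:letter) or del(trustee:letter).
SPEC = re.compile(r"^(add|del)\(([^:()]+):([A-Za-z])\)$", re.IGNORECASE)


def bitwise_mask(rights):
    """Combine rights bit by bit; repeating a right does not change the result."""
    mask = 0
    for right in rights:
        mask |= right
    return mask


def logical_mask(rights):
    """A boolean OR only answers true/false, so any non-zero operand gives 1."""
    return int(any(rights))


def to_int32(mask):
    """The same 32 bits read as a signed 32-bit integer (a COM Long)."""
    return mask - (1 << 32) if mask & 0x80000000 else mask


def parse_perms(perms):
    """Split 'add(user:F)+add(group:R)' into (action, trustee, mask) tuples.

    Malformed actions and unknown right letters raise ValueError, so a bad
    spec can never fall through to an empty (zero) access mask.
    """
    result = []
    for part in perms.split("+"):
        match = SPEC.match(part.strip())
        if not match or match.group(3).upper() not in RIGHTS:
            raise ValueError(f"bad permission spec: {part!r}")
        action, trustee, letter = match.group(1), match.group(2), match.group(3)
        result.append((action.upper(), trustee, bitwise_mask(RIGHTS[letter.upper()])))
    return result
```

Addition gives the same mask as bitwise OR only while every right appears once; a mask of 1 grants just FILE_READ_DATA (list directory on a folder), which is why a boolean OR leaves the ACE without the intended rights.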
#132551 - 2005-01-19 06:08 PM Re: VBS to Kix translation
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Well, I've added some debug statements and at this point in your ChangeACLS function:
Code:
  udfDEBUG("About to GetSecurityDescriptor")
$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
If @ERROR "Failed to get DACL" Exit @ERROR EndIf
udfDEBUG("Past GetSecurityDescriptor")



I get the "About to GetSecurityDescriptor" message, but then nothing. KiXtart exits in the GetSecurityDescriptor call with no error message.

Top