#132552 - 2005-01-19 06:09 PM Re: VBS to Kix translation
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
oh, and for kixtart OR and | are exactly the same thing.
#132553 - 2005-01-19 06:30 PM Re: VBS to Kix translation
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:

oh, and for kixtart OR and | are exactly the same thing.

No, they are very definitely different. One is a logical operator, the other a bitwise operator.

Logical operators can only deal with true and false inputs.

#132554 - 2005-01-19 06:39 PM Re: VBS to Kix translation
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
right.
how come I still make these stupid arguments without thinking a bit?
#132555 - 2005-01-19 07:32 PM Re: VBS to Kix translation
krabourn Offline
Hey THIS is FUN
*****

Registered: 2000-12-11
Posts: 244
Loc: San Antonio, Texas, USA
Here is some test code that I have. It might help.
Code:
BREAK ON
; The folder C:\Temp must exist.

$wmiFileSecSetting = GetObject("winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\Temp'")
$objMethod = $wmiFileSecSetting.Methods_.Item("GetSecurityDescriptor")
$objRegOut = $wmiFileSecSetting.ExecMethod_($objMethod.Name)
IF @Error <> 0
? "GetSecurityDescriptor failed" + @CRLF + @Error + @CRLF + @SError
QUIT 1
ELSE
? "GetSecurityDescriptor succeeded"
ENDIF
$wmiSecurityDescriptor = $objRegOut.Descriptor

; Retrieve the DACL array of Win32_ACE objects.
$DACL = $wmiSecurityDescriptor.DACL
FOR EACH $wmiAce IN $DACL
? "Access Mask: " + $wmiAce.AccessMask
? "ACE Type: " + $wmiAce.AceType
; Get Win32_Trustee object from ACE
$Trustee = $wmiAce.Trustee
? "Trustee Domain: " + $Trustee.Domain
? "Trustee Name: " + $Trustee.Name
? "Trustee SID: " + $Trustee.SIDString
NEXT

_________________________
Kelly

#132556 - 2005-01-19 09:08 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
To Jooel:
Well the Orring got me for a sec too, so for testing purposes I removed the CASE stuff and set the $ace.AccessMask to &80000, just to be on the safe side that that should work. (&80000 being Full Owner)

To Richard H.:
So far I debugged every variable I've set in this script and I can read the variables OK, I even get all the ACEs and their stuff returned, just add this piece of code:
Code:

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
;- Edit ACLS of specified file -----
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ADS_ACETYPE_ACCESS_DENIED = &1
$ADS_ACEFLAG_INHERIT_ACE = &2
$ADS_ACEFLAG_SUB_NEW = &9

$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
For Each $ace in $sd.DiscretionaryACL
? "Name="$ACE.Trustee
? "Type="$ACE.AceType
? "Mask="$ACE.AccessMask
Next


Place the for loop there and you will get a nice view on who has access to the folder you are trying to set rights to. I am calling it quits for this evening so I will paste my current progress.

Code:

;##################################################### Script #########################################################

$sec = CreateObject("ADsSecurity")
$textusr = "TESTDOMAIN\testuser"
$userdir = "\\PC-TESTDOMAIN-XP-2\d$\TEST"
$filenm = $userdir
$permspart = "add(" + $textusr + ":R)+add(Administrator:F)"
;-- Replace ACL on single file or folder-------
ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")

;############################################### Functions ##########################################################

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
;- Edit ACLS of specified file -----
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ADS_ACETYPE_ACCESS_DENIED = &1
$ADS_ACEFLAG_INHERIT_ACE = &2
$ADS_ACEFLAG_SUB_NEW = &9

$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
; For Each $ace in $sd.DiscretionaryACL
; ? "Name="$ACE.Trustee
; ? "Type="$ACE.AceType
; ? "Mask="$ACE.AccessMask
; Next
$dacl = $sd.DiscretionaryACL
;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace($existingace)
NEXT
ENDIF

;break up Perms into individual actions
$cmdarray=split($perms,"+")

For $x = 0 to Ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
EndIf

$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]

; if flagged edit, delete ACE;s belonging to user about to add an ace for
IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF

$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)

IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
ELSE
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, &0)
ENDIF
ENDIF
NEXT

; FOR EACH $ace IN $dacl
; ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
; IF instr(ucase($ace.trustee),"NT AUTHORITY\")
; $newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee,"\"))
; $ace.trustee=newtrustee
; ENDIF
; NEXT

; final sets and cleanup
; $sd.discretionaryacl = $dacl
; $sec.setsecuritydescriptor $sd
; $sd=""
$dacl=""
; $sec=""
ENDFUNCTION

FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$ADS_RIGHT_GENERIC_READ = &80000000
$ADS_RIGHT_GENERIC_EXECUTE = &20000000
$ADS_RIGHT_GENERIC_WRITE = &40000000
$ADS_RIGHT_DELETE = &10000
$ADS_RIGHT_GENERIC_ALL = &10000000
$ADS_RIGHT_WRITE_DAC = &40000
$ADS_RIGHT_WRITE_OWNER = &80000
$ADS_ACEFLAG_UNKNOWN = &1
$ADS_ACEFLAG_INHERITED_ACE = &10
$ADS_ACETYPE_ACCESS_ALLOWED = 0

$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee

$case = ucase($maskvar)
SELECT
; CASE
; ucase($maskvar)
; specified rights so far only include FC & R. Could be expanded though
CASE ($case = "F")
$ace.AccessMask = $ADS_RIGHT_GENERIC_ALL
CASE ($case = "C")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ OR $ADS_RIGHT_GENERIC_WRITE OR $ADS_RIGHT_GENERIC_EXECUTE OR $ADS_RIGHT_DELETE
CASE ($case = "R")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ OR $ADS_RIGHT_GENERIC_EXECUTE
CASE ($case = "E")
$ace.AccessMask = $ADS_RIGHT_GENERIC_EXECUTE
ENDSELECT
$ace.AccessMask = &80000
$ace.AceType = $acetype
$ace.AceFlags = $aceflags
$dacl.addace($ace)
ReorderDacl($dacl)
$sd.discretionaryacl = $dacl
; $sec.setsecuritydescriptor $sd
ENDFUNCTION

Function ReorderDacl($dacl)
;
; Initialize all of the new ACLs
;
; VBS methods of creating the ACL bins
;
$newdacl = CreateObject("AccessControlList")
$ImpDenyDacl = CreateObject("AccessControlList")
$InheritedDacl = CreateObject("AccessControlList")
$ImpAllowDacl = CreateObject("AccessControlList")
$InhAllowDacl = CreateObject("AccessControlList")
$ImpDenyObjectDacl = CreateObject("AccessControlList")
$ImpAllowObjectDacl = CreateObject("AccessControlList")
;
; Sift the DACL into 5 bins:
; Inherited Aces
; Implicit Deny Aces
; Implicit Deny Object Aces
; Implicit Allow Aces
; Implicit Allow object aces
;
For Each $ace In $dacl
;
; Sort the original ACEs into their appropriate
; ACLs
;
If (($ace.AceFlags AND $ADS_ACEFLAG_INHERITED_ACE) = $ADS_ACEFLAG_INHERITED_ACE)
;
; Don't really care about the order of inherited aces. Since we are
; adding them to the top of a new list, when they are added back
; to the Dacl for the object, they will be in the same order as
; they were originally. Just a positive side affect of adding items
; of a LIFO ( Last In First Out) type list.
;
$InheritedDacl.AddAce($ace)
Else
;
; We have an Implicit ACE, lets put it the proper pool
;
Select Case ace.AceType
Case $ADS_ACETYPE_ACCESS_ALLOWED
;
; We have an implicit allow ace
;
$ImpAllowDacl.AddAce($ace)
Case $ADS_ACETYPE_ACCESS_DENIED
;
; We have a implicit Deny ACE
;
$ImpDenyDacl.AddAce($ace)
Case $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
;
; We have an object allowed ace
; Does it apply to a property? or an Object?
;
$impAllowObjectDacl.AddAce($ace)
Case $ADS_ACETYPE_ACCESS_DENIED_OBJECT
;
; We have a object Deny ace
;
$ImpDenyObjectDacl.AddAce($ace)
EndSelect
EndIf
Next
;
; Combine the ACEs in the proper order
; Implicit Deny
; Implicit Deny Object
; Implicit Allow
; Implicit Allow Object
; Inherited aces
;
; Implicit Deny
;
For Each $ace In $ImpDenyDacl
$newdacl.AddAce($ace)
Next
;
; Implicit Deny Object
;
For Each $ace In $ImpDenyObjectDacl
$newdacl.AddAce($ace)
Next
;
; Implicit Allow
;
For Each $ace In $ImpAllowDacl
$newdacl.AddAce($ace)
Next
;
; Implicit Allow Object
;
For Each $ace In $impAllowObjectDacl
$newdacl.AddAce($ace)
Next
;
; Inherited Aces
;
For Each $ace In $InheritedDacl
$newdacl.AddAce($ace)
Next
;
; Clean up
;
$InheritedDacl = ""
$ImpAllowDacl = ""
$ImpDenyObjectDacl = ""
$ImpDenyDacl = ""
;
; Set the appropriate revision level
; for the DACL
;
$newdacl.AclRevision = $dacl.AclRevision
;
; Replace the Security Descriptor
;
$dacl = ""
$dacl = $newdacl
EndFunction
#132557 - 2005-01-19 09:20 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
So far the ChangeACLS works as it should, because you can verify (by the commented-out for loop) that it returns the ACLs of the current users. It's the AddAce function that doesn't work properly yet. Here's the code so far:

Code:

;##################################################### Script #########################################################

$sec = CreateObject("ADsSecurity")
$textusr = "TESTDOMAIN\testuser"
$userdir = "\\PC-TESTDOMAIN-XP-2\d$\TEST"
$filenm = $userdir
$permspart = "add(" + $textusr + ":R)+add(Administrator:F)"
;-- Replace ACL on single file or folder-------
ChangeAcls($filenm, $permspart, "REPLACE", "FOLDER")

;############################################### Functions ##########################################################

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
;- Edit ACLS of specified file -----
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ADS_ACETYPE_ACCESS_DENIED = &1
$ADS_ACEFLAG_INHERIT_ACE = &2
$ADS_ACEFLAG_SUB_NEW = &9

$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
; For Each $ace in $sd.DiscretionaryACL
; ? "Name="$ACE.Trustee
; ? "Type="$ACE.AceType
; ? "Mask="$ACE.AccessMask
; Next
$dacl = $sd.DiscretionaryACL
;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace($existingace)
NEXT
ENDIF

;break up Perms into individual actions
$cmdarray=split($perms,"+")

For $x = 0 to Ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
EndIf

$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]

; if flagged edit, delete ACE;s belonging to user about to add an ace for
IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF

$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)

IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
ELSE
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, &0)
ENDIF
ENDIF
NEXT

; FOR EACH $ace IN $dacl
; ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
; IF instr(ucase($ace.trustee),"NT AUTHORITY\")
; $newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee,"\"))
; $ace.trustee=newtrustee
; ENDIF
; NEXT

; final sets and cleanup
; $sd.discretionaryacl = $dacl
; $sec.setsecuritydescriptor $sd
; $sd=""
$dacl=""
; $sec=""
ENDFUNCTION

FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$ADS_RIGHT_GENERIC_READ = &80000000
$ADS_RIGHT_GENERIC_EXECUTE = &20000000
$ADS_RIGHT_GENERIC_WRITE = &40000000
$ADS_RIGHT_DELETE = &10000
$ADS_RIGHT_GENERIC_ALL = &10000000
$ADS_RIGHT_WRITE_DAC = &40000
$ADS_RIGHT_WRITE_OWNER = &80000
$ADS_ACEFLAG_UNKNOWN = &1
$ADS_ACEFLAG_INHERITED_ACE = &10
$ADS_ACETYPE_ACCESS_ALLOWED = 0

$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee

$case = ucase($maskvar)
SELECT
; CASE
; ucase($maskvar)
; specified rights so far only include FC & R. Could be expanded though
CASE ($case = "F")
$ace.AccessMask = $ADS_RIGHT_GENERIC_ALL
CASE ($case = "C")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ OR $ADS_RIGHT_GENERIC_WRITE OR $ADS_RIGHT_GENERIC_EXECUTE OR $ADS_RIGHT_DELETE
CASE ($case = "R")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ OR $ADS_RIGHT_GENERIC_EXECUTE
CASE ($case = "E")
$ace.AccessMask = $ADS_RIGHT_GENERIC_EXECUTE
ENDSELECT
$ace.AccessMask = &80000
$ace.AceType = $acetype
$ace.AceFlags = $aceflags
$dacl.AddAce($ace)
ReorderDacl($dacl)
$sd.DiscretionaryAcl = $dacl
$sec.SetSecurityDescriptor($sd)
ENDFUNCTION

Function ReorderDacl($dacl)
$newdacl = CreateObject("AccessControlList")
$ImpDenyDacl = CreateObject("AccessControlList")
$InheritedDacl = CreateObject("AccessControlList")
$ImpAllowDacl = CreateObject("AccessControlList")
$InhAllowDacl = CreateObject("AccessControlList")
$ImpDenyObjectDacl = CreateObject("AccessControlList")
$ImpAllowObjectDacl = CreateObject("AccessControlList")
For Each $ace In $dacl
If (($ace.AceFlags AND $ADS_ACEFLAG_INHERITED_ACE) = $ADS_ACEFLAG_INHERITED_ACE)
$InheritedDacl.AddAce($ace)
Else
Select Case ace.AceType
Case $ADS_ACETYPE_ACCESS_ALLOWED
$ImpAllowDacl.AddAce($ace)
Case $ADS_ACETYPE_ACCESS_DENIED

$ImpDenyDacl.AddAce($ace)
Case $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

$impAllowObjectDacl.AddAce($ace)
Case $ADS_ACETYPE_ACCESS_DENIED_OBJECT

$ImpDenyObjectDacl.AddAce($ace)
EndSelect
EndIf
Next
For Each $ace In $ImpDenyDacl
$newdacl.AddAce($ace)
Next

For Each $ace In $ImpDenyObjectDacl
$newdacl.AddAce($ace)
Next

For Each $ace In $ImpAllowDacl
$newdacl.AddAce($ace)
Next

For Each $ace In $impAllowObjectDacl
$newdacl.AddAce($ace)
Next

For Each $ace In $InheritedDacl
$newdacl.AddAce($ace)
Next
$InheritedDacl = ""
$ImpAllowDacl = ""
$ImpDenyObjectDacl = ""
$ImpDenyDacl = ""
$newdacl.AclRevision = $dacl.AclRevision
$dacl = ""
$dacl = $newdacl
EndFunction


#132558 - 2005-01-20 01:09 AM Re: VBS to Kix translation
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
According to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsaccesscontrollist_addace.asp and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/example_code_for_creating_a_security_descriptor.asp your ACLs are not being committed.
_________________________
There are two types of vessels, submarines and targets.

#132559 - 2005-01-20 06:28 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
Ladies and Gents, I am proud to announce that it is working!!! Perfectly too I might add. I wanna thank all of you who helped me through this quest, I couldn't have done it without you. It works like a f00kin charm. To show my gratitude I'll paste the working code:
Code:

;##################################################### Script #########################################################

$sec = CreateObject("ADsSecurity")
$textusr = "DOMAIN\testuser"
$userdir = "\\PC-DOMAIN-XP-4\d$\TEST"
$filenm = $userdir
$permspart = "add(" + $textusr + ":R)+add(Administrators:F)"

;-- Replace ACL on single file or folder-------
ChangeAcls($filenm, $permspart, "EDIT", "FOLDER")

;############################################### Functions ##########################################################

FUNCTION ChangeAcls($file, $perms, $redit, $ffolder)
;- Edit ACLS of specified file -----
$ADS_ACETYPE_ACCESS_ALLOWED = 0
$ADS_ACETYPE_ACCESS_DENIED = &1
$ADS_ACEFLAG_INHERIT_ACE = &2
$ADS_ACEFLAG_SUB_NEW = &9

$sd = $sec.GetSecurityDescriptor("FILE://" + $file)
; For Each $ace in $sd.DiscretionaryACL
; ? "Name="$ACE.Trustee
; ? "Type="$ACE.AceType
; ? "Mask="$ACE.AccessMask
; Next
$dacl = $sd.DiscretionaryACL
;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace($existingace)
NEXT
ENDIF

;break up Perms into individual actions
$cmdarray=split($perms,"+")

For $x = 0 to Ubound($cmdarray)
$tmpvar1=$cmdarray[$x]
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
EndIf

$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts[0]
$rightvar=$cmdparts[1]

; if flagged edit, delete ACE;s belonging to user about to add an ace for
IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF

$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)

IF $uctrunamevar=$ucnamevar
$dacl.removeace($existingace)
ENDIF
NEXT
ENDIF
; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_SUB_NEW)
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, $ADS_ACEFLAG_INHERIT_ACE)
ELSE
addace($dacl, $namevar, $rightvar, $ADS_ACETYPE_ACCESS_ALLOWED, &0)
ENDIF
ENDIF
NEXT

; FOR EACH $ace IN $dacl
; ; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
; IF instr(ucase($ace.trustee),"NT AUTHORITY\")
; $newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee,"\"))
; $ace.trustee=newtrustee
; ENDIF
; NEXT

; cleanup
$dacl=""
ENDFUNCTION

FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
$ADS_RIGHT_GENERIC_READ = &80000000
$ADS_RIGHT_GENERIC_EXECUTE = &20000000
$ADS_RIGHT_GENERIC_WRITE = &40000000
$ADS_RIGHT_DELETE = &10000
$ADS_RIGHT_GENERIC_ALL = &10000000
$ADS_RIGHT_WRITE_DAC = &40000
$ADS_RIGHT_WRITE_OWNER = &80000
$ADS_ACEFLAG_UNKNOWN = &1
$ADS_ACEFLAG_INHERITED_ACE = &10
$ADS_ACETYPE_ACCESS_ALLOWED = 0

$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee

$case = ucase($maskvar)
SELECT
; specified rights so far only include FC & R. Could be expanded though
CASE ($case = "F")
$ace.AccessMask = $ADS_RIGHT_GENERIC_ALL
CASE ($case = "C")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_WRITE + $ADS_RIGHT_GENERIC_EXECUTE + $ADS_RIGHT_DELETE
CASE ($case = "R")
$ace.AccessMask = $ADS_RIGHT_GENERIC_READ + $ADS_RIGHT_GENERIC_EXECUTE
CASE ($case = "E")
$ace.AccessMask = $ADS_RIGHT_GENERIC_EXECUTE
ENDSELECT
$ace.AceFlags = $aceflags
$dacl.AddAce($ace)
$sd.DiscretionaryAcl = $dacl
$sec.SetSecurityDescriptor($sd)
ENDFUNCTION


#132560 - 2005-01-20 10:50 PM Re: VBS to Kix translation
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4549
Loc: USA
You've come this far... why not clean these up, add a header, and add these to the UDFs.
#132561 - 2005-01-21 12:22 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
I will, thanks for mentioning that. Will post it tonight or this weekend.
#132562 - 2005-01-22 11:40 PM Re: VBS to Kix translation
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
So, what was the problem? That the ACL wasn't committed to the object?
_________________________
There are two types of vessels, submarines and targets.

#132563 - 2005-01-25 02:33 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
Yup, that was the problem, I cleaned it up a bit and submitted the function (All Thank you's in place as well)
#132564 - 2005-01-25 02:38 PM Re: VBS to Kix translation
maciep Offline
Korg Regular
*****

Registered: 2002-06-14
Posts: 947
Loc: Pittsburgh
nicely done! but i just have to warn you that you'll probably get pulled over by the "code tag" police in the udf forum. So i would suggest you edit that post to add code tags.

too late


Edited by maciep (2005-01-25 02:39 PM)
_________________________
Eric

#132565 - 2005-01-25 02:39 PM Re: VBS to Kix translation
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Too late. The Code Tags division never sleeps.
#132566 - 2005-01-25 03:34 PM Re: VBS to Kix translation
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
And the follow-the-guidelines division also already reared its ugly head.
_________________________
There are two types of vessels, submarines and targets.

#132567 - 2005-01-25 03:45 PM Re: VBS to Kix translation
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4549
Loc: USA
Sorry apronk... I forgot to mention adding your UDFs would unleash the hounds
#132568 - 2005-01-26 09:35 AM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
argh... All right, I'll change it and make it "kixtart.org compliant" as soon as I find some time this week. Thx for mentioning it
#132569 - 2005-01-26 10:34 AM Re: VBS to Kix translation
Jochen Administrator Offline
KiX Supporter
*****

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
If you have anything unclear about the guidelines in udf forum leave me a pm and I'll try to explain ...

Edited by Jochen (2005-01-26 10:35 AM)
#132570 - 2005-02-08 08:50 AM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
Hi all, I am sorry I haven't replied in some time. The workload is a bit much the last few weeks. Anyway I'm not submitting the function just yet, I found out that it still misses one important thing, setting the owner. As soon as that's done I will submit it. If anyone has any suggestions I'd be glad to hear them.
#132571 - 2005-03-24 07:01 PM Re: VBS to Kix translation
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
Sorry it is taking so long to submit again, but I have found some problems that remain. First, the ACEs have to be "reordered", which presents problem #1. Also, the owner of the main folder has to be set properly so the subfolders can inherit the rights properly, which is problem #2. When I have solved those 2 probs I will submit the function, but as it is at the moment the whole script consists of 3 functions, one of which isn't working yet. If anyone can shed some light on the owner or reorder problem please do so.

I am working on the script most of my free time, so although it takes a while, once it is finished a lot of ppl will benefit from this.
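
The ACE ordering that the ReorderDacl function earlier in this thread sorts into, together with the rights letters handled by addace, as an added example: this is a Python model written for this page, not KiXtart and not code from any poster. The sample DACL and its trustee names are constructed, and the two `*_OBJECT` ACE-type values are not defined anywhere in the thread; they are taken from the ADSI `ADS_ACETYPE_ENUM`.

```python
from dataclasses import dataclass

# Values as written in the thread's KiXtart code (&-prefixed hex there).
ADS_ACETYPE_ACCESS_ALLOWED = 0x0
ADS_ACETYPE_ACCESS_DENIED = 0x1
ADS_ACEFLAG_INHERIT_ACE = 0x2
ADS_ACEFLAG_INHERITED_ACE = 0x10
ADS_RIGHT_GENERIC_READ = 0x80000000
ADS_RIGHT_GENERIC_WRITE = 0x40000000
ADS_RIGHT_GENERIC_EXECUTE = 0x20000000
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_RIGHT_DELETE = 0x10000
# Assumption: not defined in the thread; values from the ADSI ADS_ACETYPE_ENUM.
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6

# Rights letters accepted by the thread's addace(). Flags are combined with
# bitwise OR; a logical OR would collapse them to a true/false value.
RIGHTS = {
    "F": ADS_RIGHT_GENERIC_ALL,
    "C": (ADS_RIGHT_GENERIC_READ | ADS_RIGHT_GENERIC_WRITE
          | ADS_RIGHT_GENERIC_EXECUTE | ADS_RIGHT_DELETE),
    "R": ADS_RIGHT_GENERIC_READ | ADS_RIGHT_GENERIC_EXECUTE,
    "E": ADS_RIGHT_GENERIC_EXECUTE,
}

# Positions in the order listed in ReorderDacl's comments: deny, deny object,
# allow, allow object, then inherited ACEs last.
EXPLICIT_RANK = {
    ADS_ACETYPE_ACCESS_DENIED: 0,
    ADS_ACETYPE_ACCESS_DENIED_OBJECT: 1,
    ADS_ACETYPE_ACCESS_ALLOWED: 2,
    ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: 3,
}
INHERITED_RANK = 4


@dataclass(frozen=True)
class Ace:
    trustee: str
    ace_type: int
    ace_flags: int
    mask: int


def rights_mask(code):
    """Access mask for a rights letter; unknown letters raise instead of
    leaving the mask unset."""
    try:
        return RIGHTS[code.upper()]
    except KeyError:
        raise ValueError("unknown rights code: %r" % code)


def rank(ace):
    """Position of an ACE in the ordering above."""
    if ace.ace_flags & ADS_ACEFLAG_INHERITED_ACE:
        return INHERITED_RANK
    if ace.ace_type not in EXPLICIT_RANK:
        raise ValueError("unhandled ACE type: %#x" % ace.ace_type)
    return EXPLICIT_RANK[ace.ace_type]


def reorder_dacl(aces):
    """Stable sort, so ACEs of the same rank keep their relative order."""
    return sorted(aces, key=rank)


def first_out_of_order(aces):
    """Index of the first ACE placed after a higher-ranked one, or None."""
    highest = 0
    for index, ace in enumerate(aces):
        if rank(ace) < highest:
            return index
        highest = rank(ace)
    return None


# Constructed sample: an inherited allow first, an explicit deny last.
SAMPLE_DACL = [
    Ace("BUILTIN\\Administrators", ADS_ACETYPE_ACCESS_ALLOWED,
        ADS_ACEFLAG_INHERITED_ACE, rights_mask("F")),
    Ace("DOMAIN\\testuser", ADS_ACETYPE_ACCESS_ALLOWED,
        ADS_ACEFLAG_INHERIT_ACE, rights_mask("R")),
    Ace("DOMAIN\\contractor", ADS_ACETYPE_ACCESS_DENIED,
        ADS_ACEFLAG_INHERIT_ACE, rights_mask("C")),
]
```

Running `first_out_of_order` over a DACL read back after a change is a quick audit that an explicit deny has not ended up below an allow.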
