#87221 - 2002-08-07 11:42 PM
XCACLS VB script v2.7 replacement for the executeable
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
|
FYI,
CACLS and XCACLS are Resource Kit utils that were written for NT 4.0
It was discovered that they did not function properly on Windows 2000 but since they were not supported tools Microsoft did not feel the need to fix them.
Then they tried a fix in SP2 to fix CACLS, but there are internal papers at Microsoft that indicate the fix for CACLS.EXE was not always successful.
As for XCACLS, they simply chose to not even attempt a fix.
Microsoft Knowledge Base Article - Q268546
Cacls.exe Orders ACEs Incorrectly When Granting Rights
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q268546
Here is a Visual Basic script written internally at Microsoft that produces the same functionality as the XCACLS.EXE file did, but without the associated problems.
As far as I know, this script is also NOT supported by Microsoft (just as the Resource Kit files are not supported).
The author expressed no objections to me publicly posting it as long as I did not include his email address and let others know that it is not supported by Microsoft.
With that said... here is the latest version which requires WSH v5.6
This script is version 2.7 and is just under 4,000 lines of code (including a lot of highly commented code)
code:
'***********************************************************************************
'*
'* File: XCACLS.VBS
'* Created: April 18, 2001
'* Last Modified: February 26, 2002
'* Version: 2.7
'*
'* Main Function: List/Change ACLS for files and directories
'*
'*
'* Copyright (C) 2001 Microsoft Corporation
'*
'* Written by David B
'*
'***********************************************************************************
OPTION EXPLICIT
'********************************************************************
'* Declare main variables
'********************************************************************
Dim intOpMode, blnQuiet, strOutputFile, objOutputFile, debug_on
Dim a_Used, t_Used, e_Used, g_Used, r_used
Dim p_Used, d_used, i_used, o_used, filename_var
Dim l_Used, q_Used, debug_Used, strDefaultDomain, strSystemDomainSid, strSystemDomainName, intPermUpdateCount
Dim g_var_User(), ObjTrustee_g_var_User(), g_Var_Perm(), g_Var_Spec()
dim r_Var_User(), ObjTrustee_r_var_User()
Dim p_var_User(), ObjTrustee_p_var_User(), p_Var_Perm(), p_Var_Spec()
Dim d_Var_User(), ObjTrustee_d_var_User(), d_Var_Perm(), d_Var_Spec()
ReDim g_var_User(0), ObjTrustee_g_var_User(0), g_Var_Perm(0), g_Var_Spec(0)
Redim r_Var_User(0), ObjTrustee_r_var_User(0)
ReDim p_var_User(0), ObjTrustee_p_var_User(0), p_Var_Perm(0), p_Var_Spec(0)
ReDim d_Var_User(0), ObjTrustee_d_var_User(0), d_Var_Perm(0), d_Var_Spec(0)
Dim i_Var, o_Var
Dim fso, InitialfilenameAbsPath, QryBaseNameHasWildcards, QryExtensionHasWildcards
Dim objService, objLocalService, objLocator
Dim strRemoteServerName, strRemoteShareName, strRemoteUserName, strRemotePassword
Dim RemoteServer_Used, RemoteUserName_Used
Dim DisplayDirPath, ActualDirPath
Dim BoolUsingCScript
Dim endTime, startTime
'This const value is for any use referenced without a domain, if this is TRUE, we will use the local machine name
'for the domain if its a non-dc. For DC's we will always use the Domain name unless you specify the actual domain to use.
'If this is FALSE, we will default to the Domain name.
CONST CONST_USE_LOCAL_FOR_NON_DCs = TRUE
'These are specific to this Script
CONST CONST_SHOW_USAGE = 3
CONST CONST_PROCEED = 4
CONST CONST_ERROR = 1
'When working with NTFS Security, we use constants that match the API documentation
'********************* ControlFlags *********************
CONST ALLOW_INHERIT = 33796 'Used in ControlFlag to turn on Inheritance
'Same as:
'SE_SELF_RELATIVE + SE_DACL_AUTO_INHERITED + SE_DACL_PRESENT
CONST DENY_INHERIT = 37892 'Used in ControlFlag to turn off Inheritance
'Same as:
'SE_SELF_RELATIVE + SE_DACL_PROTECTED + SE_DACL_AUTO_INHERITED + SE_DACL_PRESENT
Const SE_OWNER_DEFAULTED = 1 'A default mechanism, rather than the the original provider of the security
'descriptor, provided the security descriptor's owner security identifier (SID).
Const SE_GROUP_DEFAULTED = 2 'A default mechanism, rather than the the original provider of the security
'descriptor, provided the security descriptor's group SID.
Const SE_DACL_PRESENT = 4 'Indicates a security descriptor that has a DACL. If this flag is not set,
'or if this flag is set and the DACL is NULL, the security descriptor allows
'full access to everyone.
Const SE_DACL_DEFAULTED = 8 'Indicates a security descriptor with a default DACL. For example, if an
'object's creator does not specify a DACL, the object receives the default
'DACL from the creator's access token. This flag can affect how the system
'treats the DACL, with respect to ACE inheritance. The system ignores this
'flag if the SE_DACL_PRESENT flag is not set.
Const SE_SACL_PRESENT = 16 'Indicates a security descriptor that has a SACL.
Const SE_SACL_DEFAULTED = 32 'A default mechanism, rather than the the original provider of the security
'descriptor, provided the SACL. This flag can affect how the system treats
'the SACL, with respect to ACE inheritance. The system ignores this flag if
'the SE_SACL_PRESENT flag is not set.
Const SE_DACL_AUTO_INHERIT_REQ = 256 'Requests that the provider for the object protected by the security descriptor
'automatically propagate the DACL to existing child objects. If the provider
'supports automatic inheritance, it propagates the DACL to any existing child
'objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors
'of the object and its child objects.
Const SE_SACL_AUTO_INHERIT_REQ = 512 'Requests that the provider for the object protected by the security descriptor
'automatically propagate the SACL to existing child objects. If the provider
'supports automatic inheritance, it propagates the SACL to any existing child
'objects, and sets the SE_SACL_AUTO_INHERITED bit in the security descriptors of
'the object and its child objects.
Const SE_DACL_AUTO_INHERITED = 1024 'Windows 2000 only. Indicates a security descriptor in which the DACL is set up
'to support automatic propagation of inheritable ACEs to existing child objects.
'The system sets this bit when it performs the automatic inheritance algorithm
'for the object and its existing child objects. This bit is not set in security
'descriptors for Windows NT versions 4.0 and earlier, which do not support
'automatic propagation of inheritable ACEs.
Const SE_SACL_AUTO_INHERITED = 2048 'Windows 2000: Indicates a security descriptor in which the SACL is set up to
'support automatic propagation of inheritable ACEs to existing child objects.
'The system sets this bit when it performs the automatic inheritance algorithm
'for the object and its existing child objects. This bit is not set in security
'descriptors for Windows NT versions 4.0 and earlier, which do not support automatic
'propagation of inheritable ACEs.
Const SE_DACL_PROTECTED = 4096 'Windows 2000: Prevents the DACL of the security descriptor from being modified
'by inheritable ACEs.
Const SE_SACL_PROTECTED = 8192 'Windows 2000: Prevents the SACL of the security descriptor from being modified
'by inheritable ACEs.
Const SE_SELF_RELATIVE = 32768 'Indicates a security descriptor in self-relative format with all the security
'information in a contiguous block of memory. If this flag is not set, the security
'descriptor is in absolute format. For more information, see Absolute and
'Self-Relative Security Descriptors in the Platform SDK topic Low-Level Access-Control.
'********************* ACE Flags *********************
CONST OBJECT_INHERIT_ACE = 1 'Noncontainer child objects inherit the ACE as an effective ACE. For child
'objects that are containers, the ACE is inherited as an inherit-only ACE
'unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
CONST CONTAINER_INHERIT_ACE = 2 'Child objects that are containers, such as directories, inherit the ACE
'as an effective ACE. The inherited ACE is inheritable unless the
'NO_PROPAGATE_INHERIT_ACE bit flag is also set.
CONST NO_PROPAGATE_INHERIT_ACE = 4 'If the ACE is inherited by a child object, the system clears the
'OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE.
'This prevents the ACE from being inherited by subsequent generations of objects.
CONST INHERIT_ONLY_ACE = 8 'Indicates an inherit-only ACE which does not control access to the object
'to which it is attached. If this flag is not set, the ACE is an effective
'ACE which controls access to the object to which it is attached. Both
'effective and inherit-only ACEs can be inherited depending on the state of
'the other inheritance flags.
CONST INHERITED_ACE = 16 'Windows NT 5.0 and later, Indicates that the ACE was inherited. The system sets
'this bit when it propagates an inherited ACE to a child object.
CONST ACEFLAG_VALID_INHERIT_FLAGS = 31 'Indicates whether the inherit flags are valid.
'Two special flags that pertain only to ACEs that are contained in a SACL are listed below.
CONST SUCCESSFUL_ACCESS_ACE_FLAG = 64 'Used with system-audit ACEs in a SACL to generate audit messages for successful
'access attempts.
CONST FAILED_ACCESS_ACE_FLAG = 128 'Used with system-audit ACEs in a SACL to generate audit messages for failed
'access attempts.
'********************* ACE Types *********************
CONST ACCESS_ALLOWED_ACE_TYPE = 0 'Used with Win32_Ace AceTypes
CONST ACCESS_DENIED_ACE_TYPE = 1 'Used with Win32_Ace AceTypes
CONST AUDIT_ACE_TYPE = 2 'Used with Win32_Ace AceTypes
'********************* Access Masks *********************
Dim Perms_LStr, Perms_SStr, Perms_Const
'Permission LongNames
Perms_LStr=Array("Synchronize" , _
"Take Ownership" , _
"Change Permissions" , _
"Read Permissions" , _
"Delete" , _
"Write Attributes" , _
"Read Attributes" , _
"Delete Subfolders and Files" , _
"Traverse Folder / Execute File", _
"Write Extended Attributes" , _
"Read Extended Attributes" , _
"Create Folders / Append Data" , _
"Create Files / Write Data" , _
"List Folder / Read Data" )
'Permission Single Character codes
Perms_SStr=Array("" , _
"D" , _
"C" , _
"B" , _
"A" , _
"9" , _
"8" , _
"7" , _
"6" , _
"5" , _
"4" , _
"3" , _
"2" , _
"1" )
'Permission Integer
Perms_Const=Array(1048576 , _
&H80000 , _
&H40000 , _
&H20000 , _
&H10000 , _
&H100 , _
&H80 , _
&H40 , _
&H20 , _
&H10 , _
&H8 , _
&H4 , _
&H2 , _
&H1 )
startTime = Timer
'Initializing Default values
a_Used = FALSE
t_Used = FALSE
e_Used = FALSE
g_Used = FALSE
r_used = FALSE
p_Used = FALSE
d_used = FALSE
i_used = FALSE
l_Used = FALSE
q_Used = FALSE
RemoteServer_Used = FALSE
strRemoteServerName = ""
strRemoteShareName = ""
RemoteUserName_Used = FALSE
strRemoteUserName = ""
strRemotePassword = ""
debug_Used = FALSE 'Parameter Passed
filename_var = ""
DisplayDirPath = ""
ActualDirPath = ""
debug_on = FALSE 'Actual value checked in script
blnQuiet = FALSE
strOutputFile = "XCACLS.Log"
BoolUsingCScript = IsEngineCScript()
'Parse the command line
intOpMode = intParseCmdLine()
If Err.Number Then
Wscript.Echo "Error while parsing the command line." & vbcrlf & "Error " & Err.Number & ": " & Err.Description
WScript.Quit
End if
'Open the output file so we can use it through out the script
If l_Used then Call OpenOutputFile()
Call PrintMsg("Starting Script at " & now)
'FSO is used in several funcitons, so lets set it globally.
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
If blnErrorOccurred(" occurred in getting FileSystemObject.") Then WScript.Quit
'Put statements in loop to be able to drop out and clear variables
Do
If debug_on then Call PrintMsg("Main: Enter")
'Lets get to the work to be done...
If Not IsOSSupported() then Exit Do
Call PrintArguments() 'Show the arguments entered
'Now lets do the work based upon the arguments entered.
Select Case intOpMode
Case CONST_SHOW_USAGE
Call ShowUsage()
Case CONST_PROCEED
'Lets get the objService object which is used throughout the script
If Not SetMainVars(filename_var) then Exit Do
Call PrintMsg("")
If g_Used or r_Used or p_Used or d_Used or o_used then
Call CheckTrustees()
End if
If QryBaseNameHasWildcards or QryExtensionHasWildcards then
If debug_on then Call PrintMsg("Wildcard characters detected in """ & InitialfilenameAbsPath & """")
Select Case DoesPathNameExist(fso.GetParentFolderName(InitialfilenameAbsPath))
Case 1 'Directory
Call DoTheWorkOnEverythingUnderDirectory(fso.GetParentFolderName(InitialfilenameAbsPath))
Case Else
Call PrintMsg("Error: Directory """ & fso.GetParentFolderName(InitialfilenameAbsPath) & """ not found.")
End select
Else
If debug_on then Call PrintMsg("No Wildcard characters detected for """ & filename_var & """")
'If a folder is found with the same name, then we work it as a folder and include files under it.
Select Case DoesPathNameExist(InitialfilenameAbsPath)
Case 1 'Directory
Call DoTheWorkOnThisItem(InitialfilenameAbsPath, TRUE)
If t_used or a_used then
Call DoTheWorkOnEverythingUnderDirectory(InitialfilenameAbsPath)
End if
Case 2 'File
Call DoTheWorkOnThisItem(InitialfilenameAbsPath, FALSE)
Case Else
Call PrintMsg("Error: File/Directory """ & InitialfilenameAbsPath & """ not found.")
End select
End if
Case Else
Call PrintMsg("")
Call PrintMsg(intOpMode)
End Select
Call blnErrorOccurred(" occurred while in the main routine of the script.")
If debug_on then Call PrintMsg("Main: Exit")
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objService = Nothing
Set objLocalService = Nothing
Set objLocator = Nothing
Call ClearObjectArray(ObjTrustee_g_var_User)
Call ClearObjectArray(ObjTrustee_r_var_User)
Call ClearObjectArray(ObjTrustee_p_var_User)
Call ClearObjectArray(ObjTrustee_d_var_User)
Call PrintMsg("")
Call PrintMsg("")
endTime = Timer
call PrintMsg("Operation Complete" & vbCrLf & "Elapsed Time: " & (endTime - startTime) & " seconds.")
Call PrintMsg("")
Call PrintMsg("Ending Script at " & now)
Call PrintMsg("")
Call PrintMsg("")
If l_Used then
If strOutputFile <> "" Then
objOutputFile.Close
End if
End if
'********************************************************************
'* End of Main Script
'********************************************************************
'********************************************************************
'*
'* Sub DoTheWorkOnEverythingUnderDirectory()
'* Purpose: Work on Directory path passed to it, and pass paths to DoTheWorkOnThisItem sub
'* Input: ThisPath - Path to directory
'* Output: None
'* Notes: This sub will process every file and folder under the directory passed to it.
'*
'********************************************************************
Sub DoTheWorkOnEverythingUnderDirectory(ThisPath)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Enter")
Dim objFileSystemSet, objPath, objFileSystemSet2, objPath2, strQuery, strTempPath, booltempItsAFolder
Dim f, f1, fc
Do
If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Directory passed: """ & ThisPath & """")
'We already checked for existance so we will assume it exists.
If RemoteServer_Used then
strQuery = "Select * from Cim_LogicalFile Where Name='" & Replace(ThisPath,"\","\\") & "'"
Set objFileSystemSet = objService.ExecQuery(strQuery,,0)
If blnErrorOccurred(" occurred setting objFileSystemSet = objService.ExecQuery(" & strQuery & ",,0).") Then Exit Do
strTempPath = ""
for each objPath in objFileSystemSet
If objPath.Drive <> "" then
strTempPath = objPath.Path & objPath.FileName & "\"
strTempPath = Replace(strTempPath, "\\", "\")
Exit For
End if
next
strQuery = "Select * from Cim_LogicalFile Where Path='" & Replace(strTempPath,"\","\\") & "'"
Set objFileSystemSet2 = objService.ExecQuery(strQuery,,0)
If blnErrorOccurred(" occurred setting objFileSystemSet2 = objService.ExecQuery(" & strQuery & ",,0).") Then Exit Do
for each objPath2 in objFileSystemSet2
strTempPath = ""
booltempItsAFolder = False
If objPath2.Drive <> "" then
If UCASE(objPath2.FileType) = "FILE FOLDER" then booltempItsAFolder = True
strTempPath = objPath2.Name
If QryBaseNameHasWildcards Or QryExtensionHasWildcards then
If DoesItMatch(strTempPath) then
Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder)
End if
If booltempItsAFolder then
If t_used then Call DoTheWorkOnEverythingUnderDirectory(strTempPath)
End if
Else
If booltempItsAFolder then
If t_used then
Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder)
Call DoTheWorkOnEverythingUnderDirectory(strTempPath)
End if
Else
If a_used then
Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder)
End if
End if
End if
End if
next
Else
Set f = fso.GetFolder(ThisPath)
If blnErrorOccurred(" occurred in getting FileSystemObject.GetFolder") Then Exit Do
Set fc = f.Files
For Each f1 in fc
If QryBaseNameHasWildcards Or QryExtensionHasWildcards then
If DoesItMatch(f1.Path) then
Call DoTheWorkOnThisItem(f1.Path, False)
End if
Else
If a_used then Call DoTheWorkOnThisItem(f1.Path, False)
End if
Next
Set fc = Nothing
Set fc = f.SubFolders
For Each f1 in fc
If QryBaseNameHasWildcards Or QryExtensionHasWildcards then
If DoesItMatch(f1.Path) then
Call DoTheWorkOnThisItem(f1.Path, True)
End if
If t_used then Call DoTheWorkOnEverythingUnderDirectory(f1.Path)
Else
If t_used then
Call DoTheWorkOnThisItem(f1.Path, True)
Call DoTheWorkOnEverythingUnderDirectory(f1.Path)
End if
End if
Next
Set fc = Nothing
End if
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set f = Nothing
Set fc = Nothing
Set f1 = Nothing
Set objPath = Nothing
Set objFileSystemSet = Nothing
Set objPath2 = Nothing
Set objFileSystemSet2 = Nothing
Call blnErrorOccurred(" occurred while in the DoTheWorkOnEverythingUnderDirectory routine.")
If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Exit")
End Sub
'********************************************************************
'*
'* Sub DoTheWorkOnThisItem()
'* Purpose: Work on File/Folder passed to it, and pass to Work routine
'* Input: ABSPath - Path to File/Folder
'* Output: TRUE if Successful, FALSE if not
'*
'********************************************************************
Sub DoTheWorkOnThisItem(AbsPath, IsItAFolder)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DoTheWorkOnThisItem: Enter")
Dim DisplayIt
Do
DisplayIt = TRUE
Call PrintMsg("")
Call PrintMsg("**************************************************************************")
If IsItAFolder then
Call PrintMsg("Directory: " & DisplayPathString(AbsPath))
Else
Call PrintMsg("File: " & DisplayPathString(AbsPath))
End if
'We already checked for existance so we will assume it exists.
If g_Used or r_Used or p_Used or d_Used or o_used or i_used then
Call SetACLForObject(AbsPath, IsItAFolder)
DisplayIt = FALSE
End If
If DisplayIt then
Call DisplayThisACL(AbsPath)
End if
Call PrintMsg("**************************************************************************")
Exit Do
Loop
Call blnErrorOccurred(" occurred while in the DoTheWorkOnThisItem routine.")
If debug_on then Call PrintMsg("DoTheWorkOnThisItem: Exit")
End Sub
'********************************************************************
'*
'* Sub DisplayThisACL()
'* Purpose: Shows ACL's that are applied to strPath
'* Input: strPath - string containing path of file or folder, ShowLong - If TRUE, permissions are in long form
'* Output: prints the acls
'*
'********************************************************************
Sub DisplayThisACL(strPath)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DisplayThisACL: Enter")
Dim objFileSecSetting, objOutParams, objSecDescriptor, objOwner, objDACL_Member
Dim objtrustee, numAceFlags, strAceFlags, x, strAceType, numControlFlags, ReturnAceFlags, TempSECString
ReDim arraystrACLS(0)
'Put statements in loop to be able to drop out and clear variables
Do
set objFileSecSetting = objService.Get("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'")
If blnErrorOccurred(" occurred setting Win32_LogicalFileSecuritySetting object.") Then Exit Do
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor")
If blnErrorOccurred(" occurred when this command was issued: GetSecurityDescriptor.") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor
If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
numControlFlags = objSecDescriptor.ControlFlags
If IsArray(objSecDescriptor.DACL) then
Call PrintMsg("")
Call PrintMsg("Permissions:")
Call PrintMsg( strPackString("Type", 9, 1, TRUE) & strPackString("Username", 24, 1, TRUE) & strPackString("Permissions", 22, 1, TRUE) & strPackString("Inheritance", 22, 1, TRUE))
For Each objDACL_Member in objSecDescriptor.DACL
TempSECString = ""
ReturnAceFlags = 0
Select Case objDACL_Member.AceType
Case ACCESS_ALLOWED_ACE_TYPE
strAceType = "Allowed"
Case ACCESS_DENIED_ACE_TYPE
strAceType = "Denied"
Case else
strAceType = "Unknown"
End select
Set objtrustee = objDACL_Member.Trustee
numAceFlags = objDACL_Member.AceFlags
strAceFlags = StringAceFlag(numAceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, FALSE, ReturnAceFlags)
TempSECString = SECString(objDACL_Member.AccessMask,TRUE)
If ReturnAceFlags = 2 then
If TempSECString = "Read and Execute" then
TempSECString = "List Folder Contents"
End if
End if
Call AddStringToArray(arraystrACLS, strPackString(strAceType, 9, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 24, 1, TRUE) & strPackString(TempSECString, 22, 1, TRUE) & strPackString(strAceFlags, 22, 1, TRUE),-1)
Set objtrustee = Nothing
Next
For x = LBound(arraystrACLS) to UBound(arraystrACLS)
Call PrintMsg(arraystrACLS(x))
Next
Else
Call PrintMsg("")
Call PrintMsg("No Permissions set")
End if
ReDim arraystrACLS(0)
If IsArray(objSecDescriptor.SACL) then
Call PrintMsg("")
Call PrintMsg("Auditing:")
Call PrintMsg(strPackString("Type", 9, 1, TRUE) & strPackString("Username", 24, 1, TRUE) & strPackString("Access", 22, 1, TRUE) & strPackString("Inheritance", 22, 1, TRUE))
For Each objDACL_Member in objSecDescriptor.SACL
TempSECString = ""
ReturnAceFlags = 0
Set objtrustee = objDACL_Member.Trustee
numAceFlags = objDACL_Member.AceFlags
strAceType = StringSACLAceFlag(numAceFlags)
strAceFlags = StringAceFlag(numAceFlags, numControlFlags, SE_SACL_AUTO_INHERITED, FALSE, ReturnAceFlags)
TempSECString = SECString(objDACL_Member.AccessMask,TRUE)
If ReturnAceFlags = 2 then
If TempSECString = "Read and Execute" then
TempSECString = "List Folder Contents"
End if
End if
Call AddStringToArray(arraystrACLS, strPackString(strAceType, 9, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 24, 1, TRUE) & strPackString(TempSECString, 22, 1, TRUE) & strPackString(strAceFlags, 22, 1, TRUE),-1)
Set objtrustee = Nothing
Next
For x = LBound(arraystrACLS) to UBound(arraystrACLS)
Call PrintMsg(arraystrACLS(x))
Next
Else
Call PrintMsg("")
Call PrintMsg("No Auditing set")
End if
Set objOwner = objSecDescriptor.Owner
If blnErrorOccurred(" occurred setting objOwner = objSecDescriptor.Owner.") Then Exit Do
Call PrintMsg("")
Call PrintMsg("Owner: " & objOwner.Domain & "\" & objOwner.Name)
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objOwner = Nothing
Set objSecDescriptor = Nothing
Set objDACL_Member = Nothing
Set objtrustee = Nothing
Set objOutParams = Nothing
Set objFileSecSetting = Nothing
Call blnErrorOccurred(" occurred while in the DisplayThisACL routine.")
If debug_on then Call PrintMsg("DisplayThisACL: Exit")
End Sub
'********************************************************************
'*
'* Sub SetACLForObject()
'* Purpose: Set the ACL for the file/folder passed
'* Input: strPath - string containing path of file or folder, IsItAFolder,
'* Output: None
'*
'********************************************************************
Sub SetACLForObject(strPath, IsItAFolder)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("SetACLForObject: Enter")
Dim objFileSecSetting, objmethod, objSecDescriptor
Dim objtrustee, objInParam, objOutParams, objOwner
Dim objParentFileSecSetting, objParentOutParams, objParentSecDescriptor
Dim OldAceObj, ObjNewAce, NewobjDescriptor, RetVal, i_Var_Copy_Temp
Dim BlankDaclObj, OldDaclObj(), NewDaclObj(), ImpDenyDaclObj()
Dim ImpAllowDaclObj(), ImpDenyObjectDaclObj()
Dim objTempTrustee, i, t, ThisUserAccess, RightsToGive, NewRights
Dim intTempAccessMask, boolDoTheUpdate
Dim strOldAccount, strThisAccount, NewArraySize, NewArrayMember, BoolDoThisOne
Dim ControlFlagsVar, BoolAllowInherited, BoolGetInherited, BoolInitialInheritRightsPresent, numControlFlags, ReturnAceFlags
'Put statements in loop to be able to drop out and clear variables
Do
'Initialize all of the new ACL objects
ReDim OldDaclObj(0)
ReDim NewDaclObj(0)
ReDim ImpDenyDaclObj(0)
ReDim ImpAllowDaclObj(0)
ReDim InheritedObjectDaclObj(0)
ReDim BlankDaclObj(0)
BoolAllowInherited = FALSE
BoolGetInherited = FALSE
BoolInitialInheritRightsPresent = FALSE
If debug_on then Call PrintMsg("SetACLForObject: Working on """ & strPath & """")
set objFileSecSetting = objService.Get("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'")
If blnErrorOccurred(" occurred setting Win32_LogicalFileSecuritySetting object.") Then Exit Do
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor")
If blnErrorOccurred(" occurred Setting objOutParams = objFileSecSetting.ExecMethod_(""GetSecurityDescriptor"")") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor
If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
Set objOwner = objSecDescriptor.Owner
If blnErrorOccurred(" occurred setting objOwner = objSecDescriptor.Owner.") Then Exit Do
numControlFlags = objSecDescriptor.ControlFlags
If debug_on then Call PrintMsg("SetACLForObject: Getting DACL array")
If e_Used then
'If e_Used then the old ACL list is maintained, if not we start fresh.
Call GetDaclArray(OldDaclObj,objSecDescriptor, FALSE)
If blnErrorOccurred(" occurred after Calling GetDaclArray(OldDaclObj,objSecDescriptor, FALSE)") Then Exit Do
End if
If UBound(OldDaclObj) = 0 then
'If the array is empty and we need to Copy or Enable Inheritance, we need to set Inheritance and get array again.
If i_used then
'i_var 3 = "REMOVE", if you are not removing Inheritance, you must have the Inherited DACL's
If i_var < 3 then BoolGetInherited = TRUE
End if
Else
'If Copy or Enable Inheritance is set and there was no Inherited Properties, we need to set Inheritance and get array again.
If i_used then
'i_var 3 = "REMOVE", if you are not removing Inheritance, you must have the Inherited DACL's
If i_var < 3 then BoolGetInherited = TRUE
For i = 1 to UBound(OldDaclObj)
If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do
Set OldAceObj = OldDaclObj(i)
If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE, ReturnAceFlags) = "Inherited" then
BoolInitialInheritRightsPresent = TRUE
BoolGetInherited = FALSE
Exit For
End if
Next
End if
End if
If BoolGetInherited Then 'We need the inherited ACE's so lets get them.
If debug_on then Call PrintMsg("SetACLForObject: Inherited ACL's not found and needed, getting from Parent Directory")
'Any existing ACE's will remain in array
Set NewobjDescriptor = objService.Get("Win32_SecurityDescriptor").Spawninstance_
If blnErrorOccurred(" occurred Setting NewobjDescriptor = objService.Get(""Win32_SecurityDescriptor"").Spawninstance_") Then Exit Do
NewobjDescriptor.ControlFlags = ALLOW_INHERIT
If blnErrorOccurred(" occurred setting objSecDescriptor.ControlFlags = ALLOW_INHERIT") Then Exit Do
Set objmethod = objFileSecSetting.Methods_("SetSecurityDescriptor")
If blnErrorOccurred(" occurred setting objmethod = objFileSecSetting.Methods_(""SetSecurityDescriptor"")") Then Exit Do
Set objInParam = objmethod.inParameters.SpawnInstance_()
If blnErrorOccurred(" occurred Setting objInParam = objmethod.inParameters.SpawnInstance_()") Then Exit Do
objInParam.Properties_.item("Descriptor") = NewobjDescriptor
If blnErrorOccurred(" occurred setting objInParam.Properties_.item(""Descriptor"") = NewobjDescriptor") Then Exit Do
Set RetVal = objFileSecSetting.ExecMethod_("SetSecurityDescriptor", objInParam)
If blnErrorOccurred(" occurred setting RetVal = objFileSecSetting.ExecMethod_(""SetSecurityDescriptor"", objInParam)") Then Exit Do
'Now we need to get only the Inherited ACE's (Everyone group may be set if DACL array was empty)
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor")
If blnErrorOccurred(" occurred Setting objOutParams = objFileSecSetting.ExecMethod_(""GetSecurityDescriptor"")") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor
If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
Call GetDaclArray(OldDaclObj,objSecDescriptor, TRUE)
If blnErrorOccurred(" occurred when Calling GetDaclArray(OldDaclObj,objSecDescriptor, TRUE)") Then Exit Do
Set NewobjDescriptor = Nothing
Set objmethod = Nothing
Set objInParam = Nothing
Set RetVal = Nothing
boolDoTheUpdate = TRUE
End if
'Now we have the inherited rights, if one of the revoked users is in the list, then we need to copy the list and turn off inheritance.
If debug_on then Call PrintMsg("SetACLForObject: Looking for Revoke users in Inherited list, if found, Inherited list will be copied to Effective list and inheritance turned off, so we can revoke user")
i_Var_Copy_Temp = FALSE
If r_Used then 'Revoke user if present in Inherited Allowed or Denied lists
If UBound(OldDaclObj) > 0 then
For i = 1 to UBound(OldDaclObj)
If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do
Set OldAceObj = OldDaclObj(i)
If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE, ReturnAceFlags) = "Inherited" then
For t = LBound(r_var_User) to UBound(r_var_User)
If r_Var_User(t) <> "" then
If TrusteesMatch(ObjTrustee_r_var_User(t), OldAceObj.Trustee) then
'We found a match
i_Var_Copy_Temp = TRUE
Call PrintMsg(" - One of the Revoked Users is listed under Inherited permissions.")
Call PrintMsg(" Copying Inherited Permissions and turning off inheritance.")
Exit For
End if
End if
Next
End if
Next
End If
End If
If debug_on then Call PrintMsg("SetACLForObject: Sorting DACL array and modifying rights if needed")
If UBound(OldDaclObj) > 0 then
For i = 1 to UBound(OldDaclObj)
BoolDoThisOne = TRUE
If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do
Set OldAceObj = OldDaclObj(i)
Set objTempTrustee = OldAceObj.Trustee
intTempAccessMask = OldAceObj.AccessMask
If debug_on then Call PrintMsg("SetACLForObject: """ & TrusteesDisplay(objTempTrustee) & """ current rights = " & SECString(OldAceObj.AccessMask,TRUE))
If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE, ReturnAceFlags) = "Inherited" then
If i_Var_Copy_Temp then 'This makes sure that inherited users that are revoked can be revoked...
OldAceObj.AceFlags = OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE
Else
BoolDoThisOne = FALSE
If i_used then 'We should make them effective ACL's
Select Case i_var
Case 1 'Inherit
Call AddObjectToArray(InheritedObjectDaclObj, OldAceObj, -1)
Case 2 'Copy to Effective
OldAceObj.AceFlags = OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE
BoolDoThisOne = TRUE
End Select
Else
Call AddObjectToArray(InheritedObjectDaclObj, OldAceObj, -1)
End If
End if
End if
If p_Used then 'Replace user rights if present
For t = LBound(p_var_User) to UBound(p_var_User)
If p_Var_User(t) <> "" then
If TrusteesMatch(ObjTrustee_p_var_User(t), objTempTrustee) then
'We found a match so skip it.
BoolDoThisOne = FALSE
Call PrintMsg("Replacing rights for existing user """ & p_Var_User(t) & """")
End if
End if
Next
Else
End If
If r_Used then 'Revoke user if present in Allowed or Denied lists
For t = LBound(r_var_User) to UBound(r_var_User)
If r_Var_User(t) <> "" then
If TrusteesMatch(ObjTrustee_r_var_User(t), objTempTrustee) then
'We found a match so skip it.
BoolDoThisOne = FALSE
Call PrintMsg("Revoking rights for existing user """ & r_Var_User(t) & """")
End if
End if
Next
End if
If BoolDoThisOne then
Select Case OldAceObj.AceType
Case ACCESS_ALLOWED_ACE_TYPE
Call AddObjectToArray(ImpAllowDaclObj, OldAceObj, -1)
Case ACCESS_DENIED_ACE_TYPE
Call AddObjectToArray(ImpDenyDaclObj, OldAceObj, -1)
Case Else
Call PrintMsg("Error: Bad ace...." & Hex(OldAceObj.AceType))
End Select
End if
Next
End If
'Add ACE's that need to be added:
If g_Used then 'Grant rights for these users
If debug_on then Call PrintMsg("SetACLForObject: Granting Rights for Users (that haven't been granted already)")
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_g_var_User, g_var_User, g_var_Perm, ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE + OBJECT_INHERIT_ACE, "Granting")
If blnErrorOccurred(" occurred when Building Granted (File) Rights array") Then Exit Do
If IsItAFolder then
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_g_var_User, g_var_User, g_var_Spec, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, "Granting")
If blnErrorOccurred(" occurred when Building Granted (Folder) Rights array") Then Exit Do
End if
End if
If p_Used then 'Grant rights for these users (Replace rights)
If debug_on then Call PrintMsg("SetACLForObject: Replacing Rights for Users (that haven't been granted already)")
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_p_var_User, p_var_User, p_var_Perm, ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE + OBJECT_INHERIT_ACE , "Replacing")
If blnErrorOccurred(" occurred when Building Replace (File) Rights array") Then Exit Do
If IsItAFolder then
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_p_var_User, p_var_User, p_var_Spec, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, "Replacing")
If blnErrorOccurred(" occurred when Building Replace (Folder) Rights array") Then Exit Do
End if
End if
If d_Used then 'Deny rights for these users
If debug_on then Call PrintMsg("SetACLForObject: Denying Rights for Users (that haven't been denied already)")
Call AccessMask_New(ImpDenyDaclObj, ObjTrustee_d_var_User, d_var_User, d_var_Perm, ACCESS_DENIED_ACE_TYPE, INHERIT_ONLY_ACE + OBJECT_INHERIT_ACE , "Denying")
If blnErrorOccurred(" occurred when Building Denied (File) Rights array") Then Exit Do
If IsItAFolder then
Call AccessMask_New(ImpDenyDaclObj, ObjTrustee_d_var_User, d_var_User, d_var_Spec, ACCESS_DENIED_ACE_TYPE, CONTAINER_INHERIT_ACE, "Denying")
If blnErrorOccurred(" occurred when Building Denied (Folder) Rights array") Then Exit Do
End if
End if
' Combine the ACEs in the proper order
' Implicit Deny
' Implicit Allow
' Inherited Aces
If debug_on then Call PrintMsg("SetACLForObject: Forming new DACL array")
boolDoTheUpdate = FALSE
ReDim NewDaclObj(0)
If UBound(ImpDenyDaclObj) > 0 then '0 member is always blank
For i = (LBound(ImpDenyDaclObj) + 1) to UBound(ImpDenyDaclObj)
boolDoTheUpdate = TRUE
Call AddObjectToArray(NewDaclObj, ImpDenyDaclObj(i), 0)
Next
If blnErrorOccurred(" occurred when Building Implicit Deny array") Then Exit Do
End if
If UBound(ImpAllowDaclObj) > 0 then
For i = (LBound(ImpAllowDaclObj) + 1) to UBound(ImpAllowDaclObj)
boolDoTheUpdate = TRUE
Call AddObjectToArray(NewDaclObj, ImpAllowDaclObj(i), 0)
Next
If blnErrorOccurred(" occurred when Building Implicit Allow array") Then Exit Do
End if
If UBound(InheritedObjectDaclObj) > 0 then
BoolAllowInherited = TRUE
For i = (LBound(InheritedObjectDaclObj) + 1) to UBound(InheritedObjectDaclObj)
boolDoTheUpdate = TRUE
InheritedObjectDaclObj(i).AccessMask = 0
Call AddObjectToArray(NewDaclObj, InheritedObjectDaclObj(i), 0)
Next
If blnErrorOccurred(" occurred when Building Inherited Object array") Then Exit Do
End if
If Not boolDoTheUpdate Then
Set NewDaclObj(0) = CreateObject("AccessControlEntry")
If blnErrorOccurred(" occurred Setting NewDaclObj(0) = CreateObject(""AccessControlEntry"").") Then Exit Do
End if
If i_Var_Copy_Temp then
If debug_on then Call PrintMsg("SetACLForObject: Inheritance turned off because one of the inherited users is revoked on this object.")
ControlFlagsVar = SE_DACL_PRESENT
Else
If i_used then
Select Case i_var
Case 1
ControlFlagsVar = ALLOW_INHERIT
Case 3
ControlFlagsVar = DENY_INHERIT
case Else '2 and non matching
ControlFlagsVar = SE_DACL_PRESENT
End Select
Else
If BoolAllowInherited or BoolInitialInheritRightsPresent then
ControlFlagsVar = ALLOW_INHERIT
Else
ControlFlagsVar = DENY_INHERIT
End if
End if
End if
If debug_on then Call PrintMsg("SetACLForObject: Saving new Descriptor")
Set NewobjDescriptor = objService.Get("Win32_SecurityDescriptor").Spawninstance_
If blnErrorOccurred(" occurred Setting NewobjDescriptor = objService.Get(""Win32_SecurityDescriptor"").Spawninstance_") Then Exit Do
If boolDoTheUpdate then
NewobjDescriptor.Properties_.item("DACL") = NewDaclObj
If blnErrorOccurred(" occurred setting NewobjDescriptor.Properties_.item(""DACL"") = NewDaclObj") Then Exit Do
Else 'Making DACL Blank
Set BlankDaclObj(0) = objService.Get("Win32_Ace").Spawninstance_
If blnErrorOccurred(" occurred Setting BlankDaclObj(0) = objService.Get(""Win32_Ace"").Spawninstance_") Then Exit Do
NewobjDescriptor.Properties_.item("DACL") = BlankDaclObj
If blnErrorOccurred(" occurred setting NewobjDescriptor.Properties_.item(""DACL"") = BlankDaclObj") Then Exit Do
End if
If o_Used then 'Change Ownership
If debug_on then Call PrintMsg("SetACLForObject: Changing Ownership")
If o_Var <> "" then
Set objTempTrustee = Nothing
Set objTempTrustee = SetTrustee(o_var)
If Not objTempTrustee Is Nothing then
If TrusteesMatch(objOwner, objTempTrustee) then
Call PrintMsg("Ownership not changed, owner is already set to """ & TrusteesDisplay(objTempTrustee) & """")
Else
NewobjDescriptor.Properties_.item("Owner") = objTempTrustee
If blnErrorOccurred(" occurred setting NewobjDescriptor.Properties_.item(""Owner"") = objTempTrustee") Then Exit Do
Call PrintMsg("Changed Ownership to """ & TrusteesDisplay(objTempTrustee) & """")
End if
Else
Call PrintMsg("Failed to Change Ownership to user """ & o_var & """")
End if
End if
End if
NewobjDescriptor.ControlFlags = ControlFlagsVar
If blnErrorOccurred(" occurred setting NewobjDescriptor.ControlFlags = ControlFlagsVar") Then Exit Do
Set objmethod = objFileSecSetting.Methods_("SetSecurityDescriptor")
If blnErrorOccurred(" occurred setting objmethod = objFileSecSetting.Methods_(""SetSecurityDescriptor"")") Then Exit Do
Set objInParam = objmethod.inParameters.SpawnInstance_()
If blnErrorOccurred(" occurred Setting objInParam = objmethod.inParameters.SpawnInstance_()") Then Exit Do
objInParam.Properties_.item("Descriptor") = NewobjDescriptor
If blnErrorOccurred(" occurred setting objInParam.Properties_.item(""Descriptor"") = NewobjDescriptor") Then Exit Do
Set RetVal = objFileSecSetting.ExecMethod_("SetSecurityDescriptor", objInParam)
If blnErrorOccurred(" occurred setting RetVal = objFileSecSetting.ExecMethod_(""SetSecurityDescriptor"", objInParam)") Then Exit Do
Call PrintMsg("Completed successfully.")
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objOwner = Nothing
Set objFileSecSetting = Nothing
Set objmethod = Nothing
Set objSecDescriptor = Nothing
Set objtrustee = Nothing
Set objInParam = Nothing
Set objOutParams = Nothing
Set OldAceObj = Nothing
Set ObjNewAce = Nothing
Set NewobjDescriptor = Nothing
Set objTempTrustee = Nothing
Set RetVal = Nothing
Call blnErrorOccurred(" occurred while in the SetACLForObject routine.")
If debug_on then Call PrintMsg("SetACLForObject: Exit")
End Sub
'********************************************************************
'*
'* Function AccessMask_New()
'* Purpose: Takes a list of users with permissions and adds them to the list
'* Input: Array_ACLobj : DACL Array
'* Array_Users : Array of users
'* Array_Perm : Array of permissions
'* AceType : Type of Permissions (Allow or Deny)
'* AceFlag : Apply to what (Files or Folders)
'* strAction : String saying what the action was (Grant, Replace, or Deny)
'* Output: Acl Array Object
'*
'********************************************************************
Function AccessMask_New(byref Array_ACLobj, byref Array_ObjTrustee, Array_Users, Array_Perm, AceType, AceFlag, strAction)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("AccessMask_New: Enter")
Dim t, objNEWACE, RightsToGive, AceTypeString
'Put statements in loop to be able to drop out and clear variables
Do
AccessMask_New = FALSE
If AceFlag = CONTAINER_INHERIT_ACE then
AceTypeString = """This Folder and Subfolders"""
Else
AceTypeString = """Files Only"""
End if
For t = LBound(Array_Users) to UBound(Array_Users)
If blnErrorOccurred(" occurred while " & strAction & " permissions.") Then Exit Do
If Array_Users(t) <> "" and Array_Perm(t) <> "" then
If IsObject(Array_ObjTrustee(t)) then
RightsToGive = SECBitMask(Array_Perm(t))
If blnErrorOccurred(" occurred getting rights for " & Array_Users(t) & ".") Then Exit Do
Set objNEWACE = SetACE(RightsToGive, AceFlag, AceType, Array_ObjTrustee(t))
If blnErrorOccurred(" occurred creating ""ACE Object"" for " & Array_Users(t) & ".") Then Exit Do
Call AddObjectToArray(Array_ACLobj, objNEWACE, -1)
If blnErrorOccurred(" occurred adding (" & strAction & ") New ACE object to array.") Then Exit Do
Set objNEWACE = Nothing
Call PrintMsg(strAction & " NTFS rights (" & SECString(RightsToGive,TRUE) & " access for " & AceTypeString & ") for """ & Array_Users(t) & """")
Else
Call PrintMsg("Failed " & strAction & " NTFS rights (" & AceTypeString & ") for """ & Array_Users(t) & """")
End if
End if
Next
AccessMask_New = TRUE
Exit Do 'We really didn't want to loop
Loop
Set objNEWACE = Nothing
If debug_on then Call PrintMsg("AccessMask_New: Return = " & AccessMask_New)
Call blnErrorOccurred(" occurred while in the AccessMask_New routine.")
If debug_on then Call PrintMsg("AccessMask_New: Exit")
End Function
'********************************************************************
'*
'* Sub TrusteesMatch()
'* Purpose: Checks the Trustee to the Name and Domain and returns boolean TRUE if they match
'* Input: objTrusteeA, objTrusteeB
'* Output: Boolean
'* Notes: This is a nice way to check if one trustee matches another, the procedure can change
'* and compare different values and only needs to be changed here, not in the rest of the code.
'*
'********************************************************************
Function TrusteesMatch(ByRef objTrusteeA, ByRef objTrusteeB)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("TrusteesMatch: Enter")
'Put statements in loop to be able to drop out and clear variables
Do
TrusteesMatch = FALSE
If debug_on then Call PrintMsg("TrusteesMatch: Checking Users to see if they match")
If NOT IsObject(objTrusteeA) then
Exit Do
End if
If NOT IsObject(objTrusteeB) then
Exit Do
End if
If objTrusteeA.SIDString = objTrusteeB.SIDString then
TrusteesMatch = TRUE
End if
Exit Do 'We really didn't want to loop
Loop
Call blnErrorOccurred(" occurred while in the TrusteesMatch routine.")
If debug_on then Call PrintMsg("TrusteesMatch: Exit")
End Function
'********************************************************************
'*
'* Sub TrusteesDisplay()
'* Purpose: Returns a Display ready string of trustee passed in
'* Input: objTrustee
'* Output: String
'* Notes: This makes the display of a trustee a standard throughout the code
'*
'********************************************************************
Function TrusteesDisplay(ByRef objTrustee)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("TrusteesDisplay: Enter")
'Put statements in loop to be able to drop out and clear variables
Do
TrusteesDisplay = ""
If NOT IsObject(objTrustee) then
Exit Do
End if
If objTrustee.Domain = "" then
TrusteesDisplay = objTrustee.Name
Else
TrusteesDisplay = objTrustee.Domain & "\" & objTrustee.Name
End if
Exit Do 'We really didn't want to loop
Loop
Call blnErrorOccurred(" occurred while in the TrusteesDisplay routine.")
If debug_on then Call PrintMsg("TrusteesDisplay: Exit")
End Function
'********************************************************************
'*
'* Sub CheckTrustees()
'* Purpose: Checks the list of entered users and makes them valid, run only once
'* Input: Global Variables only
'* Output: None
'* Notes: This function is called only one time in the code to get a trustee object for
'* every user entered, and if we can't find one then the user is deleted from the list.
'*
'********************************************************************
Sub CheckTrustees()
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("CheckTrustees: Enter")
'Put statements in loop to be able to drop out and clear variables
Do
If debug_on then Call PrintMsg("CheckTrustees: Checking Users to make sure they are proper Trustee's")
Call GetDefaultNames()
Call GetDefaultDomainSid()
If g_Used then 'Add to users
If debug_on then Call PrintMsg("CheckTrustees: Checking /G users")
If FixListOfTrustees(g_Var_User, ObjTrustee_g_var_User, "/G") = FALSE then exit Do
End if
If p_Used then 'Replace users
If debug_on then Call PrintMsg("CheckTrustees: Checking /P users")
If FixListOfTrustees(p_Var_User, ObjTrustee_p_var_User, "/P") = FALSE then exit Do
End if
If d_Used then 'Change users
If debug_on then Call PrintMsg("CheckTrustees: Checking /D users")
If FixListOfTrustees(d_Var_User, ObjTrustee_d_var_User, "/D") = FALSE then exit Do
End if
If r_Used then 'Revoke users
If debug_on then Call PrintMsg("CheckTrustees: Checking /R users")
If FixListOfTrustees(r_Var_User, ObjTrustee_r_var_User, "/R") = FALSE then exit Do
End if
Exit Do 'We really didn't want to loop
Loop
Call blnErrorOccurred(" occurred while in the CheckTrustees routine.")
If debug_on then Call PrintMsg("CheckTrustees: Exit")
End Sub
'********************************************************************
'*
'* Function FixListOfTrustees()
'* Purpose: Takes a list of users and changes to a valid trustee if found, else sets string to ""
'* Input: Array_Users, strAction
'* Output: Dacl Array Object
'*
'********************************************************************
Function FixListOfTrustees(byref Array_Users, byref Array_ObjTrustee, strAction)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("FixListOfTrustees: Enter")
Dim t, objTempTrustee, strTempName
'Put statements in loop to be able to drop out and clear variables
Do
FixListOfTrustees = FALSE
For t = LBound(Array_Users) to UBound(Array_Users)
strTempName = ""
If Array_Users(t) <> "" then
'First, lets remove any special quotes in the string
'Quotation mark (") 34
Array_Users(t) = Replace(Array_Users(t),chr(34),"")
'Single turned comma quotation mark 145
Array_Users(t) = Replace(Array_Users(t),chr(145),"")
'Single comma quotation mark 146
Array_Users(t) = Replace(Array_Users(t),chr(146),"")
'Double turned comma quotation mark 147
Array_Users(t) = Replace(Array_Users(t),chr(147),"")
'Double comma quotation mark 148
Array_Users(t) = Replace(Array_Users(t),chr(148),"")
'Replace #machine# with actual machine name if its in the string
Array_Users(t) = Replace(ucase(Array_Users(t)),"#MACHINE#", strDefaultDomain)
Set objTempTrustee = SetTrustee(Array_Users(t))
If blnErrorOccurred(" occurred Setting objTempTrustee = SetTrustee(Array_Users(t))") Then Exit Do
If objTempTrustee Is Nothing then
Call PrintMsg("Could not find " & strAction & " user/group: """ & Array_Users(t) & """ removing from list.")
Array_Users(t) = ""
Else
strTempName = TrusteesDisplay(objTempTrustee)
Call AddObjectToArray(Array_ObjTrustee, objTempTrustee, t)
If IsNull(objTempTrustee.Domain) then objTempTrustee.Domain = ""
If UCase(Array_Users(t)) <> UCASE(strTempName) then
Call PrintMsg(" - Changing " & strAction & " user/group: """ & Array_Users(t) & """ to """ & strTempName & """")
End if
Array_Users(t) = strTempName
Set objTempTrustee = Nothing
End if
End if
Next
FixListOfTrustees = TRUE 'Means we didn't have an error and went through the entire list
Exit Do 'We really didn't want to loop
Loop
Set objTempTrustee = Nothing
If debug_on then Call PrintMsg("FixListOfTrustees: Return = " & FixListOfTrustees)
Call blnErrorOccurred(" occurred while in the FixListOfTrustees routine.")
If debug_on then Call PrintMsg("FixListOfTrustees: Exit")
End Function
'********************************************************************
'*
'* Sub GetDaclArray()
'* Purpose: Return Dacl Array object if found
'* Input: objArrayPassedIn, objSecDescriptor, getonlyInherited
'* Output: Dacl Array Object
'*
'********************************************************************
Sub GetDaclArray(DACL_Array, objSecDescriptor, getonlyInherited)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("GetDaclArray: Enter")
Dim TempDACL_Array, objDACL_Member, numControlFlags, ReturnAceFlags
'Put statements in loop to be able to drop out and clear variables
Do
numControlFlags = objSecDescriptor.ControlFlags
If blnErrorOccurred(" occurred getting ControlFlags.") Then Exit Do
TempDACL_Array = objSecDescriptor.DACL
If blnErrorOccurred(" occurred getting Temporary DACL array.") Then Exit Do
If IsArray(TempDACL_Array) then
For Each objDACL_Member in TempDACL_Array
If blnErrorOccurred(" occurred while looping through TempDACL_Array.") Then Exit Do
If getonlyInherited then
If StringAceFlag(objDACL_Member.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE, ReturnAceFlags) = "Inherited" then Call AddObjectToArray(DACL_Array, objDACL_Member, -1)
Else
Call AddObjectToArray(DACL_Array, objDACL_Member, -1)
End If
Next
End if
If (UBound(DACL_Array) = 0) Then
Set DACL_Array(0) = CreateObject("AccessControlEntry")
If blnErrorOccurred(" occurred Setting DACL_Array(0) = CreateObject(""AccessControlEntry"").") Then Exit Do
End if
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objDACL_Member = Nothing
Call blnErrorOccurred(" occurred while in the GetDaclArray routine.")
If debug_on then Call PrintMsg("GetDaclArray: Exit")
End Sub
'********************************************************************
'* Function SetTrustee()
'* Purpose: Returns Win32_Trustee object for User/group or Nothing if not found
'* Input: strFullName
'* Output: Win32_Trustee object is returned, Nothing if not found
'********************************************************************
Function SetTrustee(strFullName)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("SetTrustee
|
|
Top
|
|
|
|
#212085 - 2016-11-08 11:35 AM
Re: XCACLS VB script v2.7 replacement for the executeable
[Re: Lonkero]
|
Varsha
Just in Town
Registered: 2016-11-08
Posts: 1
Loc: India
|
Can someone let me know what changes are to be made in the above code, to enable Inheritance ?
|
|
Top
|
|
|
|
Moderator: Shawn, ShaneEP, Ruud van Velsen, Arend_, Jochen, Radimus, Glenn Barnas, Allen, Mart
|
0 registered
and 370 anonymous users online.
|
|
|
