#57288 - 2001-07-17 03:48 AM
How Do I move shares-permissions NT4 to 2000
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
|
Hello all,I'm looking for some help on the following. We are moving Appx 3,000 user's folders from 20+ NT 4.0 Servers to 1 NT 2000 Compaq SAN Server. Resource Kit utilities DO NOT work. Permcopy and others work fine from 4.0 to 4.0 or from 2000 to 2000, but not when going from 4.0 to 2000 The user accounts are all global accounts. We plan to restore the data and permissions (hopefully) from Veritas Backup Exec. This does not get us the new SHARES or SHARE Permissions, or change the User Manager settings. Yes, Lonkero I have seen your post on only using KiXtart for this, but I would rather keep the built-in NT Mechanism rather then rely upon the KiXtart that may or may not always run. i.e. I want to recreate all my hidden$ shares. As I see it I can probably either do like a DIR /B command to a text file and then parse it and have KiXtart shell and run NET SHARE and then shell and run XCALCS against the user names. If anyone has completed code for such a task, and or could assist me in creating such code I would greatly appreciate it. I'm not sure how to set the Share permissions though since they can not be done via the command line that I'm aware of except with util like PERMCOPY which does not work going from different OS versions. I don't really want to use the SHOWMEMBERS utility either, since we have many accounts that are no longer valid. I only want to create for valid directories that currently exist. In our SAN Server we have 2 volumes for user folders. A-M Users go on one volume and N-Z go on another volume. All of the SHARED data folders is another animal I will tackle next at another time. Also, on another note. Does anyone know how to tell or get back what is the longest directory and or file name that exist on a volume? i.e. there is a 254 character limit that we don't want to run in to on our new systems, but we are taking up 20 characters with our new naming convention, before laying down the new SHARED data.
TIA for any and all help... We start this Friday night
|
Top
|
|
|
|
#57289 - 2001-07-17 10:50 AM
Re: How Do I move shares-permissions NT4 to 2000
|
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
|
I already used this for NT4 to NT4 : JSIINC : move tons of shares to another WinNT server 1 min to do if shared directory are the same, 10 if not (remember to edit the regfile and delete unecessary share)I don't know if it'll work from NT4 to 2000. We'll go on the same process in some day, but if you success, let me know *** I finally found it : RMTSHARE.EXE from ressource kit for setting shared folders permissions from command line [ 17 July 2001: Message edited by: Popovk ]
_________________________
? getobject(Kixtart.org.Signature)
|
Top
|
|
|
|
#57294 - 2001-07-18 05:11 AM
Re: How Do I move shares-permissions NT4 to 2000
|
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
|
Hey Doc,I don't have any silver bullet for you. But I have been following this thread with much interest... ummm... It seems as if you have the folder create and file restore bit covered-off, and the pieces missing are... 1) Create share 2) Permission share 3) Change usrmgr settings Being a huge OLE fan - if I were in your shoes - I'd probably look at running an automated ADSI script against the SAN Server. ADSI can cover-off items 1 and 3 (ADSI supports NT4 as well). But the permissioning part is not supported by the WinNT service provider. But like you mentioned - all this can be done equally as well using command line utilities... But I was curious at Popovk's suggestion that you use RMTSHARE... have you gone down that road yet ? Maybe we should just gang-up and write a text-file (or dir-file) driven admin script that uses NET and RMTSHARE ? -Shawn [ 18 July 2001: Message edited by: Shawn ]
|
Top
|
|
|
|
#57295 - 2001-07-18 07:14 AM
Re: How Do I move shares-permissions NT4 to 2000
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
|
Thanks Shawn... I think (hope) I've got it covered now. I did not go the route of RMTSHARE because I will control access via NTFS.. In my opinion the SHARE permissions are there mainly for Win9x systems that can not control file and folder permissions. Thank you everyone for the help with getting this working. Below are the steps I needed to perform to accomplish this task (hopefully, only minor testing, real deal this friday night) OPERATIONS to consolidate and move Users from Multiple NT 4.0 Servers to a single Windows 2000 SAN
code:
STEP 1 :: Restore all user folders under USERS on 2 different volumes via Backup Exec :: VOL1 = users A-M :: VOL2 = users N-ZSTEP 2 :: Create share points for directories by Kyder :: Must be run from the Server it is being used on :: Does not change any SHARE permissions - It inherits the Everyone Full :: Folder and File access will be controlled by NTFS permissions. for /f "Tokens=*" %%i in ('dir /B D:\users') do NET SHARE %%i$=D:\users\%%i /Y for /f "Tokens=*" %%i in ('dir /B E:\users') do NET SHARE %%i$=E:\users\%%i /Y STEP 3 :: Change NTFS file permissions based upon directory name by Ron Lewis - July 17, 2001 :: (meaning user names and directory names for Home Directories must match) :: Can be run from any NT Workstation remotely. Must have Domain Admin Rights. :: XCACLS allows some special folder permissions that CACLS does not, but this was :: not a big consideration for our usage. :: NOTE! XCACLS is broken and CACLS was broken but CACLS was fixed in Windows 2000 SP2, so far XCACLS is not fixed :: Cacls.exe Orders ACEs Incorrectly When Granting Rights :: http://support.microsoft.com/support/kb/articles/q268/5/46.asp? :: Current Permissions from USERS has (Domain Admins and SYSTEM) directories below USERS inherit these permissions. for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\VOL1\users') do ECHO Y| cacls \\sm-cag-fp03\VOL1\users\%%i /T /E /C /G WDI\%%i:C for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\VOL2\users') do ECHO Y| cacls \\sm-cag-fp03\VOL2\users\%%i /T /E /C /G WDI\%%i:C STEP 4 :: User Manager Home Directory update by Ron Lewis - July 17, 2001 :: You must run this batch file from a BDC to update the User Manager settings. for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\vol1\users') do NET USER %%i /homedir:\\sm-cag-fp03\%%i$ for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\vol2\users') do NET USER %%i /homedir:\\sm-cag-fp03\%%i$
Does anyone see anything obvious that I may be missing here? Aside from the Outlook Personal Folders that will probably break. Not sure I have time to tackle that one yet, but may have to when we move the other 2,800 users. Can't be visiting that many desktops. [ 18 July 2001: Message edited by: NTDOC ]
|
Top
|
|
|
|
#57297 - 2001-07-25 01:29 AM
Re: How Do I move shares-permissions NT4 to 2000
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
|
Update...Well, everything went quite well. Completed migration of one server in about 2 hours. Here is what was used to complete the task. Share out the User folders on each volume
code:
@ECHO OFF REM Filename FP03SHARES.BAT REM Last modified by NTDOC on July 18, 2001 - Idea by Kyder CLS ECHO. ECHO This batch file will share all folders as a hidden share using ECHO the name of the folder as input. It must be run from the same ECHO server it will be changing the shares on. ECHO. ECHO Press CTRL-C now to quit this batch file. ECHO Otherwise press any key to continue... PAUSE >nul for /f "Tokens=*" %%i in ('dir /B D:\users') do NET SHARE %%i$=D:\users\%%i /Y for /f "Tokens=*" %%i in ('dir /B E:\users') do NET SHARE %%i$=E:\users\%%i /Y
Change Rights on User Folders
code:
@ECHO OFF REM Filename FP03RIGHTS.BAT REM Created and Last modified by NTDOC on July 18, 2001 CLS ECHO This batch file can be run from any Workstation with XCALCS on it ECHO. ECHO This batch file will reset ALL the file and folder permissions on ECHO the SAN Server (SM-CAG-FP03 VOL1\USERS and VOL2\USERS) ECHO It will remove all current permissions and set the following permissions ECHO (Domain Admins-Full, Administrators-Full, SYSTEM-Full, and USER-Change) ECHO. ECHO WARNING - WARNING This is an irreversible action. ECHO. ECHO It may take half an hour or more to complete. ECHO Please contact ???? for any questions. ECHO. ECHO Press CTRL-C now to quit this batch file. ECHO Otherwise press any key to continue... PAUSE >nul for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\VOL1\users') do xcacls \\sm-cag-fp03\VOL1\users\%%i /T /Y /P "WDI\DOMAIN ADMINS":F;F Administrators:F;F SYSTEM:F;F WDI\%%i:C;C for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\VOL2\users') do xcacls \\sm-cag-fp03\VOL2\users\%%i /T /Y /P "WDI\DOMAIN ADMINS":F;F Administrators:F;F SYSTEM:F;F WDI\%%i:C;C
Change Home Directory in User Manager
code:
@ECHO OFF REM File name CHANGEHOMEDIR.BAT REM Last modified by NTDOC - on July 18, 2001 CLS ECHO This batch file is used to change the Home Directory ECHO for all users on SM-CAG-FP03 VOL1 and VOL2 ECHO You must run this batch file from a BDC to update ECHO the User Manager settings. ECHO. ECHO Please contact ???? if you have any questions ECHO Last updated: July 18, 2001 ECHO. ECHO Press CTRL-C now to quit this batch file. ECHO Otherwise press any key to continue... PAUSE >nul for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\vol1\users') do NET USER %%i /homedir:\\sm-cag-fp03\%%i$ for /f "Tokens=*" %%i in ('dir /B \\sm-cag-fp03\vol2\users') do NET USER %%i /homedir:\\sm-cag-fp03\%%i$
We changed all the rights on the user directories because they were all in a mess from years of invalid permissions carried over from our days of Novell. Now I need to work on a KiXtart script that will create a new user, add them to the Domain, create their folder, share their folder, then give them rights. Would also like to come up with a way of doing above when we migrate other user folders onto this SAN, but ignore folders that are already there. Ideas anyone? Maybe read a list then feed it back somehow? Thanks again to all for ideas on this post and others out there that helped me to get this done. [ 25 July 2001: Message edited by: NTDOC ]
|
Top
|
|
|
|
#57298 - 2001-07-25 02:46 AM
Re: How Do I move shares-permissions NT4 to 2000
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Heya NTDOC,You maybe able to use the Resource Kit tool PERMCOPY. That is, if you wanted to keep the perms the same. Or, ACLs from one server to another.. code:
C:\>permcopy /? Copies the permissions (ACLS) from one share to another.PERMCOPY \\SourceServer ShareName \\DestinationServer ShareName
This maybe a bit late... Oh well. On the User Management piece, you should have a gander at the last reply btw Shawn and myself at Manipulate User Account Properties. Thanks, - Kent [ 25 July 2001: Message edited by: kdyer ]
|
Top
|
|
|
|
#57306 - 2002-11-14 11:11 PM
Re: How Do I move shares-permissions NT4 to 2000
|
Lonkero
KiX Master Guru
Registered: 2001-06-05
Posts: 22346
Loc: OK
|
got it, thanks to one great tool named postprep
code: '*********************************************************************************** '* '* File: XCACLS.VBS '* Created: April 18, 2001 '* Last Modified: February 26, 2002 '* Version: 2.7 '* '* Main Function: List/Change ACLS for files and directories '* '* '* Copyright (C) 2001 Microsoft Corporation '* '* Written by David B '* '***********************************************************************************
OPTION EXPLICIT
'******************************************************************** '* Declare main variables '********************************************************************
Dim intOpMode, blnQuiet, strOutputFile, objOutputFile, debug_on Dim a_Used, t_Used, e_Used, g_Used, r_used Dim p_Used, d_used, i_used, o_used, filename_var Dim l_Used, q_Used, debug_Used, strDefaultDomain, strSystemDomainSid, strSystemDomainName, intPermUpdateCount Dim g_var_User(), ObjTrustee_g_var_User(), g_Var_Perm(), g_Var_Spec() dim r_Var_User(), ObjTrustee_r_var_User() Dim p_var_User(), ObjTrustee_p_var_User(), p_Var_Perm(), p_Var_Spec() Dim d_Var_User(), ObjTrustee_d_var_User(), d_Var_Perm(), d_Var_Spec() ReDim g_var_User(0), ObjTrustee_g_var_User(0), g_Var_Perm(0), g_Var_Spec(0) Redim r_Var_User(0), ObjTrustee_r_var_User(0) ReDim p_var_User(0), ObjTrustee_p_var_User(0), p_Var_Perm(0), p_Var_Spec(0) ReDim d_Var_User(0), ObjTrustee_d_var_User(0), d_Var_Perm(0), d_Var_Spec(0) Dim i_Var, o_Var Dim fso, InitialfilenameAbsPath, QryBaseNameHasWildcards, QryExtensionHasWildcards Dim objService, objLocalService, objLocator Dim strRemoteServerName, strRemoteShareName, strRemoteUserName, strRemotePassword Dim RemoteServer_Used, RemoteUserName_Used Dim DisplayDirPath, ActualDirPath Dim BoolUsingCScript Dim endTime, startTime
'This const value is for any use referenced without a domain, if this is TRUE, we will use the local machine name 'for the domain if its a non-dc. For DC's we will always use the Domain name unless you specify the actual domain to use. 'If this is FALSE, we will default to the Domain name.
CONST CONST_USE_LOCAL_FOR_NON_DCs = TRUE
'These are specific to this Script CONST CONST_SHOW_USAGE = 3 CONST CONST_PROCEED = 4 CONST CONST_ERROR = 1
'When working with NTFS Security, we use constants that match the API documentation '********************* ControlFlags ********************* CONST ALLOW_INHERIT = 33796 'Used in ControlFlag to turn on Inheritance 'Same as: 'SE_SELF_RELATIVE + SE_DACL_AUTO_INHERITED + SE_DACL_PRESENT CONST DENY_INHERIT = 37892 'Used in ControlFlag to turn off Inheritance 'Same as: 'SE_SELF_RELATIVE + SE_DACL_PROTECTED + SE_DACL_AUTO_INHERITED + SE_DACL_PRESENT Const SE_OWNER_DEFAULTED = 1 'A default mechanism, rather than the the original provider of the security 'descriptor, provided the security descriptor's owner security identifier (SID).
Const SE_GROUP_DEFAULTED = 2 'A default mechanism, rather than the the original provider of the security 'descriptor, provided the security descriptor's group SID.
Const SE_DACL_PRESENT = 4 'Indicates a security descriptor that has a DACL. If this flag is not set, 'or if this flag is set and the DACL is NULL, the security descriptor allows 'full access to everyone.
Const SE_DACL_DEFAULTED = 8 'Indicates a security descriptor with a default DACL. For example, if an 'object's creator does not specify a DACL, the object receives the default 'DACL from the creator's access token. This flag can affect how the system 'treats the DACL, with respect to ACE inheritance. The system ignores this 'flag if the SE_DACL_PRESENT flag is not set.
Const SE_SACL_PRESENT = 16 'Indicates a security descriptor that has a SACL.
Const SE_SACL_DEFAULTED = 32 'A default mechanism, rather than the the original provider of the security 'descriptor, provided the SACL. This flag can affect how the system treats 'the SACL, with respect to ACE inheritance. The system ignores this flag if 'the SE_SACL_PRESENT flag is not set.
Const SE_DACL_AUTO_INHERIT_REQ = 256 'Requests that the provider for the object protected by the security descriptor 'automatically propagate the DACL to existing child objects. If the provider 'supports automatic inheritance, it propagates the DACL to any existing child 'objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors 'of the object and its child objects.
Const SE_SACL_AUTO_INHERIT_REQ = 512 'Requests that the provider for the object protected by the security descriptor 'automatically propagate the SACL to existing child objects. If the provider 'supports automatic inheritance, it propagates the SACL to any existing child 'objects, and sets the SE_SACL_AUTO_INHERITED bit in the security descriptors of 'the object and its child objects.
Const SE_DACL_AUTO_INHERITED = 1024 'Windows 2000 only. Indicates a security descriptor in which the DACL is set up 'to support automatic propagation of inheritable ACEs to existing child objects. 'The system sets this bit when it performs the automatic inheritance algorithm 'for the object and its existing child objects. This bit is not set in security 'descriptors for Windows NT versions 4.0 and earlier, which do not support 'automatic propagation of inheritable ACEs.
Const SE_SACL_AUTO_INHERITED = 2048 'Windows 2000: Indicates a security descriptor in which the SACL is set up to 'support automatic propagation of inheritable ACEs to existing child objects. 'The system sets this bit when it performs the automatic inheritance algorithm 'for the object and its existing child objects. This bit is not set in security 'descriptors for Windows NT versions 4.0 and earlier, which do not support automatic 'propagation of inheritable ACEs.
Const SE_DACL_PROTECTED = 4096 'Windows 2000: Prevents the DACL of the security descriptor from being modified 'by inheritable ACEs.
Const SE_SACL_PROTECTED = 8192 'Windows 2000: Prevents the SACL of the security descriptor from being modified 'by inheritable ACEs.
Const SE_SELF_RELATIVE = 32768 'Indicates a security descriptor in self-relative format with all the security 'information in a contiguous block of memory. If this flag is not set, the security 'descriptor is in absolute format. For more information, see Absolute and 'Self-Relative Security Descriptors in the Platform SDK topic Low-Level Access-Control.
'********************* ACE Flags ********************* CONST OBJECT_INHERIT_ACE = 1 'Noncontainer child objects inherit the ACE as an effective ACE. For child 'objects that are containers, the ACE is inherited as an inherit-only ACE 'unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
CONST CONTAINER_INHERIT_ACE = 2 'Child objects that are containers, such as directories, inherit the ACE 'as an effective ACE. The inherited ACE is inheritable unless the 'NO_PROPAGATE_INHERIT_ACE bit flag is also set.
CONST NO_PROPAGATE_INHERIT_ACE = 4 'If the ACE is inherited by a child object, the system clears the 'OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. 'This prevents the ACE from being inherited by subsequent generations of objects.
CONST INHERIT_ONLY_ACE = 8 'Indicates an inherit-only ACE which does not control access to the object 'to which it is attached. If this flag is not set, the ACE is an effective 'ACE which controls access to the object to which it is attached. Both 'effective and inherit-only ACEs can be inherited depending on the state of 'the other inheritance flags.
CONST INHERITED_ACE = 16 'Windows NT 5.0 and later, Indicates that the ACE was inherited. The system sets 'this bit when it propagates an inherited ACE to a child object.
CONST ACEFLAG_VALID_INHERIT_FLAGS = 31 'Indicates whether the inherit flags are valid.
'Two special flags that pertain only to ACEs that are contained in a SACL are listed below.
CONST SUCCESSFUL_ACCESS_ACE_FLAG = 64 'Used with system-audit ACEs in a SACL to generate audit messages for successful 'access attempts.
CONST FAILED_ACCESS_ACE_FLAG = 128 'Used with system-audit ACEs in a SACL to generate audit messages for failed 'access attempts.
'********************* ACE Types ********************* CONST ACCESS_ALLOWED_ACE_TYPE = 0 'Used with Win32_Ace AceTypes CONST ACCESS_DENIED_ACE_TYPE = 1 'Used with Win32_Ace AceTypes CONST AUDIT_ACE_TYPE = 2 'Used with Win32_Ace AceTypes
'********************* Access Masks *********************
Dim Perms_LStr, Perms_SStr, Perms_Const 'Permission LongNames Perms_LStr=Array("Synchronize" , _ "Take Ownership" , _ "Change Permissions" , _ "Read Permissions" , _ "Delete" , _ "Write Attributes" , _ "Read Attributes" , _ "Delete Subfolders and Files" , _ "Traverse Folder / Execute File", _ "Write Extended Attributes" , _ "Read Extended Attributes" , _ "Create Folders / Append Data" , _ "Create Files / Write Data" , _ "List Folder / Read Data" ) 'Permission Single Character codes Perms_SStr=Array("" , _ "D" , _ "C" , _ "B" , _ "A" , _ "9" , _ "8" , _ "7" , _ "6" , _ "5" , _ "4" , _ "3" , _ "2" , _ "1" ) 'Permission Integer Perms_Const=Array(1048576 , _ &H80000 , _ &H40000 , _ &H20000 , _ &H10000 , _ &H100 , _ &H80 , _ &H40 , _ &H20 , _ &H10 , _ &H8 , _ &H4 , _ &H2 , _ &H1 )
startTime = Timer
'Initializing Default values a_Used = FALSE t_Used = FALSE e_Used = FALSE g_Used = FALSE r_used = FALSE p_Used = FALSE d_used = FALSE i_used = FALSE l_Used = FALSE q_Used = FALSE RemoteServer_Used = FALSE strRemoteServerName = "" strRemoteShareName = "" RemoteUserName_Used = FALSE strRemoteUserName = "" strRemotePassword = "" debug_Used = FALSE 'Parameter Passed filename_var = "" DisplayDirPath = "" ActualDirPath = ""
debug_on = FALSE 'Actual value checked in script blnQuiet = FALSE strOutputFile = "XCACLS.Log"
BoolUsingCScript = IsEngineCScript()
'Parse the command line intOpMode = intParseCmdLine() If Err.Number Then Wscript.Echo "Error while parsing the command line." & vbcrlf & "Error " & Err.Number & ": " & Err.Description WScript.Quit End if
'Open the output file so we can use it through out the script If l_Used then Call OpenOutputFile()
Call PrintMsg("Starting Script at " & now)
'FSO is used in several funcitons, so lets set it globally. Set fso = WScript.CreateObject("Scripting.FileSystemObject") If blnErrorOccurred(" occurred in getting FileSystemObject.") Then WScript.Quit
'Put statements in loop to be able to drop out and clear variables Do If debug_on then Call PrintMsg("Main: Enter")
'Lets get to the work to be done... If Not IsOSSupported() then Exit Do
Call PrintArguments() 'Show the arguments entered
'Now lets do the work based upon the arguments entered. Select Case intOpMode Case CONST_SHOW_USAGE Call ShowUsage() Case CONST_PROCEED 'Lets get the objService object which is used throughout the script
If Not SetMainVars(filename_var) then Exit Do
Call PrintMsg("") If g_Used or r_Used or p_Used or d_Used or o_used then Call CheckTrustees() End if
If QryBaseNameHasWildcards or QryExtensionHasWildcards then If debug_on then Call PrintMsg("Wildcard characters detected in """ & InitialfilenameAbsPath & """") Select Case DoesPathNameExist(fso.GetParentFolderName(InitialfilenameAbsPath)) Case 1 'Directory Call DoTheWorkOnEverythingUnderDirectory(fso.GetParentFolderName(InitialfilenameAbsPath)) Case Else Call PrintMsg("Error: Directory """ & fso.GetParentFolderName(InitialfilenameAbsPath) & """ not found.") End select Else If debug_on then Call PrintMsg("No Wildcard characters detected for """ & filename_var & """") 'If a folder is found with the same name, then we work it as a folder and include files under it. Select Case DoesPathNameExist(InitialfilenameAbsPath) Case 1 'Directory Call DoTheWorkOnThisItem(InitialfilenameAbsPath, TRUE) If t_used or a_used then Call DoTheWorkOnEverythingUnderDirectory(InitialfilenameAbsPath) End if Case 2 'File Call DoTheWorkOnThisItem(InitialfilenameAbsPath, FALSE) Case Else Call PrintMsg("Error: File/Directory """ & InitialfilenameAbsPath & """ not found.") End select End if Case Else Call PrintMsg("") Call PrintMsg(intOpMode) End Select
Call blnErrorOccurred(" occurred while in the main routine of the script.") If debug_on then Call PrintMsg("Main: Exit")
Exit Do 'We really didn't want to loop Loop 'ClearObjects that could be set and aren't needed now Set objService = Nothing Set objLocalService = Nothing Set objLocator = Nothing Call ClearObjectArray(ObjTrustee_g_var_User) Call ClearObjectArray(ObjTrustee_r_var_User) Call ClearObjectArray(ObjTrustee_p_var_User) Call ClearObjectArray(ObjTrustee_d_var_User)
Call PrintMsg("") Call PrintMsg("")
endTime = Timer call PrintMsg("Operation Complete" & vbCrLf & "Elapsed Time: " & (endTime - startTime) & " seconds.")
Call PrintMsg("") Call PrintMsg("Ending Script at " & now) Call PrintMsg("") Call PrintMsg("")
If l_Used then If strOutputFile <> "" Then objOutputFile.Close End if End if
'******************************************************************** '* End of Main Script '********************************************************************
'******************************************************************** '* '* Sub DoTheWorkOnEverythingUnderDirectory() '* Purpose: Work on Directory path passed to it, and pass paths to DoTheWorkOnThisItem sub '* Input: ThisPath - Path to directory '* Output: None '* Notes: This sub will process every file and folder under the directory passed to it. '* '********************************************************************
Sub DoTheWorkOnEverythingUnderDirectory(ThisPath)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Enter")
Dim objFileSystemSet, objPath, objFileSystemSet2, objPath2, strQuery, strTempPath, booltempItsAFolder Dim f, f1, fc
Do If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Directory passed: """ & ThisPath & """")
'We already checked for existance so we will assume it exists.
If RemoteServer_Used then strQuery = "Select * from Cim_LogicalFile Where Name='" & Replace(ThisPath,"\","\\") & "'" Set objFileSystemSet = objService.ExecQuery(strQuery,,0) If blnErrorOccurred(" occurred setting objFileSystemSet = objService.ExecQuery(" & strQuery & ",,0).") Then Exit Do
strTempPath = "" for each objPath in objFileSystemSet If objPath.Drive <> "" then strTempPath = objPath.Path & objPath.FileName & "\" strTempPath = Replace(strTempPath, "\\", "\") Exit For End if next
strQuery = "Select * from Cim_LogicalFile Where Path='" & Replace(strTempPath,"\","\\") & "'" Set objFileSystemSet2 = objService.ExecQuery(strQuery,,0) If blnErrorOccurred(" occurred setting objFileSystemSet2 = objService.ExecQuery(" & strQuery & ",,0).") Then Exit Do
for each objPath2 in objFileSystemSet2 strTempPath = "" booltempItsAFolder = False If objPath2.Drive <> "" then If UCASE(objPath2.FileType) = "FILE FOLDER" then booltempItsAFolder = True strTempPath = objPath2.Name If QryBaseNameHasWildcards Or QryExtensionHasWildcards then If DoesItMatch(strTempPath) then Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder) End if If booltempItsAFolder then If t_used then Call DoTheWorkOnEverythingUnderDirectory(strTempPath) End if Else If booltempItsAFolder then If t_used then Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder) Call DoTheWorkOnEverythingUnderDirectory(strTempPath) End if Else If a_used then Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder) End if End if End if End if next Else Set f = fso.GetFolder(ThisPath)
If blnErrorOccurred(" occurred in getting FileSystemObject.GetFolder") Then Exit Do Set fc = f.Files For Each f1 in fc If QryBaseNameHasWildcards Or QryExtensionHasWildcards then If DoesItMatch(f1.Path) then Call DoTheWorkOnThisItem(f1.Path, False) End if Else If a_used then Call DoTheWorkOnThisItem(f1.Path, False) End if Next Set fc = Nothing
Set fc = f.SubFolders
For Each f1 in fc If QryBaseNameHasWildcards Or QryExtensionHasWildcards then If DoesItMatch(f1.Path) then Call DoTheWorkOnThisItem(f1.Path, True) End if If t_used then Call DoTheWorkOnEverythingUnderDirectory(f1.Path) Else If t_used then Call DoTheWorkOnThisItem(f1.Path, True) Call DoTheWorkOnEverythingUnderDirectory(f1.Path) End if End if Next Set fc = Nothing End if
Exit Do 'We really didn't want to loop Loop 'ClearObjects that could be set and aren't needed now Set f = Nothing Set fc = Nothing Set f1 = Nothing Set objPath = Nothing Set objFileSystemSet = Nothing Set objPath2 = Nothing Set objFileSystemSet2 = Nothing
Call blnErrorOccurred(" occurred while in the DoTheWorkOnEverythingUnderDirectory routine.") If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Exit") End Sub
'******************************************************************** '* '* Sub DoTheWorkOnThisItem() '* Purpose: Work on File/Folder passed to it, and pass to Work routine '* Input: ABSPath - Path to File/Folder '* Output: TRUE if Successful, FALSE if not '* '********************************************************************
Sub DoTheWorkOnThisItem(AbsPath, IsItAFolder)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DoTheWorkOnThisItem: Enter")
Dim DisplayIt
Do DisplayIt = TRUE
Call PrintMsg("") Call PrintMsg("**************************************************************************") If IsItAFolder then Call PrintMsg("Directory: " & DisplayPathString(AbsPath)) Else Call PrintMsg("File: " & DisplayPathString(AbsPath)) End if 'We already checked for existance so we will assume it exists. If g_Used or r_Used or p_Used or d_Used or o_used or i_used then Call SetACLForObject(AbsPath, IsItAFolder) DisplayIt = FALSE End If If DisplayIt then Call DisplayThisACL(AbsPath) End if Call PrintMsg("**************************************************************************") Exit Do Loop
Call blnErrorOccurred(" occurred while in the DoTheWorkOnThisItem routine.") If debug_on then Call PrintMsg("DoTheWorkOnThisItem: Exit")
End Sub
'******************************************************************** '* '* Sub DisplayThisACL() '* Purpose: Shows ACL's that are applied to strPath '* Input: strPath - string containing path of file or folder, ShowLong - If TRUE, permissions are in long form '* Output: prints the acls '* '********************************************************************
Sub DisplayThisACL(strPath)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DisplayThisACL: Enter")
Dim objFileSecSetting, objOutParams, objSecDescriptor, objOwner, objDACL_Member Dim objtrustee, numAceFlags, strAceFlags, x, strAceType, numControlFlags, ReturnAceFlags, TempSECString ReDim arraystrACLS(0)
'Put statements in loop to be able to drop out and clear variables Do set objFileSecSetting = objService.Get("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'") If blnErrorOccurred(" occurred setting Win32_LogicalFileSecuritySetting object.") Then Exit Do
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor") If blnErrorOccurred(" occurred when this command was issued: GetSecurityDescriptor.") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
numControlFlags = objSecDescriptor.ControlFlags
If IsArray(objSecDescriptor.DACL) then Call PrintMsg("") Call PrintMsg("Permissions:") Call PrintMsg( strPackString("Type", 9, 1, TRUE) & strPackString("Username", 24, 1, TRUE) & strPackString("Permissions", 22, 1, TRUE) & strPackString("Inheritance", 22, 1, TRUE)) For Each objDACL_Member in objSecDescriptor.DACL TempSECString = "" ReturnAceFlags = 0 Select Case objDACL_Member.AceType Case ACCESS_ALLOWED_ACE_TYPE strAceType = "Allowed" Case ACCESS_DENIED_ACE_TYPE strAceType = "Denied" Case else strAceType = "Unknown" End select Set objtrustee = objDACL_Member.Trustee numAceFlags = objDACL_Member.AceFlags strAceFlags = StringAceFlag(numAceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, FALSE, ReturnAceFlags) TempSECString = SECString(objDACL_Member.AccessMask,TRUE) If ReturnAceFlags = 2 then If TempSECString = "Read and Execute" then TempSECString = "List Folder Contents" End if End if Call AddStringToArray(arraystrACLS, strPackString(strAceType, 9, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 24, 1, TRUE) & strPackString(TempSECString, 22, 1, TRUE) & strPackString(strAceFlags, 22, 1, TRUE),-1) Set objtrustee = Nothing Next For x = LBound(arraystrACLS) to UBound(arraystrACLS) Call PrintMsg(arraystrACLS(x)) Next Else Call PrintMsg("") Call PrintMsg("No Permissions set") End if ReDim arraystrACLS(0) If IsArray(objSecDescriptor.SACL) then Call PrintMsg("") Call PrintMsg("Auditing:") Call PrintMsg(strPackString("Type", 9, 1, TRUE) & strPackString("Username", 24, 1, TRUE) & strPackString("Access", 22, 1, TRUE) & strPackString("Inheritance", 22, 1, TRUE)) For Each objDACL_Member in objSecDescriptor.SACL TempSECString = "" ReturnAceFlags = 0 Set objtrustee = objDACL_Member.Trustee numAceFlags = objDACL_Member.AceFlags strAceType = StringSACLAceFlag(numAceFlags) strAceFlags = StringAceFlag(numAceFlags, numControlFlags, SE_SACL_AUTO_INHERITED, FALSE, ReturnAceFlags) TempSECString = SECString(objDACL_Member.AccessMask,TRUE) If ReturnAceFlags = 2 then If TempSECString = "Read and Execute" then TempSECString = "List Folder Contents" End if End if Call AddStringToArray(arraystrACLS, strPackString(strAceType, 9, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 24, 1, TRUE) & strPackString(TempSECString, 22, 1, TRUE) & strPackString(strAceFlags, 22, 1, TRUE),-1) Set objtrustee = Nothing Next For x = LBound(arraystrACLS) to UBound(arraystrACLS) Call PrintMsg(arraystrACLS(x)) Next Else Call PrintMsg("") Call PrintMsg("No Auditing set") End if
Set objOwner = objSecDescriptor.Owner If blnErrorOccurred(" occurred setting objOwner = objSecDescriptor.Owner.") Then Exit Do Call PrintMsg("") Call PrintMsg("Owner: " & objOwner.Domain & "\" & objOwner.Name)
Exit Do 'We really didn't want to loop Loop 'ClearObjects that could be set and aren't needed now Set objOwner = Nothing Set objSecDescriptor = Nothing Set objDACL_Member = Nothing Set objtrustee = Nothing Set objOutParams = Nothing Set objFileSecSetting = Nothing
Call blnErrorOccurred(" occurred while in the DisplayThisACL routine.") If debug_on then Call PrintMsg("DisplayThisACL: Exit")
End Sub
'******************************************************************** '* '* Sub SetACLForObject() '* Purpose: Set the ACL for the file/folder passed '* Input: strPath - string containing path of file or folder, IsItAFolder, '* Output: None '* '********************************************************************
Sub SetACLForObject(strPath, IsItAFolder) ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("SetACLForObject: Enter")
Dim objFileSecSetting, objmethod, objSecDescriptor Dim objtrustee, objInParam, objOutParams, objOwner Dim objParentFileSecSetting, objParentOutParams, objParentSecDescriptor
Dim OldAceObj, ObjNewAce, NewobjDescriptor, RetVal, i_Var_Copy_Temp Dim BlankDaclObj, OldDaclObj(), NewDaclObj(), ImpDenyDaclObj() Dim ImpAllowDaclObj(), ImpDenyObjectDaclObj()
Dim objTempTrustee, i, t, ThisUserAccess, RightsToGive, NewRights Dim intTempAccessMask, boolDoTheUpdate Dim strOldAccount, strThisAccount, NewArraySize, NewArrayMember, BoolDoThisOne Dim ControlFlagsVar, BoolAllowInherited, BoolGetInherited, BoolInitialInheritRightsPresent, numControlFlags, ReturnAceFlags
'Put statements in loop to be able to drop out and clear variables Do
'Initialize all of the new ACL objects ReDim OldDaclObj(0) ReDim NewDaclObj(0) ReDim ImpDenyDaclObj(0) ReDim ImpAllowDaclObj(0) ReDim InheritedObjectDaclObj(0) ReDim BlankDaclObj(0) BoolAllowInherited = FALSE BoolGetInherited = FALSE BoolInitialInheritRightsPresent = FALSE
If debug_on then Call PrintMsg("SetACLForObject: Working on """ & strPath & """")
set objFileSecSetting = objService.Get("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'") If blnErrorOccurred(" occurred setting Win32_LogicalFileSecuritySetting object.") Then Exit Do
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor") If blnErrorOccurred(" occurred Setting objOutParams = objFileSecSetting.ExecMethod_(""GetSecurityDescriptor"")") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
Set objOwner = objSecDescriptor.Owner If blnErrorOccurred(" occurred setting objOwner = objSecDescriptor.Owner.") Then Exit Do
numControlFlags = objSecDescriptor.ControlFlags
If debug_on then Call PrintMsg("SetACLForObject: Getting DACL array")
If e_Used then 'If e_Used then the old ACL list is maintained, if not we start fresh. Call GetDaclArray(OldDaclObj,objSecDescriptor, FALSE) If blnErrorOccurred(" occurred after Calling GetDaclArray(OldDaclObj,objSecDescriptor, FALSE)") Then Exit Do End if
If UBound(OldDaclObj) = 0 then 'If the array is empty and we need to Copy or Enable Inheritance, we need to set Inheritance and get array again. If i_used then 'i_var 3 = "REMOVE", if you are not removing Inheritance, you must have the Inherited DACL's If i_var < 3 then BoolGetInherited = TRUE End if Else 'If Copy or Enable Inheritance is set and there was no Inherited Properties, we need to set Inheritance and get array again. If i_used then 'i_var 3 = "REMOVE", if you are not removing Inheritance, you must have the Inherited DACL's If i_var < 3 then BoolGetInherited = TRUE For i = 1 to UBound(OldDaclObj) If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do Set OldAceObj = OldDaclObj(i) If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE, ReturnAceFlags) = "Inherited" then BoolInitialInheritRightsPresent = TRUE BoolGetInherited = FALSE Exit For End if Next End if End if If BoolGetInherited Then 'We need the inherited ACE's so lets get them.
If debug_on then Call PrintMsg("SetACLForObject: Inherited ACL's not found and needed, getting from Parent Directory")
'Any existing ACE's will remain in array Set NewobjDescriptor = objService.Get("Win32_SecurityDescriptor").Spawninstance_ If blnErrorOccurred(" occurred Setting NewobjDescriptor = objService.Get(""Win32_SecurityDescriptor"").Spawninstance_") Then Exit Do
NewobjDescriptor.ControlFlags = ALLOW_INHERIT If blnErrorOccurred(" occurred setting objSecDescriptor.ControlFlags = ALLOW_INHERIT") Then Exit Do
Set objmethod = objFileSecSetting.Methods_("SetSecurityDescriptor") If blnErrorOccurred(" occurred setting objmethod = objFileSecSetting.Methods_(""SetSecurityDescriptor"")") Then Exit Do
Set objInParam = objmethod.inParameters.SpawnInstance_() If blnErrorOccurred(" occurred Setting objInParam = objmethod.inParameters.SpawnInstance_()") Then Exit Do
objInParam.Properties_.item("Descriptor") = NewobjDescriptor If blnErrorOccurred(" occurred setting objInParam.Properties_.item(""Descriptor"") = NewobjDescriptor") Then Exit Do
Set RetVal = objFileSecSetting.ExecMethod_("SetSecurityDescriptor", objInParam) If blnErrorOccurred(" occurred setting RetVal = objFileSecSetting.ExecMethod_(""SetSecurityDescriptor"", objInParam)") Then Exit Do
'Now we need to get only the Inherited ACE's (Everyone group may be set if DACL array was empty) Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor") If blnErrorOccurred(" occurred Setting objOutParams = objFileSecSetting.ExecMethod_(""GetSecurityDescriptor"")") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
Call GetDaclArray(OldDaclObj,objSecDescriptor, TRUE) If blnErrorOccurred(" occurred when Calling GetDaclArray(OldDaclObj,objSecDescriptor, TRUE)") Then Exit Do Set NewobjDescriptor = Nothing Set objmethod = Nothing Set objInParam = Nothing Set RetVal = Nothing boolDoTheUpdate = TRUE End if 'Now we have the inherited rights, if one of the revoked users is in the list, then we need to copy the list and turn off inheritance. If debug_on then Call PrintMsg("SetACLForObject: Looking for Revoke users in Inherited list, if found, Inherited list will be copied to Effective list and inheritance turned off, so we can revoke user") i_Var_Copy_Temp = FALSE If r_Used then 'Revoke user if present in Inherited Allowed or Denied lists If UBound(OldDaclObj) > 0 then For i = 1 to UBound(OldDaclObj) If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do Set OldAceObj = OldDaclObj(i) If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE, ReturnAceFlags) = "Inherited" then For t = LBound(r_var_User) to UBound(r_var_User) If r_Var_User(t) <> "" then &
_________________________
!download KiXnet
|
Top
|
|
|
|
Moderator: Glenn Barnas, NTDOC, Arend_, Jochen, Radimus, Allen, ShaneEP, Ruud van Velsen, Mart
|
0 registered
and 348 anonymous users online.
|
|
|