#58160 - 2001-08-14 10:11 PM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
|
Kent,Ok - I have to admit it - this was painfull to code. It took me about a half day to do it but looking back - it's not so bad ... It's basically ripped from here and there on the web - but I mostly used the WMI SDK and MSDN ... This script will automatically create an NTFS SHARE and permission it as EVERYONE:FULLCONTROL ... sorry for the lack of comments, etc ... I need a coffee REAL bad ... It requires Windows 2000 or WindowsNT/9x with retro WMI installed. Give it a shot ... now to study your script  code:
break on
; SET YOUR SPECIFICS ...
$servername = @wksta
$sharename = "TEMP"
$sharepath = "C:\TEMP"
$sharedescription = "My Temp Share"
dim $aces[1]
$wmi = getobject('winmgmts:{impersonationlevel=impersonate}!//$servername')
$secdesc = $wmi.get("win32_securitydescriptor")
$trustee = $wmi.get("win32_trustee")
$trustee.domain = ""
$trustee.name = "everyone"
$trustee.sid = 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0
$ace = $wmi.get("win32_ace")
$ace.accessmask = 2032127
$ace.aceflags = 3
$ace.acetype = 0
$ace.trustee = $trustee
$aces[0] = $ace
$secdesc.dacl = $aces
$share = $wmi.get("win32_share")
$create = $share.methods_("create")
$inparms = $create.inparameters
$inparms.access = $secdesc
$inparms.description = $sharedescription
$inparms.name = $sharename
$inparms.path = $sharepath
$inparms.type = 0
$share.execmethod_("create",$inparms)
exit
-Shawn p.s. The new share doesn't auto-refresh in NT explorer. Close re-open explorer or use NET share to check-out ! [ 14 August 2001: Message edited by: Shawn ]
|
|
Top
|
|
|
|
|
#58161 - 2001-08-15 07:10 PM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Shawn,Well, I looked at my original code and there are still some issues to be worked out like I need to figure out the difference between & and +...  It now creates the share, but the perms are off.. code:
; -- createshare.kix
; -- 08/10/2001
; -- Kent Dyer
; -- Version .8a Release
; The basis of this is using code from - http://cwashington.netreach.net/script_repository/view_scripts.asp?Index=360&S criptType=vbscript
; It requires the ADSI SDK from - http://www.microsoft.com/NTWorkstation/downloads/Other/ADSI25.asp
; You will need to REGSVR32 the ADSSECURITY.DLL from the ADSI SDK
; KIX 4.x - is required for the UDFs (User-Defined Functions) and the use of FOR..EACH, and DIM, and CREATEOBJECT Break ON
Cls $kixv = InStr(@KIX, "4.") ; Check to see if KIX 4.x is being used
If $kixv = 0
? "Kix 4.00 is required - Sorry."
Sleep 2
Exit
EndIf Dim $textusr
Dim $textshare ; Create objects
$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity") If $sec ; Check to see if ADSSECURITY.DLL is registered ; Capture the name of the person you are working with
COLOR g+/n
? "Enter the userid of the person - jdoe"
COLOR w+/n
?
GETS $textusr IF $textusr = ""
COLOR r+/n
? "No UserID input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF ; Capture the name of the server are you adding the share to
COLOR g+/n
? "Enter the server - server"
COLOR w+/n
?
GETS $textshare IF $textshare = ""
COLOR r+/n
? "No Server Name input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF ; Setting the user$ variable - jdoe$ - Hidden shares don't show when browsing to a server
$textsharen = $textusr & Chr(36) ; Path for user folders
$usershare = "\\" + $textshare + "\users" ; Now let;s create a variable to work with - \\SERVER\users\jdoe
; Directory to save
$userdir = "\\"+ $textshare + "\users\" + $textusr ; Create folder
;If Not $ofs.FolderExists($userdir) Then $ofs.CreateFolder $userdir
$createfolder = Exist($userdir)
IF $createfolder <> 1
MD $userdir
ENDIF ; Create share
$fservobj = GetObject("WinNT://"+ $textshare +"/lanmanserver") ; Create the share for the server jdoe$
$newshare = $fservobj.create("fileshare",$textsharen)
; Set the path for the share on the server - D:\Users
$newshare.path = "D:\Users\" & $textusr
$newshare.setinfo
$newshare = Nothing ; Set ACLs $filenm = $userdir
$permspart = "add(" & $textusr & ":c)+add(domain admins:F)+add(Administrators:F)+del(everyone:F)" ;-- Replace ACL on single file or folder-------
$chkfile=$ofs.fileexists($filenm) ; make sure file exists
IF $chkfile=true
; changeacls $filenm, $permspart, "REPLACE", "FILE"
;ELSE
$chkfolder=$ofs.folderexists($filenm) ; if its not a file, is it a folder?
IF chkfolder=true
$changeacls $filenm, $permspart, "REPLACE", "FOLDER"
ENDIF
ENDIF
$ofs=nothing FUNCTION ChangeAcls($file,$perms,$redit,$ffolder)
;- Edit ACLS of specified file -----
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACEFLAG_INHERIT_ACE = 2
Const ADS_ACEFLAG_SUB_NEW = 9
$sd = GetSecurityDescriptor("FILE://"+$file+")"
$dacl = $sd.discretionaryacl ;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace $existingace
NEXT
ENDIF
;break up Perms into individual actions
$cmdarray=split($perms,"+")
FOR x=0 TO ubound($cmdarray)
$tmpvar1=$cmdarray(x)
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
ENDIF
$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts(0)
$rightvar=$cmdparts(1)
; if flagged edit, delete ACE;s belonging to user about to add an ace for
IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr(trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF
$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)
IF $uctrunamevar=$ucnamevar
$dacl.removeace $existingace
ENDIF
NEXT
ENDIF ; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE
ELSE
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED,0
ENDIF
ENDIF
NEXT
FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee, "\"))
$ace.trustee=newtrustee
ENDIF
NEXT
; final sets and cleanup
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor $sd $sd=nothing
$dacl=nothing
$sec=nothing
ENDFUNCTION FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
Const RIGHT_READ = &H80000000
Const RIGHT_EXECUTE = &H20000000
Const RIGHT_WRITE = &H40000000
Const RIGHT_DELETE = &H10000
Const RIGHT_FULL = &H10000000
Const RIGHT_CHANGE_PERMS = &H40000
Const RIGHT_TAKE_OWNERSHIP = &H80000
$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee
SELECT
CASE
ucase($maskvar)
; specified rights so far only include FC & R. Could be expanded though
CASE
"F"
$ace.accessmask = RIGHT_FULL
CASE
"C"
$ace.accessmask = RIGHT_READ OR RIGHT_WRITE OR RIGHT_EXECUTE OR RIGHT_DELETE
CASE
"R"
$ace.accessmask = RIGHT_READ OR RIGHT_EXECUTE
ENDSELECT
$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace $ace
$ace=nothing
ENDFUNCTION
ELSE
COLOR r+/n
?"ADsSecurity not installed on this machine"
COLOR w+/n
SLEEP 2
EXIT
ENDIF EXIT
Oh well.. - Kent [ 15 August 2001: Message edited by: kdyer ] [ 15 August 2001: Message edited by: kdyer ]
|
|
Top
|
|
|
|
|
#58162 - 2001-08-15 08:14 PM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Shawn
Administrator
Registered: 1999-08-13
Posts: 8611
|
Kent,Downloading ... Converting (opps... bad conversion ... bad bulletin board... bad, naughty bulletin board) ... Printing .... Studying ... Question ... In this function ... FUNCTION ChangeAcls($file,$perms,$redit,$ffolder) ...what is this line all about ... $sd = GetSecurityDescriptor("FILE://"+$file+")"
~Shawn
|
|
Top
|
|
|
|
|
#58163 - 2001-08-16 12:15 AM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Shawn,The line has to do with the Port-over from VBS. In VBS, it is -
code:
$sd = GetSecurityDescriptor("FILE://"+$file+")"
Converting it to KIX, it should be -
code:
$sd = $sec.GetSecurityDescriptor("FILE://"+$file+")"
Thanks for catching that one.. I have done some more cleanup and it appears that I was missing some strings.... code:
; -- createshare.kix
; -- 08/15/2001
; -- Kent Dyer
; -- Version .8a Release
; The basis of this is using code from - http://cwashington.netreach.net/script_repository/view_scripts.asp?Index=360&ScriptType=vbscript
; It requires the ADSI SDK from - http://www.microsoft.com/NTWorkstation/downloads/Other/ADSI25.asp
; You will need to REGSVR32 the ADSSECURITY.DLL from the ADSI SDK
; KIX 4.x - is required for the UDFs (User-Defined Functions) and the use of FOR..EACH, and DIM, and CREATEOBJECT Break ON
Cls $kixv = InStr(@KIX, "4.") ; Check to see if KIX 4.x is being used
If $kixv = 0
? "Kix 4.00 is required - Sorry."
Sleep 2
Exit
EndIf Dim $textusr
Dim $textshare ; Create objects
$ofs = CreateObject("Scripting.FileSystemObject")
$sec = CreateObject("ADsSecurity") If $sec ; Check to see if ADSSECURITY.DLL is registered ; Capture the name of the person you are working with
COLOR g+/n
? "Enter the userid of the person - jdoe"
COLOR w+/n
?
GETS $textusr IF $textusr = ""
COLOR r+/n
? "No UserID input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF ; Capture the name of the server are you adding the share to
COLOR g+/n
? "Enter the server - server"
COLOR w+/n
?
GETS $textshare IF $textshare = ""
COLOR r+/n
? "No Server Name input provided. Stopping script now."
COLOR w+/n
SLEEP 2
EXIT
ENDIF ; Setting the user$ variable - jdoe$ - Hidden shares don't show when browsing to a server
$textsharen = $textusr + Chr(36) ; Path for user folders
$usershare = "\\" + $textshare + "\users" ; Now let;s create a variable to work with - \\SERVER\users\jdoe
; Directory to save
$userdir = "\\"+ $textshare + "\users\" + $textusr ; Create folder
;If Not $ofs.FolderExists($userdir) Then $ofs.CreateFolder $userdir
$createfolder = Exist($userdir)
IF $createfolder <> 1
MD $userdir
ENDIF ; Create share
$fservobj = GetObject("WinNT://"+ $textshare +"/lanmanserver") ; Create the share for the server jdoe$
$newshare = $fservobj.create("fileshare",$textsharen)
; Set the path for the share on the server - D:\Users
$newshare.path = "D:\Users\" + $textusr
$newshare.setinfo
$newshare = Nothing ; Set ACLs $filenm = $userdir
$permspart = "add(" + $textusr + ":c)+add(domain admins:F)+add(Administrators:F)+del(everyone:F)" ;-- Replace ACL on single file or folder-------
$chkfile=$ofs.fileexists($filenm) ; make sure file exists
IF $chkfile=true
; changeacls $filenm, $permspart, "REPLACE", "FILE"
;ELSE
$chkfolder=$ofs.folderexists($filenm) ; if its not a file, is it a folder?
IF $chkfolder=true
$changeacls $filenm, $permspart, "REPLACE", "FOLDER"
ENDIF
ENDIF
$ofs=nothing FUNCTION ChangeAcls($file,$perms,$redit,$ffolder)
;- Edit ACLS of specified file -----
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACEFLAG_INHERIT_ACE = 2
Const ADS_ACEFLAG_SUB_NEW = 9 $sd = $sec.GetSecurityDescriptor("FILE://"+$file+")"
$dacl = $sd.discretionaryacl ;if flagged Replace then remove all existing aces from dacl first
IF ucase($redit)="REPLACE"
FOR EACH $existingace IN $dacl
$dacl.removeace $existingace
NEXT
ENDIF
;break up Perms into individual actions
$cmdarray=split($perms,"+")
FOR x=0 TO ubound($cmdarray)
$tmpvar1=$cmdarray(x)
IF ucase(left($tmpvar1,3))="DEL"
$aclaction="DEL"
ELSE
$aclaction="ADD"
ENDIF
$tmpcmdvar=left($tmpvar1,len($tmpvar1)-1)
$tmpcmdvar=right($tmpcmdvar,len($tmpcmdvar)-4)
$cmdparts=split($tmpcmdvar,":")
$namevar=$cmdparts(0)
$rightvar=$cmdparts(1)
; if flagged edit, delete ACE;s belonging to user about to add an ace for
IF ucase($redit)="EDIT"
FOR EACH $existingAce IN $dacl
$trusteevar=$existingAce.trustee
IF instr($trusteeVar,"\")
$trunamevar=right($trusteevar,len($trusteevar)-instr($trusteevar,"\"))
ELSE
$trunamevar=$trusteevar
ENDIF
$uctrunamevar=ucase($trunamevar)
$ucnamevar=ucase($namevar)
IF $uctrunamevar=$ucnamevar
$dacl.removeace $existingace
ENDIF
NEXT
ENDIF ; if action is to del ace then following clause skips addace
IF $aclaction="ADD"
IF ucase($ffolder)="FOLDER"
; folders require 2 aces for user (to do with inheritance)
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE
ELSE
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED,0
ENDIF
ENDIF
NEXT
FOR EACH $ace IN $dacl
; for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
IF instr(ucase($ace.trustee),"NT AUTHORITY\")
$newtrustee=right($ace.trustee, len($ace.trustee)-instr($ace.trustee, "\"))
$ace.trustee=newtrustee
ENDIF
NEXT
; final sets and cleanup
$sd.discretionaryacl = $dacl
$sec.setsecuritydescriptor $sd $sd=nothing
$dacl=nothing
$sec=nothing
ENDFUNCTION FUNCTION addace($dacl, $trustee, $maskvar, $acetype, $aceflags)
; add ace to the specified dacl
Const RIGHT_READ = &H80000000
Const RIGHT_EXECUTE = &H20000000
Const RIGHT_WRITE = &H40000000
Const RIGHT_DELETE = &H10000
Const RIGHT_FULL = &H10000000
Const RIGHT_CHANGE_PERMS = &H40000
Const RIGHT_TAKE_OWNERSHIP = &H80000
$ace = CreateObject("AccessControlEntry")
$ace.trustee = $trustee
SELECT
CASE
ucase($maskvar)
; specified rights so far only include FC & R. Could be expanded though
CASE
"F"
$ace.accessmask = RIGHT_FULL
CASE
"C"
$ace.accessmask = RIGHT_READ OR RIGHT_WRITE OR RIGHT_EXECUTE OR RIGHT_DELETE
CASE
"R"
$ace.accessmask = RIGHT_READ OR RIGHT_EXECUTE
ENDSELECT
$ace.acetype = $acetype
$ace.aceflags = $aceflags
$dacl.addace $ace
$ace=nothing
ENDFUNCTION
ELSE
COLOR r+/n
?"ADsSecurity not installed on this machine"
COLOR w+/n
SLEEP 2
EXIT
ENDIF EXIT
So, it appears to create the share now, but does not apply perms... - Kent
|
|
Top
|
|
|
|
#58164 - 2002-02-21 12:05 AM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
|
i'm bringing this one from deep hole.
Dunno how i caught this thread, but i found some stuff.Kent,
ignore the following line if you alreay manage to correct the script. should'nt it be :
Const RIGHT_READ = &80000000
Const RIGHT_EXECUTE = &20000000
Const RIGHT_WRITE = &40000000
Const RIGHT_DELETE = &10000
Const RIGHT_FULL = &10000000
Const RIGHT_CHANGE_PERMS = &40000
Const RIGHT_TAKE_OWNERSHIP = &80000 in your addace function ?
also, if this call is working ?
addace $dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW
It always seems to me that any calls in kixtart should be done in this way :
addace ($dacl, $namevar, $rightvar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW )
whatever the function return a value or not
_________________________
? getobject(Kixtart.org.Signature)
|
|
Top
|
|
|
|
|
#58166 - 2002-05-31 04:52 PM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Anonymous
Anonymous
Unregistered
|
Hey guys! I recently used the XCACLS command to give "USERS" Full access to a folder on their Windows 2000 workstations.
Run this from a command line:
code:
\\server\share\xcacls.exe c:\targetfolder /P USERS:F /E /Y /C /T
The permissions get set perfect everytime, however, if you right click on any of the files in the folder, select properties, and click on the SECURITY tab, you get the following error message: quote:
The permissions on "file" are incorrectly ordered, which may cause some entries to be ineffective. Press OK to continue and sort the permissions correctly, or Cancel to reset the permissions.
This does not cause any permissions problems because I used /T "Recursively walk through the current directory and all its subdirectories, applying the chosen access rights to the matching files or directories".
If you elect not to use /T the ACE added to the directory is also an inherit ACE for new files created in this directory. But, since 'The permissions on "directory" are incorrectly ordered', the file permissions are not correctly inherited.
So, the question here is "How do you use XCACLS to set file/folder permissions and correctly sort their order?
|
|
Top
|
|
|
|
|
#58167 - 2002-05-31 09:59 PM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
3MGrant5,
The thing is that is cool about this thread is all you need is to register a DLL and do all of this in code. However, if you want to do this with XCACLS.EXE, try this script:
http://cwashington.netreach.net/depo/view.asp?Index=355&ScriptType=kixtart
HTH,
- Kent
|
|
Top
|
|
|
|
|
#58168 - 2002-08-06 02:26 AM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
|
Here is some VB script code that replaces the XCACLS.EXE file. I posted this a while back, but the search engine here on the board was not able to find it so... I'm reposting it. Requires WSH 5.6
My HATS OFF to anyone that successfully converts this to KiXtart code. ![[Cool]](images/icons/cool.gif)
code:
'***********************************************************************************
'*
'* File: XCACLS.VBS
'* Created: April 18, 2001
'* Last Modified: August 31, 2001
'* Version: 1.8
'*
'* Main Function: List/Change ACLS for files and directories
'*
'*
'* Copyright (C) 2001 Microsoft Corporation
'*
'* Written by David B.
'*
'***********************************************************************************
OPTION EXPLICIT
'********************************************************************
'* Declare main variables
'********************************************************************
Dim intOpMode, blnQuiet, strOutputFile, objOutputFile, debug_on
Dim a_Used, t_Used, e_Used, g_Used, r_used
Dim p_Used, d_used, i_used, o_used, filename_var
Dim l_Used, q_Used, debug_Used, strDefaultDomain, strSystemDomainSid, strSystemDomainName, intPermUpdateCount
Dim g_var_User(), ObjTrustee_g_var_User(), g_Var_Perm(), g_Var_Spec()
dim r_Var_User(), ObjTrustee_r_var_User()
Dim p_var_User(), ObjTrustee_p_var_User(), p_Var_Perm(), p_Var_Spec()
Dim d_Var_User(), ObjTrustee_d_var_User(), d_Var_Perm(), d_Var_Spec()
ReDim g_var_User(0), ObjTrustee_g_var_User(0), g_Var_Perm(0), g_Var_Spec(0)
Redim r_Var_User(0), ObjTrustee_r_var_User(0)
ReDim p_var_User(0), ObjTrustee_p_var_User(0), p_Var_Perm(0), p_Var_Spec(0)
ReDim d_Var_User(0), ObjTrustee_d_var_User(0), d_Var_Perm(0), d_Var_Spec(0)
Dim i_Var, o_Var
Dim fso, InitialfilenameAbsPath, QryBaseNameHasWildcards, QryExtensionHasWildcards
Dim objService, objLocalService, objLocator
Dim strRemoteServerName, strRemoteShareName, strRemoteUserName, strRemotePassword
Dim RemoteServer_Used, RemoteUserName_Used
Dim DisplayDirPath, ActualDirPath
'This const value is for any use referenced without a domain, if this is TRUE, we will use the local machine name
'for the domain if its a non-dc. For DC's we will always use the Domain name unless you specify the actual domain to use.
'If this is FALSE, we will default to the Domain name.
CONST CONST_USE_LOCAL_FOR_NON_DCs = TRUE
'These are specific to this Script
CONST CONST_SHOW_USAGE = 3
CONST CONST_PROCEED = 4
CONST CONST_ERROR = 1
'When working with NTFS Security, we use constants that match the API documentation
'********************* ControlFlags *********************
CONST ALLOW_INHERIT = 33796 'Used in ControlFlag to turn on Inheritance
'Same as:
'SE_SELF_RELATIVE + SE_DACL_AUTO_INHERITED + SE_DACL_PRESENT
CONST DENY_INHERIT = 37892 'Used in ControlFlag to turn off Inheritance
'Same as:
'SE_SELF_RELATIVE + SE_DACL_PROTECTED + SE_DACL_AUTO_INHERITED + SE_DACL_PRESENT
Const SE_OWNER_DEFAULTED = 1 'A default mechanism, rather than the the original provider of the security
'descriptor, provided the security descriptor's owner security identifier (SID).
Const SE_GROUP_DEFAULTED = 2 'A default mechanism, rather than the the original provider of the security
'descriptor, provided the security descriptor's group SID.
Const SE_DACL_PRESENT = 4 'Indicates a security descriptor that has a DACL. If this flag is not set,
'or if this flag is set and the DACL is NULL, the security descriptor allows
'full access to everyone.
Const SE_DACL_DEFAULTED = 8 'Indicates a security descriptor with a default DACL. For example, if an
'object's creator does not specify a DACL, the object receives the default
'DACL from the creator's access token. This flag can affect how the system
'treats the DACL, with respect to ACE inheritance. The system ignores this
'flag if the SE_DACL_PRESENT flag is not set.
Const SE_SACL_PRESENT = 16 'Indicates a security descriptor that has a SACL.
Const SE_SACL_DEFAULTED = 32 'A default mechanism, rather than the the original provider of the security
'descriptor, provided the SACL. This flag can affect how the system treats
'the SACL, with respect to ACE inheritance. The system ignores this flag if
'the SE_SACL_PRESENT flag is not set.
Const SE_DACL_AUTO_INHERIT_REQ = 256 'Requests that the provider for the object protected by the security descriptor
'automatically propagate the DACL to existing child objects. If the provider
'supports automatic inheritance, it propagates the DACL to any existing child
'objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors
'of the object and its child objects.
Const SE_SACL_AUTO_INHERIT_REQ = 512 'Requests that the provider for the object protected by the security descriptor
'automatically propagate the SACL to existing child objects. If the provider
'supports automatic inheritance, it propagates the SACL to any existing child
'objects, and sets the SE_SACL_AUTO_INHERITED bit in the security descriptors of
'the object and its child objects.
Const SE_DACL_AUTO_INHERITED = 1024 'Windows 2000 only. Indicates a security descriptor in which the DACL is set up
'to support automatic propagation of inheritable ACEs to existing child objects.
'The system sets this bit when it performs the automatic inheritance algorithm
'for the object and its existing child objects. This bit is not set in security
'descriptors for Windows NT versions 4.0 and earlier, which do not support
'automatic propagation of inheritable ACEs.
Const SE_SACL_AUTO_INHERITED = 2048 'Windows 2000: Indicates a security descriptor in which the SACL is set up to
'support automatic propagation of inheritable ACEs to existing child objects.
'The system sets this bit when it performs the automatic inheritance algorithm
'for the object and its existing child objects. This bit is not set in security
'descriptors for Windows NT versions 4.0 and earlier, which do not support automatic
'propagation of inheritable ACEs.
Const SE_DACL_PROTECTED = 4096 'Windows 2000: Prevents the DACL of the security descriptor from being modified
'by inheritable ACEs.
Const SE_SACL_PROTECTED = 8192 'Windows 2000: Prevents the SACL of the security descriptor from being modified
'by inheritable ACEs.
Const SE_SELF_RELATIVE = 32768 'Indicates a security descriptor in self-relative format with all the security
'information in a contiguous block of memory. If this flag is not set, the security
'descriptor is in absolute format. For more information, see Absolute and
'Self-Relative Security Descriptors in the Platform SDK topic Low-Level Access-Control.
'********************* ACE Flags *********************
CONST OBJECT_INHERIT_ACE = 1 'Noncontainer child objects inherit the ACE as an effective ACE. For child
'objects that are containers, the ACE is inherited as an inherit-only ACE
'unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
CONST CONTAINER_INHERIT_ACE = 2 'Child objects that are containers, such as directories, inherit the ACE
'as an effective ACE. The inherited ACE is inheritable unless the
'NO_PROPAGATE_INHERIT_ACE bit flag is also set.
CONST NO_PROPAGATE_INHERIT_ACE = 4 'If the ACE is inherited by a child object, the system clears the
'OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE.
'This prevents the ACE from being inherited by subsequent generations of objects.
CONST INHERIT_ONLY_ACE = 8 'Indicates an inherit-only ACE which does not control access to the object
'to which it is attached. If this flag is not set, the ACE is an effective
'ACE which controls access to the object to which it is attached. Both
'effective and inherit-only ACEs can be inherited depending on the state of
'the other inheritance flags.
CONST INHERITED_ACE = 16 'Windows NT 5.0 and later, Indicates that the ACE was inherited. The system sets
'this bit when it propagates an inherited ACE to a child object.
CONST ACEFLAG_VALID_INHERIT_FLAGS = 31 'Indicates whether the inherit flags are valid.
'Two special flags that pertain only to ACEs that are contained in a SACL are listed below.
CONST SUCCESSFUL_ACCESS_ACE_FLAG = 64 'Used with system-audit ACEs in a SACL to generate audit messages for successful
'access attempts.
CONST FAILED_ACCESS_ACE_FLAG = 128 'Used with system-audit ACEs in a SACL to generate audit messages for failed
'access attempts.
'********************* ACE Types *********************
CONST ACCESS_ALLOWED_ACE_TYPE = 0 'Used with Win32_Ace AceTypes
CONST ACCESS_DENIED_ACE_TYPE = 1 'Used with Win32_Ace AceTypes
CONST AUDIT_ACE_TYPE = 2 'Used with Win32_Ace AceTypes
'********************* Access Masks *********************
Dim Perms_LStr, Perms_SStr, Perms_Const
'Permission LongNames
Perms_LStr=Array("Synchronize" , _
"Take Ownership" , _
"Change Permissions" , _
"Read Permissions" , _
"Delete" , _
"Write Attributes" , _
"Read Attributes" , _
"Delete Subfolders and Files" , _
"Traverse Folder / Execute File", _
"Write Extended Attributes" , _
"Read Extended Attributes" , _
"Create Folders / Append Data" , _
"Create Files / Write Data" , _
"List Folder / Read Data" )
'Permission Single Character codes
Perms_SStr=Array("" , _
"D" , _
"C" , _
"B" , _
"A" , _
"9" , _
"8" , _
"7" , _
"6" , _
"5" , _
"4" , _
"3" , _
"2" , _
"1" )
'Permission Integer
Perms_Const=Array(1048576 , _
&H80000 , _
&H40000 , _
&H20000 , _
&H10000 , _
&H100 , _
&H80 , _
&H40 , _
&H20 , _
&H10 , _
&H8 , _
&H4 , _
&H2 , _
&H1 )
'Initializing Default values
a_Used = FALSE
t_Used = FALSE
e_Used = FALSE
g_Used = FALSE
r_used = FALSE
p_Used = FALSE
d_used = FALSE
i_used = FALSE
l_Used = FALSE
q_Used = FALSE
RemoteServer_Used = FALSE
strRemoteServerName = ""
strRemoteShareName = ""
RemoteUserName_Used = FALSE
strRemoteUserName = ""
strRemotePassword = ""
debug_Used = FALSE 'Parameter Passed
filename_var = ""
DisplayDirPath = ""
ActualDirPath = ""
debug_on = FALSE 'Actual value checked in script
blnQuiet = FALSE
strOutputFile = "XCACLS.Log"
'Parse the command line
intOpMode = intParseCmdLine()
If Err.Number Then
Wscript.Echo "Error while parsing the command line."
Wscript.Echo "Error " & Err.Number & ": " & Err.Description
WScript.Quit
End if
'Open the output file so we can use it through out the script
If l_Used then Call OpenOutputFile()
Call PrintMsg("Starting Script at " & now)
'FSO is used in several funcitons, so lets set it globally.
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
If blnErrorOccurred(" occurred in getting FileSystemObject.") Then WScript.Quit
'Put statements in loop to be able to drop out and clear variables
Do
If debug_on then Call PrintMsg("Main: Enter")
Call PrintArguments() 'Show the arguments entered
'Now lets do the work based upon the arguments entered.
Select Case intOpMode
Case CONST_SHOW_USAGE
Call ShowUsage()
Case CONST_PROCEED
strRemoteServerName = ""
'Lets get the objService object which is used throughout the script
If Not SetMainVars(filename_var) then Exit Do
Call PrintMsg("")
Call CheckTrustees()
If QryBaseNameHasWildcards or QryExtensionHasWildcards then
If debug_on then Call PrintMsg("Wildcard characters detected in """ & InitialfilenameAbsPath & """")
Select Case DoesPathNameExist(fso.GetParentFolderName(InitialfilenameAbsPath))
Case 1 'Directory
Call DoTheWorkOnEverythingUnderDirectory(fso.GetParentFolderName(InitialfilenameAbsPath))
Case Else
Call PrintMsg("Error: Directory """ & fso.GetParentFolderName(InitialfilenameAbsPath) & """ not found.")
End select
Else
If debug_on then Call PrintMsg("No Wildcard characters detected for """ & filename_var & """")
'If a folder is found with the same name, then we work it as a folder and include files under it.
Select Case DoesPathNameExist(InitialfilenameAbsPath)
Case 1 'Directory
If a_used then
Call DoTheWorkOnEverythingUnderDirectory(InitialfilenameAbsPath)
Else
Call DoTheWorkOnThisItem(InitialfilenameAbsPath, TRUE)
End if
Case 2 'File
Call DoTheWorkOnThisItem(InitialfilenameAbsPath, FALSE)
Case Else
Call PrintMsg("Error: File/Directory """ & InitialfilenameAbsPath & """ not found.")
End select
End if
Case Else
Call PrintMsg("")
Call PrintMsg(intOpMode)
End Select
Call blnErrorOccurred(" occurred while in the main routine of the script.")
If debug_on then Call PrintMsg("Main: Exit")
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objService = Nothing
Set objLocalService = Nothing
Set objLocator = Nothing
Call ClearObjectArray(ObjTrustee_g_var_User)
Call ClearObjectArray(ObjTrustee_r_var_User)
Call ClearObjectArray(ObjTrustee_p_var_User)
Call ClearObjectArray(ObjTrustee_d_var_User)
Call PrintMsg("")
Call PrintMsg("Ending Script at " & now)
Call PrintMsg("")
Call PrintMsg("")
If l_Used then
If strOutputFile <> "" Then
objOutputFile.Close
End if
End if
'********************************************************************
'* End of Main Script
'********************************************************************
'********************************************************************
'*
'* Sub DoTheWorkOnEverythingUnderDirectory()
'* Purpose: Work on Directory path passed to it, and pass paths to DoTheWorkOnThisItem sub
'* Input: ThisPath - Path to directory
'* Output: None
'* Notes: This sub will process every file and folder under the directory passed to it.
'*
'********************************************************************
Sub DoTheWorkOnEverythingUnderDirectory(ThisPath)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Enter")
Dim objFileSystemSet, objPath, objFileSystemSet2, objPath2, strQuery, strTempPath, booltempItsAFolder
Do
If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Directory passed: """ & ThisPath & """")
'We already checked for existance so we will assume it exists.
strQuery = "Select * from Cim_LogicalFile Where Name='" & Replace(ThisPath,"\","\\") & "'"
Set objFileSystemSet = objService.ExecQuery(strQuery,,0)
If blnErrorOccurred(" occurred setting objFileSystemSet = objService.ExecQuery(" & strQuery & ",,0).") Then Exit Do
strTempPath = ""
for each objPath in objFileSystemSet
If objPath.Drive <> "" then
strTempPath = objPath.Path & objPath.FileName & "\"
strTempPath = Replace(strTempPath, "\\", "\")
Exit For
End if
next
strQuery = "Select * from Cim_LogicalFile Where Path='" & Replace(strTempPath,"\","\\") & "'"
Set objFileSystemSet2 = objService.ExecQuery(strQuery,,0)
If blnErrorOccurred(" occurred setting objFileSystemSet2 = objService.ExecQuery(" & strQuery & ",,0).") Then Exit Do
for each objPath2 in objFileSystemSet2
strTempPath = ""
booltempItsAFolder = False
If objPath2.Drive <> "" then
If UCASE(objPath2.FileType) = "FILE FOLDER" then booltempItsAFolder = True
strTempPath = objPath2.Name
If QryBaseNameHasWildcards Or QryExtensionHasWildcards then
If DoesItMatch(strTempPath) then
Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder)
End if
Else
'If there are no wildcards, then we are here because a /T was used or initial filename was a directory, so we do all files.
Call DoTheWorkOnThisItem(strTempPath, booltempItsAFolder)
End if
If booltempItsAFolder then
If t_Used then 'We should pass the same check to all sub folders
Call DoTheWorkOnEverythingUnderDirectory(strTempPath)
End if
End if
End if
next
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objPath = Nothing
Set objFileSystemSet = Nothing
Set objPath2 = Nothing
Set objFileSystemSet2 = Nothing
Call blnErrorOccurred(" occurred while in the DoTheWorkOnEverythingUnderDirectory routine.")
If debug_on then Call PrintMsg("DoTheWorkOnEverythingUnderDirectory: Exit")
End Sub
'********************************************************************
'*
'* Sub DoTheWorkOnThisItem()
'* Purpose: Work on File/Folder passed to it, and pass to Work routine
'* Input: ABSPath - Path to File/Folder
'* Output: TRUE if Successful, FALSE if not
'*
'********************************************************************
Sub DoTheWorkOnThisItem(AbsPath, IsItAFolder)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DoTheWorkOnThisItem: Enter")
Dim DisplayIt
Do
DisplayIt = TRUE
Call PrintMsg("")
Call PrintMsg("**************************************************************************")
If IsItAFolder then
Call PrintMsg("Directory: " & DisplayPathString(AbsPath))
Else
Call PrintMsg("File: " & DisplayPathString(AbsPath))
End if
'We already checked for existance so we will assume it exists.
If g_Used or r_Used or p_Used or d_Used or o_used or i_used then
Call SetACLForObject(AbsPath, IsItAFolder)
DisplayIt = FALSE
End If
If DisplayIt then
Call DisplayThisACL(AbsPath)
End if
Call PrintMsg("**************************************************************************")
If t_used then Call DoTheWorkOnEverythingUnderDirectory(AbsPath)
Exit Do
Loop
Call blnErrorOccurred(" occurred while in the DoTheWorkOnThisItem routine.")
If debug_on then Call PrintMsg("DoTheWorkOnThisItem: Exit")
End Sub
'********************************************************************
'*
'* Sub DisplayThisACL()
'* Purpose: Shows ACL's that are applied to strPath
'* Input: strPath - string containing path of file or folder, ShowLong - If TRUE, permissions are in long form
'* Output: prints the acls
'*
'********************************************************************
Sub DisplayThisACL(strPath)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("DisplayThisACL: Enter")
Dim objFileSecSetting, objOutParams, objSecDescriptor, objOwner, objDACL_Member
Dim objtrustee, numAceFlags, strAceFlags, x, strAceType, numControlFlags
ReDim arraystrACLS(0)
'Put statements in loop to be able to drop out and clear variables
Do
set objFileSecSetting = objService.Get("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'")
If blnErrorOccurred(" occurred setting Win32_LogicalFileSecuritySetting object.") Then Exit Do
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor")
If blnErrorOccurred(" occurred when this command was issued: GetSecurityDescriptor.") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor
If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
numControlFlags = objSecDescriptor.ControlFlags
If IsArray(objSecDescriptor.DACL) then
Call PrintMsg("")
Call PrintMsg("Permissions:")
Call PrintMsg( strPackString("Type", 9, 1, TRUE) & strPackString("Username", 24, 1, TRUE) & strPackString("Permissions", 22, 1, TRUE) & strPackString("Inheritance", 22, 1, TRUE))
For Each objDACL_Member in objSecDescriptor.DACL
Select Case objDACL_Member.AceType
Case ACCESS_ALLOWED_ACE_TYPE
strAceType = "Allowed"
Case ACCESS_DENIED_ACE_TYPE
strAceType = "Denied"
Case else
strAceType = "Unknown"
End select
Set objtrustee = objDACL_Member.Trustee
numAceFlags = objDACL_Member.AceFlags
strAceFlags = StringAceFlag(numAceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, FALSE)
Call AddStringToArray(arraystrACLS, strPackString(strAceType, 9, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 24, 1, TRUE) & strPackString(SECString(objDACL_Member.AccessMask,TRUE), 22, 1, TRUE) & strPackString(strAceFlags, 22, 1, TRUE),-1)
Set objtrustee = Nothing
Next
For x = LBound(arraystrACLS) to UBound(arraystrACLS)
Call PrintMsg(arraystrACLS(x))
Next
Else
Call PrintMsg("")
Call PrintMsg("No Permissions set")
End if
ReDim arraystrACLS(0)
If IsArray(objSecDescriptor.SACL) then
Call PrintMsg("")
Call PrintMsg("Auditing:")
Call PrintMsg(strPackString("Type", 9, 1, TRUE) & strPackString("Username", 24, 1, TRUE) & strPackString("Access", 22, 1, TRUE) & strPackString("Inheritance", 22, 1, TRUE))
For Each objDACL_Member in objSecDescriptor.SACL
Set objtrustee = objDACL_Member.Trustee
numAceFlags = objDACL_Member.AceFlags
strAceType = StringSACLAceFlag(numAceFlags)
strAceFlags = StringAceFlag(numAceFlags, numControlFlags, SE_SACL_AUTO_INHERITED, FALSE)
Call AddStringToArray(arraystrACLS, strPackString(strAceType, 9, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 24, 1, TRUE) & strPackString(SECString(objDACL_Member.AccessMask,TRUE), 22, 1, TRUE) & strPackString(strAceFlags, 22, 1, TRUE),-1)
Set objtrustee = Nothing
Next
For x = LBound(arraystrACLS) to UBound(arraystrACLS)
Call PrintMsg(arraystrACLS(x))
Next
Else
Call PrintMsg("")
Call PrintMsg("No Auditing set")
End if
Set objOwner = objSecDescriptor.Owner
If blnErrorOccurred(" occurred setting objOwner = objSecDescriptor.Owner.") Then Exit Do
Call PrintMsg("")
Call PrintMsg("Owner: " & objOwner.Domain & "\" & objOwner.Name)
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objOwner = Nothing
Set objSecDescriptor = Nothing
Set objDACL_Member = Nothing
Set objtrustee = Nothing
Set objOutParams = Nothing
Set objFileSecSetting = Nothing
Call blnErrorOccurred(" occurred while in the DisplayThisACL routine.")
If debug_on then Call PrintMsg("DisplayThisACL: Exit")
End Sub
'********************************************************************
'*
'* Sub SetACLForObject()
'* Purpose: Set the ACL for the file/folder passed
'* Input: strPath - string containing path of file or folder, IsItAFolder,
'* Output: None
'*
'********************************************************************
Sub SetACLForObject(strPath, IsItAFolder)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("SetACLForObject: Enter")
Dim objFileSecSetting, objmethod, objSecDescriptor
Dim objtrustee, objInParam, objOutParams, objOwner
Dim objParentFileSecSetting, objParentOutParams, objParentSecDescriptor
Dim OldAceObj, ObjNewAce, NewobjDescriptor, RetVal, i_Var_Copy_Temp
Dim BlankDaclObj, OldDaclObj(), NewDaclObj(), ImpDenyDaclObj()
Dim ImpAllowDaclObj(), ImpDenyObjectDaclObj()
Dim objTempTrustee, i, t, ThisUserAccess, RightsToGive, NewRights
Dim intTempAccessMask, boolDoTheUpdate
Dim strOldAccount, strThisAccount, NewArraySize, NewArrayMember, BoolDoThisOne
Dim ControlFlagsVar, BoolAllowInherited, BoolGetInherited, BoolInitialInheritRightsPresent, numControlFlags
'Put statements in loop to be able to drop out and clear variables
Do
'Initialize all of the new ACL objects
ReDim OldDaclObj(0)
ReDim NewDaclObj(0)
ReDim ImpDenyDaclObj(0)
ReDim ImpAllowDaclObj(0)
ReDim InheritedObjectDaclObj(0)
ReDim BlankDaclObj(0)
BoolAllowInherited = FALSE
BoolGetInherited = FALSE
BoolInitialInheritRightsPresent = FALSE
If debug_on then Call PrintMsg("SetACLForObject: Working on """ & strPath & """")
set objFileSecSetting = objService.Get("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'")
If blnErrorOccurred(" occurred setting Win32_LogicalFileSecuritySetting object.") Then Exit Do
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor")
If blnErrorOccurred(" occurred Setting objOutParams = objFileSecSetting.ExecMethod_(""GetSecurityDescriptor"")") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor
If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
Set objOwner = objSecDescriptor.Owner
If blnErrorOccurred(" occurred setting objOwner = objSecDescriptor.Owner.") Then Exit Do
numControlFlags = objSecDescriptor.ControlFlags
If debug_on then Call PrintMsg("SetACLForObject: Getting DACL array")
Call GetDaclArray(OldDaclObj,objSecDescriptor, FALSE)
If blnErrorOccurred(" occurred after Calling GetDaclArray(OldDaclObj,objSecDescriptor, FALSE)") Then Exit Do
If UBound(OldDaclObj) = 0 then
'If the array is empty and we need to Copy or Enable Inheritance, we need to set Inheritance and get array again.
If i_used then
If i_var < 3 then BoolGetInherited = TRUE
End if
Else
'If Copy or Enable Inheritance is set and there was no Inherited Properties, we need to set Inheritance and get array again.
If i_used then
If i_var < 3 then BoolGetInherited = TRUE
For i = 1 to UBound(OldDaclObj)
If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do
Set OldAceObj = OldDaclObj(i)
If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE) = "Inherited" then
BoolInitialInheritRightsPresent = TRUE
BoolGetInherited = FALSE
Exit For
End if
Next
End if
End if
If BoolGetInherited Then 'We need the inherited ACE's so lets get them.
If debug_on then Call PrintMsg("SetACLForObject: Inherited ACL's not found and needed, getting from Parent Directory")
'Any existing ACE's will remain in array
Set NewobjDescriptor = objService.Get("Win32_SecurityDescriptor").Spawninstance_
If blnErrorOccurred(" occurred Setting NewobjDescriptor = objService.Get(""Win32_SecurityDescriptor"").Spawninstance_") Then Exit Do
NewobjDescriptor.ControlFlags = ALLOW_INHERIT
If blnErrorOccurred(" occurred setting objSecDescriptor.ControlFlags = ALLOW_INHERIT") Then Exit Do
Set objmethod = objFileSecSetting.Methods_("SetSecurityDescriptor")
If blnErrorOccurred(" occurred setting objmethod = objFileSecSetting.Methods_(""SetSecurityDescriptor"")") Then Exit Do
Set objInParam = objmethod.inParameters.SpawnInstance_()
If blnErrorOccurred(" occurred Setting objInParam = objmethod.inParameters.SpawnInstance_()") Then Exit Do
objInParam.Properties_.item("Descriptor") = NewobjDescriptor
If blnErrorOccurred(" occurred setting objInParam.Properties_.item(""Descriptor"") = NewobjDescriptor") Then Exit Do
Set RetVal = objFileSecSetting.ExecMethod_("SetSecurityDescriptor", objInParam)
If blnErrorOccurred(" occurred setting RetVal = objFileSecSetting.ExecMethod_(""SetSecurityDescriptor"", objInParam)") Then Exit Do
'Now we need to get only the Inherited ACE's (Everyone group may be set if DACL array was empty)
Set objOutParams = objFileSecSetting.ExecMethod_("GetSecurityDescriptor")
If blnErrorOccurred(" occurred Setting objOutParams = objFileSecSetting.ExecMethod_(""GetSecurityDescriptor"")") Then Exit Do
set objSecDescriptor = objOutParams.Descriptor
If blnErrorOccurred(" occurred setting objSecDescriptor = objOutParams.Descriptor.") Then Exit Do
Call GetDaclArray(OldDaclObj,objSecDescriptor, TRUE)
If blnErrorOccurred(" occurred when Calling GetDaclArray(OldDaclObj,objSecDescriptor, TRUE)") Then Exit Do
Set NewobjDescriptor = Nothing
Set objmethod = Nothing
Set objInParam = Nothing
Set RetVal = Nothing
boolDoTheUpdate = TRUE
End if
'Now we have the inherited rights, if one of the revoked users is in the list, then we need to copy the list and turn off inheritance.
If debug_on then Call PrintMsg("SetACLForObject: Looking for Revoke users in Inherited list, if found, Inherited list will be copied to Effective list and inheritance turned off, so we can revoke user")
i_Var_Copy_Temp = FALSE
If r_Used then 'Revoke user if present in Inherited Allowed or Denied lists
If UBound(OldDaclObj) > 0 then
For i = 1 to UBound(OldDaclObj)
If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do
Set OldAceObj = OldDaclObj(i)
If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE) = "Inherited" then
For t = LBound(r_var_User) to UBound(r_var_User)
If r_Var_User(t) <> "" then
If TrusteesMatch(ObjTrustee_r_var_User(t), OldAceObj.Trustee) then
'We found a match
i_Var_Copy_Temp = TRUE
Call PrintMsg(" - One of the Revoked Users is listed under Inherited permissions.")
Call PrintMsg(" Copying Inherited Permissions and turning off inheritance.")
Exit For
End if
End if
Next
End if
Next
End If
End If
If debug_on then Call PrintMsg("SetACLForObject: Sorting DACL array and modifying rights if needed")
If UBound(OldDaclObj) > 0 then
For i = 1 to UBound(OldDaclObj)
BoolDoThisOne = TRUE
If blnErrorOccurred(" occurred looping through OldDaclObj.") Then Exit Do
Set OldAceObj = OldDaclObj(i)
Set objTempTrustee = OldAceObj.Trustee
intTempAccessMask = OldAceObj.AccessMask
If debug_on then Call PrintMsg("SetACLForObject: """ & TrusteesDisplay(objTempTrustee) & """ current rights = " & SECString(OldAceObj.AccessMask,TRUE))
If StringAceFlag(OldAceObj.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE) = "Inherited" then
If i_Var_Copy_Temp then 'This makes sure that inherited users that are revoked can be revoked...
OldAceObj.AceFlags = OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE
Else
BoolDoThisOne = FALSE
If i_used then 'We should make them effective ACL's
Select Case i_var
Case 1 'Inherit
Call AddObjectToArray(InheritedObjectDaclObj, OldAceObj, -1)
Case 2 'Copy to Effective
OldAceObj.AceFlags = OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE
BoolDoThisOne = TRUE
End Select
Else
Call AddObjectToArray(InheritedObjectDaclObj, OldAceObj, -1)
End If
End if
End if
If p_Used then 'Replace user rights if present
For t = LBound(p_var_User) to UBound(p_var_User)
If p_Var_User(t) <> "" then
If TrusteesMatch(ObjTrustee_p_var_User(t), objTempTrustee) then
'We found a match so skip it.
BoolDoThisOne = FALSE
Call PrintMsg("Replacing rights for existing user """ & p_Var_User(t) & """")
End if
End if
Next
Else
End If
If r_Used then 'Revoke user if present in Allowed or Denied lists
For t = LBound(r_var_User) to UBound(r_var_User)
If r_Var_User(t) <> "" then
If TrusteesMatch(ObjTrustee_r_var_User(t), objTempTrustee) then
'We found a match so skip it.
BoolDoThisOne = FALSE
Call PrintMsg("Revoking rights for existing user """ & r_Var_User(t) & """")
End if
End if
Next
End if
If BoolDoThisOne then
Select Case OldAceObj.AceType
Case ACCESS_ALLOWED_ACE_TYPE
Call AddObjectToArray(ImpAllowDaclObj, OldAceObj, -1)
Case ACCESS_DENIED_ACE_TYPE
Call AddObjectToArray(ImpDenyDaclObj, OldAceObj, -1)
Case Else
Call PrintMsg("Error: Bad ace...." & Hex(OldAceObj.AceType))
End Select
End if
Next
End If
'Add ACE's that need to be added:
If g_Used then 'Grant rights for these users
If debug_on then Call PrintMsg("SetACLForObject: Granting Rights for Users (that haven't been granted already)")
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_g_var_User, g_var_User, g_var_Perm, ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE + OBJECT_INHERIT_ACE, "Granting")
If blnErrorOccurred(" occurred when Building Granted (File) Rights array") Then Exit Do
If IsItAFolder then
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_g_var_User, g_var_User, g_var_Spec, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, "Granting")
If blnErrorOccurred(" occurred when Building Granted (Folder) Rights array") Then Exit Do
End if
End if
If p_Used then 'Grant rights for these users (Replace rights)
If debug_on then Call PrintMsg("SetACLForObject: Replacing Rights for Users (that haven't been granted already)")
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_p_var_User, p_var_User, p_var_Perm, ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE + OBJECT_INHERIT_ACE , "Replacing")
If blnErrorOccurred(" occurred when Building Replace (File) Rights array") Then Exit Do
If IsItAFolder then
Call AccessMask_New(ImpAllowDaclObj, ObjTrustee_p_var_User, p_var_User, p_var_Spec, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, "Replacing")
If blnErrorOccurred(" occurred when Building Replace (Folder) Rights array") Then Exit Do
End if
End if
If d_Used then 'Deny rights for these users
If debug_on then Call PrintMsg("SetACLForObject: Denying Rights for Users (that haven't been denied already)")
Call AccessMask_New(ImpDenyDaclObj, ObjTrustee_d_var_User, d_var_User, d_var_Perm, ACCESS_DENIED_ACE_TYPE, INHERIT_ONLY_ACE + OBJECT_INHERIT_ACE , "Denying")
If blnErrorOccurred(" occurred when Building Denied (File) Rights array") Then Exit Do
If IsItAFolder then
Call AccessMask_New(ImpDenyDaclObj, ObjTrustee_d_var_User, d_var_User, d_var_Spec, ACCESS_DENIED_ACE_TYPE, CONTAINER_INHERIT_ACE, "Denying")
If blnErrorOccurred(" occurred when Building Denied (Folder) Rights array") Then Exit Do
End if
End if
' Combine the ACEs in the proper order
' Implicit Deny
' Implicit Allow
' Inherited Aces
If debug_on then Call PrintMsg("SetACLForObject: Forming new DACL array")
boolDoTheUpdate = FALSE
ReDim NewDaclObj(0)
If UBound(ImpDenyDaclObj) > 0 then '0 member is always blank
For i = (LBound(ImpDenyDaclObj) + 1) to UBound(ImpDenyDaclObj)
boolDoTheUpdate = TRUE
Call AddObjectToArray(NewDaclObj, ImpDenyDaclObj(i), 0)
Next
If blnErrorOccurred(" occurred when Building Implicit Deny array") Then Exit Do
End if
If UBound(ImpAllowDaclObj) > 0 then
For i = (LBound(ImpAllowDaclObj) + 1) to UBound(ImpAllowDaclObj)
boolDoTheUpdate = TRUE
Call AddObjectToArray(NewDaclObj, ImpAllowDaclObj(i), 0)
Next
If blnErrorOccurred(" occurred when Building Implicit Allow array") Then Exit Do
End if
If UBound(InheritedObjectDaclObj) > 0 then
BoolAllowInherited = TRUE
For i = (LBound(InheritedObjectDaclObj) + 1) to UBound(InheritedObjectDaclObj)
boolDoTheUpdate = TRUE
InheritedObjectDaclObj(i).AccessMask = 0
Call AddObjectToArray(NewDaclObj, InheritedObjectDaclObj(i), 0)
Next
If blnErrorOccurred(" occurred when Building Inherited Object array") Then Exit Do
End if
If Not boolDoTheUpdate Then
Set NewDaclObj(0) = CreateObject("AccessControlEntry")
If blnErrorOccurred(" occurred Setting NewDaclObj(0) = CreateObject(""AccessControlEntry"").") Then Exit Do
End if
If i_Var_Copy_Temp then
If debug_on then Call PrintMsg("SetACLForObject: Inheritance turned off because one of the inherited users is revoked on this object.")
ControlFlagsVar = SE_DACL_PRESENT
Else
If i_used then
Select Case i_var
Case 1
ControlFlagsVar = ALLOW_INHERIT
Case 3
ControlFlagsVar = DENY_INHERIT
case Else '2 and non matching
ControlFlagsVar = SE_DACL_PRESENT
End Select
Else
If BoolAllowInherited or BoolInitialInheritRightsPresent then
ControlFlagsVar = ALLOW_INHERIT
Else
ControlFlagsVar = DENY_INHERIT
End if
End if
End if
If debug_on then Call PrintMsg("SetACLForObject: Saving new Descriptor")
Set NewobjDescriptor = objService.Get("Win32_SecurityDescriptor").Spawninstance_
If blnErrorOccurred(" occurred Setting NewobjDescriptor = objService.Get(""Win32_SecurityDescriptor"").Spawninstance_") Then Exit Do
If boolDoTheUpdate then
NewobjDescriptor.Properties_.item("DACL") = NewDaclObj
If blnErrorOccurred(" occurred setting NewobjDescriptor.Properties_.item(""DACL"") = NewDaclObj") Then Exit Do
Else 'Making DACL Blank
Set BlankDaclObj(0) = objService.Get("Win32_Ace").Spawninstance_
If blnErrorOccurred(" occurred Setting BlankDaclObj(0) = objService.Get(""Win32_Ace"").Spawninstance_") Then Exit Do
NewobjDescriptor.Properties_.item("DACL") = BlankDaclObj
If blnErrorOccurred(" occurred setting NewobjDescriptor.Properties_.item(""DACL"") = BlankDaclObj") Then Exit Do
End if
If o_Used then 'Change Ownership
If debug_on then Call PrintMsg("SetACLForObject: Changing Ownership")
If o_Var <> "" then
Set objTempTrustee = Nothing
Set objTempTrustee = SetTrustee(o_var)
If Not objTempTrustee Is Nothing then
If TrusteesMatch(objOwner, objTempTrustee) then
Call PrintMsg("Ownership not changed, owner is already set to """ & TrusteesDisplay(objTempTrustee) & """")
Else
NewobjDescriptor.Properties_.item("Owner") = objTempTrustee
If blnErrorOccurred(" occurred setting NewobjDescriptor.Properties_.item(""Owner"") = objTempTrustee") Then Exit Do
Call PrintMsg("Changed Ownership to """ & TrusteesDisplay(objTempTrustee) & """")
End if
Else
Call PrintMsg("Failed to Change Ownership to user """ & o_var & """")
End if
End if
End if
NewobjDescriptor.ControlFlags = ControlFlagsVar
If blnErrorOccurred(" occurred setting NewobjDescriptor.ControlFlags = ControlFlagsVar") Then Exit Do
Set objmethod = objFileSecSetting.Methods_("SetSecurityDescriptor")
If blnErrorOccurred(" occurred setting objmethod = objFileSecSetting.Methods_(""SetSecurityDescriptor"")") Then Exit Do
Set objInParam = objmethod.inParameters.SpawnInstance_()
If blnErrorOccurred(" occurred Setting objInParam = objmethod.inParameters.SpawnInstance_()") Then Exit Do
objInParam.Properties_.item("Descriptor") = NewobjDescriptor
If blnErrorOccurred(" occurred setting objInParam.Properties_.item(""Descriptor"") = NewobjDescriptor") Then Exit Do
Set RetVal = objFileSecSetting.ExecMethod_("SetSecurityDescriptor", objInParam)
If blnErrorOccurred(" occurred setting RetVal = objFileSecSetting.ExecMethod_(""SetSecurityDescriptor"", objInParam)") Then Exit Do
Call PrintMsg("Completed successfully.")
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objOwner = Nothing
Set objFileSecSetting = Nothing
Set objmethod = Nothing
Set objSecDescriptor = Nothing
Set objtrustee = Nothing
Set objInParam = Nothing
Set objOutParams = Nothing
Set OldAceObj = Nothing
Set ObjNewAce = Nothing
Set NewobjDescriptor = Nothing
Set objTempTrustee = Nothing
Set RetVal = Nothing
Call blnErrorOccurred(" occurred while in the SetACLForObject routine.")
If debug_on then Call PrintMsg("SetACLForObject: Exit")
End Sub
'********************************************************************
'*
'* Function AccessMask_New()
'* Purpose: Takes a list of users with permissions and adds them to the list
'* Input: Array_ACLobj : DACL Array
'* Array_Users : Array of users
'* Array_Perm : Array of permissions
'* AceType : Type of Permissions (Allow or Deny)
'* AceFlag : Apply to what (Files or Folders)
'* strAction : String saying what the action was (Grant, Replace, or Deny)
'* Output: Acl Array Object
'*
'********************************************************************
Function AccessMask_New(byref Array_ACLobj, byref Array_ObjTrustee, Array_Users, Array_Perm, AceType, AceFlag, strAction)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("AccessMask_New: Enter")
Dim t, objNEWACE, RightsToGive, AceTypeString
'Put statements in loop to be able to drop out and clear variables
Do
AccessMask_New = FALSE
If AceFlag = CONTAINER_INHERIT_ACE then
AceTypeString = """This Folder and Subfolders"""
Else
AceTypeString = """Files Only"""
End if
For t = LBound(Array_Users) to UBound(Array_Users)
If blnErrorOccurred(" occurred while " & strAction & " permissions.") Then Exit Do
If Array_Users(t) <> "" and Array_Perm(t) <> "" then
If IsObject(Array_ObjTrustee(t)) then
RightsToGive = SECBitMask(Array_Perm(t))
If blnErrorOccurred(" occurred getting rights for " & Array_Users(t) & ".") Then Exit Do
Set objNEWACE = SetACE(RightsToGive, AceFlag, AceType, Array_ObjTrustee(t))
If blnErrorOccurred(" occurred creating ""ACE Object"" for " & Array_Users(t) & ".") Then Exit Do
Call AddObjectToArray(Array_ACLobj, objNEWACE, -1)
If blnErrorOccurred(" occurred adding (" & strAction & ") New ACE object to array.") Then Exit Do
Set objNEWACE = Nothing
Call PrintMsg(strAction & " NTFS rights (" & SECString(RightsToGive,TRUE) & " access for " & AceTypeString & ") for """ & Array_Users(t) & """")
Else
Call PrintMsg("Failed " & strAction & " NTFS rights (" & AceTypeString & ") for """ & Array_Users(t) & """")
End if
End if
Next
AccessMask_New = TRUE
Exit Do 'We really didn't want to loop
Loop
Set objNEWACE = Nothing
If debug_on then Call PrintMsg("AccessMask_New: Return = " & AccessMask_New)
Call blnErrorOccurred(" occurred while in the AccessMask_New routine.")
If debug_on then Call PrintMsg("AccessMask_New: Exit")
End Function
'********************************************************************
'*
'* Sub TrusteesMatch()
'* Purpose: Checks the Trustee to the Name and Domain and returns boolean TRUE if they match
'* Input: objTrusteeA, objTrusteeB
'* Output: Boolean
'* Notes: This is a nice way to check if one trustee matches another, the procedure can change
'* and compare different values and only needs to be changed here, not in the rest of the code.
'*
'********************************************************************
Function TrusteesMatch(ByRef objTrusteeA, ByRef objTrusteeB)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("TrusteesMatch: Enter")
'Put statements in loop to be able to drop out and clear variables
Do
TrusteesMatch = FALSE
If debug_on then Call PrintMsg("TrusteesMatch: Checking Users to see if they match")
If NOT IsObject(objTrusteeA) then
Exit Do
End if
If NOT IsObject(objTrusteeB) then
Exit Do
End if
If objTrusteeA.SIDString = objTrusteeB.SIDString then
TrusteesMatch = TRUE
End if
Exit Do 'We really didn't want to loop
Loop
Call blnErrorOccurred(" occurred while in the TrusteesMatch routine.")
If debug_on then Call PrintMsg("TrusteesMatch: Exit")
End Function
'********************************************************************
'*
'* Sub TrusteesDisplay()
'* Purpose: Returns a Display ready string of trustee passed in
'* Input: objTrustee
'* Output: String
'* Notes: This makes the display of a trustee a standard throughout the code
'*
'********************************************************************
Function TrusteesDisplay(ByRef objTrustee)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("TrusteesDisplay: Enter")
'Put statements in loop to be able to drop out and clear variables
Do
TrusteesDisplay = ""
If NOT IsObject(objTrustee) then
Exit Do
End if
If objTrustee.Domain = "" then
TrusteesDisplay = objTrustee.Name
Else
TrusteesDisplay = objTrustee.Domain & "\" & objTrustee.Name
End if
Exit Do 'We really didn't want to loop
Loop
Call blnErrorOccurred(" occurred while in the TrusteesDisplay routine.")
If debug_on then Call PrintMsg("TrusteesDisplay: Exit")
End Function
'********************************************************************
'*
'* Sub CheckTrustees()
'* Purpose: Checks the list of entered users and makes them valid, run only once
'* Input: Global Variables only
'* Output: None
'* Notes: This function is called only one time in the code to get a trustee object for
'* every user entered, and if we can't find one then the user is deleted from the list.
'*
'********************************************************************
Sub CheckTrustees()
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("CheckTrustees: Enter")
'Put statements in loop to be able to drop out and clear variables
Do
If debug_on then Call PrintMsg("CheckTrustees: Checking Users to make sure they are proper Trustee's")
Call GetDefaultNames()
Call GetDefaultDomainSid()
If g_Used then 'Add to users
If debug_on then Call PrintMsg("CheckTrustees: Checking /G users")
If FixListOfTrustees(g_Var_User, ObjTrustee_g_var_User, "/G") = FALSE then exit Do
End if
If p_Used then 'Replace users
If debug_on then Call PrintMsg("CheckTrustees: Checking /P users")
If FixListOfTrustees(p_Var_User, ObjTrustee_p_var_User, "/P") = FALSE then exit Do
End if
If d_Used then 'Change users
If debug_on then Call PrintMsg("CheckTrustees: Checking /D users")
If FixListOfTrustees(d_Var_User, ObjTrustee_d_var_User, "/D") = FALSE then exit Do
End if
If r_Used then 'Revoke users
If debug_on then Call PrintMsg("CheckTrustees: Checking /R users")
If FixListOfTrustees(r_Var_User, ObjTrustee_r_var_User, "/R") = FALSE then exit Do
End if
Exit Do 'We really didn't want to loop
Loop
Call blnErrorOccurred(" occurred while in the CheckTrustees routine.")
If debug_on then Call PrintMsg("CheckTrustees: Exit")
End Sub
'********************************************************************
'*
'* Function FixListOfTrustees()
'* Purpose: Takes a list of users and changes to a valid trustee if found, else sets string to ""
'* Input: Array_Users, strAction
'* Output: Dacl Array Object
'*
'********************************************************************
Function FixListOfTrustees(byref Array_Users, byref Array_ObjTrustee, strAction)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("FixListOfTrustees: Enter")
Dim t, objTempTrustee, strTempName
'Put statements in loop to be able to drop out and clear variables
Do
FixListOfTrustees = FALSE
For t = LBound(Array_Users) to UBound(Array_Users)
strTempName = ""
If Array_Users(t) <> "" then
'First, lets remove any special quotes in the string
'Quotation mark (") 34
Array_Users(t) = Replace(Array_Users(t),chr(34),"")
'Single turned comma quotation mark 145
Array_Users(t) = Replace(Array_Users(t),chr(145),"")
'Single comma quotation mark 146
Array_Users(t) = Replace(Array_Users(t),chr(146),"")
'Double turned comma quotation mark 147
Array_Users(t) = Replace(Array_Users(t),chr(147),"")
'Double comma quotation mark 148
Array_Users(t) = Replace(Array_Users(t),chr(148),"")
Set objTempTrustee = SetTrustee(Array_Users(t))
If blnErrorOccurred(" occurred Setting objTempTrustee = SetTrustee(Array_Users(t))") Then Exit Do
If objTempTrustee Is Nothing then
Call PrintMsg("Could not find " & strAction & " user/group: """ & Array_Users(t) & """ removing from list.")
Array_Users(t) = ""
Else
strTempName = TrusteesDisplay(objTempTrustee)
Call AddObjectToArray(Array_ObjTrustee, objTempTrustee, t)
If IsNull(objTempTrustee.Domain) then objTempTrustee.Domain = ""
If UCase(Array_Users(t)) <> UCASE(strTempName) then
Call PrintMsg(" - Changing " & strAction & " user/group: """ & Array_Users(t) & """ to """ & strTempName & """")
End if
Array_Users(t) = strTempName
Set objTempTrustee = Nothing
End if
End if
Next
FixListOfTrustees = TRUE 'Means we didn't have an error and went through the entire list
Exit Do 'We really didn't want to loop
Loop
Set objTempTrustee = Nothing
If debug_on then Call PrintMsg("FixListOfTrustees: Return = " & FixListOfTrustees)
Call blnErrorOccurred(" occurred while in the FixListOfTrustees routine.")
If debug_on then Call PrintMsg("FixListOfTrustees: Exit")
End Function
'********************************************************************
'*
'* Sub GetDaclArray()
'* Purpose: Return Dacl Array object if found
'* Input: objArrayPassedIn, objSecDescriptor, getonlyInherited
'* Output: Dacl Array Object
'*
'********************************************************************
Sub GetDaclArray(DACL_Array, objSecDescriptor, getonlyInherited)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("GetDaclArray: Enter")
Dim TempDACL_Array, objDACL_Member, numControlFlags
'Put statements in loop to be able to drop out and clear variables
Do
numControlFlags = objSecDescriptor.ControlFlags
If blnErrorOccurred(" occurred getting ControlFlags.") Then Exit Do
TempDACL_Array = objSecDescriptor.DACL
If blnErrorOccurred(" occurred getting Temporary DACL array.") Then Exit Do
If IsArray(TempDACL_Array) then
For Each objDACL_Member in TempDACL_Array
If blnErrorOccurred(" occurred while looping through TempDACL_Array.") Then Exit Do
If getonlyInherited then
If StringAceFlag(objDACL_Member.AceFlags, numControlFlags, SE_DACL_AUTO_INHERITED, TRUE) = "Inherited" then Call AddObjectToArray(DACL_Array, objDACL_Member, -1)
Else
Call AddObjectToArray(DACL_Array, objDACL_Member, -1)
End If
Next
End if
If (UBound(DACL_Array) = 0) Then
Set DACL_Array(0) = CreateObject("AccessControlEntry")
If blnErrorOccurred(" occurred Setting DACL_Array(0) = CreateObject(""AccessControlEntry"").") Then Exit Do
End if
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objDACL_Member = Nothing
Call blnErrorOccurred(" occurred while in the GetDaclArray routine.")
If debug_on then Call PrintMsg("GetDaclArray: Exit")
End Sub
'********************************************************************
'* Function SetTrustee()
'* Purpose: Returns Win32_Trustee object for User/group or Nothing if not found
'* Input: strFullName
'* Output: Win32_Trustee object is returned, Nothing if not found
'********************************************************************
Function SetTrustee(strFullName)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("SetTrustee: Enter")
Dim objTrustee, objAccount, objSID, strSid, strDomain, strName
'Put statements in loop to be able to drop out and clear variables
Do
Set SetTrustee = Nothing
strSid = ""
Set objTrustee = objService.Get("Win32_Trustee").Spawninstance_
'GetStandardSid will parse the strFullname into strDomain and strName
strSid = GetStandardSid(strFullName, strDomain, strName)
If strSid <> "" then
objTrustee.Domain = strDomain
objTrustee.Name = strName
If blnErrorOccurred(" occurred setting Domain and Name for Trustee object.") Then
Exit Do
End if
Else
Set objAccount = GetAccountObj(strDomain, strName)
If blnErrorOccurred(" occurred getting Account Object.") Then
Exit Do
End if
If objAccount Is Nothing then
Call PrintMsg("Can't find Sid for: """ & strFullName & """")
Exit Do
Else
strSid = objAccount.Sid
End If
objTrustee.Domain = objAccount.Domain
objTrustee.Name = objAccount.Name
If blnErrorOccurred(" occurred setting Domain and Name for Trustee object.") Then
Exit Do
End if
End If
If strSid = "" then 'This means it doesn't exist
Call PrintMsg("Can't find Sid for: """ & strFullName & """")
Exit Do
End if
set objSID = objService.Get("Win32_SID.SID='" & strSid &"'")
If blnErrorOccurred(" occurred getting Win32_SID.SID Object.") Then
Exit Do
End if
objTrustee.Properties_.item("SID") = objSID.BinaryRepresentation
objTrustee.Properties_.item("SidLength") = objSID.SidLength
objTrustee.Properties_.item("SIDString") = objSID.Sid
set objSID = nothing
Set objAccount = Nothing
set SetTrustee = objTrustee
Exit Do 'We really didn't want to loop
Loop
'ClearObjects that could be set and aren't needed now
Set objTrustee = Nothing
Set objAccount = Nothing
Set objSID = Nothing
If debug_on then
If SetTrustee is Nothing then
Call PrintMsg("SetTrustee: Return = " & "Nothing")
Else
Call PrintMsg("SetTrustee: Return = " & "Win32_Trustee object")
End if
End if
Call blnErrorOccurred(" occurred while in the SetTrustee routine.")
If debug_on then Call PrintMsg("SetTrustee: Exit")
End Function
'********************************************************************
'* Function GetStandardSid()
'* Purpose: Returns Sid if the account is a special account
'* Input: strFullName
'* Output: String Value of Sid
'********************************************************************
Function GetStandardSid(ByRef strFullName, ByRef strDomain, ByRef strName)
ON ERROR RESUME NEXT
If debug_on then Call PrintMsg("GetStandardSid: Enter")
Dim strSpecialDomain
'Put statements in loop to be able to drop out and clear variables
Do
strDomain = ""
strName = ""
If InStr(1, strFullName, "\",1) > 0 then
strDomain = Left(strFullName, InStr(1, strFullName, "\",1) - 1)
strName = Mid(strFullName, InStr(1, strFullName, "\",1) + 1)
Else
If InStr(1, strFullName, "/",1) > 0 then
strDomain = Left(strFullName, InStr(1, strFullName, "/",1) - 1)
strName = Mid(strFullName, InStr(1, strFullName, "/",1) + 1)
Else
strName = strFullName
End if
End if
strSpecialDomain = ""
'List
|
|
Top
|
|
|
|
#58169 - 2002-08-06 02:11 PM
Re: OFF TOPIC - Shawn can you review a WSH script for me?
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Sure Doc..
Would you like fries with that?
Kent
[ 06. August 2002, 22:08: Message edited by: kdyer ]
|
|
Top
|
|
|
|
Moderator: Glenn Barnas, NTDOC, Arend_, Jochen, Radimus, Allen, ShaneEP, Ruud van Velsen, Mart
|
0 registered
and 369 anonymous users online.
|
|
|
