#84930 - 2002-01-21 04:57 PM
WMI
|
Bryce
KiX Supporter
   
Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
|
Here is the VB script I am converting.
code:
You can also use WMI. Here's the example from the Win32_LogicalFileSecuritySetting docs...

' The folder named "testfolder" must exist on the C:\ drive.

' Connect to WMI and get the file security object for the testfolder directory
Set wmiFileSecSetting = GetObject("winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\testfolder'")

' Use the Win32_LogicalFileSecuritySetting Caption property to create a simple header before
' dumping the discretionary access control list (DACL)
Wscript.Echo wmiFileSecSetting.Caption & ":" & vbCrLf

' Call the Win32_LogicalFileSecuritySetting GetSecurityDescriptor
' method to retrieve an instance of the Win32_SecurityDescriptor class
' for the target object, that is, C:\TestFolder. Note that this is achieved by
' passing an empty variable to GetSecurityDescriptor, which
' GetSecurityDescriptor in turn initializes with an instance of the
' Win32_SecurityDescriptor class that corresponds to the security
' descriptor for the target object.
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)

' After the security descriptor is retrieved, you can use the properties provided by the
' Win32_SecurityDescriptor class to dissect the security descriptor's access control lists
' (DACL and SACL) and access control entries (ACEs).

' Retrieve the content of Win32_SecurityDescriptor DACL property.
' The DACL is an array of Win32_ACE objects.
DACL = wmiSecurityDescriptor.DACL

For each wmiAce in DACL
    wscript.echo "Access Mask: " & wmiAce.AccessMask
    wscript.echo "ACE Type: " & wmiAce.AceType

    ' Get Win32_Trustee object from ACE
    Set Trustee = wmiAce.Trustee
    wscript.echo "Trustee Domain: " & Trustee.Domain
    wscript.echo "Trustee Name: " & Trustee.Name

    ' Get SID as array from Trustee
    SID = Trustee.SID
    ' Reset the string so each ACE prints only its own SID
    strsid = ""
    For i = 0 To UBound(SID) - 1
        strsid = strsid & SID(i) & ","
    Next
    strsid = strsid & SID(i)
    wscript.echo "Trustee SID: {" & strsid & "}"
Next

wscript.echo "ReturnValue is: " & RetVal
Here is what I have in KiX so far.
code:
$wmiFileSecSetting = GetObject("winmgmts:Win32_LogicalFileSecuritySetting.path='%temp%'")
$wmiFileSecSetting.Caption ?

; Call the Win32_LogicalFileSecuritySetting GetSecurityDescriptor
; method to retrieve an instance of the Win32_SecurityDescriptor class
; for the target object, that is, C:\TestFolder. Note that this is achieved by
; passing an empty variable to GetSecurityDescriptor, which
; GetSecurityDescriptor in turn initializes with an instance of the
; Win32_SecurityDescriptor class that corresponds to the security
; descriptor for the target object.
$RetVal = $wmiFileSecSetting.GetSecurityDescriptor($wmiSecurityDescriptor)

; After the security descriptor is retrieved, you can use the properties
; provided by the Win32_SecurityDescriptor class to dissect the security
; descriptor's access control lists (DACL and SACL) and access control
; entries (ACEs).

; Retrieve the content of Win32_SecurityDescriptor DACL property.
; The DACL is an array of Win32_ACE objects.
$DACL = $wmiSecurityDescriptor.DACL
The problem is that this line

$RetVal = $wmiFileSecSetting.GetSecurityDescriptor($wmiSecurityDescriptor)

is supposed to return an object named $wmiSecurityDescriptor, but I cannot figure out why it is not. $RetVal is just a return code that equals 0 if successful, a number if not. I am getting successful return codes, both @error and $RetVal = 0, but my object handle is nowhere to be found.

Bryce
#84931 - 2002-01-21 06:06 PM
Re: WMI
|
Shawn
Administrator
   
Registered: 1999-08-13
Posts: 8611
|
Bryce,

This line:

$RetVal = $wmiFileSecSetting.GetSecurityDescriptor($wmiSecurityDescriptor)

is not very kixtart (scripting) friendly. I don't know what the hell MS was thinking when they designed this sucker. The intent (I think) is to pass $wmiSecurityDescriptor as an empty object variable that is initialized by the COM object itself ... kinda like passing a variable by reference. It works in VBS but probably not a lot of other scripting languages. That is why they came out with these COM reskit utils, like ADsid and ADsSecurity. ADsSecurity handles this nicely, here's a working kixtart version:
Break On

$Security = CreateObject("ADsSecurity")

$SecurityDescriptor = $Security.GetSecurityDescriptor("%temp%")

For Each $ACE in $SecurityDescriptor.DiscretionaryACL
    ?"Name="$ACE.Trustee
    ?"Type="$ACE.AceType
    ?"Mask="$ACE.AccessMask
Next

Exit 1
ADsSecurity is part of the ADSI reskit, available here: ADSI SDK Download

Just unzip ADsSecurity.dll into system32 and run:

regsvr32 adssecurity.dll

This assumes win2000 or windows xp or nt/9x with ADSI already installed.

Hope this helps

-Shawn
#84935 - 2002-01-22 03:36 AM
Re: WMI
|
Bryce
KiX Supporter
   
Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
|
I am making progress..... but this seems to have me stumped. According to the SDK, the access mask returns a flag value obtained from this table.
code:
ADS_RIGHT_GENERIC_READ = 0x80000000,
ADS_RIGHT_GENERIC_WRITE = 0x40000000,
ADS_RIGHT_GENERIC_EXECUTE = 0x20000000,
ADS_RIGHT_GENERIC_ALL = 0x10000000,
ADS_RIGHT_ACCESS_SYSTEM_SECURITY = 0x1000000,
ADS_RIGHT_SYNCHRONIZE = 0x100000,
ADS_RIGHT_WRITE_OWNER = 0x80000,
ADS_RIGHT_WRITE_DAC = 0x40000,
ADS_RIGHT_READ_CONTROL = 0x20000,
ADS_RIGHT_DELETE = 0x10000,
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100,
ADS_RIGHT_DS_LIST_OBJECT = 0x80,
ADS_RIGHT_DS_DELETE_TREE = 0x40,
ADS_RIGHT_DS_WRITE_PROP = 0x20,
ADS_RIGHT_DS_READ_PROP = 0x10,
ADS_RIGHT_DS_SELF = 0x8,
ADS_RIGHT_ACTRL_DS_LIST = 0x4,
ADS_RIGHT_DS_DELETE_CHILD = 0x2,
ADS_RIGHT_DS_CREATE_CHILD = 0x1,

The 0x#, is that the value of the flag in hex? And is the value returned by .AccessMask a base 10 number? I guess my non-programmer roots are showing.

Bryce
#84936 - 2002-01-22 06:27 AM
Re: WMI
|
New Mexico Mark
Hey THIS is FUN
  
Registered: 2002-01-03
Posts: 223
Loc: Columbia, SC
|
Hi Bryce:

You are correct. However, I think it is easier to just think of it as returning a number. So long as it IS a number, internally, the computer always treats it as binary. Decimal and Hex are merely convenient notations for people to use.

Notice that the maximum value returned is 0x80000000. This is 2,147,483,648. Sound familiar? The maximum/minimum values KiXtart can handle are 2,147,483,647 or -2,147,483,648.

Because of this, it sounds like it might be easier to "&" the return value for testing. I frequently use something like this for error codes. I create one error code value, then "|" it with a particular error code bit. It doesn't matter how many times that error occurs, it will only be set once. Then on exit, I can parse the bits in the error code to see which error bits were set.

New Mexico Mark
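The "&" test described above, applied to the flag table quoted earlier in the thread, as an added example in Python (not code from any poster here): it decodes an AccessMask into flag names and normalises the negative number a signed 32-bit host shows when bit 0x80000000 is set. The sample masks and the TAKEOVER selection are constructed assumptions for illustration.

```python
# Flag values copied from the ADS_RIGHT_* table quoted in the thread.
ADS_RIGHTS = {
    "ADS_RIGHT_GENERIC_READ": 0x80000000,
    "ADS_RIGHT_GENERIC_WRITE": 0x40000000,
    "ADS_RIGHT_GENERIC_EXECUTE": 0x20000000,
    "ADS_RIGHT_GENERIC_ALL": 0x10000000,
    "ADS_RIGHT_ACCESS_SYSTEM_SECURITY": 0x1000000,
    "ADS_RIGHT_SYNCHRONIZE": 0x100000,
    "ADS_RIGHT_WRITE_OWNER": 0x80000,
    "ADS_RIGHT_WRITE_DAC": 0x40000,
    "ADS_RIGHT_READ_CONTROL": 0x20000,
    "ADS_RIGHT_DELETE": 0x10000,
    "ADS_RIGHT_DS_CONTROL_ACCESS": 0x100,
    "ADS_RIGHT_DS_LIST_OBJECT": 0x80,
    "ADS_RIGHT_DS_DELETE_TREE": 0x40,
    "ADS_RIGHT_DS_WRITE_PROP": 0x20,
    "ADS_RIGHT_DS_READ_PROP": 0x10,
    "ADS_RIGHT_DS_SELF": 0x8,
    "ADS_RIGHT_ACTRL_DS_LIST": 0x4,
    "ADS_RIGHT_DS_DELETE_CHILD": 0x2,
    "ADS_RIGHT_DS_CREATE_CHILD": 0x1,
}
# Assumption for this example: rights worth flagging in an ACL review,
# because they let the trustee rewrite the DACL or the owner.
TAKEOVER = ("ADS_RIGHT_GENERIC_ALL", "ADS_RIGHT_WRITE_DAC", "ADS_RIGHT_WRITE_OWNER")

def to_unsigned32(mask):
    """Map a signed 32-bit value (e.g. -2147483648) onto 0..2**32-1."""
    return mask & 0xFFFFFFFF

def decode_mask(mask):
    """Return (names of the flags set in mask, bits not covered by the table)."""
    value = to_unsigned32(mask)
    names = [name for name, bit in ADS_RIGHTS.items() if value & bit]
    known = 0
    for bit in ADS_RIGHTS.values():
        known |= bit
    return names, value & ~known & 0xFFFFFFFF

def takeover_rights(mask):
    """Names from TAKEOVER that are present in mask."""
    names, _ = decode_mask(mask)
    return [name for name in names if name in TAKEOVER]

if __name__ == "__main__":
    # Constructed sample masks, printed the way a script would receive them.
    for sample in (2032127, -2147483648, 0x10200):
        names, unknown = decode_mask(sample)
        print(sample, hex(to_unsigned32(sample)), names, hex(unknown),
              takeover_rights(sample))
```
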