
Set ACL on windows Objects

28 posts in this topic

Posted (edited)

Set ACL properties in Windows

Several users in the help forum wondered how to set ACL properties in Windows by means of a script.

For those who don't know what an ACL is:

Access Control List. An Access Control List is a list attached to an object such as a file, printer, AD object, etc. It consists of control expressions, each of which grants or denies some ability to a particular user, group of users or object.

More info : http://www.pluralsight.com/wiki/default.as...edSecurity.html

Well, there are several ways of doing this, but one easy way is to use the SetACL COM object.

SetACL in Windows

This also comes along with a command-line tool.

This is a quick example on how to get started.

;SetACL $ACCESS Modes
Const $DENY_ACCESS = 3
Const $GRANT_ACCESS = 1
Const $REVOKE_ACCESS = 4
Const $SET_ACCESS = 2
Const $SET_AUDIT_FAILURE = 6
Const $SET_AUDIT_SUCCESS = 5

;SetACL Actions
Const $ACTN_ADDACE = 1
Const $ACTN_CLEARDACL = 16
Const $ACTN_CLEARSACL = 32
Const $ACTN_COPYDOMAIN = 1024
Const $ACTN_COPYTRUSTEE = 1024
Const $ACTN_DOMAIN = 8192
Const $ACTN_LIST = 2
Const $ACTN_REMOVEDOMAIN = 512
Const $ACTN_REMOVETRUSTEE = 512
Const $ACTN_REPLACEDOMAIN = 256
Const $ACTN_REPLACETRUSTEE = 256
Const $ACTN_RESETCHILDPERMS = 128
Const $ACTN_RESTORE = 2048
Const $ACTN_SETGROUP = 8
Const $ACTN_SETINHFROMPAR = 64
Const $ACTN_SETOWNER = 4
Const $ACTN_TRUSTEE = 4096

;SetACL Inheritance Values
Const $INHPARCOPY = 2
Const $INHPARNOCHANGE = 0
Const $INHPARNOCOPY = 4
Const $INHPARYES = 1

;SetACL $LIST Formats
Const $LIST_CSV = 1
Const $LIST_SDDL = 0
Const $LIST_TAB = 2

;SetACL $LIST Names
Const $LIST_NAME = 1
Const $LIST_NAME_SID = 3
Const $LIST_SID = 2

;SetACL Recursion
Const $RECURSE_CONT = 2
Const $RECURSE_CONT_OBJ = 6
Const $RECURSE_NO = 1
Const $RECURSE_OBJ = 4

;SetACL Return Codes
Const $RTN_ERR_ADD_ACE = 32
Const $RTN_ERR_CONVERT_SD = 27
Const $RTN_ERR_COPY_ACL = 31
Const $RTN_ERR_CREATE_SD = 45
Const $RTN_ERR_DEL_ACE = 30
Const $RTN_ERR_DIS_PRIV = 13
Const $RTN_ERR_EN_PRIV = 12
Const $RTN_ERR_FINDFILE = 16
Const $RTN_ERR_GENERAL = 2
Const $RTN_ERR_GET_SD_CONTROL = 17
Const $RTN_ERR_GETSECINFO = 5
Const $RTN_ERR_IGNORED = 44
Const $RTN_ERR_INTERNAL = 18
Const $RTN_ERR_INV_DIR_PERMS = 7
Const $RTN_ERR_INV_DOMAIN = 43
Const $RTN_ERR_INV_PRN_PERMS = 8
Const $RTN_ERR_INV_REG_PERMS = 9
Const $RTN_ERR_INV_SHR_PERMS = 11
Const $RTN_ERR_INV_SVC_PERMS = 10
Const $RTN_ERR_INVALID_SD = 38
Const $RTN_ERR_LIST_ACL = 28
Const $RTN_ERR_LIST_FAIL = 15
Const $RTN_ERR_LIST_OPTIONS = 26
Const $RTN_ERR_LOOKUP_SID = 6
Const $RTN_ERR_LOOP_ACL = 29
Const $RTN_ERR_NO_LOGFILE = 33
Const $RTN_ERR_NO_NOTIFY = 14
Const $RTN_ERR_OBJECT_NOT_SET = 4
Const $RTN_ERR_OPEN_LOGFILE = 34
Const $RTN_ERR_OS_NOT_SUPPORTED = 37
Const $RTN_ERR_OUT_OF_MEMORY = 46
Const $RTN_ERR_PARAMS = 3
Const $RTN_ERR_PREPARE = 24
Const $RTN_ERR_READ_LOGFILE = 35
Const $RTN_ERR_REG_CONNECT = 21
Const $RTN_ERR_REG_ENUM = 23
Const $RTN_ERR_REG_OPEN = 22
Const $RTN_ERR_REG_PATH = 20
Const $RTN_ERR_SET_SD_DACL = 39
Const $RTN_ERR_SET_SD_GROUP = 42
Const $RTN_ERR_SET_SD_OWNER = 41
Const $RTN_ERR_SET_SD_SACL = 40
Const $RTN_ERR_SETENTRIESINACL = 19
Const $RTN_ERR_SETSECINFO = 25
Const $RTN_ERR_WRITE_LOGFILE = 36
Const $RTN_ERR_OK = 0
Const $RTN_ERR_USAGE = 1

;SetACL $SD Info
Const $ACL_DACL = 1
Const $ACL_SACL = 2
Const $SD_GROUP = 8
Const $SD_OWNER = 4

;SetACL $OBJECT Types
Const $SE_FILE_OBJECT = 1
Const $SE_LMSHARE = 5
Const $SE_PRINTER = 3
Const $SE_REGISTRY_KEY = 4
Const $SE_SERVICE = 2

; File whose DACL will be changed (backslashes restored; the forum display stripped them)
$strFileName = "C:\Tmp\Results1.txt"
$strUsername = "Users"
$strPermission = "change"

; SetACL.ocx must be registered with regsvr32 before ObjCreate can resolve this ProgID
$SetACL1 = ObjCreate("SetACL.SetACLCtrl.1")

If IsObj($SetACL1) Then

	With $SetACL1
		; Every call returns one of the $RTN_ERR_* codes above; stop at the first failure
		$nError = .SetObject($strFileName, $SE_FILE_OBJECT)
		If $nError = $RTN_ERR_OK Then $nError = .SetAction($ACTN_ADDACE)
		; AddACE(Trustee, IsSID, Permissions, Inheritance, InhSpecified, AccessMode, ACLType)
		If $nError = $RTN_ERR_OK Then $nError = .AddACE($strUsername, 0, $strPermission, $INHPARNOCHANGE, 0, $GRANT_ACCESS, $ACL_DACL)
		If $nError = $RTN_ERR_OK Then $nError = .Run()
	EndWith
	If $nError <> $RTN_ERR_OK Then MsgBox(0, "Error", "SetACL returned code " & $nError)

Else
	MsgBox(0, "Error", "No Object Found")
EndIf

Another tool is of course the famous MS CACLS.

Enjoy !!

regards

ptrex

Edited by ptrex




Posted (edited)

Nice! I was hoping to find how to internalize SetACL.exe command line functions into a script without the need for the external executable.

New toy to play with! Merry Christmas!

:)

P.S. Requires SetACL ActiveX (SetACL.ocx) to provide the COM interface.

Edited by PsaltyDS


Posted

Very nice! Thank you for this find :)


Posted

@all

You are welcome !!

See you all around. :)

regards,

ptrex


Posted

A good script.


Posted

@all

You are welcome !!

See you all around. :)

regards,

ptrex

Great ptrex :P How about registry permissions? Is there a similar VBS script which can be translated?


Posted

@Microsoft

Lots of good stuff around here :P

@MadBoy

Change :

.SetObject($strFileName, $SE_FILE_OBJECT)

Be careful messing around with the REGISTRY !! :)

Best make a restore point before playing around.

Regards

ptrex


Posted

@Microsoft

Lots of good stuff around here :P

@MadBoy

Change :

.SetObject($strFileName, $SE_FILE_OBJECT)

Be careful messing around with the REGISTRY !! :)

Best make a restore point before playing around.

Regards

ptrex

Hehe :) Ever thought about making this a UDF? :)


Posted

@MadBoy

Time is my only enemy :)

So give it a try.

regards,

ptrex


Posted

Hello ptrex,

Do you know how to remove an account with the SID "everyone"?

Like this that works :

$nError = .SetObject("C:\1.txt", 1)  
$nError = .SetAction(4096)  
$nError = .AddTrustee("Everyone", "", False, False, 512, True, False)  
$nError = .Run

...but if i put the SID for everyone (in french "Tout le monde") like this :

$nError = .SetObject("C:\1.txt", 1)  
$nError = .SetAction(4096)  
$nError = .AddTrustee("S-1-1-0", 1, False, False, 512, True, False)  
$nError = .Run

...that doesn't work.

I asked the question on SetACL's forum but it looks dead :)

Thanks for any idea ;)


Posted

Where do you find documentation on the functions of the COM object? I looked all over the project's pages, but could not find any docs on it, just the command line version. TIA


Posted

There's no doc for this ActiveX, not many examples and no support. That is the problem :)


Posted

Well, the author gave me the answer:

The correct syntax to remove a SID on a file (with the SID) is like this:

  $nError = .SetObject("C:\1.txt", 1)
  $nError = .SetAction(4096)
  $nError = .AddTrustee("S-1-1-0", "", True, False, 512, True, False)
  $nError = .Run

You can find the different SIDs on this page: http://support.microsoft.com/kb/243330/en

I hope this helps.


Posted (edited)

This looks very interesting and something I could use in most of my scripts.

A large number of AutoIt scripts are used for deploying applications here at work.

CACLS works but this looks much nicer to work with. However, I have never implemented a COM object in one of my scripts.

I think I can understand how to make a change but I don't understand how AutoIt knows where to find the OCX. Do I need to register it somehow first?

Would someone mind posting a quick example of how I would set an actual ACL entry within an AutoIt script?

Thanks,

Kenny

Edited by ken82m


Posted

@ken82m

Indeed, after downloading the COM file.

You will have to register it in your machine using the "Regsvr32" command.

This needs to be done on each PC, that you intend to use the scripts on.

Regards

ptrex


Posted

Got it, great work on this! :)

Definitely gonna make my life easier.

Do you know of any RC's to verify the ACL has been changed?

I tried checking the $nError after .Run but it always seems to return 0 no matter what happens.

Thanks,

Kenny


Posted (edited)

@ken82m

Isn't that what the Security Event Log is meant for?

How to set Security Event Logs - ACE

regards

ptrex

Edited by ptrex
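An added example, not code from the original posts or from SetACL itself, that ties the thread together: the AddACE sequence from the first post, the AddTrustee SID-removal syntax the author confirmed above, and a reply to the return-code question above that reads the DACL back with icacls instead of trusting Run's return value. The constant values and the AddACE/AddTrustee argument orders come from the posted calls; the helper names, the file path, the $STDOUT_CHILD constant (AutoIt 3.3.10 or later) and the presence of icacls are my assumptions.

```autoit
#include <AutoItConstants.au3>   ; $STDOUT_CHILD (AutoIt 3.3.10 or later)
; Values from the SetACL constant tables posted at the top of the thread;
; 512 is the AddTrustee "remove" action used in the SID-removal post.
Global Const $SE_FILE_OBJECT = 1, $ACTN_ADDACE = 1, $ACTN_TRUSTEE = 4096, $TRUSTEE_REMOVE = 512
Global Const $GRANT_ACCESS = 1, $ACL_DACL = 1, $INHPARNOCHANGE = 0, $RTN_ERR_OK = 0

; Create the COM object (SetACL.ocx must be registered with regsvr32 first) and bind it to $sPath.
Func _SetACL_Open($sPath, $iObjType)
    Local $oACL = ObjCreate("SetACL.SetACLCtrl.1")
    If Not IsObj($oACL) Then Return SetError(1, 0, 0)
    If $oACL.SetObject($sPath, $iObjType) <> $RTN_ERR_OK Then Return SetError(2, 0, 0)
    Return $oACL
EndFunc

; Grant $sPerm ("read", "change", "full", ...) to $sTrustee on the object's DACL. Every SetACL
; call returns a $RTN_ERR_* code; the first non-zero one aborts with its step number in @error.
Func _SetACL_Grant($sPath, $iObjType, $sTrustee, $sPerm)
    Local $oACL = _SetACL_Open($sPath, $iObjType)
    If @error Then Return SetError(@error, 0, False)
    If $oACL.SetAction($ACTN_ADDACE) <> $RTN_ERR_OK Then Return SetError(10, 0, False)
    ; AddACE(Trustee, IsSID, Permissions, Inheritance, InhSpecified, AccessMode, ACLType)
    If $oACL.AddACE($sTrustee, False, $sPerm, $INHPARNOCHANGE, False, $GRANT_ACCESS, $ACL_DACL) <> $RTN_ERR_OK Then Return SetError(11, 0, False)
    If $oACL.Run() <> $RTN_ERR_OK Then Return SetError(12, 0, False)
    Return True
EndFunc

; Remove every ACE held by a trustee given as a SID string, e.g. "S-1-1-0" (Everyone),
; with the AddTrustee argument order the SetACL author confirmed in this thread.
Func _SetACL_RemoveTrusteeBySID($sPath, $iObjType, $sSID)
    Local $oACL = _SetACL_Open($sPath, $iObjType)
    If @error Then Return SetError(@error, 0, False)
    If $oACL.SetAction($ACTN_TRUSTEE) <> $RTN_ERR_OK Then Return SetError(10, 0, False)
    ; AddTrustee(Trustee, NewTrustee, IsSID, NewIsSID, Action, DACL, SACL)
    If $oACL.AddTrustee($sSID, "", True, False, $TRUSTEE_REMOVE, True, False) <> $RTN_ERR_OK Then Return SetError(11, 0, False)
    If $oACL.Run() <> $RTN_ERR_OK Then Return SetError(12, 0, False)
    Return True
EndFunc

; Independent check for files: read the DACL back with icacls (in Windows since Vista) and
; look for the trustee name, rather than relying on Run's return code alone.
Func _ACL_FileListsTrustee($sPath, $sTrustee)
    Local $iPID = Run('icacls "' & $sPath & '"', "", @SW_HIDE, $STDOUT_CHILD), $sOut = ""
    While 1
        $sOut &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd
    ProcessWaitClose($iPID)
    Return StringInStr($sOut, $sTrustee) > 0
EndFunc

; Usage with a constructed path: grant change to Users, verify, then strip Everyone and re-check.
Global $sFile = "C:\Tmp\Results1.txt"
If Not _SetACL_Grant($sFile, $SE_FILE_OBJECT, "Users", "change") Then ConsoleWrite("Grant failed at step " & @error & @CRLF)
ConsoleWrite("Users listed by icacls: " & _ACL_FileListsTrustee($sFile, "Users") & @CRLF)
If _SetACL_RemoveTrusteeBySID($sFile, $SE_FILE_OBJECT, "S-1-1-0") Then ConsoleWrite("Everyone still listed: " & _ACL_FileListsTrustee($sFile, "Everyone") & @CRLF)
```

For a registry key, pass $SE_REGISTRY_KEY (4) as the object type and a path such as the ones SetACL's command-line docs use; the icacls check only applies to file system objects.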


Posted (edited)

I'm pretty sure I know the answer, but what is the possibility of the AutoIt devs using this guy's source code and implementing internal ACL/ACE functionality in AutoIt, so we don't have to use external EXEs or register DLLs?

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers, where we currently use robocopy to make ACL/ACE backups to zero-byte files off-site (robo switches: /copy:ATSOU /create), due to a particular site's local info sec not fully understanding security (it always falls on my group to correct their mistakes), and that CHKDSK bug a while back that reset all ACLs on an entire volume to defaults.

I use AutoIt to run multiple concurrent robos to expedite the process (then parse the logs and email a summary of errors), and that seems fairly efficient, but it would be very cool if I could grab the ACLs/ACEs with AutoIt and store them in a database or something without registering an external DLL/OCX.

Alternatively, is it possible to use this DLL as a plugin, so its functionality could be tapped without registering it? Edit: Never mind, I see ptrex's RegFreeCOM Au3X Example.

I just came across this topic via ptrex's sig, so if there's already an answer to this problem, I apologize.

Edited by c0deWorm


Posted

I'm pretty sure I know the answer, but what is the possibility of the AutoIt devs using this guy's source code and implementing internal ACL/ACE functionality in AutoIt, so we don't have to use external EXEs or register DLLs?

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers...

Isn't CACLS already on each and every computer and well documented by Microsoft? Why reinvent the wheel?


Posted

I need a complete example :P please


Posted

@stones

Here is an example SetACL

And Google is your friend. :P

Regards

ptrex


Posted (edited)

#include <ButtonConstants.au3>
#include <ComboConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
OPT("GUIOnEventMode", 1)
#Region ### START Koda GUI section ### Form=
$form1 = GUICreate("BORN-2-KICK",347, 284 )
GUISetFont(7, 400, 0, "MS Serif")
$Input1 = GUICtrlCreateInput("", 8, 32, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 01 HERE!!")
$Input2 = GUICtrlCreateInput("", 8, 52, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 02 HERE!!")
$Input3 = GUICtrlCreateInput("", 8, 72, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 03 HERE!!")
$Input4 = GUICtrlCreateInput("", 8, 92, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 04 HERE!!")
$Input5 = GUICtrlCreateInput("", 8, 112, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 05 HERE!!")
$Input6 = GUICtrlCreateInput("", 77, 32, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 06 HERE!!")
$Input7 = GUICtrlCreateInput("", 77, 52, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 07 HERE!!")
$Input8 = GUICtrlCreateInput("", 77, 72, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 08 HERE!!")
$Input9 = GUICtrlCreateInput("", 77, 92, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 09 HERE!!")
$Input10 = GUICtrlCreateInput("", 77, 112, 65, 19)
GUICtrlSetColor(-1, 0xFFFFFF)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ENTER YOUR ID 10 HERE!!")
$Input11 = GUICtrlCreateInput("", 8, 132, 135, 19, BitOR($ES_CENTER,$ES_AUTOHSCROLL))
GUICtrlSetTip(-1, "ENTER YOUR PASSWORD HERE!!")
$Button1 = GUICtrlCreateButton("SAVE", 8, 152, 65, 17)
GUICtrlSetCursor (-1, 0)
$Button2 = GUICtrlCreateButton("CLEAR", 78, 152, 65, 17)
GUICtrlSetCursor (-1, 0)
$Input12 = GUICtrlCreateInput("", 8, 172, 65, 19)
GUICtrlSetBkColor(-1, 0xC0C0C0)
GUICtrlSetTip(-1, "PROTECT ID 01")
$Input13 = GUICtrlCreateInput("", 8, 192, 65, 19)
GUICtrlSetBkColor(-1, 0xC0C0C0)
GUICtrlSetTip(-1, "PROTECT ID 02")
$Input14 = GUICtrlCreateInput("", 8, 212, 65, 19)
GUICtrlSetBkColor(-1, 0xC0C0C0)
GUICtrlSetTip(-1, "PROTECT ID 03")
$Input15 = GUICtrlCreateInput("", 8, 232, 65, 19)
GUICtrlSetBkColor(-1, 0xC0C0C0)
GUICtrlSetTip(-1, "PROTECT ID 04")
$Input16 = GUICtrlCreateInput("", 8, 252, 65, 19)
GUICtrlSetBkColor(-1, 0xC0C0C0)
GUICtrlSetTip(-1, "PROTECT ID 05")
$Button3 = GUICtrlCreateButton("OPEN", 78, 172, 65, 17)
GUICtrlSetCursor (-1, 0)
$Button4 = GUICtrlCreateButton("CLOSE", 78, 192, 65, 17)
GUICtrlSetCursor (-1, 0)
$Button5 = GUICtrlCreateButton("RE-Login", 78, 212, 65, 17)
GUICtrlSetCursor (-1, 0)
$Button6 = GUICtrlCreateButton("Cek Balance", 78, 233, 65, 17)
GUICtrlSetCursor (-1, 0)
$Input17 = GUICtrlCreateInput("350", 152, 32, 89, 19, BitOR($ES_CENTER,$ES_AUTOHSCROLL))
GUICtrlSetTip(-1, "DELAY")
$Input18 = GUICtrlCreateInput("74.217.68.1", 78, 252, 64, 19, BitOR($ES_CENTER,$ES_AUTOHSCROLL))
GUICtrlSetColor(-1, 0xFF0000)
GUICtrlSetBkColor(-1, 0xA0A0A4)
$Input19 = GUICtrlCreateInput("ROOM", 248, 32, 89, 19, BitOR($ES_CENTER,$ES_AUTOHSCROLL))
GUICtrlSetColor(-1, 0xFF0000)
GUICtrlSetBkColor(-1, 0x000000)
GUICtrlSetTip(-1, "ROOM")
$Button7 = GUICtrlCreateButton("ENTER", 248, 53, 41, 17)
GUICtrlSetCursor (-1, 0)
$Button8 = GUICtrlCreateButton("LEAVE", 296, 53, 41, 17)
GUICtrlSetCursor (-1, 0)
$Button9 = GUICtrlCreateButton("Get List", 152, 53, 89, 17)
GUICtrlSetCursor (-1, 0)
$Button10 = GUICtrlCreateButton("KILL", 152, 212, 89, 41)
GUICtrlSetFont(-1, 24, 400, 0, "MS Serif")
GUICtrlSetCursor (-1, 0)
$Input20 = GUICtrlCreateInput("", 248, 72, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 01")
$Input21 = GUICtrlCreateInput("", 248, 92, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 02")
$Input22 = GUICtrlCreateInput("", 248, 112, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 03")
$Input23 = GUICtrlCreateInput("", 248, 132, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 04")
$Input24 = GUICtrlCreateInput("", 248, 152, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 05")
$Input25 = GUICtrlCreateInput("", 248, 172, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 06")
$Input26 = GUICtrlCreateInput("", 248, 192, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 07")
$Input27 = GUICtrlCreateInput("", 248, 212, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 08")
$Input28 = GUICtrlCreateInput("", 248, 232, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 09")
$Input29 = GUICtrlCreateInput("", 248, 252, 89, 19)
GUICtrlSetTip(-1, "TARGET KICK 10")
$Button11 = GUICtrlCreateButton("EXIT", 152, 256, 89, 17)
GUICtrlSetCursor (-1, 0)
$Button12 = GUICtrlCreateButton("READY", 152, 192, 89, 17)
GUICtrlSetCursor (-1, 0)
$Group1 = GUICtrlCreateGroup("Get Timer IN", 152, 144, 89, 41, $BS_CENTER)
$Radio1 = GUICtrlCreateRadio("60s", 160, 160, 33, 17)
GUICtrlSetState(-1, $GUI_CHECKED)
$Radio2 = GUICtrlCreateRadio("40s", 200, 160, 33, 17)
GUICtrlSetState(-1, $GUI_DISABLE)
GUICtrlSetTip(-1, "Activ For Next Version")
GUICtrlCreateGroup("", -99, -99, 1, 1)
$Button13 = GUICtrlCreateButton("About", 200, 122, 41, 17)
GUICtrlSetCursor (-1, 4)
$Button14 = GUICtrlCreateButton("B-2-K", 152, 120, 41, 17)
GUICtrlSetCursor (-1, 4)
$Group2 = GUICtrlCreateGroup("MODE WAR", 152, 72, 89, 41, $BS_CENTER)
$Radio3 = GUICtrlCreateRadio("A", 160, 88, 25, 17)
GUICtrlSetState(-1, $GUI_CHECKED)
$Radio4 = GUICtrlCreateRadio("B", 200, 88, 25, 17)
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
	$Delay = IniRead("SET-01.ini", "modified by autoiters", "Delay", "")
	Sleep(200)
	If WinExists("BORN-2-KICK", "") Then
		WinClose("BORN-2-KICK", "")
	EndIf
WEnd

This is my script, and please, I need a SetACL example for this script; I don't understand the samples in the forum....

Thanks, and please help me.

Edited by stones


Posted

@stones,

I don't see where in your script you would ever need the SetACL function?

regards

ptrex


Posted

@stones,

I don't see where in your script you would ever need the SetACL function?

regards

ptrex

Yes, I need the SetACL function for my script...

Please help me...

Please give me an example of SetACL with my script.

Thanks in advance, ptrex.


Posted

@stones

I cannot help you, since I don't see where in your script you are using SetACL.

Regards

ptrex
