Set ACL on windows Objects


27 replies to this topic

#1 ptrex

ptrex

    Universalist

  • MVPs
  • 2,419 posts

Posted 07 August 2007 - 07:59 AM

Set ACL properties in Windows

Several users in the help forum wondered how to set ACL properties in Windows by means of a script.

For those who don't know what an ACL is:

Access Control List. An Access Control List is a list attached to an object such as a file, printer, AD object, ... . It consists of control expressions, each of which grants or denies some ability to a particular user or group of users or object.
More info : http://www.pluralsight.com/wiki/default.as...edSecurity.html

Well, there are several ways of doing this, but one easy way is to use the SetACL COM object.

SetACL in Windows
This also comes with a command-line tool.

This is a quick example on how to get started.

AutoIt
; SetACL $ACCESS modes
Const $DENY_ACCESS = 3
Const $GRANT_ACCESS = 1
Const $REVOKE_ACCESS = 4
Const $SET_ACCESS = 2
Const $SET_AUDIT_FAILURE = 6
Const $SET_AUDIT_SUCCESS = 5

; SetACL actions
Const $ACTN_ADDACE = 1
Const $ACTN_CLEARDACL = 16
Const $ACTN_CLEARSACL = 32
Const $ACTN_COPYDOMAIN = 1024
Const $ACTN_COPYTRUSTEE = 1024
Const $ACTN_DOMAIN = 8192
Const $ACTN_LIST = 2
Const $ACTN_REMOVEDOMAIN = 512
Const $ACTN_REMOVETRUSTEE = 512
Const $ACTN_REPLACEDOMAIN = 256
Const $ACTN_REPLACETRUSTEE = 256
Const $ACTN_RESETCHILDPERMS = 128
Const $ACTN_RESTORE = 2048
Const $ACTN_SETGROUP = 8
Const $ACTN_SETINHFROMPAR = 64
Const $ACTN_SETOWNER = 4
Const $ACTN_TRUSTEE = 4096

; SetACL inheritance values
Const $INHPARCOPY = 2
Const $INHPARNOCHANGE = 0
Const $INHPARNOCOPY = 4
Const $INHPARYES = 1

; SetACL $LIST formats
Const $LIST_CSV = 1
Const $LIST_SDDL = 0
Const $LIST_TAB = 2

; SetACL $LIST names
Const $LIST_NAME = 1
Const $LIST_NAME_SID = 3
Const $LIST_SID = 2

; SetACL recursion
Const $RECURSE_CONT = 2
Const $RECURSE_CONT_OBJ = 6
Const $RECURSE_NO = 1
Const $RECURSE_OBJ = 4

; SetACL return codes
Const $RTN_ERR_ADD_ACE = 32
Const $RTN_ERR_CONVERT_SD = 27
Const $RTN_ERR_COPY_ACL = 31
Const $RTN_ERR_CREATE_SD = 45
Const $RTN_ERR_DEL_ACE = 30
Const $RTN_ERR_DIS_PRIV = 13
Const $RTN_ERR_EN_PRIV = 12
Const $RTN_ERR_FINDFILE = 16
Const $RTN_ERR_GENERAL = 2
Const $RTN_ERR_GET_SD_CONTROL = 17
Const $RTN_ERR_GETSECINFO = 5
Const $RTN_ERR_IGNORED = 44
Const $RTN_ERR_INTERNAL = 18
Const $RTN_ERR_INV_DIR_PERMS = 7
Const $RTN_ERR_INV_DOMAIN = 43
Const $RTN_ERR_INV_PRN_PERMS = 8
Const $RTN_ERR_INV_REG_PERMS = 9
Const $RTN_ERR_INV_SHR_PERMS = 11
Const $RTN_ERR_INV_SVC_PERMS = 10
Const $RTN_ERR_INVALID_SD = 38
Const $RTN_ERR_LIST_ACL = 28
Const $RTN_ERR_LIST_FAIL = 15
Const $RTN_ERR_LIST_OPTIONS = 26
Const $RTN_ERR_LOOKUP_SID = 6
Const $RTN_ERR_LOOP_ACL = 29
Const $RTN_ERR_NO_LOGFILE = 33
Const $RTN_ERR_NO_NOTIFY = 14
Const $RTN_ERR_OBJECT_NOT_SET = 4
Const $RTN_ERR_OPEN_LOGFILE = 34
Const $RTN_ERR_OS_NOT_SUPPORTED = 37
Const $RTN_ERR_OUT_OF_MEMORY = 46
Const $RTN_ERR_PARAMS = 3
Const $RTN_ERR_PREPARE = 24
Const $RTN_ERR_READ_LOGFILE = 35
Const $RTN_ERR_REG_CONNECT = 21
Const $RTN_ERR_REG_ENUM = 23
Const $RTN_ERR_REG_OPEN = 22
Const $RTN_ERR_REG_PATH = 20
Const $RTN_ERR_SET_SD_DACL = 39
Const $RTN_ERR_SET_SD_GROUP = 42
Const $RTN_ERR_SET_SD_OWNER = 41
Const $RTN_ERR_SET_SD_SACL = 40
Const $RTN_ERR_SETENTRIESINACL = 19
Const $RTN_ERR_SETSECINFO = 25
Const $RTN_ERR_WRITE_LOGFILE = 36
Const $RTN_ERR_OK = 0
Const $RTN_ERR_USAGE = 1

; SetACL $SD info
Const $ACL_DACL = 1
Const $ACL_SACL = 2
Const $SD_GROUP = 8
Const $SD_OWNER = 4

; SetACL $OBJECT types
Const $SE_FILE_OBJECT = 1
Const $SE_LMSHARE = 5
Const $SE_PRINTER = 3
Const $SE_REGISTRY_KEY = 4
Const $SE_SERVICE = 2

; Grant the local Users group "change" (Modify) on a single file
$strFileName = "C:\Tmp\Results1.txt"
$strUsername = "Users"
$strPermission = "change"

; Needs the SetACL ActiveX (SetACL.ocx) registered on this machine
$SetACL1 = ObjCreate("SetACL.SetACLCtrl.1")
If IsObj($SetACL1) Then
    With $SetACL1
        $nError = .SetObject($strFileName, $SE_FILE_OBJECT)
        $nError = .SetAction($ACTN_ADDACE)
        ; AddACE(trustee, trustee-is-SID, permission, inheritance, inheritance-specified, access mode, ACL type)
        $nError = .AddACE($strUsername, 0, $strPermission, $INHPARNOCHANGE, 0, $GRANT_ACCESS, $ACL_DACL)
        $nError = .Run()
    EndWith
    If $nError <> $RTN_ERR_OK Then MsgBox(0, "Error", "SetACL returned " & $nError)
Else
    MsgBox(0, "Error", "No Object Found")
EndIf


Another tool is of course the famous MS CACLS.

Enjoy !!

regards

ptrex

Edited by ptrex, 14 September 2012 - 09:36 AM.








#2 PsaltyDS

PsaltyDS

    Most Venerable Penguin

  • MVPs
  • 13,279 posts

Posted 07 August 2007 - 01:12 PM

Nice! I was hoping to find how to internalize SetACL.exe command line functions into a script without the need for the external executable.

New toy to play with! Merry Christmas!

:)

P.S. Requires SetACL ActiveX (SetACL.ocx) to provide the COM interface.

Edited by PsaltyDS, 07 August 2007 - 01:37 PM.

Valuater's AutoIt 1-2-3, Class... Is now in Session! For those who want somebody to write the script for them: RentACoder. "Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

#3 Toady

Toady

    Easy there turbo...

  • Active Members
  • 698 posts

Posted 07 August 2007 - 01:16 PM

Very nice! Thank you for this find :)
www.itoady.com (Go here to download the MacroGamer installer)

#4 ptrex

ptrex

    Universalist

  • MVPs
  • 2,419 posts

Posted 07 August 2007 - 03:16 PM

@all

You are welcome !!

See you all around. :)

regards,

pterex

#5 microsoft

microsoft

    Wayfarer

  • Active Members
  • 67 posts

Posted 09 August 2007 - 07:15 AM

a good script

#6 MadBoy

MadBoy

    Universalist

  • Active Members
  • 829 posts

Posted 09 August 2007 - 08:53 AM

@all

You are welcome !!

See you all around. :)

regards,

pterex

Great, ptrex :P How about registry permissions? Is there a similar VBS script which can be translated?

#7 ptrex

ptrex

    Universalist

  • MVPs
  • 2,419 posts

Posted 09 August 2007 - 09:27 AM

@Microsoft

Lots of good stuff around here :P

@MadBoy

Change :
.SetObject($strFileName, $SE_FILE_OBJECT)


Be careful messing around with the REGISTRY !! :)
Best make a restore point before playing around.

Regards

ptrex

#8 MadBoy

MadBoy

    Universalist

  • Active Members
  • 829 posts

Posted 09 August 2007 - 02:15 PM

@Microsoft

Lots of good stuff around here :P

@MadBoy

Change :

.SetObject($strFileName, $SE_FILE_OBJECT)


Be careful messing around with the REGISTRY !! :)
Best make a restore point before playing around.

Regards

ptrex

Hehe :) Ever thought about making this a UDF? :)

#9 ptrex

ptrex

    Universalist

  • MVPs
  • 2,419 posts

Posted 09 August 2007 - 03:00 PM

@MadBoy

Time is my only enemy :)

So give it a try.

regards,

ptrex

#10 FrenchTroll

FrenchTroll

    Wayfarer

  • Active Members
  • 51 posts

Posted 23 August 2007 - 01:44 PM

Hello ptrex,

Do you know how to remove an account with the SID "everyone"?

Like this, that works:

$nError = .SetObject("C:\1.txt", 1)            ; 1 = $SE_FILE_OBJECT
$nError = .SetAction(4096)                     ; 4096 = $ACTN_TRUSTEE
$nError = .AddTrustee("Everyone", "", False, False, 512, True, False)   ; 512 = $ACTN_REMOVETRUSTEE, DACL only
$nError = .Run()


...but if I put the SID for Everyone (in French "Tout le monde") like this:

$nError = .SetObject("C:\1.txt", 1)
$nError = .SetAction(4096)
$nError = .AddTrustee("S-1-1-0", 1, False, False, 512, True, False)
$nError = .Run()


...that doesn't work.

I asked the question on SetACL's forum but it looks dead :)

Thanks for any idea ;)

#11 Klaatu

Klaatu

    Prodigy

  • Active Members
  • 198 posts

Posted 23 August 2007 - 05:31 PM

Where do you find documentation on the functions of the COM object? I looked all over the project's pages, but could not find any docs on it, just the command line version. TIA
My Projects: DebugIt - Debug your AutoIt scripts with DebugIt!

#12 FrenchTroll

FrenchTroll

    Wayfarer

  • Active Members
  • 51 posts

Posted 23 August 2007 - 05:51 PM

There's no doc for this ActiveX, not many examples and no support. That is the problem :)

#13 FrenchTroll

FrenchTroll

    Wayfarer

  • Active Members
  • 51 posts

Posted 23 August 2007 - 08:44 PM

Well, the author gave me the answer:

The correct syntax to remove a SID on a file (with the SID) is like this:

$nError = .SetObject("C:\1.txt", 1)            ; 1 = $SE_FILE_OBJECT
$nError = .SetAction(4096)                     ; 4096 = $ACTN_TRUSTEE
$nError = .AddTrustee("S-1-1-0", "", True, False, 512, True, False)   ; IsSID = True, 512 = $ACTN_REMOVETRUSTEE
$nError = .Run()


You can find the different SIDs on this page: http://support.microsoft.com/kb/243330/en

I hope this helps.

#14 ken82m

ken82m

    Universalist

  • Active Members
  • 628 posts

Posted 11 October 2007 - 01:59 PM

This looks very interesting and something I could use in most of my scripts.
A large number of AutoIt scripts are used for deploying applications here at work.

CACLS works but this looks much nicer to work with. However, I have never implemented a COM object in one of my scripts.

I think I can understand how to make a change but I don't understand how AutoIt knows where to find the OCX. Do I need to register it somehow first?

Would someone mind posting a quick example of how I would set an actual ACL entry within an AutoIt script?


Thanks,

Kenny

Edited by ken82m, 11 October 2007 - 02:16 PM.

My Contributions: PC Builders Console - Secure PDF Creator - Cisco VPN Installer - MS DNS Server Backup Script - MS DHCP Backup Script - IT Admin Console - Toggle Admin Mode - MyMovies-Add Discs Script - IT Help Desk and System Information Tool - Set On Lid Close Power Option - Streaming Media Server & Website. "I believe that when we leave a place, part of it goes with us and part of us remains... Go anywhere, when it is quiet, and just listen.. After a while, you will hear the echoes of all our conversations, every thought and word we've exchanged.... Long after we are gone our voices will linger in these walls for as long as this place remains."

#15 ptrex

ptrex

    Universalist

  • MVPs
  • 2,419 posts

Posted 11 October 2007 - 03:27 PM

@ken82m

Indeed, after downloading the COM file.

You will have to register it in your machine using the "Regsvr32" command.

This needs to be done on each PC, that you intend to use the scripts on.

Regards

ptrex

#16 ken82m

ken82m

    Universalist

  • Active Members
  • 628 posts

Posted 11 October 2007 - 04:13 PM

Got it, great work on this! :)

Definitely gonna make my life easier.


Do you know of any RCs to verify the ACL has been changed?
I tried checking the $nError after .Run but it always seems to return 0 no matter what happens.


Thanks,

Kenny

#17 ptrex

ptrex

    Universalist

  • MVPs
  • 2,419 posts

Posted 12 October 2007 - 06:52 AM

@ken82m

Isn't that what the Security Event Log is meant for?

How to set Security Event Logs - ACE

regards

ptrex

Edited by ptrex, 12 October 2007 - 06:52 AM.
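A way to answer ken82m's question that does not depend on the value .Run hands back, added here as an example (it is not code from the thread, from ptrex or from SetACL): list the object's DACL as SDDL (SetACL's list action with the SDDL list format from the first post, or (Get-Acl $path).Sddl in PowerShell), then parse the string and assert that the ACE you added is present and that the trustee really ends up with the rights. The script below is a small pure-Python SDDL DACL parser plus a Windows-style access check. It runs offline on constructed SDDL strings (labelled as such in the code); the alias and mask tables are the standard SDDL ones, the 0x1301bf value is the NTFS Modify mask that SetACL's "change" permission produces on a file, and the GENERIC_KEY table is there so the same check works on the registry-key DACLs MadBoy asked about. It also resolves the "WD" alias to S-1-1-0, the Everyone SID FrenchTroll ran into, and points out that the same two letters mean WRITE_DAC in the rights field.

```python
"""Offline check that a DACL change really landed, by parsing its SDDL string.

Added example, not code from the thread or from SetACL. Input is the SDDL a
listing tool prints for the object (SetACL's list action in SDDL format, or
(Get-Acl <path>).Sddl in PowerShell). All sample SDDL strings are constructed.
"""
import re
from dataclasses import dataclass

# Two-letter rights aliases from the SDDL grammar -> access-mask bits.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Well-known SID aliases (subset). "WD" in this column is Everyone, S-1-1-0;
# "WD" in the rights column above is WRITE_DAC. Same letters, different field.
SIDS = {"WD": "S-1-1-0", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
        "SY": "S-1-5-18", "AU": "S-1-5-11", "CO": "S-1-3-0"}
# Generic rights resolve to object-specific rights; files and registry keys differ.
GENERIC_FILE = {"GR": "FR", "GW": "FW", "GX": "FX", "GA": "FA"}
GENERIC_KEY = {"GR": "KR", "GW": "KW", "GX": "KX", "GA": "KA"}
# SetACL's "change" permission on a file is the NTFS Modify mask, 0x1301BF.
MODIFY = RIGHTS["FR"] | RIGHTS["FW"] | RIGHTS["FX"] | RIGHTS["SD"]


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow, "D" deny ("AU" audit entries live in the SACL)
    flags: tuple    # e.g. ("OI", "CI", "ID"); "ID" = inherited, "IO" = inherit-only
    mask: int
    sid: str        # always the S-1-... form


def parse_rights(text, generic_map=GENERIC_FILE):
    """Rights field: a hex mask or a run of two-letter aliases."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        alias = text[i:i + 2]
        mask |= RIGHTS[generic_map.get(alias, alias)]   # KeyError on an unknown alias
    return mask


def parse_sid(text):
    return text if text.startswith("S-") else SIDS[text]


def parse_dacl(sddl, generic_map=GENERIC_FILE):
    """Return the ACEs of the D: section, in the order Windows evaluates them."""
    aces, pos = [], 0
    while pos < len(sddl):
        key, pos = sddl[pos], pos + 2                      # consume "O:", "G:", "D:" or "S:"
        if key in "OG":                                    # owner/group: alias or S-1-...
            pos += re.match(r"S-[0-9-]+|[A-Z]{2}", sddl[pos:]).end()
            continue
        m = re.match(r"(?:P|AR|AI|NO_ACCESS_CONTROL)*((?:\([^)]*\))*)", sddl[pos:])
        body, pos = m.group(1), pos + m.end()
        if key != "D":                                     # S: is the audit list, not access
            continue
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inh_obj, sid = ace.split(";")
            flags = tuple(flags[i:i + 2] for i in range(0, len(flags), 2))
            aces.append(Ace(ace_type, flags, parse_rights(rights, generic_map), parse_sid(sid)))
    return aces


def explicit_allow(aces, sid):
    """Bits granted to sid by ACEs set directly on the object (not inherited): what AddACE writes."""
    mask = 0
    for ace in aces:
        if ace.ace_type == "A" and ace.sid == sid and "ID" not in ace.flags:
            mask |= ace.mask
    return mask


def has_access(aces, token_sids, wanted):
    """Windows-style DACL walk: a Deny on a still-wanted bit loses, Allows accumulate."""
    remaining = wanted
    for ace in aces:
        if "IO" in ace.flags or ace.sid not in token_sids:   # inherit-only: not for this object
            continue
        if ace.ace_type == "D" and ace.mask & remaining:
            return False
        if ace.ace_type == "A":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


if __name__ == "__main__":
    # Constructed DACLs for C:\Tmp\Results1.txt before and after granting Users "change".
    before = "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;WD)"
    after = "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1301bf;;;BU)(A;;FR;;;WD)"
    users = {"S-1-5-32-545", "S-1-5-11", "S-1-1-0"}     # what a Users member's token carries
    for label, sddl in ("before", before), ("after", after):
        granted = explicit_allow(parse_dacl(sddl), "S-1-5-32-545")
        print(label, hex(granted), granted & MODIFY == MODIFY, has_access(parse_dacl(sddl), users, MODIFY))
```

Use it as the post-condition of your deployment script: still check the return code of .Run first, then dump the SDDL and require that explicit_allow(...) covers the mask you asked for. explicit_allow is deliberately strict (it ignores inherited ACEs), because an inherited Modify from the parent folder would make has_access pass even when your AddACE call silently did nothing, which is exactly the "returns 0 no matter what" case ken82m describes. Deny ACEs are evaluated in list order, so a Deny that sits before your Allow wins for the bits it covers; the check reflects that.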


#18 Gigglestick

Gigglestick

    Universalist

  • Active Members
  • 502 posts

Posted 08 August 2008 - 04:20 PM

I'm pretty sure I know the answer, but what is the possibility of the AutoIt devs using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXEs or register DLLs?

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers, where we currently use robocopy to make ACL/ACE backups to zero-byte files off-site (robo switches: /copy:ATSOU /create) due to a particular site's local info sec not fully understanding security (it always falls on my group to correct their mistakes), and that CHKDSK bug a while back that reset all ACLs on an entire volume to defaults.

I use AutoIt to run multiple concurrent robos to expedite the process (then parse the logs and email a summary of errors), and that seems fairly efficient, but it would be very cool if I could grab the ACLs/ACEs with AutoIt and store them in a database or something without registering an external DLL/OCX.

Alternatively, is it possible to use this DLL as a plugin, so its functionality could be tapped without registering it? Edit: Nevermind, I see ptrex's RegFreeCOM Au3X Example.

I just came across this topic via ptrex's sig, so if there's already an answer to this problem, I apologize.

Edited by c0deWorm, 08 August 2008 - 06:40 PM.

My UDFs: ExitCodes

#19 Confuzzled

Confuzzled

    Mouse moved. Please restart Windows for changes to take effect.

  • Active Members
  • 1,000 posts

Posted 14 August 2008 - 02:23 PM

I'm pretty sure I know the answer, but what is the possibility of the AutoIt devs using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXEs or register DLLs?

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers...

Isn't CACLS already on each and every computer and well documented by Microsoft? Why reinvent the wheel?

#20 stones

stones

    Seeker

  • Active Members
  • 14 posts

Posted 09 March 2009 - 05:18 PM

I need a complete example :P please



