Jump to content

Set ACL on windows Objects


ptrex
 Share

Recommended Posts

Set ACL properties in Windows

Several users in the help forum wondered how to set ACL properties in windows, by means of a script.

For those who dont know what ACL is :

Access Control List. An Access Control List is a list attached to an object such as a file, printer, AD object, ... . It consists of control expressions, each of which grants or denies some ability to a particular user or group of users or object.

More info : http://www.pluralsight.com/wiki/default.as...edSecurity.html

Well there are serveral ways of doing this. But one easy going is this using the SetACL COM Object.

SetACL in Windows

This also comes along with a commandline tool.

This is a quick example on how to get started.

;SetACL $ACCESS Modes
Const $DENY_ACCESS = 3
Const $GRANT_ACCESS = 1
Const $REVOKE_ACCESS = 4
Const $SET_ACCESS = 2
Const $SET_AUDIT_FAILURE = 6
Const $SET_AUDIT_SUCCESS = 5

;SetACL Actions
Const $ACTN_ADDACE = 1
Const $ACTN_CLEARDACL = 16
Const $ACTN_CLEARSACL = 32
Const $ACTN_COPYDOMAIN = 1024
Const $ACTN_COPYTRUSTEE = 1024
Const $ACTN_DOMAIN = 8192
Const $ACTN_LIST = 2
Const $ACTN_REMOVEDOMAIN = 512
Const $ACTN_REMOVETRUSTEE = 512
Const $ACTN_REPLACEDOMAIN = 256
Const $ACTN_REPLACETRUSTEE = 256
Const $ACTN_RESETCHILDPERMS = 128
Const $ACTN_RESTORE = 2048
Const $ACTN_SETGROUP = 8
Const $ACTN_SETINHFROMPAR = 64
Const $ACTN_SETOWNER = 4
Const $ACTN_TRUSTEE = 4096

;SetACL Inheritance Values
Const $INHPARCOPY = 2
Const $INHPARNOCHANGE = 0
Const $INHPARNOCOPY = 4
Const $INHPARYES = 1

;SetACL $LIST Formats
Const $LIST_CSV = 1
Const $LIST_SDDL = 0
Const $LIST_TAB = 2

;SetACL $LIST Names
Const $LIST_NAME = 1
Const $LIST_NAME_SID = 3
Const $LIST_SID = 2

;SetACL Recursion
Const $RECURSE_CONT = 2
Const $RECURSE_CONT_OBJ = 6
Const $RECURSE_NO = 1
Const $RECURSE_OBJ = 4

;SetACL Return COdes
Const $RTN_ERR_ADD_ACE = 32
Const $RTN_ERR_CONVERT_SD = 27
Const $RTN_ERR_COPY_ACL = 31
Const $RTN_ERR_CREATE_SD = 45
Const $RTN_ERR_DEL_ACE = 30
Const $RTN_ERR_DIS_PRIV = 13
Const $RTN_ERR_EN_PRIV = 12
Const $RTN_ERR_FINDFILE = 16
Const $RTN_ERR_GENERAL = 2
Const $RTN_ERR_GET_SD_CONTROL = 17
Const $RTN_ERR_GETSECINFO = 5
Const $RTN_ERR_IGNORED = 44
Const $RTN_ERR_INTERNAL = 18
Const $RTN_ERR_INV_DIR_PERMS = 7
Const $RTN_ERR_INV_DOMAIN = 43
Const $RTN_ERR_INV_PRN_PERMS = 8
Const $RTN_ERR_INV_REG_PERMS = 9
Const $RTN_ERR_INV_SHR_PERMS = 11
Const $RTN_ERR_INV_SVC_PERMS = 10
Const $RTN_ERR_INVALID_SD = 38
Const $RTN_ERR_LIST_ACL = 28
Const $RTN_ERR_LIST_FAIL = 15
Const $RTN_ERR_LIST_OPTIONS = 26
Const $RTN_ERR_LOOKUP_SID = 6
Const $RTN_ERR_LOOP_ACL = 29
Const $RTN_ERR_NO_LOGFILE = 33
Const $RTN_ERR_NO_NOTIFY = 14
Const $RTN_ERR_OBJECT_NOT_SET = 4
Const $RTN_ERR_OPEN_LOGFILE = 34
Const $RTN_ERR_OS_NOT_SUPPORTED = 37
Const $RTN_ERR_OUT_OF_MEMORY = 46
Const $RTN_ERR_PARAMS = 3
Const $RTN_ERR_PREPARE = 24
Const $RTN_ERR_READ_LOGFILE = 35
Const $RTN_ERR_REG_CONNECT = 21
Const $RTN_ERR_REG_ENUM = 23
Const $RTN_ERR_REG_OPEN = 22
Const $RTN_ERR_REG_PATH = 20
Const $RTN_ERR_SET_SD_DACL = 39
Const $RTN_ERR_SET_SD_GROUP = 42
Const $RTN_ERR_SET_SD_OWNER = 41
Const $RTN_ERR_SET_SD_SACL = 40
Const $RTN_ERR_SETENTRIESINACL = 19
Const $RTN_ERR_SETSECINFO = 25
Const $RTN_ERR_WRITE_LOGFILE = 36
Const $RTN_ERR_OK = 0
Const $RTN_ERR_USAGE = 1

;SetACL $SD Info
Const $ACL_DACL = 1
Const $ACL_SACL = 2
Const $SD_GROUP = 8
Const $SD_OWNER = 4

;SetACL $OBJECT Types
Const $SE_FILE_OBJECT = 1
Const $SE_LMSHARE = 5
Const $SE_PRINTER = 3
Const $SE_REGISTRY_KEY = 4
Const $SE_SERVICE = 2

$strFileName = "C:TmpResults1.txt"
$strUsername = "Users"
$strPermission = "change"

$SetACL1 = ObjCreate("SetACL.SetACLCtrl.1")

If IsObj($SetACL1) then

With $SetACL1
$nError = .SetObject($strFileName, $SE_FILE_OBJECT)
$nError = .SetAction($ACTN_ADDACE)
$nError = .ADDACE($strUsername, 0, $strPermission, $INHPARNOCHANGE, 0, $GRANT_ACCESS, $ACL_DACL)
$nError = .Run
Endwith

Else
    Msgbox(0,"Error","No Object Found")
EndIf

An other tool is ofcourse the famous MS CACLS

Enjoy !!

regards

ptrex

Edited by ptrex
Link to comment
Share on other sites

Nice! I was hoping to find how to internalize SetACL.exe command line functions into a script without the need for the external executable.

New toy to play with! Merry Christmas!

:)

P.S. Requires SetACL ActiveX (SetACL.ocx) to provide the COM interface.

Edited by PsaltyDS
Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
Link to comment
Share on other sites

Link to comment
Share on other sites

@Microsoft

Lot's of good stuff around here :P

@MadBoy

Change :

.SetObject($strFileName, $SE_FILE_OBJECT)

Be carefull messing around with the REGISTRY !! :)

Best make a restore point before playing around.

Regards

ptrex

Hehe :) Ever thought about making this uDF ?:)

My little company: Evotec (PL version: Evotec)

Link to comment
Share on other sites

  • 2 weeks later...

Hello ptrex,

Do you knows how to remove an account with the SID "everyone" ?

Like this that works :

$nError = .SetObject("C:\1.txt", 1)  
$nError = .SetAction(4096)  
$nError = .AddTrustee("Everyone", "", False, False, 512, True, False)  
$nError = .Run

...but if i put the SID for everyone (in french "Tout le monde") like this :

$nError = .SetObject("C:\1.txt", 1)  
$nError = .SetAction(4096)  
$nError = .AddTrustee("S-1-1-0", 1, False, False, 512, True, False)  
$nError = .Run

...that don't work.

I asked the question on SetACL's forum but it looks like dead :)

Thanks for any idea ;)

Link to comment
Share on other sites

Well, the autor give me the answer :

The correct syntax to remove a SID on a file (with the SID) is like this :

$nError = .SetObject("C:\1.txt", 1)
  $nError = .SetAction(4096)
  $nError = .AddTrustee("S-1-1-0", "", True, False, 512, True, False)
  $nError = .Run

You can find on this page the differents SID : http://support.microsoft.com/kb/243330/en

I hope this helps.

Link to comment
Share on other sites

  • 1 month later...

This looks very interesting and something I could use in most of my scripts.

The large amount of AutoIT script are used for deploying applications here at work.

CACLS works but this looks much nicer to work with. However I have never implmented a COM object in one of my scripts.

I think I can understand how to make a change but I don't understand how AutoIT knows where to find the OCX. do I need ot register it somehow first?

Would someone mind posting an quick example of how I would integrate set an actual ACL entry within an AutoIT Script.

Thanks,

Kenny

Edited by ken82m

 "I believe that when we leave a place, part of it goes with us and part of us remains... Go anywhere, when it is quiet, and just listen.. After a while, you will hear the echoes of all our conversations, every thought and word we've exchanged.... Long after we are gone our voices will linger in these walls for as long as this place remains."

Link to comment
Share on other sites

Link to comment
Share on other sites

Got it, great work on this! :)

Definitely gonna make my life easier.

Do you know of any RC's to verify the ACL has been changed?

I tried checking the $nError after .Run but it always seems to return 0 no matter what happens.

Thanks,

Kenny

 "I believe that when we leave a place, part of it goes with us and part of us remains... Go anywhere, when it is quiet, and just listen.. After a while, you will hear the echoes of all our conversations, every thought and word we've exchanged.... Long after we are gone our voices will linger in these walls for as long as this place remains."

Link to comment
Share on other sites

Link to comment
Share on other sites

  • 9 months later...

I'm pretty sure I know the answer, but what is the possibility of the Autoit dev's using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXE's or register DLL's.

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers, where we currently use robocopy to make ACL/ACE backups to zero-byte files off-site (robo switches: /copy:ATSOU /create) due to a particular site's local info sec not fully understanding security (always falls on my group to correct their mistakes), and that CHKDSK bug awhile back that reset all ACL's on an entire volume to defaults.

I use AutoIt to run multiple concurrent robo's to expedite the process (then parse the logs and email a summary of errors), and that seems fairly efficient, but that would be very cool if I could grab the ACL/ACE's with AutoIt and store them in a database or something without registering an external DLL/OCX.

Alternatively, is it possible to use this DLL as a plugin, so its functionality could be tapped without registering it? Edit: Nevermind, I see ptrex's RegFreeCOM Au3X Example.

I just came across this topic via ptrex's sig, so if there's already an answer to this problem, I apologize.

Edited by c0deWorm

My UDFs: ExitCodes

Link to comment
Share on other sites

I'm pretty sure I know the answer, but what is the possibility of the Autoit dev's using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXE's or register DLL's.

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers...

Isn't CACLS already on each and every computer and well documented by Microsoft? Why reinvent the wheel?
Link to comment
Share on other sites

  • 6 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...