
Set Acl permissions UDF



Popular Posts

Hi. I've been working on this for a while. I think now it's good enough to post it here. Functions to do most everything with the DACL and ownership on all types of objects: Files or folders, Regist

@Terenz Now with the change to the UDF mentioned above.  Here is an example that I think will do what you need.   #RequireAdmin #include 'Permissions.au3' _InitiatePermi

@Terenz I just noticed an issue with the script I posted for you.  I didn't have the return value for _EditObjectPermissions in the MsgBox.  I edited my post to add this.   I think I was able to


I have written a script to get the ACL listing and display the result in a TreeView.
It's about 10 years old, written in German and uses the old Excel UDF - so it definitely needs a brush up.
But if you are interested ...

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 


Since 2011 the scripting world has evolved a lot!

In PowerShell this is 6 lines of code and runs lightning fast...

If you persist in using AutoIt, you can run the PS code using the .NET Common Language Runtime (CLR) Framework

If you are interested ...

 


@Valnurat  Here is an example for you, using the UDF.

#include <Debug.au3>
#include <Security.au3>
#include 'Permissions.au3'

Global $sFile = @ScriptDir & '\test.txt'
FileWrite($sFile, 'test')
MsgBox(0, "File", "Created")

_InitiatePermissionResources()

;Get the file's DACL.
;Do not include inherited permissions.
;~ $pDACL = _GetObjectDacl($sFile)
;~ If @error Then Exit MsgBox(16, "ERROR", "Error _GetObjectDacl")

;Include inherited permissions.
$pDACL = _GetObjectDaclIncludeInherit($sFile)
If @error Then Exit MsgBox(16, "ERROR", "Error _GetObjectDaclIncludeInherit") ;Stop here, the DACL pointer is not usable.

;Create an empty array to fill with the DACL read from the object.
Global $aPerm[0][4]
$iRet = _MergeDaclToArray($pDACL, $aPerm)
;If there are no explicit permissions, and only inherited, the return value will be 0, if you used _GetObjectDacl.
MsgBox(0, '', '_MergeDaclToArray return value: ' & $iRet)
If $iRet = 0 Then Exit 2

;SIDs are DLL structs so they show up as blank strings in the array.  Permissions show up as signed integers.
;$array[n][0] - SID structure.
;$array[n][1] - The access type. A value of 1 grants access, 0 denies access.
;$array[n][2] - The access mask. 

_DebugArrayDisplay($aPerm, $sFile)

;Show users and groups in the DACL array as strings.
Global $aAcct
Global $pAcct
Global $sAcct
For $i = 0 To UBound($aPerm, 1) - 1 
    
    $pAcct = DllStructGetPtr($aPerm[$i][0])
    
    ;Convert SIDs to users and groups strings.  
    $aAcct = _Security__LookupAccountSid($pAcct)
    If Not IsArray($aAcct) Then 
        $aPerm[$i][0] = _Security__SidToStringSid($pAcct) ;Put SID string for unknown SID.
        ContinueLoop
    EndIf
    $sAcct = ($aAcct[1] <> "" ? $aAcct[1] & "\" : "" ) & $aAcct[0]
    
    ConsoleWrite($sAcct & "  _Security__IsValidSid: " & _Security__IsValidSid($pAcct) & @CRLF)
    
    ;Replace struct with string.  
    $aPerm[$i][0] = $sAcct
    
Next

_ClosePermissionResources()

;User and group names changed to strings to be viewable and searchable.  
_DebugArrayDisplay($aPerm, $sFile)

FileDelete($sFile)
MsgBox(0, "File", "Deleted")

@ptrex  I would like to see an example using PowerShell.  If possible, I would like to see how to get the users' or groups' specific permissions.  Thanks.

 

Adam
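
The post above asks how PowerShell would list each user's or group's specific permissions. The following is an added example, not code from this thread or from the Permissions UDF. It mirrors the AutoIt script: `-ExplicitOnly` reads the DACL without inherited entries, unresolvable SIDs fall back to the SID string, and generic-right bits that would otherwise print as raw signed integers are decoded. The demo file path and the `Get-AceReport` name are assumptions made here.

```powershell
# Added example (not from the thread). Demo file path is constructed.
$path = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -LiteralPath $path -Value 'test'

# Generic rights are not members of the FileSystemRights enum, so an ACE that
# carries them prints as a raw (possibly negative) integer unless decoded.
# Hex literals here are Int32, matching the [int] cast of the mask below.
$generic = [ordered]@{
    GENERIC_READ    = 0x80000000
    GENERIC_WRITE   = 0x40000000
    GENERIC_EXECUTE = 0x20000000
    GENERIC_ALL     = 0x10000000
}

function Get-AceReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $ExplicitOnly          # skip inherited ACEs
    )
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # GetAccessRules(includeExplicit, includeInherited, targetType)
    foreach ($ace in $acl.GetAccessRules($true, (-not $ExplicitOnly), $sidType)) {
        try {
            $account = $ace.IdentityReference.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $ace.IdentityReference.Value   # unknown SID: keep SID string
        }
        $mask   = [int]$ace.FileSystemRights
        $rights = @($generic.Keys | Where-Object { $mask -band $generic[$_] })
        $known  = $mask -band 0x001F01FF               # bits covered by FullControl
        if ($known) { $rights += [System.Security.AccessControl.FileSystemRights]$known }
        [pscustomobject]@{
            Account   = $account
            Type      = $ace.AccessControlType         # Allow or Deny
            Mask      = '0x{0:X8}' -f $mask
            Rights    = $rights -join ', '
            Inherited = $ace.IsInherited
        }
    }
}

Get-AceReport -Path $path | Format-Table -AutoSize                # explicit + inherited
Get-AceReport -Path $path -ExplicitOnly | Format-Table -AutoSize  # explicit only
Remove-Item -LiteralPath $path
```

On a freshly created file the second call usually returns nothing, because every ACE is inherited from the parent folder.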

 

On 5/18/2020 at 1:18 PM, water said:

I have written a script to get the ACL listing and display the result in a TreeView.
It's about 10 years old, written in German and uses the old Excel UDF - so it definitely needs a brush up.
But if you are interested ...

@water - Yes, I would be interested.

Yours sincerely

Kenneth.

On 5/25/2020 at 8:13 AM, Valnurat said:

Thank you for your support.

But I'm sorry, I now get this message as attached.

PermError.PNG

@AdamUL - I'm sorry, but do you know why I get this error? I get the error because I tried to use "_GetObjectDacl".

If I tried to use the "_GetObjectDaclIncludeInherit", I get this error:

 

Capture.PNG

Yours sincerely

Kenneth.

On 5/29/2020 at 9:27 AM, Valnurat said:

@water - Yes, I would be interested.

I had a look at my code archive and unfortunately I can't find the preparation code for my two-step approach:
First step retrieves a list of permissions for the selected path by running something like CACLS, processes the output and writes it to a file.
The second step displays the file in a TreeView and adds some additional features (search, export ...)

But without the code for step one this doesn't help much.

I did a Google search and found some (free) tools to display permissions: https://blog.netwrix.com/2017/08/18/top-5-free-tools-for-ntfs-permissions-reporting/
Maybe there is something that fits your needs?

  • 11 months later...

I have spent the whole day looking for an easy way to set registry permissions.
Most scripts do not do what I want (just add "users" and grant it full rights).

I have also been looking for hours at the permissions.udf, but I really do not get the grasp of it.
I know permissions are not something easy, but the permissions.udf has not made setting permissions easy to understand.

Shouldn't the way cacls or icacls use their parameters be easier?
After a brief test with SetACL, I have decided to use this 3rd party tool to get my script finished.

So, is there an easy AutoIt way to set permissions on registry keys other than using permissions.udf?

 

What do you all think of a function AddPermission(object (registry/file/folder), useraccount/sid, Permission (read/write/change etc.), Inherit options)

with siblings  ChangePermission, RemovePermission.


@Shark007 Thanks to you both, you for the example and also @AdamUL for his permissions.udf.
Your example has made it clearer how to use the UDF.

My script is already finished using SetACL.exe and I am going forward with other work and scripts.
However I have archived your example for future use.☺️

For simplicity's sake, what would you think about the following implementation?

 

AddPermission(object (registry/file/folder), useraccount/sid, Permission (read/write/change etc.), Inherit options)
ChangePermission(object (registry/file/folder), useraccount/sid, Permission (read/write/change etc.), Inherit options)
RemovePermission(object (registry/file/folder), useraccount/sid, Permission (read/write/change etc.), Inherit options)

With your example, I could probably create the above. Made also a mental note to do this in a future far far away 😉
 

 

 

 

 
