Jump to content
FredAI

Set Acl permissions UDF

Recommended Posts

Hello all

i need to remove a specific user of a complete tree folders (recursive mode)

i don't understand which func to user from the permissions.au3

is someone can help me to write a code to remove "users domain" from e:common_data /s

thx for help.

Edited by Reekod

Share this post


Link to post
Share on other sites

Hi guys, sorry for the delay. I've been quite busy lately. I made another update today. See the first post, please.

I'll try to find some time tomorrow to answer the questions made here.

Share this post


Link to post
Share on other sites

If you have a moment to give an example with the registry like I requested, it would be so greatly appreciated. No big rush. I know you're busy... And thanks for the update!


Developer and Co-OwnerInTime Applicaitons Inc.

Share this post


Link to post
Share on other sites

An example for registry which is similar with the example for file provided in the first post of this thread

#include 'Permissions.au3'
_InitiatePermissionResources()

RegWrite('HKLM\SOFTWARE\Example') ; write a registry key
Local $TI = TimerInit()
Local $ret = _DenyAllAccess('HKLM\SOFTWARE\Example',$SE_REGISTRY_KEY,@UserName)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Deny all access to HKLM\SOFTWARE\Example and take ownership:'&@CRLF&@CRLF& _
'_DenyAllAccesss return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
$ret = _GrantReadAccess('HKLM\SOFTWARE\Example',$SE_REGISTRY_KEY,'Administrators')
$TD = TimerDiff($TI)
MsgBox(0,'','Grant everyone read access, all access to admins and system, and set the owner: Admins group'&@CRLF&@CRLF& _
'_GrantReadAccesss return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
$ret = _GrantAllAccess('HKLM\SOFTWARE\Example')
$TD = TimerDiff($TI)
MsgBox(0,'','Grant everyone access'&@CRLF&@CRLF& _
'_GrantAllAccesss return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
$ret = _CopyFullDacl('HKLM\SOFTWARE\Example',$SE_REGISTRY_KEY,@ScriptDir)
$TD = TimerDiff($TI)
MsgBox(0,'','Restore all inherited permissions'&@CRLF&@CRLF& _
'_CopyFullDacl return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Local $aPerm[2][3] = [['Restricted',1,$GENERIC_ALL],['Users',1,$GENERIC_ALL]]
$ret = _EditObjectPermissions('HKLM\SOFTWARE\Example',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Add two granted access aces: Restricted and Users'&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted',1,$GENERIC_READ],['Users',1,$GENERIC_READ]]
$ret = _EditObjectPermissions('HKLM\SOFTWARE\Example',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Give only read access to the Restricted and Users groups'&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted',0,$GENERIC_ALL],['Users',0,$GENERIC_ALL]]
$ret = _EditObjectPermissions('HKLM\SOFTWARE\Example',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Deny access to the Restricted and Users groups'&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the registry key permissons before closing the message box.')

$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI),2)
MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
'@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
'_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
'_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _
'New @AutoItPID security descriptor: '&@CRLF& _
$SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.')
_Permissions_CloseHandle($Hndl)

RegDelete('HKLM\SOFTWARE\Example')
_ClosePermissionResources()

Set the owner of a registry key (the subkeys owner will not be changed)

#include 'Permissions.au3'
_InitiatePermissionResources()

RegWrite('HKLM\SOFTWARE\Example') ; write a registry key
; Set the Administrators group as the owner of a registry key (the subkeys owner will not be changed)
_SetObjectOwner('HKLM\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators')

Grants Administrators access for the given object.

Replace the owner with "Replace owner on subcontainers and objects" option checked.

Grant Administrators full control permissions with "Replace all child object permissions with inheritable permissions from this object" option checked.

Existed DACL will be preserved by using $ClearDacl = 0 in Return _SetObjectPermissions on the penultimate line of this script.

#include 'Permissions.au3'
_InitiatePermissionResources()

RegWrite('HKLM\SOFTWARE\Example') ; write a registry key
_GrantAdministratorsAccess_1('HKLM\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators', 1)

; #FUNCTION# ====================================================================================================================
; Name...........: _GrantAdministratorsAccess_1
; Description ...: Grants Administrators access for the given object
; Replace the owner with "Replace owner on subcontainers and objects" option checked
; Grant Administrators full control permissions with
; "Replace all child object permissions with inheritable permissions from this object" option checked
; Permissions will be added (existed DACL will be preserved by using $ClearDacl = 0 in Return _SetObjectPermissions
; on the penultimate line of this script)
; Syntax.........: _GrantAdministratorsAccess_1($oName, $_SE_OBJECT_TYPE, $SetOwner)
; Parameters ....: $oName - The name of the object. This can be a path to a file or folder, a registry key, a service name, etc
; +See the comments on the _SE_OBJECT_TYPE enum for more info
; $_SE_OBJECT_TYPE (optional) - The type of the object to set permissions. This must be one of the values of the
; +_SE_OBJECT_TYPE enum. The default is $SE_FILE_OBJECT (a file or folder).
; $SetOwner (optional) - The user name or SID to set as the owner of the object. Setting a blank string '' will
; +make no changes to the owner. The default is the administrators group ('Administrators')
;
; Return values .: Success - 1
; Failure - 0 and sets @error
; Author ........: FredAI
; Modified.......:
; Remarks .......:
; Related .......: _DenyAllAccess, _GrantReadAccess, _GrantReadDenyWrite, _CopyFullDacl
; Link ..........:
; Example .......: _GrantAdministratorsAccess_1('C:\example.txt', $_SE_OBJECT_TYPE, @UserName)
; ===============================================================================================================================
Func _GrantAdministratorsAccess_1($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT, $SetOwner = 'Administrators', $Recurse = 1)
Local $aPerm[1][3]
$aPerm[0][0] = 'Administrators'
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
Return _SetObjectPermissions($oName, $aPerm, $_SE_OBJECT_TYPE, $SetOwner, 0, $Recurse)
EndFunc ;==>_GrantAdministratorsAccess_1

Grants Administrators access for the given object.

"Replace the owner with "Replace owner on subcontainers and objects" option checked.

Grant Administrators full control permissions with "Replace all child object permissions with inheritable permissions from this object" option checked.

Existed DACL will be cleared by using $ClearDacl = 1 in Return _SetObjectPermissions on the penultimate line of this script.

#include 'Permissions.au3'
_InitiatePermissionResources()

RegWrite('HKLM\SOFTWARE\Example') ; write a registry key
_GrantAdministratorsAccess_2('HKLM\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators', 1)

; #FUNCTION# ====================================================================================================================
; Name...........: _GrantAdministratorsAccess_2
; Description ...: Grants Administrators access for the given object
; Replace the owner with "Replace owner on subcontainers and objects" option checked
; Grant Administrators full control permissions with
; "Replace all child object permissions with inheritable permissions from this object" option checked
; Permissions will be changed (existed DACL will be cleared by using $ClearDacl = 1 in Return _SetObjectPermissions
; on the penultimate line of this script)
; Syntax.........: _GrantAdministratorsAccess_2($oName, $_SE_OBJECT_TYPE, $SetOwner)
; Parameters ....: $oName - The name of the object. This can be a path to a file or folder, a registry key, a service name, etc
; +See the comments on the _SE_OBJECT_TYPE enum for more info
; $_SE_OBJECT_TYPE (optional) - The type of the object to set permissions. This must be one of the values of the
; +_SE_OBJECT_TYPE enum. The default is $SE_FILE_OBJECT (a file or folder).
; $SetOwner (optional) - The user name or SID to set as the owner of the object. Setting a blank string '' will
; +make no changes to the owner. The default is the administrators group ('Administrators')
;
; Return values .: Success - 1
; Failure - 0 and sets @error
; Author ........: FredAI
; Modified.......:
; Remarks .......:
; Related .......: _DenyAllAccess, _GrantReadAccess, _GrantReadDenyWrite, _CopyFullDacl
; Link ..........:
; Example .......: _GrantAdministratorsAccess_2('C:\example.txt', $_SE_OBJECT_TYPE, @UserName)
; ===============================================================================================================================
Func _GrantAdministratorsAccess_2($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT, $SetOwner = 'Administrators', $Recurse = 1)
Local $aPerm[1][3]
$aPerm[0][0] = 'Administrators'
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
Return _SetObjectPermissions($oName, $aPerm, $_SE_OBJECT_TYPE, $SetOwner, 1, $Recurse)
EndFunc ;==>_GrantAdministratorsAccess_2
Edited by ffdshow

Share this post


Link to post
Share on other sites

Great UDF! I noticed though when using the _InheritParentPermissions function on a folder that it will clear the existing DACL (when set) of the files within the folder, but, it will not clear the DACL of the folder itself.

Also, I see the option to add security to an object for a user, but what about for a Group?

Edited by kickarse

Share this post


Link to post
Share on other sites

Great job... Great UDF. I look for some like this over 1-2 years.

But....

I would deny one user in the security of a folder. Like this:

post-71125-0-53810600-1346224532_thumb.j

But my example does not work:

#include <permissions.au3>

Global $aPerm [1][3]

$aPerm[0][0] = 'Username'
$aPerm[0][1] = 0
$aPerm[0][2] = BitOr($FILE_WRITE_DATA, $FILE_ADD_SUBDIRECTORY)

_SetObjectPermissions("D:Test1", $aPerm)

What is wrong ?

Better: Deny User-Write only for the folder "D:Test1", not for subfolders that are exists !

Greetings from Germany...

Micha

Edit: I found a solution...

#include <Permissions.au3>

Global $sFolder = 'D:Test'
Global $sUser = 'xx'
Global $aPerm [2][4]

$aPerm[0][0] = $sUser
$aPerm[0][1] = 0 ; deny
$aPerm[0][2] = BitOr($FILE_WRITE_DATA, $FILE_APPEND_DATA) ; new Files & Folders
$aPerm[0][3] = $INHERIT_NO_PROPAGATE ; only this folder
$aPerm[1][0] = $sUser
$aPerm[1][1] = 1 ; allow
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT ; modify
$aPerm[1][3] = $SUB_CONTAINERS_AND_OBJECTS_INHERIT ; Folder, Files, Subfolder

_EditObjectPermissions($sFolder, $aPerm)
Edited by Michahe

Share this post


Link to post
Share on other sites

FYI

For those who are more into COM you can use the for Files / Directory / Registry / AD objects

ObjCreate("ADsSecurityUtility")
 And
ObjCreate("AccessControlEntry")

Examples on how to http://msdn.microsoft.com/en-us/library/windows/desktop/aa705922(v=vs.85).aspx

Rgds

ptrex


Share this post


Link to post
Share on other sites

... but i found a new problem.

When i used the function _EditObjectPermissions() to (e.g.) add a new user to a folder that inherit his acl from his parent, then all of the inherit-rights are doubled. One from inherit and one from the _EditObjectPermissions()-function. The problem is, the _EditObjectPermission() use the _MergeDaclToarray() to merge the rights (also the inherited) with the new right(s) and then set the complete DACL with the function _SetObjectSecurity() to the folder.

I have already tried the function _SetObjectPermission() instead. But when i used this function and the folder had been non-inherit rights, then the old rights were lost. Only the inherit rights and the new one remains.

Does anyone have a tip for me ?

Share this post


Link to post
Share on other sites

Hello Programmers,

I try this nice UDF and found out that the Sub __GetObjectDacl not return the $Dacl of the File they called by.

Local $Dacl = __GetObjectDacl($oName, $_SE_OBJECT_TYPE)

_MergeDaclToArray($Dacl, $aPermissions)

I Follow the way of $Dacl, and detected that Func _GetObjectSecurityDescriptor should return them.

If $_SE_OBJECT_TYPE = $SE_REGISTRY_KEY Then $oName = __Security_RegKeyName($oName)

$aRet = DllCall( $h__Advapi32Dll, _

'DWORD' ,'GetNamedSecurityInfo' , _

'str' ,$oName , _

'dword' ,$_SE_OBJECT_TYPE , _

'DWORD' ,$SECURITY_INFORMATION , _

'ptr' ,0 , _

'ptr' ,0 , _

'ptr' ,0 , _

'ptr' ,0 , _

'ptr*' ,0 )

EndIf

local $er = @ERROR,$ex =@extended

MsgBox(0, "GetObjectSecurityDescriptor", $er &@cr &$ex &@cr &$aRet[0])

_ArrayDisplay($aRet)

If $er Then Return SetError(@error,0,0)

Return SetError($aRet[0],0,$aRet[8])

EndFunc ;==>_GetObjectSecurityDescriptor

The DllCall to 'GetNamedSecurityInfo' should return the information, but only returns the error code 1314 ($aRet[0]) and the $Dacl are empty. (NUL) ($aRet[8])

The error code means "A required privilege is not held by the client".

The path of the file was ok. File created before and FileExists() accept it.

Did any know the reason why GetNamedSecurityInfo not return the $Dacl of the File ?

PS: run on win2000-SP4

Share this post


Link to post
Share on other sites

I am trying to acheive this.

Posted Image

AFAIK there is not $DENY_READ constant. The best I can do is to deny everything, however I only want to deny read and allow write and nothing else.

The best I can do is to deny everything with below code, however this is not desirable.

Func _disablereadadmin($sFolder)
If Not FileExists($sFolder) Then
Return 0
EndIf
ConsoleWrite("Locking folder"& @CRLF)
_InitiatePermissionResources()
; Edit ACLs, don't SET new ones
; Set Administrators group as admin
; Set Administrators group as full deny permissions
Local $aPerm[2][3]
$aPerm[1][0] = 'Administrators'
$aPerm[1][1] = 0
$aPerm[1][2] = $GENERIC_ALL
$ret = _EditObjectPermissions($sFolder, $aPerm, $SE_FILE_OBJECT, 'Administrators', 1, 1)
_ClosePermissionResources()
EndFunc ;==>_disablereadadmin

Share this post


Link to post
Share on other sites

@NDog,

You have to create an ace with granted write access, and another one with denied read access:

Func _disablereadadmin($sFolder)
    If Not FileExists($sFolder) Then
      Return 0
   EndIf
   ConsoleWrite("Locking folder"& @CRLF)
   _InitiatePermissionResources()
   ; Edit ACLs, don't SET new ones
   ; Set Administrators group as admin
   ; Set Administrators group as full deny permissions
   Local $aPerm[2][3]
   $aPerm[0][0] = 'Administrators'
   $aPerm[0][1] = 0
   $aPerm[0][2] = $ACTRL_FILE_READ
   $aPerm[1][0] = 'Administrators'
   $aPerm[1][1] = 1
   $aPerm[1][2] = $GENERIC_ALL
   $ret = _EditObjectPermissions($sFolder, $aPerm, $SE_FILE_OBJECT, 'Administrators', 1, 1)
   _ClosePermissionResources()
EndFunc ;==>_disablereadadmin

Access denied aces take priority over the access granted ones, so granting full controll and denying read will do what you want.

Also you were createing an array with two aces and only assigning one. That's not a good idea, and can make your script fail.

Share this post


Link to post
Share on other sites

Hello,

I am trying to using _MergeDACLToArray function, and I am getting from the permissions array the following.

[NULL] 1 2032127

[NULL] 1 1245631

it means the first element in my array is empty.

Can someone deliver an example to read DACL into an array, so that I am seeing username, grant/deny(or 1/0), and the access-type as a string ?

Would be very nice, because I am trying since days to get it useable. But without success.

Thanks a lot.

amuboj

Share this post


Link to post
Share on other sites

>"C:Program FilesAutoIt3SciTE..autoit3.exe" /ErrorStdOut "C:UsersmarekDesktopPrzemek 2PBBBYPASSgg.au3"

C:\Program Files\AutoIt3\Include\Permissions.au3 (188) : ==> Variable used without being declared.:

Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL)

Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,^ ERROR

>Exit code: 1 Time: 0.209

WTF Is that :C ? I cant run this udf please help me !

Share this post


Link to post
Share on other sites

Post a reproducer script so we can see what the issue is. The error tells you what the problem is, did you look at the UDF to see if the variable name is declared anywhere in it? If not, then maybe figure out what value it needs to be and declare it.

By the way, it's helpful being polite in your posts, so far you're 0 for 2 as far as that goes.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

@Keniger,

In stead of putting any effort in reaching out to me via PM, which I do not want and is in general not appreciated, you could try to make your issue clearer by posting some coherent sentences and the requested snippet.

So stop your moaning about no replies and just do as requested.

Jos


SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

Wow, it seems I've been away from the forums for too long :ermm:

@Keniger, updating AutoIt to the latest version should solve your issue.

@amuboj, _MergeDACLToArray returns the user SID in a dllstruct, which outputs an empty string.

If you want a string, use

$aPerm[0][0] = _SidToStringSid(DllStructGetPtr($aPerm[0][0]))
Edited by FredAI

Share this post


Link to post
Share on other sites

I've been trying to use the _GetObjectOwner function, but I don't know if it's returning the correct data nor do I know what to do with it if it is since it seems to return "0".  I tried breaking down my usage of the function to its component parts, _GetObjectSecurityDescriptor and _GetSecurityDescriptorOwner, but the script bombs when I do that.  Below is an example of that script:

#include "Permissions.au3"
_InitiatePermissionResources()
$sd = _GetObjectSecurityDescriptor(@ScriptDir & "\test.txt")
$owner = _GetSecurityDescriptorOwner($sd)
_ClosePermissionResources()

I get exit code -1073741819 whenever I run this.

Am I being an idiot, or is this not working properly?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...