Set Acl permissions UDF

tatane · June 13, 2013

Hi,

Thank you for this great UDF !

I'm wondering if it's possible to grant permission access to Active Directory users/groups ?

Must I specify the name of the AD user like local account user ? Group too ?

Here is a example with AD account :

; testDIR was created before the script execution
$TI = TimerInit()
Dim $aPerm[1][3]
$aPerm[0][0] = 'ADuser'
$aPerm[0][1] = 1
$aPerm[0][2] = BitOr($ACTRL_DIR_TRAVERSE, $ACTRL_DIR_LIST)
$ret = _EditObjectPermissions(@ScriptDir&'testDIR',$aPerm)
$erreur = @error
$TD = TimerDiff($TI)
MsgBox(0,'','Add access aces: '&$aPerm[0][0]&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&'    erreur='&$erreur&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

With this script, I keep geting a return code = 0 and @error = 0. Am I doing something wrong ?

EDIT : It was my fault. It is not @ScriptDir&'testDIR' but @ScriptDir&''&'testDIR'

The AD user name or AD group name works too.

Yet I've got something strange with permissions. All permissions I add are set in "Specials Permissions". Is it normal ?

EDIT 2 : OK I get it. Permissions in the Security Tab are combined special permissions.

eg : $LIST_FOLDER_CONTENTS = BitOR($FILE_TRAVERSE, $FILE_READ_DATA, $FILE_READ_ATTRIBUTES, $FILE_READ_EA, $GENERIC_READ)

Edited June 13, 2013 by tatane

tatane · June 13, 2013

New question :

Is it possible to set Share Folder Permissions with this UDF ?

- Full control

- Modify

- Read

RCB · July 15, 2013

Very nice UDF. But either I don't understood something, or there is something missing (at least an example).

I need to know if an user (in fact, "Everyone" or to be correct SID "{S-1-1-0}") have full access to a specific folder. Currently, I use (i)cacls to check this but it's an awfully ugly code that needs to capture the stdout of the process. I didn't find in the UDF a "_GetObjectPermissions" method (found "_Set" and "_Edit" only).

Can you help me by either adding a "_GetObjectPermissions" function and add an example of how to use it?

Thanks anyway, nice work and a lot of efforts to do such an UDF.

BTW, examples are not portable at all and won't work on non-english Windows. Examples are given directly with english names instead of using the special SID (ex: "Everyone" => replace with "_Security__LookupAccountSid($SID_EVERYONE)"). Sad, because it deserves this great work.

stamandster · August 15, 2013

I'm probably just really stupid (but I don't want to screw up my services just "testing")... does anyone have an example of setting Service security??

i'm looking to mimic the command using SUBINACL

subinacl.exe /service SERVICE_NAME /grant="DOMAINGROUP"=TOP

TOP just means Start, Stop, Pause/Continue will be granted (added for) the group. It will keep all existing security set on the service.

Edited August 15, 2013 by stamandster

Spiff59 · August 21, 2013

Hello Fred,

The $ACCESS_SYSTEM_SECURITY constant is now defined in the Beta version of SecurityConstants.au3.

To avoid an error, at some point, it will need to be deleted from Permissions.au3.

Thanks.

Edit: Fred hasn't been online since the end of May, so y'all may be wantin' to individually apply this fix.

Edited August 21, 2013 by Spiff59

tuffnet · November 12, 2013

Hi

I cant get permission to win8, windows/web/screen -folder.

_InitiatePermissionResources()

            GrantAdministratorsAccess_1($win8screen, @UserName)
            GrantAllAccess($win8screen, @UserName)

Marcel789 · November 23, 2013

Can i block a file with this script ?

If yes, how ?

BrewManNH · November 23, 2013

Block? What do you mean by block? That could mean anything.

Marcel789 · November 24, 2013

Block a file like this:

http://img6.imagebanana.com/img/xa3fc4f4/1.png

Translated with google: File access denied.

Jos · November 24, 2013

Block a file like this:

http://img6.imagebanana.com/img/xa3fc4f4/1.png

Translated with google: File access denied.

You can change the security settings of a file and can set the file access anyway you want.

Jos

Marcel789 · November 24, 2013

You can change the security settings of a file and can set the file access anyway you want.

Jos

Yes, but how ?

Have you a example for me ?

Jos · November 24, 2013

Have you tried anything yet and do you understand how security works in Windows?

Marcel789 · November 24, 2013

Yes, Sir.

Edited November 24, 2013 by Marcel789

dummptyhummpty · December 19, 2013

Maybe I'm approaching this wrong, but I want to give a user access to a folder without changing the existing permissions. The folder has two inherited users and one explicitly added user. I'm trying to add a fourth user, but the following results in only the new user having access on the folder.

Global $aPermissions[1][3]

$aPermissions[0][0] = "[uSER]"

$aPermissions[0][1] = 1

$aPermissions[0][2] = $FILE_USERS_DEFAULT

_EditObjectPermissions("[FOLDER PATH]", $aPermissions, $SE_FILE_OBJECT, '', 0, 1, $SUB_CONTAINERS_AND_OBJECTS_INHERIT)

On another note, is a there a function to recursively set the owner on sub files and directories or do I need to write that on my own?

Sundance · January 26, 2014

Just saw two little errors in _GetSecurityDescriptorOwner and _GetSecurityDescriptorGroup.

Within those functions there was a line: If $format= but it should be If $Format=

water · January 26, 2014

AutoIt is not case sensitive. So no difference.

Taken from the help file: "Note that all variable names are case insensitive: MyVariable() is the same as MyvARiAblE()"

zhangyc · February 7, 2014

hi ,,i'm not run the udf

not found Global Const

help me..

>"E:autoit3SciTEACNWrapperACNWrapper.exe" /run /ErrorStdOut /in "C:Documents and SettingsAdministratorMy DocumentsDownloads新建 AutoIt v3 脚本.au3" /autoit3dir "E:autoit3" /UserParams

+>05:08:41 开始执行 ACNWrapper v.1.0.1.0

+> ============================================

+>执行环境:

+> CPU构架: X64

+> 系统构架: X86

+> 系统语言: 0804

+> 键盘布局: 00000804

+> 内存总量: 3324MB

+> 内存剩余: 2540MB

+> 操作系统: WIN_XP/Service Pack 3

+> AU3版本: 3.3.7.15

+> ============================================

>运行 AU3Check (1.54.21.0) 开始目录:E:autoit3

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(188,107) : WARNING: $READ_CONTROL: 使用前并未进行声明.

Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,72) : WARNING: $WRITE_DAC: 使用前并未进行声明.

$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,85) : WARNING: $WRITE_OWNER: 使用前并未进行声明.

$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,$WRITE_OWNER)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(785,30) : WARNING: $DENY_ACCESS: 使用前并未进行声明.

$AccessMode = $DENY_ACCESS

~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(787,29) : WARNING: $SET_ACCESS: 使用前并未进行声明.

$AccessMode = $SET_ACCESS

~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(188,107) : 错误: $READ_CONTROL: 未声明的全局变量.

Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,72) : 错误: $WRITE_DAC: 未声明的全局变量.

$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,85) : 错误: $WRITE_OWNER: 未声明的全局变量.

$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,$WRITE_OWNER)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(785,30) : 错误: $DENY_ACCESS: 未声明的全局变量.

$AccessMode = $DENY_ACCESS

~~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(787,29) : 错误: $SET_ACCESS: 未声明的全局变量.

$AccessMode = $SET_ACCESS

~~~~~~~~~~~~~~~~~~~~~~~~~^

C:Documents and SettingsAdministratorMy DocumentsDownloads新建 AutoIt v3 脚本.au3 - 5 错误, 5 警告

ctPe!>05:08:41 AU3Check 完成:

:2

+>05:08:42 ACNWrapper 完成..

>退出代码: 0 运行时间: 1.507 秒

Edited February 7, 2014 by zhangyc

Factfinder · February 26, 2014

This is a great script. Thank you for providing it.

Edited April 19, 2014 by Factfinder

step887 · May 8, 2014

I have been using this UDF and it is awesome,

I ran into an issue

on win 7 64 bit

32 bit compiled app does not modify reg permissions on HKLM64

$out = _GrantAllAccess('HKEY_LOCAL_MACHINE64SOFTWAREtest',4)

returns 0

$out = _GrantAllAccess('HKEY_LOCAL_MACHINESOFTWAREtest',4)

returns 1

but modifies

HKEY_LOCAL_MACHINESOFTWAREWow6432Nodetest

any ideas

topten · May 10, 2014

Sorry if I was inattentive while reading posts, could you please explain, how can I solve this

Say, I have running program "test.exe" . How can I prevent user killing this process in the tskmngr?

I was trying this example

#RequireAdmin
#include 'Permissions.au3'
_InitiatePermissionResources()
$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI),2)
MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
'@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
'_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
'_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _
'New @AutoItPID security descriptor: '&@CRLF& _
$SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.')
_Permissions_CloseHandle($Hndl)

But anyway, if I write this code into my test.exe and then run it and then if I try killing in tskmngr- it is killed very easily.

Thanx in advance!!!

Set Acl permissions UDF

Recommended Posts

Link to comment

Share on other sites

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

FredAI

AdamUL

AdamUL

Posted Images

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members