FredAI

Set Acl permissions UDF


Hi,

Thank you for this great UDF !

I'm wondering if it's possible to grant permission access to Active Directory users/groups?

Must I specify the name of the AD user like a local account user? Group too?

Here is an example with an AD account:

; testDIR was created before the script execution
$TI = TimerInit()
Dim $aPerm[1][3]
$aPerm[0][0] = 'ADuser'
$aPerm[0][1] = 1
$aPerm[0][2] = BitOr($ACTRL_DIR_TRAVERSE, $ACTRL_DIR_LIST)
$ret = _EditObjectPermissions(@ScriptDir&'testDIR',$aPerm)
$erreur = @error
$TD = TimerDiff($TI)
MsgBox(0,'','Add access aces: '&$aPerm[0][0]&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&'    erreur='&$erreur&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

With this script, I keep getting a return code = 0 and @error = 0. Am I doing something wrong?

EDIT: It was my fault. It is not @ScriptDir&'testDIR' but @ScriptDir&'\'&'testDIR'

The AD user name or AD group name works too.

Yet I've got something strange with permissions. All permissions I add are set in "Special Permissions". Is it normal?

EDIT 2: OK I get it. Permissions in the Security Tab are combined special permissions.

e.g.: $LIST_FOLDER_CONTENTS = BitOR($FILE_TRAVERSE, $FILE_READ_DATA, $FILE_READ_ATTRIBUTES, $FILE_READ_EA, $GENERIC_READ)

Edited by tatane


New question:

Is it possible to set Share Folder Permissions with this UDF?

- Full control

- Modify

- Read


Very nice UDF. But either I didn't understand something, or there is something missing (at least an example).

I need to know if a user (in fact, "Everyone" or to be correct SID "{S-1-1-0}") has full access to a specific folder. Currently, I use (i)cacls to check this but it's awfully ugly code that needs to capture the stdout of the process. I didn't find in the UDF a "_GetObjectPermissions" method (found "_Set" and "_Edit" only).

Can you help me by adding a "_GetObjectPermissions" function and an example of how to use it?

Thanks anyway, nice work and a lot of effort to do such a UDF.

BTW, examples are not portable at all and won't work on non-English Windows. Examples are given directly with English names instead of using the special SID (ex: "Everyone" => replace with "_Security__LookupAccountSid($SID_EVERYONE)"). Sad, because it deserves this great work.
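
One way to answer the "does Everyone have full access" question without capturing (i)cacls output, as an added example that is not part of the original posts or of Permissions.au3: read the object's SDDL string and inspect the ACEs that name the locale-independent alias WD / S-1-1-0. The _Ex_* names and the sample SDDL strings are constructed for illustration; the input is assumed to come from a call that returns the security descriptor as a string, such as the _GetObjectStringSecurityDescriptor used later in this thread.

```autoit
; Added example: built-in AutoIt functions only; all names here are hypothetical.
Global Const $EX_FILE_ALL_ACCESS = 0x1F01FF ; "Full control" on files and folders
Global Const $EX_GENERIC_ALL = 0x10000000

; ACE flags are packed two letters at a time, so test pair by pair:
; "CIOI" (CI + OI) must not be read as containing "IO".
Func _Ex_AceHasFlag($sFlags, $sFlag)
    For $i = 1 To StringLen($sFlags) Step 2
        If StringMid($sFlags, $i, 2) = $sFlag Then Return True
    Next
    Return False
EndFunc

; The rights field is either SDDL letters (FA, GA, FR...) or a hex mask.
Func _Ex_RightsAreFull($sRights)
    If $sRights = "FA" Or $sRights = "GA" Then Return True
    If StringLeft($sRights, 2) <> "0x" Then Return False
    Local $iMask = Dec(StringTrimLeft($sRights, 2))
    If BitAND($iMask, $EX_GENERIC_ALL) Then Return True
    Return BitAND($iMask, $EX_FILE_ALL_ACCESS) = $EX_FILE_ALL_ACCESS
EndFunc

; True when the DACL in $sSDDL gives Everyone (WD / S-1-1-0) full control of
; the object itself. Only ACEs that name Everyone directly are considered.
Func _Ex_EveryoneHasFullAccess($sSDDL)
    ; A NULL DACL means no access control at all: everyone gets everything.
    If StringInStr($sSDDL, "D:NO_ACCESS_CONTROL") Then Return True
    ; Take the ACE list after "D:" and its optional flags (P, AI, AR).
    Local $aDacl = StringRegExp($sSDDL, "D:[A-Z]*((?:\([^)]*\))+)", 1)
    If Not IsArray($aDacl) Then Return False ; empty DACL: nobody has access
    Local $aAces = StringRegExp($aDacl[0], "\(([^)]*)\)", 3)
    Local $bFull = False
    For $i = 0 To UBound($aAces) - 1
        Local $aF = StringSplit($aAces[$i], ";") ; type;flags;rights;guid;guid;sid
        If $aF[0] < 6 Then ContinueLoop
        If $aF[6] <> "WD" And $aF[6] <> "S-1-1-0" Then ContinueLoop
        If _Ex_AceHasFlag($aF[2], "IO") Then ContinueLoop ; inherit-only: children only
        If $aF[1] = "D" Then Return False ; any deny ACE takes some right away
        If $aF[1] = "A" And _Ex_RightsAreFull($aF[3]) Then $bFull = True
    Next
    Return $bFull
EndFunc

; Constructed SDDL strings, not taken from a real system.
ConsoleWrite(_Ex_EveryoneHasFullAccess("O:BAG:SYD:PAI(A;OICI;FA;;;WD)(A;;0x1200a9;;;BU)") & @CRLF)
ConsoleWrite(_Ex_EveryoneHasFullAccess("O:BAG:SYD:(A;OICIIO;FA;;;WD)(A;;0x1200a9;;;WD)") & @CRLF)
ConsoleWrite(_Ex_EveryoneHasFullAccess("O:BAG:SYD:(D;;0x10000;;;WD)(A;;0x1f01ff;;;WD)") & @CRLF)
```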


I'm probably just really stupid (but I don't want to screw up my services just "testing")... does anyone have an example of setting Service security??

I'm looking to mimic the command using SUBINACL

subinacl.exe /service SERVICE_NAME /grant="DOMAINGROUP"=TOP

TOP just means Start, Stop, Pause/Continue will be granted (added for) the group. It will keep all existing security set on the service.

Edited by stamandster


Hello Fred,

The $ACCESS_SYSTEM_SECURITY constant is now defined in the Beta version of SecurityConstants.au3.

To avoid an error, at some point, it will need to be deleted from Permissions.au3.

Thanks.

Edit: Fred hasn't been online since the end of May, so y'all may be wantin' to individually apply this fix.

Edited by Spiff59


Block? What do you mean by block? That could mean anything.



Block a file like this:

http://img6.imagebanana.com/img/xa3fc4f4/1.png

Translated with google: File access denied.

 

You can change the security settings of a file and can set the file access anyway you want.

Jos



Maybe I'm approaching this wrong, but I want to give a user access to a folder without changing the existing permissions. The folder has two inherited users and one explicitly added user. I'm trying to add a fourth user, but the following results in only the new user having access on the folder.

Global $aPermissions[1][3]
$aPermissions[0][0] = "[uSER]"
$aPermissions[0][1] = 1
$aPermissions[0][2] = $FILE_USERS_DEFAULT
 
_EditObjectPermissions("[FOLDER PATH]", $aPermissions, $SE_FILE_OBJECT, '', 0, 1, $SUB_CONTAINERS_AND_OBJECTS_INHERIT)
 
On another note, is there a function to recursively set the owner on sub files and directories or do I need to write that on my own?


Just saw two little errors in _GetSecurityDescriptorOwner and _GetSecurityDescriptorGroup.

Within those functions there was a line: If $format= but it should be If $Format=


AutoIt is not case sensitive. So no difference.

Taken from the help file: "Note that all variable names are case insensitive: MyVariable() is the same as MyvARiAblE()"



Hi, I can't run the UDF.

Global Const not found.

Help me..

>"E:autoit3SciTEACNWrapperACNWrapper.exe" /run /ErrorStdOut /in "C:Documents and SettingsAdministratorMy DocumentsDownloads新建 AutoIt v3 脚本.au3" /autoit3dir "E:autoit3" /UserParams    
+>05:08:41 开始执行 ACNWrapper v.1.0.1.0
+> ============================================
+>执行环境:
+> CPU构架: X64
+> 系统构架: X86
+> 系统语言: 0804
+> 键盘布局: 00000804
+> 内存总量: 3324MB
+> 内存剩余: 2540MB
+> 操作系统: WIN_XP/Service Pack 3
+> AU3版本: 3.3.7.15
+> ============================================
>运行 AU3Check (1.54.21.0)  开始目录:E:autoit3
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(188,107) : WARNING: $READ_CONTROL: 使用前并未进行声明.
Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,72) : WARNING: $WRITE_DAC: 使用前并未进行声明.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,85) : WARNING: $WRITE_OWNER: 使用前并未进行声明.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,$WRITE_OWNER)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(785,30) : WARNING: $DENY_ACCESS: 使用前并未进行声明.
$AccessMode = $DENY_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(787,29) : WARNING: $SET_ACCESS: 使用前并未进行声明.
$AccessMode = $SET_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(188,107) : 错误: $READ_CONTROL: 未声明的全局变量.
Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,72) : 错误: $WRITE_DAC: 未声明的全局变量.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,85) : 错误: $WRITE_OWNER: 未声明的全局变量.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,$WRITE_OWNER)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(785,30) : 错误: $DENY_ACCESS: 未声明的全局变量.
$AccessMode = $DENY_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(787,29) : 错误: $SET_ACCESS: 未声明的全局变量.
$AccessMode = $SET_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloads新建 AutoIt v3 脚本.au3 - 5 错误, 5 警告
ctPe!>05:08:41 AU3Check 完成:
:2
+>05:08:42 ACNWrapper 完成..
>退出代码: 0 运行时间: 1.507 秒
Edited by zhangyc


I have been using this UDF and it is awesome.

I ran into an issue on Win 7 64-bit:

A 32-bit compiled app does not modify reg permissions on HKLM64

$out = _GrantAllAccess('HKEY_LOCAL_MACHINE64\SOFTWARE\test',4)

returns 0

$out = _GrantAllAccess('HKEY_LOCAL_MACHINE\SOFTWARE\test',4)

returns 1

but modifies

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\test

Any ideas?

 


Sorry if I was inattentive while reading posts, but could you please explain how I can solve this?

Say I have a running program "test.exe". How can I prevent the user from killing this process in tskmngr?

I was trying this example:

#RequireAdmin
#include 'Permissions.au3'
_InitiatePermissionResources()
$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI),2)
MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
'@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
'_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
'_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _
'New @AutoItPID security descriptor: '&@CRLF& _
$SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.')
_Permissions_CloseHandle($Hndl)

But anyway, if I write this code into my test.exe and then run it, and then try killing it in tskmngr, it is killed very easily.

Thanx in advance!!!
