
Set Acl permissions UDF



Hi,

Thank you for this great UDF !

I'm wondering if it's possible to grant permission access to Active Directory users/groups ?

Must I specify the name of the AD user like local account user ? Group too ?

Here is an example with an AD account:

; testDIR was created before the script execution
$TI = TimerInit()
Dim $aPerm[1][3]
$aPerm[0][0] = 'ADuser'
$aPerm[0][1] = 1
$aPerm[0][2] = BitOr($ACTRL_DIR_TRAVERSE, $ACTRL_DIR_LIST)
$ret = _EditObjectPermissions(@ScriptDir&'testDIR',$aPerm)
$erreur = @error
$TD = TimerDiff($TI)
MsgBox(0,'','Add access aces: '&$aPerm[0][0]&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&'    erreur='&$erreur&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

With this script, I keep getting a return code = 0 and @error = 0. Am I doing something wrong?

 

EDIT: It was my fault. It is not @ScriptDir&'testDIR' but @ScriptDir&'\'&'testDIR'

The AD user name or AD group name works too.

Yet I've got something strange with permissions. All permissions I add are set in "Special Permissions". Is it normal?

EDIT 2: OK, I get it. Permissions in the Security Tab are combined special permissions.

e.g.: $LIST_FOLDER_CONTENTS = BitOR($FILE_TRAVERSE, $FILE_READ_DATA, $FILE_READ_ATTRIBUTES, $FILE_READ_EA, $GENERIC_READ)

Edited by tatane

  • 1 month later...

Very nice UDF. But either I didn't understand something, or there is something missing (at least an example).

I need to know if a user (in fact, "Everyone" or to be correct SID "{S-1-1-0}") has full access to a specific folder. Currently, I use (i)cacls to check this but it's awfully ugly code that needs to capture the stdout of the process. I didn't find in the UDF a "_GetObjectPermissions" method (found "_Set" and "_Edit" only).

Can you help me by either adding a "_GetObjectPermissions" function and add an example of how to use it?

Thanks anyway, nice work and a lot of effort to make such a UDF.

BTW, examples are not portable at all and won't work on non-English Windows. Examples are given directly with English names instead of using the special SID (ex: "Everyone" => replace with "_Security__LookupAccountSid($SID_EVERYONE)"). Sad, because it deserves this great work.
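
An added example, not part of the original post and not code from the UDF: one way to answer "does Everyone (S-1-1-0) have full access?" without scraping icacls output is to evaluate the folder's security descriptor in its SDDL string form. The Python sketch below assumes the string was read with DACL information included, considers only ACEs that name the SID itself (no group membership), and uses constructed sample descriptors and illustrative function names.

```python
import re
FILE_ALL_ACCESS = 0x1F01FF
# SDDL rights tokens -> access-mask bits (generic rights mapped as for files).
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x1F01FF, "GR": 0x120089, "GW": 0x120116, "GX": 0x1200A0,
    "SD": 0x010000, "RC": 0x020000, "WD": 0x040000, "WO": 0x080000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
ALIASES = {"WD": "S-1-1-0"}  # as a trustee, "WD" is the SDDL alias for Everyone
# Constructed sample descriptors (not taken from a real system).
OPEN_DIR = "O:BAG:SYD:AI(A;OICI;FA;;;WD)(A;OICIID;FA;;;SY)"
READ_ONLY = "O:BAG:SYD:(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;BA)"
DENY_FIRST = "D:(D;;WD;;;S-1-1-0)(A;;FA;;;WD)"

def pairs(text):
    """Split a run of two-letter SDDL tokens: "OICIIO" -> ["OI", "CI", "IO"]."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def parse_mask(rights):
    """Turn an ACE rights field (hex number or token run) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in pairs(rights):
        mask |= RIGHTS[token]  # KeyError on a token this example does not know
    return mask

def dacl_aces(sddl):
    """Yield (type, flag tokens, mask, trustee) for each simple ACE in the DACL."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _guid, _iguid, trustee = body.split(";")[:6]
        yield ace_type, pairs(flags), parse_mask(rights), ALIASES.get(trustee, trustee)

def sid_has_full_access(sddl, sid="S-1-1-0"):
    """True if the DACL gives `sid` itself FILE_ALL_ACCESS on the object."""
    if "D:" not in sddl or "D:NO_ACCESS_CONTROL" in sddl:
        return True  # no DACL or NULL DACL: Windows grants full access to all
    granted = denied = 0
    for ace_type, flags, mask, trustee in dacl_aces(sddl):
        if trustee != sid or "IO" in flags:  # inherit-only: not for this object
            continue
        if ace_type == "D":
            denied |= mask & ~granted  # the first ACE to mention a bit decides it
        elif ace_type == "A":
            granted |= mask & ~denied
    return (granted & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
```

Because the trustee is matched by SID or SDDL alias rather than by display name, the check behaves the same on non-English Windows.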

  • 1 month later...

I'm probably just really stupid (but I don't want to screw up my services just "testing")... does anyone have an example of setting Service security??

I'm looking to mimic the command using SUBINACL

subinacl.exe /service SERVICE_NAME /grant="DOMAINGROUP"=TOP

TOP just means Start, Stop, Pause/Continue will be granted (added for) the group. It will keep all existing security set on the service.

Edited by stamandster
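
An added example, not part of the original post and not code from the UDF: the effect described for `/grant=...=TOP` (add start, stop and pause/continue for one group while keeping every existing entry) shown as an edit of the service's SDDL string, the form `sc sdshow` prints and `sc sdset` accepts. The descriptor, the group SID and the function name are constructed for illustration.

```python
import re

# Constructed descriptor in the form `sc sdshow` prints (hypothetical service).
SAMPLE_SD = ("D:(D;;DCWP;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed group SID; look up the real SID of the domain group first.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
# For services: RP = start, WP = stop, DT = pause/continue.
START_STOP_PAUSE = "RPWPDT"


def grant_service_rights(sddl, sid, rights=START_STOP_PAUSE):
    """Return sddl with one allow ACE for sid added and every other ACE kept."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError("pass a SID string, not an account name")
    # Refuse DC, SD, WD, WO: they let the trustee reconfigure or delete the
    # service, or rewrite its DACL or owner.
    if not re.fullmatch(r"(?:CC|LC|SW|RP|WP|DT|LO|CR|RC)+", rights):
        raise ValueError("rights outside the query/start/stop/pause set")
    dacl = re.search(r"D:((?:P|AR|AI)*)((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("descriptor has no DACL section")
    aces = re.findall(r"\([^)]*\)", dacl.group(2))
    new_ace = "(A;;%s;;;%s)" % (rights, sid)
    if new_ace in aces:
        return sddl  # already granted, nothing to change
    # Keep the existing order; put the new allow ACE after the leading deny ACEs.
    pos = 0
    while pos < len(aces) and aces[pos].startswith("(D;"):
        pos += 1
    aces.insert(pos, new_ace)
    return (sddl[:dacl.start()] + "D:" + dacl.group(1) + "".join(aces)
            + sddl[dacl.end():])
```

Keeping a copy of the original `sc sdshow` output before applying the result makes the change reversible.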

Hello Fred,

The $ACCESS_SYSTEM_SECURITY constant is now defined in the Beta version of SecurityConstants.au3.

To avoid an error, at some point, it will need to be deleted from Permissions.au3.

Thanks.

Edit: Fred hasn't been online since the end of May, so y'all may be wantin' to individually apply this fix.

Edited by Spiff59
  • 2 months later...
  • 2 weeks later...

Block? What do you mean by block? That could mean anything.


Block a file like this:

http://img6.imagebanana.com/img/xa3fc4f4/1.png

Translated with google: File access denied.

 

You can change the security settings of a file and can set the file access anyway you want.

Jos

  • 4 weeks later...

Maybe I'm approaching this wrong, but I want to give a user access to a folder without changing the existing permissions. The folder has two inherited users and one explicitly added user. I'm trying to add a fourth user, but the following results in only the new user having access on the folder.

Global $aPermissions[1][3]
$aPermissions[0][0] = "[uSER]"
$aPermissions[0][1] = 1
$aPermissions[0][2] = $FILE_USERS_DEFAULT
 
_EditObjectPermissions("[FOLDER PATH]", $aPermissions, $SE_FILE_OBJECT, '', 0, 1, $SUB_CONTAINERS_AND_OBJECTS_INHERIT)
 
On another note, is there a function to recursively set the owner on sub files and directories or do I need to write that on my own?
  • 1 month later...

AutoIt is not case sensitive. So no difference.

Taken from the help file: "Note that all variable names are case insensitive: MyVariable() is the same as MyvARiAblE()"

  • 2 weeks later...

Hi, I can't run the UDF.

Global Const not found.

Help me.

>"E:autoit3SciTEACNWrapperACNWrapper.exe" /run /ErrorStdOut /in "C:Documents and SettingsAdministratorMy DocumentsDownloads新建 AutoIt v3 脚本.au3" /autoit3dir "E:autoit3" /UserParams    
+>05:08:41 开始执行 ACNWrapper v.1.0.1.0
+> ============================================
+>执行环境:
+> CPU构架: X64
+> 系统构架: X86
+> 系统语言: 0804
+> 键盘布局: 00000804
+> 内存总量: 3324MB
+> 内存剩余: 2540MB
+> 操作系统: WIN_XP/Service Pack 3
+> AU3版本: 3.3.7.15
+> ============================================
>运行 AU3Check (1.54.21.0)  开始目录:E:autoit3
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(188,107) : WARNING: $READ_CONTROL: 使用前并未进行声明.
Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,72) : WARNING: $WRITE_DAC: 使用前并未进行声明.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,85) : WARNING: $WRITE_OWNER: 使用前并未进行声明.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,$WRITE_OWNER)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(785,30) : WARNING: $DENY_ACCESS: 使用前并未进行声明.
$AccessMode = $DENY_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(787,29) : WARNING: $SET_ACCESS: 使用前并未进行声明.
$AccessMode = $SET_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(188,107) : 错误: $READ_CONTROL: 未声明的全局变量.
Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,72) : 错误: $WRITE_DAC: 未声明的全局变量.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(509,85) : 错误: $WRITE_OWNER: 未声明的全局变量.
$aPerm[0][2] = BitOR($ACTRL_REG_SET,$ACTRL_REG_CREATE_CHILD,$WRITE_DAC,$WRITE_OWNER)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(785,30) : 错误: $DENY_ACCESS: 未声明的全局变量.
$AccessMode = $DENY_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloadsPermissions.au3(787,29) : 错误: $SET_ACCESS: 未声明的全局变量.
$AccessMode = $SET_ACCESS
~~~~~~~~~~~~~~~~~~~~~~~~~^
C:Documents and SettingsAdministratorMy DocumentsDownloads新建 AutoIt v3 脚本.au3 - 5 错误, 5 警告
ctPe!>05:08:41 AU3Check 完成:
:2
+>05:08:42 ACNWrapper 完成..
>退出代码: 0 运行时间: 1.507 秒
Edited by zhangyc
  • 3 weeks later...
  • 2 months later...

I have been using this UDF and it is awesome.

I ran into an issue on Win 7 64-bit: a 32-bit compiled app does not modify reg permissions on HKLM64.

$out = _GrantAllAccess('HKEY_LOCAL_MACHINE64\SOFTWARE\test',4)

returns 0

$out = _GrantAllAccess('HKEY_LOCAL_MACHINE\SOFTWARE\test',4)

returns 1

but modifies

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\test

Any ideas?

 
Link to post
Share on other sites

Sorry if I was inattentive while reading the posts; could you please explain how I can solve this?

Say I have a running program "test.exe". How can I prevent a user from killing this process in the tskmngr?

I was trying this example

#RequireAdmin
#include 'Permissions.au3'
_InitiatePermissionResources()
$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI),2)
MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
'@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
'_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
'_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _
'New @AutoItPID security descriptor: '&@CRLF& _
$SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.')
_Permissions_CloseHandle($Hndl)

But anyway, if I write this code into my test.exe, run it and then try killing it in the tskmngr, it is killed very easily.

Thanks in advance!!!
