FredAI

Set Acl permissions UDF


Finally did it :sweating:

Hope I did it correctly; as far as I can tell there were no errors.

Steps I followed:

1) Read the object DACL using _GetObjectDacl

2) Excluded the DACL entries that needed to be removed (exactly the opposite of what happens in _MergeDaclToArray)

3) Cleared the object's DACL using _ClearObjectDacl

4) Set the DACL back using _SetFileObjectSecurity

The UDF is simply awesome; it's just hard for newcomers to find the way to such new things :)

Wouldn't it be great to add a function to remove permissions as well?

Also one more for LookupAccountSid.

Amol

On 04-11-2011 at 2:01 PM, FredAI said:

Take a look at this code:

 

 

#include 'Permissions.au3'
_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()

; One row per ACE: [n][0] account name or SID string, [n][1] 1 = allow / 0 = deny, [n][2] access mask
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE
; Remaining parameters (see the description below): object type, new owner, clear the existing DACL, recurse children
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' milliseconds.')
_ClosePermissionResources()

 

You just have to create an array with the permissions you want to set:

$array[0][0] - First ACE: user name or SID string

$array[0][1] - 1 or 0, whether to grant or deny the permissions defined in the access mask ($array[0][2])

$array[0][2] - One or more access mask values, e.g. $GENERIC_READ+$GENERIC_EXECUTE

$array[1][0] - Second ACE: user name or SID string

$array[1][1] - 1 or 0, whether to grant or deny the permissions defined in the access mask ($array[1][2])

$array[1][2] - One or more access mask values, e.g. $GENERIC_READ+$GENERIC_EXECUTE

And so on. You can add as many ACEs as you want. The access-denied ACEs have priority over the allowed ones.

Then you can set the owner, clear the DACL and recurse containers and objects (for folders and registry keys). When recursing, the child objects will automatically inherit the permissions from the parent one.

Don't know what else you can do by modifying the security descriptor.

I tried the above code, but it does not work.

It doesn't put "username" or "everyone" on the ACL.

It is just blank.

I really need this to work. I have 300+ folders I need to set ACLs for.

I have e.g. a folder called CC120800 and I need to add an AD group called DKSO_NTFS_CC120800 with modify access.

Hope someone can help me.

ACL on test file.JPG

Yours sincerely

Kenneth.


Are you using #RequireAdmin when running the script? Also, does the account that you are running the script under have permission to edit the ACLs of the folders?

 

Adam

 

6 minutes ago, Valnurat said:

But I'm local admin on my computer?

Guess you have some reading to do around the use of UAC in windows. ;)

Jos



You're welcome. Glad I could help. As Jos mentioned, it is a UAC issue dealing with the admin token.

 

Adam

 


Ok. I tried this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()

Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

and it works very well.

But if I try this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = '\\servername\share\NewTestFolder'
Local $TI = TimerInit()

Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'GROUPNAME' ;<---- this is an AD Groupname
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

it does not work.

The problem is that my NewTestFolder does not exist anymore, or it is still there in some way, because if I create a new folder with the same name, I get an error that the folder can't be renamed.

Of course the "GROUPNAME" isn't the correct one in this example, but I don't know if I just write the AD group name or if I need to do something special to make this work?

"Everyone" is standard.


Yours sincerely

Kenneth.

On 13-04-2016 at 3:34 PM, AmolT said:

Finally did it :sweating:

Hope I did it correctly; as far as I can tell there were no errors.

Steps I followed:

1) Read the object DACL using _GetObjectDacl

2) Excluded the DACL entries that needed to be removed (exactly the opposite of what happens in _MergeDaclToArray)

3) Cleared the object's DACL using _ClearObjectDacl

4) Set the DACL back using _SetFileObjectSecurity

The UDF is simply awesome; it's just hard for newcomers to find the way to such new things :)

Wouldn't it be great to add a function to remove permissions as well?

Also one more for LookupAccountSid.

Amol

Could you show me how you did it?

I can't figure it out.

Edited by Valnurat

Yours sincerely

Kenneth.


When I do this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

It deletes the original DACL and then just adds @UserName and Everyone.

But if I want to keep the original DACL and add @UserName and Everyone, I guess I need to use _MergeDaclToArray. So I did this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
Local $aDACL
Local $sTest = _GetObjectDACL($File)
MsgBox(0,"",$sTest)
If _MergeDaclToArray($sTest,$aDACL) = 0 Then
    MsgBox(0,"Faild","Merge Dacl To Array")
    Exit
EndIf
_ArrayDisplay($aDACL,"ACL")
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

but my _MergeDaclToArray returns 0.

I don't know if this is the right way to do it.

Can someone help me?


Yours sincerely

Kenneth.


@Valnurat this is a long post, but I hope I can answer some of your questions. I'm not an expert with this UDF, and learned even more when I was looking at your issues.

Your $aDACL is an empty array in your _MergeDaclToArray function call; that is why you get 0. You only declare the variable, but do not set a value to it. That is not what your problem is, though. You are using an incorrect function for what I think you want to do. You need to use _EditObjectPermissions. This will allow you to add new ACEs to the existing ACL using a permissions array. Also, the script needs to be run with #RequireAdmin for it to work, or it will fail to set the permissions at all. Here is an edited version of your script that works for me.

#RequireAdmin
#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()

Local $File = @ScriptDir & '\test.txt'
FileWrite($File,'test')

Local $TI = TimerInit()

Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT
_ArrayDisplay($aPerm,$File)

Local $ret = _EditObjectPermissions($File, $aPerm)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '& $ret & @CRLF & '   Time: '&Round($TD,2) & ' miliseconds.')

_ClosePermissionResources()

I also found a bug in the _EditObjectPermissions function.  On line 602, change the following.

_MergeDaclToArray($Dacl, $aPermissions)

to

If $ClearDacl Then _MergeDaclToArray($Dacl, $aPermissions)

If you do not change it, you will have the inherited ACEs duplicated as non-inherited ACEs on the object, in addition to the ACEs that you added. This is not completely correct either: the ACEs are no longer duplicated, but if you do what I specify above, you will lose all the local ACEs along with the duplicated ones. I'm not sure what is causing this, and in which function. I have read the whole thread, and this is a known issue that has not been corrected.

 

Quote

How do I add access for the "modify"?

I see you found it out by doing it explicitly in your last post, but it is defined in the UDF as $FILE_AUTH_USERS_DEFAULT.

 

Quote

Of course the "GROUPNAME" isn't the correct one in this example, but I don't know if I just write the AD Group or do I need to do something special to have this to work?

When adding a domain group, you have to have it in the format "domain\groupname", e.g. AD\Group_Name; if not, it will look for the group on the local PC. You could also use the group's SID. Here is an example array, based on the array used in the example script above.

Global $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'AD\Group_Name'
$aPerm[1][1] = 1
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT

Hope that helps.  

 

Adam

 

Edited by AdamUL

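The same three points in PowerShell, as an added example that is not from the thread or the Permissions UDF: resolving the account up front makes a name without a "domain\" prefix fail with a clear error instead of silently matching nothing, the elevation check mirrors what #RequireAdmin gives the script, and the summary separates explicit from inherited ACEs so duplicated inherited entries are visible. Assumes PowerShell 5 or later; 'AD\Group_Name' and 'C:\Shares\CC120800' are placeholders.

```powershell
function Test-IsElevated {
    # True only for an elevated token; a UAC-filtered admin token is not in the role.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [System.Security.Principal.WindowsPrincipal]::new($id).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Resolve-Principal {
    param([Parameter(Mandatory)][string]$Principal)
    # Accept either an SID string or an account name ('DOMAIN\Group', 'Everyone').
    if ($Principal -match '^S-1-') {
        return [System.Security.Principal.SecurityIdentifier]::new($Principal)
    }
    # Throws IdentityNotMappedException when an unprefixed name has no local match.
    ([System.Security.Principal.NTAccount]$Principal).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Add-ExplicitAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    if (-not (Test-IsElevated)) { throw 'Not elevated: writing the DACL needs the admin token.' }
    $sid = Resolve-Principal $Principal
    # Folders get an inheritable ACE so children pick it up; files cannot carry inheritance flags.
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None, $Type)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($ace)   # adds to the existing DACL instead of replacing it
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AceSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Explicit (IsInherited = False) entries are the ones written on this object;
    # an explicit entry that repeats an inherited one is the duplication described above.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage with placeholder names:
# Add-ExplicitAce -Path 'C:\Shares\CC120800' -Principal 'AD\Group_Name' -Rights Modify
# Get-AceSummary  -Path 'C:\Shares\CC120800' | Format-Table -AutoSize
```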

Thank you for the feedback.

Yes, my mistake not to put #RequireAdmin in my test. It was part of my test.

It seems it works now. thank you.

 

Edited by Valnurat

Yours sincerely

Kenneth.


Hello. I have tried to play with this UDF but I can't reach my goal. I'd like to do:

1) Get the file permissions of the file

2) Add full access to that file for my user

3) Do some task

4) When I'm finished, restore the file permissions to the original ones from point 1)

Does someone have an example to play with and experiment? I think _CopyFullDacl is involved in some way, but I don't understand where it takes the original file permissions from. Thanks



getting this error when trying to do a syntax check 

 

error: $ACCESS_SYSTEM_SECURITY previously declared as a 'Const'.
Global Const $ACCESS_SYSTEM_SECURITY     = 0x01000000

On 8/1/2016 at 11:11 AM, Kaimberex said:

getting this error when trying to do a syntax check 

 

error: $ACCESS_SYSTEM_SECURITY previously declared as a 'Const'.
Global Const $ACCESS_SYSTEM_SECURITY     = 0x01000000

I just commented it out as it's already declared in SecurityConstants.au3


I think I have found the solution to the issue that I posed in #133 about inherited ACEs being added to the ACL when you use the _EditObjectPermissions function.

The issue is with the _MergeDaclToArray function. If you look in post #50, FredAI posts an updated _MergeDaclToArray function that was never added to the UDF.

If you replace the _MergeDaclToArray in the UDF with the updated _MergeDaclToArray, this issue is resolved.

 

Adam

 


@Terenz Now, with the change to the UDF mentioned above, here is an example that I think will do what you need.

#RequireAdmin
#include 'Permissions.au3'

_InitiatePermissionResources()

Global $sFile = @ScriptDir & '\test.txt'
FileWrite($sFile, 'test')
MsgBox(0, "File", "Created")

Global $aPerm[1][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL

; Step 1: keep a copy of the original DACL before touching it
Global $pDACL = _GetObjectDacl($sFile)

; Step 2: add the new ACE(s) to the existing DACL
Global $iRet = _EditObjectPermissions($sFile, $aPerm)
MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
        'Check the file permissions before closing the message box.')

; Step 4: write the saved DACL back (only the DACL part of the security descriptor)
$iRet = _SetObjectSecurity($sFile, $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
        '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
        'Check the file permissions before closing the message box.')

FileDelete($sFile)
MsgBox(0, "File", "Deleted")

_ClosePermissionResources()

 

Adam

 

Edited by AdamUL

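The snapshot / add / work / restore sequence that Terenz asked for and the script above implements, as an added PowerShell example that is not from the thread or the Permissions UDF. It differs from the script above in two ways worth copying: the restore runs in a finally block so the original DACL comes back even when the task throws, and the result compares the DACL before and after so a failed restore is reported rather than assumed. Assumes PowerShell 5 or later and an elevated session; the temp file and the task are constructed.

```powershell
function Invoke-WithTemporaryAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][scriptblock]$Task,
        [string]$Principal = "$env:USERDOMAIN\$env:USERNAME"
    )
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    # 1) Snapshot the DACL as SDDL ('Access' = the D: section only), the role $pDACL plays above.
    $snapshot = (Get-Acl -LiteralPath $Path).GetSecurityDescriptorSddlForm('Access')
    try {
        # 2) Grant the caller FullControl with one explicit ACE; the rest of the DACL stays intact.
        $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Principal, 'FullControl', $inherit, 'None', 'Allow')
        $acl = Get-Acl -LiteralPath $Path
        $acl.AddAccessRule($ace)
        Set-Acl -LiteralPath $Path -AclObject $acl
        # 3) Do the work while the extra access is in place.
        & $Task
    }
    finally {
        # 4) Restore from a fresh security object that carries only the saved D: section,
        #    so Set-Acl rewrites the DACL and nothing else. Runs even if the task threw.
        if ($isDir) { $sd = [System.Security.AccessControl.DirectorySecurity]::new() }
        else        { $sd = [System.Security.AccessControl.FileSecurity]::new() }
        $sd.SetSecurityDescriptorSddlForm($snapshot)
        Set-Acl -LiteralPath $Path -AclObject $sd
    }
    # Verify the round trip: for a canonical DACL the SDDL is expected to match exactly.
    $after = (Get-Acl -LiteralPath $Path).GetSecurityDescriptorSddlForm('Access')
    [pscustomobject]@{
        Path     = $Path
        Restored = ($after -eq $snapshot)
        Before   = $snapshot
        After    = $after
    }
}

# Usage with a constructed temp file; the task just appends a line to it.
$file = Join-Path $env:TEMP 'acl-roundtrip-test.txt'
Set-Content -LiteralPath $file -Value 'test'
Invoke-WithTemporaryAccess -Path $file -Task { Add-Content -LiteralPath $file -Value 'done' }
Remove-Item -LiteralPath $file
```

A Restored value of False means the DACL written back differs from the snapshot; inspect the Before and After strings before trusting the restore on real folders.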