
Set Acl permissions UDF


Finally did it :sweating:

Hope I did it correctly; at least there were no errors.

Steps I followed:

1) Read the object DACL using _GetObjectDacl

2) Excluded the required DACL which needed to be removed (exactly opposite of what's happening in _MergeDaclToArray)

3) Clear the object's DACL using _ClearObjectDacl

4) Set back the DACL using _SetFileObjectSecurity

The UDF is simply awesome; it's just hard for newcomers to find the way to such new things :)

Wouldn't it be great to add some function to remove permissions as well?

Also one more to LookupAccountSid.

Amol

On 04-11-2011 at 2:01 PM, FredAI said:

Take a look at this code:

#include 'Permissions.au3'
_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()

Local $aPerm[2][3]                  ; one row per ACE: [account, allow(1)/deny(0), access mask]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE
; object type $SE_FILE_OBJECT; the remaining arguments set the owner, clear the DACL and recurse (explained below)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' milliseconds.')
_ClosePermissionResources()


You just have to create an array with the permissions you want to set:

$array[0][0] - First ACE user name or SID string

$array[0][1] - 1 or 0, whether to grant or deny the permissions defined in the access mask ($array[0][2])

$array[0][2] - One or more access mask values, e.g. $GENERIC_READ+$GENERIC_EXECUTE

$array[1][0] - Second ACE user name or SID string

$array[1][1] - 1 or 0, whether to grant or deny the permissions defined in the access mask ($array[1][2])

$array[1][2] - One or more access mask values, e.g. $GENERIC_READ+$GENERIC_EXECUTE

And so on. You can add as many ACEs as you want. The access-denied ACEs have priority over the allowed ones.

Then you can set the owner, clear the DACL and recurse containers and objects (for folders and registry keys). When recursing, the child objects will automatically inherit the permissions from the parent one.

Don't know what else you can do by modifying the security descriptor.

I tried the above code, but it does not work.

It doesn't put "username" or "everyone" on the ACL.

It is just blank.

I really need this to work. I have 300+ folders I need to set ACLs for.

I have e.g. a folder called CC120800 and I need to add an AD group called DKSO_NTFS_CC120800 with modify access.

Hope someone can help me.

[Attachment: ACL on test file.JPG]

Yours sincerely

Kenneth.

6 minutes ago, Valnurat said:

But I'm local admin on my computer?

Guess you have some reading to do around the use of UAC in Windows. ;)

Jos


OK. I tried this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()

Local $aPerm[2][3]                  ; [account, allow(1)/deny(0), access mask]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' milliseconds.')
_ClosePermissionResources()

and it works very well.

But if I try this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = '\\servername\share\NewTestFolder'   ; UNC path to an existing folder on a share
Local $TI = TimerInit()

Local $aPerm[2][3]                  ; [account, allow(1)/deny(0), access mask]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'GROUPNAME' ;<---- this is an AD Groupname
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' milliseconds.')
_ClosePermissionResources()

it does not work.

The problem is that my NewTestFolder does not exist anymore, or it is still there in some way, because if I create a new folder with the same name, I get an error that the folder can't be renamed.

Of course the "GROUPNAME" isn't the correct one in this example, but I don't know if I just write the AD group or do I need to do something special to have this work?

"Everyone" is standard.

Yours sincerely

Kenneth.

On 13-04-2016 at 3:34 PM, AmolT said:

Finally did it :sweating:

Hope I did it correctly; at least there were no errors.

Steps I followed:

1) Read the object DACL using _GetObjectDacl

2) Excluded the required DACL which needed to be removed (exactly opposite of what's happening in _MergeDaclToArray)

3) Clear the object's DACL using _ClearObjectDacl

4) Set back the DACL using _SetFileObjectSecurity

The UDF is simply awesome; it's just hard for newcomers to find the way to such new things :)

Wouldn't it be great to add some function to remove permissions as well?

Also one more to LookupAccountSid.

Amol

Could you show me how you did it?

I can't figure it out.


Yours sincerely

Kenneth.


When I do this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
Local $aPerm[2][3]                  ; [account, allow(1)/deny(0), access mask]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' milliseconds.')
_ClosePermissionResources()

It deletes the original DACL and then just adds @UserName and Everyone.

But if I want to keep the original DACL and want to add @UserName and Everyone I guess I need to use _MergeDaclToArray. So I did this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
Local $aDACL                        ; declared but never given a value
Local $sTest = _GetObjectDACL($File)
MsgBox(0,"",$sTest)
If _MergeDaclToArray($sTest,$aDACL) = 0 Then
    MsgBox(0,"Failed","Merge Dacl To Array")
    Exit
EndIf
_ArrayDisplay($aDACL,"ACL")
Local $aPerm[2][3]                  ; [account, allow(1)/deny(0), access mask]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' milliseconds.')
_ClosePermissionResources()

but my _MergeDaclToArray returns 0.

I don't know if this is the right way to do it.

Can someone help me?

Yours sincerely

Kenneth.


@Valnurat this is a long post, but I hope I can answer some of your questions.  I'm not an expert with this UDF, and learned even more when I was looking at your issues.  

Your $aDACL is an empty array in your _MergeDaclToArray function call, that is why you get 0.  You only declare the variable, but did not set a value to it.  That is not what your problem is.  You are using an incorrect function to do what I think you want to do.  You need to use _EditObjectPermissions. This will allow you to add new ACEs to the existing ACL using a permissions array.  Also, the script needs to be run with #RequireAdmin for it to work, or it will fail to set the permissions at all.  Here is an edited version of your script that works for me.  

#RequireAdmin                       ; needed, or the permissions are not set at all
#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()

Local $File = @ScriptDir & '\test.txt'
FileWrite($File,'test')

Local $TI = TimerInit()

Local $aPerm[2][3]                  ; [account, allow(1)/deny(0), access mask]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT   ; Modify, as defined in the UDF
_ArrayDisplay($aPerm,$File)

Local $ret = _EditObjectPermissions($File, $aPerm)   ; adds the ACEs to the existing ACL
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '& $ret & @CRLF & '   Time: '&Round($TD,2) & ' milliseconds.')

_ClosePermissionResources()

I also found a bug in the _EditObjectPermissions function.  On line 602, change the following.

_MergeDaclToArray($Dacl, $aPermissions)

to

If $ClearDacl Then _MergeDaclToArray($Dacl, $aPermissions)

If you do not change it, you will have the inherited ACEs duplicated as non-inherited ACEs on the object, in addition to the ACEs that you added.  This is not completely correct.  The ACEs are duplicated. If you do what I specify above, you will lose all the local ACEs along with the duplicated ACEs.  I'm not sure what is causing this, and in which function.  I have read the whole thread, and this is a known issue that has not been corrected.

Quote

How do I add access for the "modify"?

I see you found it out by doing it explicitly in your last post, but it is defined in the UDF as $FILE_AUTH_USERS_DEFAULT.  

Quote

Of course the "GROUPNAME" isn't the correct one in this example, but I don't know if I just write the AD Group or do I need to do something special to have this to work?

When adding a domain group, you have to have it in the format "domain\groupname" e.g. AD\Group_Name, if not, it will look for the group on the local PC.  You could also use the group's SID as well.  Here is an example array, using the array used in the example script above.  

Global $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'AD\Group_Name'
$aPerm[1][1] = 1
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT

Hope that helps.  

Adam

Hello. I have tried to play with this UDF but I can't reach my goal. I'd like to do:

1) Get the file permissions of the file

2) Add full access to that file for my user

3) Do some task

4) When I'm finished, restore the file permissions to the original ones from point 1)

Does someone have an example to play with and experiment? I think _CopyFullDacl is involved in some way, but I don't understand where it takes the original file permissions from. Thanks

On 8/1/2016 at 11:11 AM, Kaimberex said:

getting this error when trying to do a syntax check:

error: $ACCESS_SYSTEM_SECURITY previously declared as a 'Const'.
Global Const $ACCESS_SYSTEM_SECURITY     = 0x01000000

I just commented it out as it's already declared in SecurityConstants.au3


I think I have found the solution to the issue that I posed in #133 about inherited ACEs being added to the ACL when you use the _EditObjectPermissions function.   

The issue is with the _MergeDaclToArray function.  If you look in post #50, FredAI posts an updated _MergeDaclToArray function that was never added to the UDF.  

If you replace the _MergeDaclToArray in the UDF with the updated _MergeDaclToArray, this issue is resolved.  

Adam
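Kenneth's case earlier in the thread (hundreds of folders, each needing its matching DKSO_NTFS_<folder> domain group with Modify) combined with the domain\group requirement from AdamUL's answer and the _MergeDaclToArray fix above, as an added AutoIt example; it is not code from the UDF or from any post in this thread. It assumes the UDF already carries the updated _MergeDaclToArray, that _EditObjectPermissions returns 0 on failure, and that \\servername\share, DOMAIN and the two function names _GrantModifyToDomainGroup and _ApplyGroupsToAllFolders are placeholders of mine.

```autoit
#RequireAdmin                          ; without elevation the UDF cannot write the ACL (see Jos and AdamUL above)
#include 'Permissions.au3'

; Added example, not from the UDF or any post in this thread. Assumes the UDF already has the
; updated _MergeDaclToArray and that _EditObjectPermissions returns 0 on failure.
Global Const $g_sRoot = '\\servername\share'   ; constructed placeholder share
Global Const $g_sDomain = 'DOMAIN'             ; placeholder NetBIOS domain name
Global Const $g_sGroupPrefix = 'DKSO_NTFS_'    ; naming convention from Kenneth's post

; Grants Modify ($FILE_AUTH_USERS_DEFAULT in the UDF) to one domain group on one folder,
; keeping the existing ACL. Returns 1 on success; returns 0 with @error = 1 if the folder
; is missing or @error = 2 if the UDF call failed.
Func _GrantModifyToDomainGroup($sFolder, $sGroup)
    If Not FileExists($sFolder) Then Return SetError(1, 0, 0)
    Local $aPerm[1][3]
    $aPerm[0][0] = $g_sDomain & '\' & $sGroup   ; must be domain\group; a bare name is looked up locally
    $aPerm[0][1] = 1                            ; 1 = allow ACE, 0 = deny ACE
    $aPerm[0][2] = $FILE_AUTH_USERS_DEFAULT     ; Modify, as defined in Permissions.au3
    If _EditObjectPermissions($sFolder, $aPerm) = 0 Then Return SetError(2, 0, 0)
    Return 1
EndFunc

; Applies the convention to every subfolder of $g_sRoot (CC120800 -> DKSO_NTFS_CC120800).
; Returns the number of folders that could not be updated, or -1 if the share is unreadable.
Func _ApplyGroupsToAllFolders()
    Local $iFailed = 0, $sName, $iOk, $iErr
    Local $hSearch = FileFindFirstFile($g_sRoot & '\*')
    If $hSearch = -1 Then Return -1
    While 1
        $sName = FileFindNextFile($hSearch)
        If @error Then ExitLoop
        If Not @extended Then ContinueLoop       ; @extended is 1 only for directories
        $iOk = _GrantModifyToDomainGroup($g_sRoot & '\' & $sName, $g_sGroupPrefix & $sName)
        $iErr = @error                           ; capture before the next call resets it
        If $iOk Then
            ConsoleWrite('OK    ' & $sName & @CRLF)
        Else
            $iFailed += 1
            ConsoleWrite('FAIL  ' & $sName & ' (error ' & $iErr & ')' & @CRLF)
        EndIf
    WEnd
    FileClose($hSearch)
    Return $iFailed
EndFunc

_InitiatePermissionResources()
Global $g_iFailed = _ApplyGroupsToAllFolders()
_ClosePermissionResources()
MsgBox(0, 'Done', 'Folders not updated: ' & $g_iFailed & ' (-1 = share unreadable).' & @CRLF & _
        'Verify the ACLs in Explorer before relying on them.')
```

Run it first against a copy of a few folders and compare the resulting ACLs with the originals, since a wrong group name fails per folder rather than aborting the whole run.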

@Terenz Now with the change to the UDF mentioned above.  Here is an example that I think will do what you need.  

#RequireAdmin
#include 'Permissions.au3'

_InitiatePermissionResources()

Global $sFile = @ScriptDir & '\test.txt'
FileWrite($sFile, 'test')
MsgBox(0, "File", "Created")

Global $aPerm[1][3]                 ; [account, allow(1)/deny(0), access mask]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL

Global $pDACL = _GetObjectDacl($sFile)   ; save the original DACL so it can be restored later

Global $iRet = _EditObjectPermissions($sFile, $aPerm)   ; add full access for the current user
MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
        'Check the file permissions before closing the message box.')

; write the saved DACL back to the file
$iRet = _SetObjectSecurity($sFile, $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
        '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
        'Check the file permissions before closing the message box.')

FileDelete($sFile)
MsgBox(0, "File", "Deleted")

_ClosePermissionResources()

Adam