Jump to content
Sign in to follow this  

Get/Set ACL on shared folder in Windows Server OS

Recommended Posts


I would like to know how to set (or get) ACL on a shared folder on Windows Server.

I found a VBA script here : http://gallery.technet.microsoft.com/scriptcenter/b3961e31-3843-4163-9e39-633518d3a362

It seems it can do what I want. I tryed to convert it but unfortunatly I'm blocked on the line "SecDesc.Properties_.Item("DACL") = Array(ACE)". I don't know how to handle the array function.

My goal is to develop a soft which can manipulate Active Directory (create/modify/delete users/groups) and create shared folders with rights.

I played with the AD UDF. It is perfect. Now I'm looking for shared folder rights.

I'll be happy if you can help me :).

Thank you in advance.

Share this post

Link to post
Share on other sites

The Array func in vbscript creates an array object on-the-fly.

I think you can just create the array and feed it to the object function.

SecDesc.Properties_.Item("DACL") = $arr

Share this post

Link to post
Share on other sites

Indeed you're right. Thanks.

Here is the code :

$Foldername="d:\test"    ;folder to share
$sharename="Partage de test"    ;Share Name
$strDesc="Un petit test réussi."    ;Share Description
$strUser="beau"        ;User to set permissions for

$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
; Connects to the WMI service with security privileges
$SecDescClass = $objWMIService.Get("Win32_SecurityDescriptor")
; Need an instance of the Win32_SecurityDescriptor so we can create an instance of a Security Descriptor.
$SecDesc = $SecDescClass.SpawnInstance_()
; Create an instance of a Security Descriptor.

$colWinAcc = $objWMIService.ExecQuery("SELECT * FROM Win32_ACCOUNT WHERE Name='" & $strUser & "'")
If $colWinAcc.Count < 1 Then
    ConsoleWrite("User " & $strUser & "Not Found - quitting"&@cr)
; Find the WMI representation of a particular Windows Account

For $refItem in $colWinAcc
    $refSID = $objWMIService.Get("Win32_SID='" & $refItem.SID & "'")
    ; Get the SID for the choosen Windows account.

$refTrustee = $objWMIService.Get("Win32_Trustee").spawnInstance_()
; Creates an instance of a Windows Security Trustee (usually a user but anything with a SID I guess...)

With $refTrustee
    .Domain = $refSID.ReferencedDomainName
    .Name = $refSID.AccountName
    .SID = $refSID.BinaryRepresentation
    .SidLength = $refSID.SidLength
    .SIDString = $refSID.SID
; Sets the trustee object up with the SID & all that malarkey from the user object we have choosen to work on

$ACE = $objWMIService.Get("Win32_Ace").SpawnInstance_
; Creates an instance of an Access Control Entry Object(this will be one entry on the access list on an object)

$ACE.Properties_.Item("AccessMask") = 2032127
; This is full Control
; (bitflag) full list here: http://blogs.msdn.com/b/helloworld/archive/2008/06/10/common-accessmask-value-when-configuring-share-permission-programmatically.aspx

$ACE.Properties_.Item("AceFlags") = 3
; what to apply ACE to inc
; inhehitance 3 - means files & folders get permssions & pass onto children

$ACE.Properties_.Item("AceType") = 0
; 0=allow access 1=deny access

$ACE.Properties_.Item("Trustee") = $refTrustee
; Set the Trustee (user) that this Access control Entry will refer to.

Local $array[1] = [$ACE]
$SecDesc.Properties_.Item("DACL") = $array
; Get the DACL property of the Security Descriptor object
; Add the ACE to the Dynamic Access Control List on the object (an array) it will overwrite the old entries
; unless you retreive & save 'em first & add them to a big array with the new entry as well as the old ones

$Share = $objWMIService.Get("Win32_Share")
; Get a WMI share Object

$InParam = $Share.Methods_("Create").InParameters.SpawnInstance_()
; Create an instance of a WMI input Parameters object

$InParam.Properties_.Item("Access") = $SecDesc
; Set the Access Parameter to the Security Descriptor Object we configured above

$InParam.Properties_.Item("Description") = $strDesc
$InParam.Properties_.Item("Name") = $ShareName
$InParam.Properties_.Item("Path") = $FolderName
$InParam.Properties_.Item("Type") = 0
$outParams=$Share.ExecMethod_("Create", $InParam)

; Create the share with all the parameters we have set up
ConsoleWrite("OUT: " & $outParams.returnValue&@cr)
If $outParams.returnValue <> 0 Then
    ConsoleWrite("Failed to Create Share, return Code:" & $outParams.returnValue&@cr)
    ConsoleWrite("Folder " & $Foldername & " sucessfully shared as: " & $sharename & " with FULL CONTROL Permissions for user " & $strUser&@cr)

This script creates a shared folder and applies Shared Rights from the specified user to it.

But like I said it is the Shared Rights and not the NTFS Rights.

Do you know a way to set NTFS rights permission ?

Share this post

Link to post
Share on other sites

I know this tool (or SetACL.exe/COM) but I would like to do it with AutoIt. It seems I'm not far from what i'm looking for with the above code...

Share this post

Link to post
Share on other sites

>This UDF might be of some use to you.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post

Link to post
Share on other sites


I was interested in the fact of set ACL on a shared folder, but I think WMI way is too complicated.

I tried another way I didn't know until now : "net share"

With that, you can create a shared folder, and grant users you want.

Example with an existing folder "C:\MyShare" and if I wish to have "Administrators" group with full rights and "Everyone" Read only.

net share ExampleShare="C:\MyShare" /GRANT:Administrators:FULL /GRANT:Everyone,READ


Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...