
Get/Set ACL on shared folder in Windows Server OS



Hi,

I would like to know how to set (or get) ACL on a shared folder on Windows Server.

I found a VBA script here: http://gallery.technet.microsoft.com/scriptcenter/b3961e31-3843-4163-9e39-633518d3a362

It seems it can do what I want. I tried to convert it but unfortunately I'm blocked on the line "SecDesc.Properties_.Item("DACL") = Array(ACE)". I don't know how to handle the array function.

My goal is to develop software which can manipulate Active Directory (create/modify/delete users/groups) and create shared folders with rights.

I played with the AD UDF. It is perfect. Now I'm looking for shared folder rights.

I'll be happy if you can help me :).

Thank you in advance.


The Array func in vbscript creates an array object on-the-fly.

I think you can just create the array and feed it to the object function.

Local $arr[1] = [$ACE]
$SecDesc.Properties_.Item("DACL") = $arr

Indeed you're right. Thanks.

Here is the code :

$Foldername="d:\test"    ;folder to share
$sharename="Partage de test"    ;Share Name
$strDesc="Un petit test réussi."    ;Share Description
$strUser="beau"        ;User to set permissions for

$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
; Connects to the WMI service with security privileges
$SecDescClass = $objWMIService.Get("Win32_SecurityDescriptor")
; Need an instance of the Win32_SecurityDescriptor so we can create an instance of a Security Descriptor.
$SecDesc = $SecDescClass.SpawnInstance_()
; Create an instance of a Security Descriptor.

$colWinAcc = $objWMIService.ExecQuery("SELECT * FROM Win32_ACCOUNT WHERE Name='" & $strUser & "'")
If $colWinAcc.Count < 1 Then
    ConsoleWrite("User " & $strUser & " Not Found - quitting" & @CR)
    Exit 1
EndIf
; Find the WMI representation of a particular Windows Account

For $refItem in $colWinAcc
    $refSID = $objWMIService.Get("Win32_SID='" & $refItem.SID & "'")
    ; Get the SID for the chosen Windows account.
Next

$refTrustee = $objWMIService.Get("Win32_Trustee").spawnInstance_()
; Creates an instance of a Windows Security Trustee (usually a user but anything with a SID I guess...)

With $refTrustee
    .Domain = $refSID.ReferencedDomainName
    .Name = $refSID.AccountName
    .SID = $refSID.BinaryRepresentation
    .SidLength = $refSID.SidLength
    .SIDString = $refSID.SID
EndWith
; Sets the trustee object up with the SID & all that malarkey from the user object we have chosen to work on

$ACE = $objWMIService.Get("Win32_Ace").SpawnInstance_
; Creates an instance of an Access Control Entry Object(this will be one entry on the access list on an object)

$ACE.Properties_.Item("AccessMask") = 2032127
; This is full Control
; (bitflag) full list here: http://blogs.msdn.com/b/helloworld/archive/2008/06/10/common-accessmask-value-when-configuring-share-permission-programmatically.aspx

$ACE.Properties_.Item("AceFlags") = 3
; What the ACE applies to, including inheritance:
; 3 means files & folders get the permissions & pass them on to children

$ACE.Properties_.Item("AceType") = 0
; 0=allow access 1=deny access

$ACE.Properties_.Item("Trustee") = $refTrustee
; Set the Trustee (user) that this Access control Entry will refer to.

Local $array[1] = [$ACE]
$SecDesc.Properties_.Item("DACL") = $array
; Set the DACL property of the Security Descriptor object
; Add the ACE to the Discretionary Access Control List on the object (an array); it will overwrite the old entries
; unless you retrieve & save 'em first & add them to a big array with the new entry as well as the old ones

$Share = $objWMIService.Get("Win32_Share")
; Get a WMI share Object

$InParam = $Share.Methods_("Create").InParameters.SpawnInstance_()
; Create an instance of a WMI input Parameters object

$InParam.Properties_.Item("Access") = $SecDesc
; Set the Access Parameter to the Security Descriptor Object we configured above

$InParam.Properties_.Item("Description") = $strDesc
$InParam.Properties_.Item("Name") = $ShareName
$InParam.Properties_.Item("Path") = $FolderName
$InParam.Properties_.Item("Type") = 0
$outParams=$Share.ExecMethod_("Create", $InParam)

; Create the share with all the parameters we have set up
ConsoleWrite("OUT: " & $outParams.returnValue&@cr)
If $outParams.returnValue <> 0 Then
    ConsoleWrite("Failed to Create Share, return Code:" & $outParams.returnValue&@cr)
Else
    ConsoleWrite("Folder " & $Foldername & " successfully shared as: " & $sharename & " with FULL CONTROL Permissions for user " & $strUser & @CR)
EndIf

This script creates a shared folder and applies Shared Rights from the specified user to it.

But like I said it is the Shared Rights and not the NTFS Rights.

Do you know a way to set NTFS rights permission ?
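
Added example, not part of the original post or any forum member's code: the script's comment notes that assigning the DACL overwrites existing entries unless they are retrieved first. This reads an existing share's DACL through Win32_LogicalShareSecuritySetting, lists it, and appends one allow ACE. The share name, account and READ mask are assumed values, and it needs an elevated session on the server holding the share.

```autoit
; Added example, not code from the thread. Share name, account and mask are assumptions.
Local $sShare = "Partage de test"   ; existing share (name reused from the script above)
Local $sUser = "beau"               ; account to add
Local $iMask = 1179817              ; 0x001200A9 = READ share permission
Local $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

; Read the share's current security descriptor
Local $oSetting = $oWMI.Get("Win32_LogicalShareSecuritySetting.Name='" & $sShare & "'")
Local $oOut = $oSetting.ExecMethod_("GetSecurityDescriptor")
If $oOut.ReturnValue <> 0 Then
    ConsoleWrite("GetSecurityDescriptor failed: " & $oOut.ReturnValue & @CR)
    Exit 1
EndIf
Local $oSD = $oOut.Descriptor
Local $aDacl = $oSD.DACL
If Not IsArray($aDacl) Then Exit 1 ; no DACL array returned, nothing to merge into

; Audit step: print what is already granted before changing anything
For $oOld In $aDacl
    ConsoleWrite(StringFormat("%s type=%d mask=0x%08X\n", $oOld.Trustee.Name, $oOld.AceType, $oOld.AccessMask))
Next

; Resolve the account to a trustee, as in the script above
Local $oSid = 0
For $oAcct In $oWMI.ExecQuery("SELECT * FROM Win32_Account WHERE Name='" & $sUser & "'")
    $oSid = $oWMI.Get("Win32_SID='" & $oAcct.SID & "'")
Next
If Not IsObj($oSid) Then
    ConsoleWrite("Account " & $sUser & " not found" & @CR)
    Exit 1
EndIf
Local $oTrustee = $oWMI.Get("Win32_Trustee").SpawnInstance_()
$oTrustee.Domain = $oSid.ReferencedDomainName
$oTrustee.Name = $oSid.AccountName
$oTrustee.SID = $oSid.BinaryRepresentation

Local $oAce = $oWMI.Get("Win32_Ace").SpawnInstance_()
$oAce.AccessMask = $iMask
$oAce.AceFlags = 0  ; no inheritance flags
$oAce.AceType = 0   ; 0 = allow
$oAce.Properties_.Item("Trustee") = $oTrustee

; Append the allow ACE after the existing entries and write the descriptor back
ReDim $aDacl[UBound($aDacl) + 1]
$aDacl[UBound($aDacl) - 1] = $oAce
$oSD.Properties_.Item("DACL") = $aDacl
Local $oIn = $oSetting.Methods_("SetSecurityDescriptor").InParameters.SpawnInstance_()
$oIn.Properties_.Item("Descriptor") = $oSD
ConsoleWrite("SetSecurityDescriptor: " & $oSetting.ExecMethod_("SetSecurityDescriptor", $oIn).ReturnValue & @CR)
```

Appending an allow ACE at the end keeps any existing deny entries ahead of it in the list.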


This UDF might be of some use to you.


  • 2 years later...

Hi,

I was interested in setting an ACL on a shared folder, but I think the WMI way is too complicated.

I tried another way I didn't know about until now: "net share"

With that, you can create a shared folder and grant access to the users you want.

Example with an existing folder "C:\MyShare", where I wish to give the "Administrators" group full rights and "Everyone" read-only access:

net share ExampleShare="C:\MyShare" /GRANT:Administrators,FULL /GRANT:Everyone,READ
