kosamja Posted March 23, 2018 (edited)

How to disable inheritance for a folder when changing permissions with ADsSecurityUtility? I think that the Control property (https://msdn.microsoft.com/en-us/library/aa706131(v=vs.85).aspx) needs to be changed, but I can't find any example of how to change it to disable inheritance. Can someone write an example of how that can be done? Thanks.

```autoit
#NoTrayIcon
#RequireAdmin

#include <Constants.au3>
#include <GUIConstants.au3>
#include <MenuConstants.au3>
#include <SecurityConstants.au3>
#include <APIErrorsConstants.au3>
#include <WinAPIReg.au3>
#include <WinAPIFiles.au3>
#include <WinAPIHObj.au3>
#include <Security.au3>
#include <Debug.au3>
#include <Array.au3>
#include <File.au3>

_EnableAccessTokenPrivileges()
_ObjectSHFolder('C:\Users\Administrator\Desktop\AAA 2')
;~ _ObjectSHFolder('C:\Windows\System32\adsldpc.dll')
MsgBox(0,'','')
Exit

Func _ObjectSHFolder($sPath)
    $ADS_PATH_FILE = 1
    $ADS_PATH_REGISTRY = 3
    $ADS_SD_FORMAT_IID = 1
    $ADS_ACEFLAG_UNKNOWN = 0x1
    $ADS_ACEFLAG_INHERIT_ACE = 0x2
    $ADS_ACETYPE_ACCESS_DENIED = 0x1
    $ADS_ACETYPE_ACCESS_ALLOWED = 0
    $ADS_RIGHT_GENERIC_ALL = 0x10000000
    $ADS_RIGHT_GENERIC_READ = 0x80000000
    $ADS_RIGHT_GENERIC_WRITE = 0x40000000
    $ADS_RIGHT_GENERIC_EXECUTE = 0x20000000

    $oADsSecurityUtility = ObjCreate('ADsSecurityUtility')
    If not IsObj($oADsSecurityUtility) Then Return SetError(1, 0, False)

    $oSecurityDescriptor = $oADsSecurityUtility.GetSecurityDescriptor($sPath, $ADS_PATH_FILE, $ADS_SD_FORMAT_IID)
    If not IsObj($oSecurityDescriptor) Then Return SetError(2, 0, False)

    $oSecurityDescriptor.Owner = $SID_ADMINISTRATORS

    $oDacl = $oSecurityDescriptor.DiscretionaryAcl()
    If not IsObj($oDacl) Then Return SetError(3, 0, False)

;~  For $oAceItem in $oDacl
;~      $oDacl.RemoveACE($oAceItem)
;~  Next

    $oAceList = ObjCreate('AccessControlList')

    $oAce = ObjCreate('AccessControlEntry')
    If not IsObj($oAce) Then Return SetError(4, 0, False)
    $oAce.AccessMask = $ADS_RIGHT_GENERIC_ALL
    $oAce.AceType = $ADS_ACETYPE_ACCESS_ALLOWED
    $oAce.AceFlags = BitOR($ADS_ACEFLAG_UNKNOWN, $ADS_ACEFLAG_INHERIT_ACE)
    $oAce.Trustee = $SID_EVERYONE
    $oDacl.AddACE($oAce)

    $oAce = ObjCreate('AccessControlEntry')
    $oAce.AccessMask = $ADS_RIGHT_GENERIC_READ
    $oAce.AceType = $ADS_ACETYPE_ACCESS_ALLOWED
    $oAce.AceFlags = BitOR($ADS_ACEFLAG_UNKNOWN, $ADS_ACEFLAG_INHERIT_ACE)
    $oAce.Trustee = $SID_ADMINISTRATORS
    $oDacl.AddACE($oAce)

;~  For $oAceItem in $oAceList
;~      $oDacl.AddACE($oAceItem)
;~  Next

    $oSecurityDescriptor.DiscretionaryAcl = $oDacl
    $oADsSecurityUtility.SetSecurityDescriptor($sPath, $ADS_PATH_FILE, $oSecurityDescriptor, $ADS_SD_FORMAT_IID)
EndFunc

Func _EnableAccessTokenPrivileges()
    $sProcessToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
    If $sProcessToken = 0 Then Return SetError(1, 0, False)
    If _Security__SetPrivilege($sProcessToken, $SE_RESTORE_NAME, True) = False Then Return SetError(2, 0, False)
    If _Security__SetPrivilege($sProcessToken, $SE_TAKE_OWNERSHIP_NAME, True) = False Then Return SetError(3, 0, False)
    If _Security__SetPrivilege($sProcessToken, $SE_DEBUG_NAME, True) = False Then Return SetError(4, 0, False)
    If _Security__SetPrivilege($sProcessToken, $SE_SECURITY_NAME, True) = False Then Return SetError(5, 0, False)
    _WinAPI_CloseHandle($sProcessToken)
    Return True
EndFunc
```

I know about the Set Acl UDF but can't use it because of 2 problems I sometimes get: recursion level exceeded, and sometimes instead of changing permissions it just deletes them (clearing the DACL works but setting the new DACL fails), resulting in this:

Edited March 23, 2018 by kosamja

kosamja Posted March 24, 2018 Author

```autoit
$SE_DACL_PRESENT = 0x0004
$SE_DACL_PROTECTED = 0x1000
$oSecurityDescriptor.Control = BitOR($SE_DACL_PRESENT, $SE_DACL_PROTECTED)
```

This works on Windows 7 for disabling inheritance, but not on Windows 10. Any way to make it work on Windows 10?
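
For comparison with the Control-bit approach in the post above, an added example (not from the thread) that sets the same protected-DACL flag through the .NET ACL API in PowerShell instead of ADsSecurityUtility, then re-reads the descriptor from disk to confirm the change. The function name `Disable-FolderInheritance` and the temporary test folder are assumptions made for the example.

```powershell
# Added example: disable DACL inheritance on a folder and verify the result.
# Disable-FolderInheritance is a hypothetical helper name, not a built-in cmdlet.
function Disable-FolderInheritance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # $true copies the currently inherited ACEs into explicit ones;
        # $false drops them, leaving only ACEs set directly on the folder.
        [bool] $KeepInheritedAsExplicit = $true
    )

    $acl = Get-Acl -LiteralPath $Path

    # First argument marks the DACL as protected (SE_DACL_PROTECTED, 0x1000).
    $acl.SetAccessRuleProtection($true, $KeepInheritedAsExplicit)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the descriptor back from disk instead of trusting the in-memory object.
    $check     = Get-Acl -LiteralPath $Path
    $inherited = @($check.Access | Where-Object { $_.IsInherited })

    [pscustomobject]@{
        Path          = $Path
        Protected     = $check.AreAccessRulesProtected
        InheritedAces = $inherited.Count
        Sddl          = $check.Sddl   # a protected DACL carries "P" in the flags after "D:"
    }
}

# Constructed test target: a throwaway folder under the current user's temp directory.
$dir = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-test-$(Get-Random)")

$result = Disable-FolderInheritance -Path $dir.FullName
if (-not $result.Protected -or $result.InheritedAces -gt 0) {
    Write-Warning "Inheritance is still active on $($result.Path)"
}
$result | Format-List

Remove-Item -LiteralPath $dir.FullName -Recurse -Force
```

The readback step is what shows whether a write that returned no error actually left the protected flag set on the target.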