How to disable inheritance for folder when changing permissions with ADsSecurityUtility?

kosamja
Posted (edited)

How to disable inheritance for a folder when changing permissions with ADsSecurityUtility? I think that the Control property (https://msdn.microsoft.com/en-us/library/aa706131(v=vs.85).aspx) needs to be changed, but I can't find any example of how to change it to disable inheritance. Can someone write an example of how that can be done? Thanks.

[attached screenshot: SnapCrab_No-0001.png]

#NoTrayIcon
#RequireAdmin
#include <Constants.au3>
#include <GUIConstants.au3>
#include <MenuConstants.au3>
#include <SecurityConstants.au3>
#include <APIErrorsConstants.au3>
#include <WinAPIReg.au3>
#include <WinAPIFiles.au3>
#include <WinAPIHObj.au3>
#include <Security.au3>
#include <Debug.au3>
#include <Array.au3>
#include <File.au3>

_EnableAccessTokenPrivileges()
_ObjectSHFolder('C:\Users\Administrator\Desktop\AAA 2')
;~ _ObjectSHFolder('C:\Windows\System32\adsldpc.dll')
MsgBox(0,'','')
Exit

Func _ObjectSHFolder($sPath)
   ; ADSI constants (ADS_PATHTYPE_ENUM, ADS_SD_FORMAT_ENUM, ADS_ACEFLAG_ENUM, ADS_ACETYPE_ENUM, ADS_RIGHTS_ENUM)
   $ADS_PATH_FILE = 1
   $ADS_PATH_REGISTRY = 3
   $ADS_SD_FORMAT_IID = 1
   ; 0x1 = OBJECT_INHERIT_ACE and 0x2 = CONTAINER_INHERIT_ACE in ACE_HEADER terms; both are needed
   ; for an ACE on a folder to flow down to files and subfolders
   $ADS_ACEFLAG_UNKNOWN = 0x1
   $ADS_ACEFLAG_INHERIT_ACE = 0x2
   $ADS_ACETYPE_ACCESS_DENIED = 0x1
   $ADS_ACETYPE_ACCESS_ALLOWED = 0
   $ADS_RIGHT_GENERIC_ALL = 0x10000000
   $ADS_RIGHT_GENERIC_READ = 0x80000000
   $ADS_RIGHT_GENERIC_WRITE = 0x40000000
   $ADS_RIGHT_GENERIC_EXECUTE = 0x20000000
   ; Read the object's security descriptor as an IADsSecurityDescriptor
   $oADsSecurityUtility = ObjCreate('ADsSecurityUtility')
   If Not IsObj($oADsSecurityUtility) Then Return SetError(1, 0, False)
   $oSecurityDescriptor = $oADsSecurityUtility.GetSecurityDescriptor($sPath, $ADS_PATH_FILE, $ADS_SD_FORMAT_IID)
   If Not IsObj($oSecurityDescriptor) Then Return SetError(2, 0, False)
   ; Take ownership (needs SeTakeOwnershipPrivilege / SeRestorePrivilege, enabled in _EnableAccessTokenPrivileges)
   $oSecurityDescriptor.Owner = $SID_ADMINISTRATORS
   $oDacl = $oSecurityDescriptor.DiscretionaryAcl()
   If Not IsObj($oDacl) Then Return SetError(3, 0, False)
   ;~ For $oAceItem In $oDacl
   ;~    $oDacl.RemoveACE($oAceItem)
   ;~ Next
   $oAceList = ObjCreate('AccessControlList')
   ; Explicit ACE: Everyone, generic all, inheritable by files and subfolders
   $oAce = ObjCreate('AccessControlEntry')
   If Not IsObj($oAce) Then Return SetError(4, 0, False)
   $oAce.AccessMask = $ADS_RIGHT_GENERIC_ALL
   $oAce.AceType = $ADS_ACETYPE_ACCESS_ALLOWED
   $oAce.AceFlags = BitOR($ADS_ACEFLAG_UNKNOWN, $ADS_ACEFLAG_INHERIT_ACE)
   $oAce.Trustee = $SID_EVERYONE
   $oDacl.AddACE($oAce)
   ; Explicit ACE: Administrators, generic read, inheritable by files and subfolders
   $oAce = ObjCreate('AccessControlEntry')
   $oAce.AccessMask = $ADS_RIGHT_GENERIC_READ
   $oAce.AceType = $ADS_ACETYPE_ACCESS_ALLOWED
   $oAce.AceFlags = BitOR($ADS_ACEFLAG_UNKNOWN, $ADS_ACEFLAG_INHERIT_ACE)
   $oAce.Trustee = $SID_ADMINISTRATORS
   $oDacl.AddACE($oAce)
   ;~ For $oAceItem In $oAceList
   ;~    $oDacl.AddACE($oAceItem)
   ;~ Next
   ; Write the modified DACL back into the descriptor and apply it to the file-system object
   $oSecurityDescriptor.DiscretionaryAcl = $oDacl
   $oADsSecurityUtility.SetSecurityDescriptor($sPath, $ADS_PATH_FILE, $oSecurityDescriptor, $ADS_SD_FORMAT_IID)
EndFunc

Func _EnableAccessTokenPrivileges()
   $sProcessToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS)
   If $sProcessToken = 0 Then Return SetError(1, 0, False)
   If _Security__SetPrivilege($sProcessToken, $SE_RESTORE_NAME, True) = False Then Return SetError(2, 0, False)
   If _Security__SetPrivilege($sProcessToken, $SE_TAKE_OWNERSHIP_NAME, True) = False Then Return SetError(3, 0, False)
   If _Security__SetPrivilege($sProcessToken, $SE_DEBUG_NAME, True) = False Then Return SetError(4, 0, False)
   If _Security__SetPrivilege($sProcessToken, $SE_SECURITY_NAME, True) = False Then Return SetError(5, 0, False)
   _WinAPI_CloseHandle($sProcessToken)
   Return True
EndFunc

I know about the Set Acl UDF but can't use it because of 2 problems I sometimes get: "recursion level exceeded", and sometimes instead of changing permissions it just deletes them (clearing the DACL works but setting the new DACL fails), resulting in this:

[attached screenshot: SnapCrab_No-0000.png]

Edited by kosamja

kosamja
$SE_DACL_PRESENT = 0x0004
$SE_DACL_PROTECTED = 0x1000
$oSecurityDescriptor.Control = BitOR($SE_DACL_PRESENT, $SE_DACL_PROTECTED)

This works on Windows 7 for disabling inheritance, but not on Windows 10. Any way to make it work on Windows 10?
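The snippet above sets SE_DACL_PROTECTED on the descriptor's Control word, which is what "disable inheritance" means at the descriptor level. As an added example (not from this thread, and not using ADsSecurityUtility or the Set Acl UDF), the following PowerShell does the same thing through the .NET DirectorySecurity API, then re-reads the descriptor and checks that the SE_DACL_PRESENT and SE_DACL_PROTECTED bits actually landed in the Control field, using the same constant values as the snippet. It does not explain why the COM route behaves differently on Windows 10; it only gives a way to perform and verify the change. The folder path, account names and rights are placeholders chosen for the example.

```powershell
# Added example: disable DACL inheritance on a folder via System.Security.AccessControl
# and verify the result by decoding the Control word of the self-relative descriptor.
# Path and trustees below are placeholders for illustration.

$SE_DACL_PRESENT   = 0x0004
$SE_DACL_PROTECTED = 0x1000

function Get-DaclControl {
    # Returns the 16-bit Control word of the folder's security descriptor.
    # Self-relative layout: Revision (1 byte), Sbz1 (1 byte), Control (2 bytes, little-endian), offsets...
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $bytes = $acl.GetSecurityDescriptorBinaryForm()
    return [BitConverter]::ToUInt16($bytes, 2)
}

function Set-FolderDaclProtected {
    # Turns off inheritance on $Path. With -KeepInheritedRules the inherited ACEs are copied
    # to explicit ACEs (the "Convert" choice in the Explorer dialog); without it they are
    # dropped, so pass at least one explicit rule or the folder ends up with an empty DACL.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$KeepInheritedRules,
        [System.Security.AccessControl.FileSystemAccessRule[]]$ExplicitRules = @()
    )
    $acl = Get-Acl -LiteralPath $Path
    # arg 1: protect from inheritance; arg 2: preserve (copy) the currently inherited rules
    $acl.SetAccessRuleProtection($true, [bool]$KeepInheritedRules)
    foreach ($rule in $ExplicitRules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read from disk and report what the Control word says, not what we asked for
    $control = Get-DaclControl -Path $Path
    [pscustomobject]@{
        Path          = $Path
        Control       = ('0x{0:X4}' -f $control)
        DaclPresent   = [bool]($control -band $SE_DACL_PRESENT)
        DaclProtected = [bool]($control -band $SE_DACL_PROTECTED)
        Protected     = (Get-Acl -LiteralPath $Path).AreAccessRulesProtected
    }
}

# Usage (placeholder path and trustees): Administrators get full control, Users get
# read/execute, both flowing to files and subfolders; nothing is inherited from the parent.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, 'None', 'Allow')
)
Set-FolderDaclProtected -Path 'C:\Temp\AAA 2' -ExplicitRules $rules
```

Run it from an elevated prompt as the owner of the folder or with SeRestorePrivilege, the same requirements the AutoIt script enables with _EnableAccessTokenPrivileges. A result with DaclProtected = True and Protected = True means inheritance is off; DaclPresent = True together with an empty rule list is the "permissions deleted" state described earlier in the thread, which is why the function refuses to rely on inheritance and expects explicit rules.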
