Sign in to follow this  
Followers 0

Set ACL on windows Objects

28 posts in this topic

#1 ·  Posted (edited)

Set ACL properties in Windows

Several users in the help forum wondered how to set ACL properties in windows, by means of a script.

For those who dont know what ACL is :

Access Control List. An Access Control List is a list attached to an object such as a file, printer, AD object, ... . It consists of control expressions, each of which grants or denies some ability to a particular user or group of users or object.

More info : http://www.pluralsight.com/wiki/default.as...edSecurity.html

Well there are serveral ways of doing this. But one easy going is this using the SetACL COM Object.

SetACL in Windows

This also comes along with a commandline tool.

This is a quick example on how to get started.

;SetACL $ACCESS Modes
Const $DENY_ACCESS = 3
Const $GRANT_ACCESS = 1
Const $REVOKE_ACCESS = 4
Const $SET_ACCESS = 2
Const $SET_AUDIT_FAILURE = 6
Const $SET_AUDIT_SUCCESS = 5

;SetACL Actions
Const $ACTN_ADDACE = 1
Const $ACTN_CLEARDACL = 16
Const $ACTN_CLEARSACL = 32
Const $ACTN_COPYDOMAIN = 1024
Const $ACTN_COPYTRUSTEE = 1024
Const $ACTN_DOMAIN = 8192
Const $ACTN_LIST = 2
Const $ACTN_REMOVEDOMAIN = 512
Const $ACTN_REMOVETRUSTEE = 512
Const $ACTN_REPLACEDOMAIN = 256
Const $ACTN_REPLACETRUSTEE = 256
Const $ACTN_RESETCHILDPERMS = 128
Const $ACTN_RESTORE = 2048
Const $ACTN_SETGROUP = 8
Const $ACTN_SETINHFROMPAR = 64
Const $ACTN_SETOWNER = 4
Const $ACTN_TRUSTEE = 4096

;SetACL Inheritance Values
Const $INHPARCOPY = 2
Const $INHPARNOCHANGE = 0
Const $INHPARNOCOPY = 4
Const $INHPARYES = 1

;SetACL $LIST Formats
Const $LIST_CSV = 1
Const $LIST_SDDL = 0
Const $LIST_TAB = 2

;SetACL $LIST Names
Const $LIST_NAME = 1
Const $LIST_NAME_SID = 3
Const $LIST_SID = 2

;SetACL Recursion
Const $RECURSE_CONT = 2
Const $RECURSE_CONT_OBJ = 6
Const $RECURSE_NO = 1
Const $RECURSE_OBJ = 4

;SetACL Return COdes
Const $RTN_ERR_ADD_ACE = 32
Const $RTN_ERR_CONVERT_SD = 27
Const $RTN_ERR_COPY_ACL = 31
Const $RTN_ERR_CREATE_SD = 45
Const $RTN_ERR_DEL_ACE = 30
Const $RTN_ERR_DIS_PRIV = 13
Const $RTN_ERR_EN_PRIV = 12
Const $RTN_ERR_FINDFILE = 16
Const $RTN_ERR_GENERAL = 2
Const $RTN_ERR_GET_SD_CONTROL = 17
Const $RTN_ERR_GETSECINFO = 5
Const $RTN_ERR_IGNORED = 44
Const $RTN_ERR_INTERNAL = 18
Const $RTN_ERR_INV_DIR_PERMS = 7
Const $RTN_ERR_INV_DOMAIN = 43
Const $RTN_ERR_INV_PRN_PERMS = 8
Const $RTN_ERR_INV_REG_PERMS = 9
Const $RTN_ERR_INV_SHR_PERMS = 11
Const $RTN_ERR_INV_SVC_PERMS = 10
Const $RTN_ERR_INVALID_SD = 38
Const $RTN_ERR_LIST_ACL = 28
Const $RTN_ERR_LIST_FAIL = 15
Const $RTN_ERR_LIST_OPTIONS = 26
Const $RTN_ERR_LOOKUP_SID = 6
Const $RTN_ERR_LOOP_ACL = 29
Const $RTN_ERR_NO_LOGFILE = 33
Const $RTN_ERR_NO_NOTIFY = 14
Const $RTN_ERR_OBJECT_NOT_SET = 4
Const $RTN_ERR_OPEN_LOGFILE = 34
Const $RTN_ERR_OS_NOT_SUPPORTED = 37
Const $RTN_ERR_OUT_OF_MEMORY = 46
Const $RTN_ERR_PARAMS = 3
Const $RTN_ERR_PREPARE = 24
Const $RTN_ERR_READ_LOGFILE = 35
Const $RTN_ERR_REG_CONNECT = 21
Const $RTN_ERR_REG_ENUM = 23
Const $RTN_ERR_REG_OPEN = 22
Const $RTN_ERR_REG_PATH = 20
Const $RTN_ERR_SET_SD_DACL = 39
Const $RTN_ERR_SET_SD_GROUP = 42
Const $RTN_ERR_SET_SD_OWNER = 41
Const $RTN_ERR_SET_SD_SACL = 40
Const $RTN_ERR_SETENTRIESINACL = 19
Const $RTN_ERR_SETSECINFO = 25
Const $RTN_ERR_WRITE_LOGFILE = 36
Const $RTN_ERR_OK = 0
Const $RTN_ERR_USAGE = 1

;SetACL $SD Info
Const $ACL_DACL = 1
Const $ACL_SACL = 2
Const $SD_GROUP = 8
Const $SD_OWNER = 4

;SetACL $OBJECT Types
Const $SE_FILE_OBJECT = 1
Const $SE_LMSHARE = 5
Const $SE_PRINTER = 3
Const $SE_REGISTRY_KEY = 4
Const $SE_SERVICE = 2

$strFileName = "C:TmpResults1.txt"
$strUsername = "Users"
$strPermission = "change"

$SetACL1 = ObjCreate("SetACL.SetACLCtrl.1")

If IsObj($SetACL1) then

With $SetACL1
$nError = .SetObject($strFileName, $SE_FILE_OBJECT)
$nError = .SetAction($ACTN_ADDACE)
$nError = .ADDACE($strUsername, 0, $strPermission, $INHPARNOCHANGE, 0, $GRANT_ACCESS, $ACL_DACL)
$nError = .Run
Endwith

Else
    Msgbox(0,"Error","No Object Found")
EndIf

An other tool is ofcourse the famous MS CACLS

Enjoy !!

regards

ptrex

Edited by ptrex

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

Nice! I was hoping to find how to internalize SetACL.exe command line functions into a script without the need for the external executable.

New toy to play with! Merry Christmas!

:)

P.S. Requires SetACL ActiveX (SetACL.ocx) to provide the COM interface.

Edited by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites

#3 ·  Posted

Very nice! Thank you for this find :)


www.itoady.com (Go here to download the MacroGamer installer)[list][*]A* (A-star) Searching Algorithm - A.I. Artificial Intelligence bot path finding[*]MacroGamer - (Please Like this AutoIt thread on Facebook)[/list]

Share this post


Link to post
Share on other sites

#5 ·  Posted

a script good

Share this post


Link to post
Share on other sites

#6 ·  Posted

@all

You are welcome !!

See you all around. :)

regards,

pterex

Great ptrex :P How about registry permisions? Is there similar vbs script which can be translated?

Share this post


Link to post
Share on other sites

#7 ·  Posted

Share this post


Link to post
Share on other sites

#8 ·  Posted

@Microsoft

Lot's of good stuff around here :P

@MadBoy

Change :

.SetObject($strFileName, $SE_FILE_OBJECT)

Be carefull messing around with the REGISTRY !! :)

Best make a restore point before playing around.

Regards

ptrex

Hehe :) Ever thought about making this uDF ?:)

Share this post


Link to post
Share on other sites

#10 ·  Posted

Hello ptrex,

Do you knows how to remove an account with the SID "everyone" ?

Like this that works :

$nError = .SetObject("C:\1.txt", 1)  
$nError = .SetAction(4096)  
$nError = .AddTrustee("Everyone", "", False, False, 512, True, False)  
$nError = .Run

...but if i put the SID for everyone (in french "Tout le monde") like this :

$nError = .SetObject("C:\1.txt", 1)  
$nError = .SetAction(4096)  
$nError = .AddTrustee("S-1-1-0", 1, False, False, 512, True, False)  
$nError = .Run

...that don't work.

I asked the question on SetACL's forum but it looks like dead :)

Thanks for any idea ;)

Share this post


Link to post
Share on other sites

#11 ·  Posted

Where do you find documentation on the functions of the COM object? I looked all over the project's pages, but could not find any docs on it, just the command line version. TIA


My Projects:DebugIt - Debug your AutoIt scripts with DebugIt!

Share this post


Link to post
Share on other sites

#12 ·  Posted

There's no doc for this ActiveX, not much example and no support. That is the problem :)

Share this post


Link to post
Share on other sites

#13 ·  Posted

Well, the autor give me the answer :

The correct syntax to remove a SID on a file (with the SID) is like this :

$nError = .SetObject("C:\1.txt", 1)
  $nError = .SetAction(4096)
  $nError = .AddTrustee("S-1-1-0", "", True, False, 512, True, False)
  $nError = .Run

You can find on this page the differents SID : http://support.microsoft.com/kb/243330/en

I hope this helps.

Share this post


Link to post
Share on other sites

#14 ·  Posted (edited)

This looks very interesting and something I could use in most of my scripts.

The large amount of AutoIT script are used for deploying applications here at work.

CACLS works but this looks much nicer to work with. However I have never implmented a COM object in one of my scripts.

I think I can understand how to make a change but I don't understand how AutoIT knows where to find the OCX. do I need ot register it somehow first?

Would someone mind posting an quick example of how I would integrate set an actual ACL entry within an AutoIT Script.

Thanks,

Kenny

Edited by ken82m

My Contributions PC Builders Console - Secure PDF Creator - Cisco VPN Installer MS DNS Server Backup Script - MS DHCP Backup Script IT Admin Console - Toggle Admin Mode - MyMovies-Add Discs Script - IT Help Desk and System Information Tool - Set On Lid Close Power Option - Streaming Media Server & Website "I believe that when we leave a place, part of it goes with us and part of us remains... Go anywhere, when it is quiet, and just listen.. After a while, you will hear the echoes of all our conversations, every thought and word we've exchanged.... Long after we are gone our voices will linger in these walls for as long as this place remains."

Share this post


Link to post
Share on other sites

#15 ·  Posted

Share this post


Link to post
Share on other sites

#16 ·  Posted

Got it, great work on this! :)

Definitely gonna make my life easier.

Do you know of any RC's to verify the ACL has been changed?

I tried checking the $nError after .Run but it always seems to return 0 no matter what happens.

Thanks,

Kenny


My Contributions PC Builders Console - Secure PDF Creator - Cisco VPN Installer MS DNS Server Backup Script - MS DHCP Backup Script IT Admin Console - Toggle Admin Mode - MyMovies-Add Discs Script - IT Help Desk and System Information Tool - Set On Lid Close Power Option - Streaming Media Server & Website "I believe that when we leave a place, part of it goes with us and part of us remains... Go anywhere, when it is quiet, and just listen.. After a while, you will hear the echoes of all our conversations, every thought and word we've exchanged.... Long after we are gone our voices will linger in these walls for as long as this place remains."

Share this post


Link to post
Share on other sites

#18 ·  Posted (edited)

I'm pretty sure I know the answer, but what is the possibility of the Autoit dev's using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXE's or register DLL's.

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers, where we currently use robocopy to make ACL/ACE backups to zero-byte files off-site (robo switches: /copy:ATSOU /create) due to a particular site's local info sec not fully understanding security (always falls on my group to correct their mistakes), and that CHKDSK bug awhile back that reset all ACL's on an entire volume to defaults.

I use AutoIt to run multiple concurrent robo's to expedite the process (then parse the logs and email a summary of errors), and that seems fairly efficient, but that would be very cool if I could grab the ACL/ACE's with AutoIt and store them in a database or something without registering an external DLL/OCX.

Alternatively, is it possible to use this DLL as a plugin, so its functionality could be tapped without registering it? Edit: Nevermind, I see ptrex's RegFreeCOM Au3X Example.

I just came across this topic via ptrex's sig, so if there's already an answer to this problem, I apologize.

Edited by c0deWorm

My UDFs: ExitCodes

Share this post


Link to post
Share on other sites

#19 ·  Posted

I'm pretty sure I know the answer, but what is the possibility of the Autoit dev's using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXE's or register DLL's.

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers...

Isn't CACLS already on each and every computer and well documented by Microsoft? Why reinvent the wheel?

Share this post


Link to post
Share on other sites

#20 ·  Posted

i need example complete :P please

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0