
Group:  English: Windows Server » microsoft.public.windows.server.scripting
Thread: Problem calling oADsSecurityUtility.SetSecurityDescriptor from VBScript


Problem calling oADsSecurityUtility.SetSecurityDescriptor from VBScript
"Gregory Bartholomew" <gbartho[ at ]siue.edu> 11/20/2008 7:02:05 PM
Hi,

I found a vb code sample for setting ntfs file permissions here:
http://msdn.microsoft.com/en-us/library/aa705922(VS.85).aspx.

It looked simple enough to be made into a VBScript, which I could then
further modify to do some fancy stuff with a bunch of home directories and
accounts.

I made the few semantic changes that I thought would be necessary to get it
to work under VBScript, but now I get the error:

"E:\Temp\ace.vbs(217, 5) (null): The security ID structure is invalid."

Why does the line:

oADsSecurityUtility.SetSecurityDescriptor sFile, ADS_PATH_FILE, oSD,
ADS_SD_FORMAT_IID

not work? Why is the "oSD" variable invalid?

Below is the full script that I am using.

Thanks,
Greg

' Beginning of Code Modified to work as VBScript

' Define constants:
'

'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Define the ADS_RIGHTS_ENUM values.
'
' Access-mask bits under their ADSI names. Nothing in this script reads an
' ADS_RIGHT_* constant: AddACEToFile builds its mask from the FILE_* values and
' DELETE defined in the WinNT.h section further down.
'
' Standard rights. These five carry the same values as DELETE, READ_CONTROL,
' WRITE_DAC, WRITE_OWNER and SYNCHRONIZE in the WinNT.h section.
' WRITE_DAC (change the object's DACL) and WRITE_OWNER (change its owner) are
' the two bits that let a trustee widen their own access, so review any ACE
' that grants them.
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
' Generic rights (same values as the GENERIC_* constants further down).
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
' Directory-service object rights. The low bits &H1..&H100 are reused with
' different meanings by the FILE_* masks below, so the two families must not be
' mixed in a single ACE.
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Type definitions
'
' AddACEToFile uses only ADS_ACETYPE_ACCESS_ALLOWED; the other types are
' declared for completeness.
'
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Flag Constants
'
' ADSI names for the ACE inheritance and audit flags. &H1 and &H2 are the same
' bits that the file section below names OBJECT_INHERIT_ACE and
' CONTAINER_INHERIT_ACE; AddACEToFile uses the file-section names.
'
Const ADS_ACEFLAG_UNKNOWN = &H1
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1F
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_FAILED_ACCESS = &H80
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Flags constants for AD objects
'
' Not referenced by this script, which only touches file-system ACEs.
'
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' From WinNT.h
'------------------------------------------------------------------------------
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
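' File Specific Access Rights
'
' Standard rights shared by every securable object type.
Const DELETE = &H10000
Const READ_CONTROL = &H20000
Const WRITE_DAC = &H40000
Const WRITE_OWNER = &H80000
Const SYNCHRONIZE = &H100000

Const STANDARD_RIGHTS_REQUIRED = &HF0000

' READ, WRITE and EXECUTE all carry READ_CONTROL's value (&H20000).
Const STANDARD_RIGHTS_READ = &H20000
Const STANDARD_RIGHTS_WRITE = &H20000
Const STANDARD_RIGHTS_EXECUTE = &H20000

Const STANDARD_RIGHTS_ALL = &H1F0000

' NOTE(review): VBScript reads a bare hex literal of four digits or fewer as a
' 16-bit Integer, so &HFFFF is likely -1 here rather than 65535. The constant
' is unused in this script; confirm the value before using it as a mask.
Const SPECIFIC_RIGHTS_ALL = &HFFFF

'
' AccessSystemAcl access type
'

Const ACCESS_SYSTEM_SECURITY = &H1000000

'
' MaximumAllowed access type
'

Const MAXIMUM_ALLOWED = &H2000000

'
' These are the generic rights
'

Const GENERIC_READ = &H80000000
Const GENERIC_WRITE = &H40000000
Const GENERIC_EXECUTE = &H20000000
Const GENERIC_ALL = &H10000000

'
' AccessMask constants for FILE ACEs
'
' Several names share one bit; which meaning applies depends on whether the
' object is a file, a directory or a named pipe.
'
Const FILE_READ_DATA = &H1 ' file & pipe
Const FILE_LIST_DIRECTORY = &H1 ' directory

Const FILE_WRITE_DATA = &H2 ' file & pipe
Const FILE_ADD_FILE = &H2 ' directory

Const FILE_APPEND_DATA = &H4 ' file
Const FILE_ADD_SUBDIRECTORY = &H4 ' directory
Const FILE_CREATE_PIPE_INSTANCE = &H4 ' named pipe

Const FILE_READ_EA = &H8 ' file & directory

Const FILE_WRITE_EA = &H10 ' file & directory

Const FILE_EXECUTE = &H20 ' file
Const FILE_TRAVERSE = &H20 ' directory

Const FILE_DELETE_CHILD = &H40 ' directory

Const FILE_READ_ATTRIBUTES = &H80 ' all

Const FILE_WRITE_ATTRIBUTES = &H100 ' all

' Composite masks. VBScript's Const accepts only a literal, so these are plain
' variables assigned at script start. The posted lines were wrapped by the
' newsgroup without a line-continuation character, which VBScript rejects;
' each statement is now joined with " _".
'
' FILE_ALL_ACCESS includes WRITE_DAC and WRITE_OWNER (through
' STANDARD_RIGHTS_REQUIRED). The three FILE_GENERIC_* masks do not.
FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &H1FF
FILE_GENERIC_READ = STANDARD_RIGHTS_READ Or FILE_READ_DATA Or _
    FILE_READ_ATTRIBUTES Or FILE_READ_EA Or SYNCHRONIZE
FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE Or FILE_WRITE_DATA Or _
    FILE_WRITE_ATTRIBUTES Or FILE_WRITE_EA Or FILE_APPEND_DATA Or SYNCHRONIZE
FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or FILE_READ_ATTRIBUTES Or _
    FILE_EXECUTE Or SYNCHRONIZE

Const FILE_SHARE_READ = &H1
Const FILE_SHARE_WRITE = &H2
Const FILE_SHARE_DELETE = &H4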
'
' AceFlags values for files
'
' Inheritance flags for file-system ACEs. AddACEToFile sets
' OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE, so an ACE it places on a folder
' is inherited by the files and subfolders beneath it.
'
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const NO_PROPAGATE_INHERIT_ACE = &H4
Const INHERIT_ONLY_ACE = &H8
Const INHERITED_ACE = &H10

'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
'<<<<<<<<<<<<<<<<<<<<<<<<< BEGIN IADsSecurityUtility Constants >>>>>>>>>>>>
'
'
' ADS_PATHTYPE_ENUM
'
' Tells Get/SetSecurityDescriptor what kind of object the path names.
' This script passes only ADS_PATH_FILE.
'
Const ADS_PATH_FILE = 1
Const ADS_PATH_FILESHARE = 2
Const ADS_PATH_REGISTRY = 3
'
' ADS_SD_FORMAT_ENUM
'
' Format in which the security descriptor is exchanged. This script uses only
' ADS_SD_FORMAT_IID, where the descriptor is an object whose DiscretionaryAcl
' property AddACEToFile reads and writes.
'
Const ADS_SD_FORMAT_IID = 1
Const ADS_SD_FORMAT_RAW = 2
Const ADS_SD_FORMAT_HEXSTRING = 3
'
'<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
'

'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' AddACEToFile
'
' Adds an ACE to the specified file or folder that grants the trustee
' modify rights on the file.
'
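Sub AddACEToFile(sFile, sTrustee)
    ' Adds an access-allowed ACE for sTrustee to the DACL of the NTFS file or
    ' folder at sFile, then writes the security descriptor back.
    '
    ' sFile    - path of the file or folder whose DACL is modified.
    ' sTrustee - account name (e.g. DOMAIN\user) or SID string to grant to.
    '
    ' Raises an error if sTrustee is empty; errors from the ADSI objects
    ' propagate to the caller unchanged.
    '
    ' The granted mask is read + write + execute + delete. It does not include
    ' WRITE_DAC or WRITE_OWNER, so the trustee cannot re-permission the object.
    Dim oAce                 ' AccessControlEntry: the new ACE
    Dim oSD                  ' SecurityDescriptor of the object
    Dim oDacl                ' AccessControlList: the DACL of the object
    Dim oADsSecurityUtility  ' ADsSecurityUtility

    ' Reject an empty trustee before touching the descriptor. An ACE without a
    ' resolvable trustee is only rejected later, at SetSecurityDescriptor, with
    ' the much less obvious "The security ID structure is invalid."
    If Len(Trim(sTrustee & "")) = 0 Then
        Err.Raise vbObjectError + 1, "AddACEToFile", _
            "sTrustee must be an account name or SID string"
    End If

    ' Create an ADsSecurityUtility object.
    Set oADsSecurityUtility = CreateObject("ADsSecurityUtility")

    ' Get the security descriptor for the given NTFS path.
    Set oSD = oADsSecurityUtility.GetSecurityDescriptor(sFile, _
        ADS_PATH_FILE, ADS_SD_FORMAT_IID)

    ' Get the discretionary ACL of the file or folder.
    Set oDacl = oSD.DiscretionaryAcl

    ' Create an ACE object.
    Set oAce = CreateObject("AccessControlEntry")

    ' Set the IADsAccessControlEntry::Trustee attribute.
    ' The posted script assigned the undeclared name "Trustee" here. Without
    ' Option Explicit, VBScript silently creates it as an Empty variable, so
    ' the ACE had no trustee. Declaring Option Explicit at the top of the
    ' script (and Dim-ing the FILE_* composite masks) would have reported the
    ' typo on this line.
    oAce.Trustee = sTrustee

    ' Set the IADsAccessControlEntry::AccessMask attribute (modify rights).
    oAce.AccessMask = FILE_GENERIC_READ Or FILE_GENERIC_WRITE Or _
        FILE_GENERIC_EXECUTE Or DELETE

    ' Set the IADsAccessControlEntry::AceType attribute.
    oAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED

    ' Set the IADsAccessControlEntry::AceFlags attribute. On a folder the ACE
    ' is inherited by every file and subfolder beneath it, so the grant reaches
    ' further than the single path passed in.
    oAce.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE

    ' Place the ACE on the DACL.
    ' NOTE(review): nothing here checks where AddAce puts the entry relative to
    ' existing deny or inherited ACEs; verify the resulting order on a test
    ' object before running this across many home directories.
    oDacl.AddACE oAce

    ' Place the DACL back onto the SD.
    oSD.DiscretionaryAcl = oDacl

    ' Place the SD back onto the file.
    oADsSecurityUtility.SetSecurityDescriptor sFile, ADS_PATH_FILE, oSD, _
        ADS_SD_FORMAT_IID

    ' Cleanup.
    Set oAce = Nothing
    Set oDacl = Nothing
    Set oSD = Nothing
    Set oADsSecurityUtility = Nothing
End Sub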

' Grant the account modify rights on its own home directory.
Call AddACEToFile("E:\Home\gbartho", "CAMPUS\gbartho")

' End of Code Modified for VBScript


RE: Problem calling oADsSecurityUtility.SetSecurityDescriptor from VBS
Aaron Margosis [MSFT] 12/19/2008 5:44:04 AM
Just ran into the same thing. Make sure that the trustee name is valid --
having a name that doesn't resolve results in the error you described.

RE: Problem calling oADsSecurityUtility.SetSecurityDescriptor from
Aaron Margosis [MSFT] 12/19/2008 5:52:08 AM
The trustee can be a SID too. E.g., to set access for NT
AUTHORITY\INTERACTIVE, you can do this:

oACE.Trustee = "S-1-5-4"


"Aaron Margosis [MSFT]" wrote:

[Quoted Text]
> Just ran into the same thing. Make sure that the trustee name is valid --
> having a name that doesn't resolve results in the error you described.
>
