|
server
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Problem calling oADsSecurityUtility.SetSecurityDescriptor from VBScriptI found a vb code sample for setting ntfs file permissions here: http://msdn.microsoft.com/en-us/library/aa705922(VS.85).aspx. It looked simple enought to be made into a vbscript which I could then further modify to do some fancy stuff with a bunch of home directories and accounts. I made the few symantic changes that I though would be necessary to get it to work under vbscript, but now I get the error: "E:\Temp\ace.vbs(217, 5) (null): The security ID structure is invalid." Why does the line: oADsSecurityUtility.SetSecurityDescriptor sFile, ADS_PATH_FILE, oSD, ADS_SD_FORMAT_IID not work? Why is the "oSD" variable invalid? Below is the full script that I am using. Thanks, Greg ' Beginning of Code Modified to work as VBScript ' Define constants: ' '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' ' Define the ADS_RIGHTS_ENUM values. ' Const ADS_RIGHT_DELETE = &H10000 Const ADS_RIGHT_READ_CONTROL = &H20000 Const ADS_RIGHT_WRITE_DAC = &H40000 Const ADS_RIGHT_WRITE_OWNER = &H80000 Const ADS_RIGHT_SYNCHRONIZE = &H100000 Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000 Const ADS_RIGHT_GENERIC_READ = &H80000000 Const ADS_RIGHT_GENERIC_WRITE = &H40000000 Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000 Const ADS_RIGHT_GENERIC_ALL = &H10000000 Const ADS_RIGHT_DS_CREATE_CHILD = &H1 Const ADS_RIGHT_DS_DELETE_CHILD = &H2 Const ADS_RIGHT_ACTRL_DS_LIST = &H4 Const ADS_RIGHT_DS_SELF = &H8 Const ADS_RIGHT_DS_READ_PROP = &H10 Const ADS_RIGHT_DS_WRITE_PROP = &H20 Const ADS_RIGHT_DS_DELETE_TREE = &H40 Const ADS_RIGHT_DS_LIST_OBJECT = &H80 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100 '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' ' Ace Type definitions ' Const ADS_ACETYPE_ACCESS_ALLOWED = 0 Const ADS_ACETYPE_ACCESS_DENIED = &H1 Const ADS_ACETYPE_SYSTEM_AUDIT = &H2 Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5 Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6 Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7 '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' ' Ace Flag Constants ' Const ADS_ACEFLAG_UNKNOWN = &H1 Const ADS_ACEFLAG_INHERIT_ACE = &H2 Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4 Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8 Const ADS_ACEFLAG_INHERITED_ACE = &H10 Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1F Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40 Const ADS_ACEFLAG_FAILED_ACCESS = &H80 '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' ' Flags constants for AD objects ' Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1 Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2 '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' ' From WinNT.h '------------------------------------------------------------------------------ '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' File Specific Access Rights ' Const DELETE = &H10000 Const READ_CONTROL = &H20000 Const WRITE_DAC = &H40000 Const WRITE_OWNER = &H80000 Const SYNCHRONIZE = &H100000 Const STANDARD_RIGHTS_REQUIRED = &HF0000 Const STANDARD_RIGHTS_READ = &H20000 Const STANDARD_RIGHTS_WRITE = &H20000 Const STANDARD_RIGHTS_EXECUTE = &H20000 Const STANDARD_RIGHTS_ALL = &H1F0000 Const SPECIFIC_RIGHTS_ALL = &HFFFF ' ' AccessSystemAcl access type ' Const ACCESS_SYSTEM_SECURITY = &H1000000 ' ' MaximumAllowed access type ' Const MAXIMUM_ALLOWED = &H2000000 ' ' These are the generic rights ' Const GENERIC_READ = &H80000000 Const GENERIC_WRITE = &H40000000 Const GENERIC_EXECUTE = &H20000000 Const GENERIC_ALL = &H10000000 ' ' AccessMask constants for FILE ACEs ' Const FILE_READ_DATA = &H1 ' file & pipe Const FILE_LIST_DIRECTORY = &H1 ' directory Const FILE_WRITE_DATA = &H2 ' file & pipe Const FILE_ADD_FILE = &H2 ' directory Const FILE_APPEND_DATA = &H4 ' file Const FILE_ADD_SUBDIRECTORY = &H4 ' directory Const FILE_CREATE_PIPE_INSTANCE = &H4 ' named pipe Const FILE_READ_EA = &H8 ' file & directory Const FILE_WRITE_EA = &H10 ' file & directory Const FILE_EXECUTE = &H20 ' file Const FILE_TRAVERSE = &H20 ' directory Const FILE_DELETE_CHILD = &H40 ' directory Const FILE_READ_ATTRIBUTES = &H80 ' all Const FILE_WRITE_ATTRIBUTES = &H100 ' all FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &H1FF FILE_GENERIC_READ = STANDARD_RIGHTS_READ Or FILE_READ_DATA Or FILE_READ_ATTRIBUTES Or FILE_READ_EA Or SYNCHRONIZE FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE Or FILE_WRITE_DATA Or FILE_WRITE_ATTRIBUTES Or FILE_WRITE_EA Or FILE_APPEND_DATA Or SYNCHRONIZE FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or FILE_READ_ATTRIBUTES Or FILE_EXECUTE Or SYNCHRONIZE Const FILE_SHARE_READ = &H1 Const FILE_SHARE_WRITE = &H2 Const FILE_SHARE_DELETE = &H4 ' ' AceFlags values for files ' Const OBJECT_INHERIT_ACE = &H1 Const CONTAINER_INHERIT_ACE = &H2 Const NO_PROPAGATE_INHERIT_ACE = &H4 Const INHERIT_ONLY_ACE = &H8 Const INHERITED_ACE = &H10 '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' '<<<<<<<<<<<<<<<<<<<<<<<<< BEGIN IADsSecurityUtility Constants >>>>>>>>>>>> ' ' ' ADS_PATHTYPE_ENUM ' Const ADS_PATH_FILE = 1 Const ADS_PATH_FILESHARE = 2 Const ADS_PATH_REGISTRY = 3 ' ' ADS_SD_FORMAT_ENUM ' Const ADS_SD_FORMAT_IID = 1 Const ADS_SD_FORMAT_RAW = 2 Const ADS_SD_FORMAT_HEXSTRING = 3 ' '<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>> ' '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ' ' AddACEToFile ' ' Adds an ACE to the specified file or folder that grants the trustee ' modify rights on the file. ' Sub AddACEToFile(sFile, sTrustee) Dim oAce ' As AccessControlEntry ' variable for the new ACE Dim oSD ' As SecurityDescriptor ' variable for the Security Descriptor of the object Dim oDacl ' As AccessControlList ' variable for the DACL of the object Dim oADsSecurityUtility ' As ADsSecurityUtility ' ' Create an ADsSecurityUtlity object. ' Set oADsSecurityUtility = CreateObject("ADsSecurityUtility") ' ' Get the Security Descriptor for the given NTFS File path. ' Set oSD = oADsSecurityUtility.GetSecurityDescriptor(sFile, ADS_PATH_FILE, ADS_SD_FORMAT_IID) ' ' Get the Discrectionary ACL for the key. ' Set oDacl = oSD.DiscretionaryAcl ' ' Create an ACE object. ' Set oAce = CreateObject("AccessControlEntry") ' ' Set the IADsAccessControlEntry::Trustee attribute. ' oAce.Trustee = Trustee ' ' Set the IADsAccessControlEntry::AccessMask attribute. ' oAce.AccessMask = FILE_GENERIC_READ Or FILE_GENERIC_WRITE Or FILE_GENERIC_EXECUTE Or DELETE ' ' Set the IADsAccessControlEntry::AceType attribute. ' oAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED ' ' Set the IADsAccessControlEntry::AceFlags attribute. ' oAce.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE ' ' Place the ACE on the DACL. ' oDacl.AddACE oAce ' ' Place the DACL back onto the SD. ' oSD.DiscretionaryAcl = oDacl ' ' Place the SD back onto the file. ' oADsSecurityUtility.SetSecurityDescriptor sFile, ADS_PATH_FILE, oSD, ADS_SD_FORMAT_IID ' ' Cleanup. ' Set oAce = Nothing Set oDacl = Nothing Set oSD = Nothing Set oADsSecurityUtility = Nothing End Sub AddACEToFile "E:\Home\gbartho", "CAMPUS\gbartho" ' End of Code Modified for VBScript Just ran into the same thing. Make sure that the trustee name is valid --
having a name that doesn't resolve results in the error you described. The trustee can be a SID too. E.g., to set access for NT
AUTHORITY\INTERACTIVE, you can do this: oACE.Trustee = "S-1-5-4" Show quoteHide quote "Aaron Margosis [MSFT]" wrote: > Just ran into the same thing. Make sure that the trustee name is valid -- > having a name that doesn't resolve results in the error you described. > 
Other interesting topics
What is error '80041003', please?
Command Script variable value lost during execution accesschk script to include datestamp querying wmi - recommended structure when iteration seems unnecessary? Simple Ping Script How can I do a WMI Bulk data retrieval ? managing NTFS permissions - cacls or wmi? How to create a unique samaccountname in AD chech group User on the system Start up |
|||||||||||||||||||||||
