
Using WMI to set share permission?



Author
10 May 2005 2:28 PM
Goshi Key
Creating a share on a Windows server with WMI is a pretty simple process,
but modifying the share-level permissions has me looking for help. Does anybody
know of a simple way to do this? I'd like to avoid using another tool (e.g.,
rmtshare.exe) if at all possible.

Author
10 May 2005 5:23 PM
Scott McNairy (MVP)
If I remember correctly this script worked.  It may take some modification
but it walks through the steps pretty well.

'''''''''  Begin Script '''''''''''''''
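' Replaces the share-level security descriptor of an existing share through WMI.
' The descriptor built below holds exactly one ACE (read/execute for the group
' with SID S-1-5-32-544), so after SetSecurityDescriptor succeeds that ACE is the
' share's entire DACL; any entries that were on the share before are gone.
' Share permissions are evaluated together with the NTFS permissions of the
' underlying folder, so review both when tightening or loosening access.
Const Path = "C:\Share"   'not referenced in this listing
Const Name = "NewShare"   'name of the existing share whose permissions are set

'Access masks
Const F_List  = 1   'can read a file or list folder contents
Const F_Add  = 2   'can write to a file or add a file to a folder
Const F_Append  = 4   'can append to a file or add a subfolder to a folder
Const F_Rd_EA  = 8   'can read Extended Attributes
Const F_Wr_EA  = 16   'can write Extended Attributes
Const F_Ex_Trav  = 32   'can execute a file or traverse folders
Const F_Del_Child = 64   'can delete a folder And its contents, even RO files
Const F_Rd_Attr  = 128  'can read attributes
Const F_Wr_Attr  = 256  'can write attributes
Const F_Delete  = 65536  'can delete files And folders
Const F_Rd_Contr = 131072  'assigns read access for this user
Const F_Wr_DAC  = 262144  'can change DACL
Const F_Wr_Owner = 524288  'can take ownership
Const F_Synch  = 1048576 'synch changes And wait for synch

'Composite masks. None of them includes F_Synch, whereas the Windows generic
'file rights (FILE_GENERIC_READ and friends) do include SYNCHRONIZE; add F_Synch
'if the masks have to match those values.
WR = F_Wr_Attr + F_Wr_EA + F_Append + F_Add
Wscript.Echo "Write access = 0x" & Hex(WR)
RD = F_Rd_Contr + F_Rd_Attr + F_Rd_EA + F_List
Wscript.Echo "Read access = 0x" & Hex(RD)
RX = RD + F_Ex_Trav
Wscript.Echo "RX access = 0x" & Hex(RX)
Modify =  (RX + WR + F_Delete)
Wscript.Echo "Modify access = 0x" & Hex(Modify)
Full = Modify + F_Wr_Owner + F_Wr_DAC + F_Del_Child
Wscript.Echo "Full access = 0x" & Hex(Full)

'ACE types
Const Allow  = 0
Const Deny   = 1
Const Audit  = 2

'ACE flags
Const ObjInh  = 1 'non-container children inherit this ace
Const ContInh = 2 'container objects inherit this ace
Const NoProp = 4 'do not propagate beyond first child
Const InhOnly = 8 'only controls access to children

Set objWMI = GetObject("winmgmts:root\cimv2")

'***   Get the Win32_SecurityDescriptor class and spawn a new instance   ****
Set objSecDescriptor = objWMI.Get("Win32_SecurityDescriptor").SpawnInstance_

'******   Prepare the security descriptor for the new share   ******
'32772 = 0x8004 = SE_DACL_PRESENT (0x4) + SE_SELF_RELATIVE (0x8000)
objSecDescriptor.ControlFlags = 32772

'S-1-5-32-544 is the well-known SID of the built-in Administrators group.
'This query can be slow unless you limit it by Domain = "YourLocalWorkStation" as well.
Set Group = objWMI.ExecQuery("Select Domain, Name, SID from Win32_Group where SID = 'S-1-5-32-544'")

Wscript.Echo "Group = " & Group.Count
Set Trustee = Nothing
For Each User in Group 'there will be only one, but it still has to be enumerated
  Wscript.Echo User.Domain & "\" & User.Name & " = " & User.SID
  Set Trustee = SetTrustee(objWMI, _
     User.Domain, _
     User.Name, _
     User.SID _
     )
Next

'Stop before touching the share if the query matched nothing; otherwise an
'ACE without a trustee would be handed to SetACE.
If Trustee Is Nothing Then
  Wscript.Echo "No group found for SID S-1-5-32-544; share permissions left unchanged."
  Wscript.Quit 1
End If

'DACL is an array of Win32_ACE instances, so the single ACE is wrapped in Array().
objSecDescriptor.DACL = Array(SetACE(objWMI, _
     RX, _
     0, _
     Allow, _
     Trustee _
     ))

'******   set the securitydescriptor    ******
'Without On Error Resume Next a failing call aborts the script before the
'Err/Rtn check below is ever reached.
On Error Resume Next
Err.Clear
Set NewSecDescriptor = GetObject("winmgmts:Win32_LogicalShareSecuritySetting.Name='" & Name & "'")
If Err.Number <> 0 Then
  Wscript.Echo "Problem encountered: could not bind to share '" & Name & "', Error 0x" & Hex(Err.Number)
  Wscript.Quit 1
End If

Rtn = NewSecDescriptor.SetSecurityDescriptor(objSecDescriptor)
If Err.Number <> 0 Or Rtn <> 0 Then
  'Hex() so that the value really matches the "0x" prefix in the message
  Wscript.Echo "Problem encountered: Error 0x" & Hex(Err.Number) & ", Rtn = " & CStr(Rtn)
Else
  Wscript.Echo "status is good.."
End If
On Error GoTo 0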

'************************* HELPER FUNCTIONS *********************
' Builds a Win32_Trustee instance for one account.
'   objWMI    - WMI service object used to spawn the Win32_Trustee instance
'   strDomain - value stored in the trustee's Domain property
'   strName   - value stored in the trustee's Name property
'   strSID    - value stored in the trustee's SIDString property
' Echoes the values read back from the new instance and returns the instance.
Function SetTrustee(objWMI, strDomain, strName, strSID)
  Dim newTrustee

  Set newTrustee = objWMI.Get("Win32_Trustee").SpawnInstance_
  With newTrustee
    .Domain = strDomain
    .Name = strName
    .SIDString = strSID
    'Report what the instance now holds, not the raw arguments
    Wscript.Echo "SetTrustee = " & .Domain & "\" & .Name & " = " & .SIDString
  End With

  Set SetTrustee = newTrustee
End Function

' Builds a Win32_Ace instance for one trustee.
'   objWMI     - WMI service object used to spawn the Win32_Ace instance
'   AccessMask - numeric rights mask stored in the ACE
'   AceFlags   - inheritance flags stored in the ACE
'   AceType    - ACE type stored in the ACE (the script defines Allow/Deny/Audit)
'   objTrustee - Win32_Trustee instance the ACE applies to
' Echoes the mask and flags in hex plus the type and trustee name, then
' returns the new instance.
Function SetACE(objWMI, AccessMask, AceFlags, AceType, objTrustee)
  Dim ace

  Set ace = objWMI.Get("Win32_Ace").SpawnInstance_
  With ace
    .AccessMask = AccessMask
    .AceFlags = AceFlags
    .AceType = AceType
    .Trustee = objTrustee
    'Values are read back from the instance so the echo shows what was stored
    Wscript.Echo "SetACE = " & Hex(.AccessMask) & "; " & Hex(.AceFlags) & "; " & _
       CInt(.AceType) & " for: " & objTrustee.Name
  End With

  Set SetACE = ace
End Function

--
Scott McNairy
Microsoft MVP - Windows Server Management Infrastructure


"Goshi Key" <kgo***@cox.net> wrote in message
news:Sz3ge.40256$_K.39501@fed1read03...
> Creating a share on a Windows server with WMI is a pretty simple process,
> but modifying the share level permissions has me looking for help. Anybody
> know of a simple way to do this? I'd like to avoid using another tool
> (i.e.;
> rmtshare.exe) if at all possible.
>
>
Author
11 May 2005 5:33 PM
Al Dunbar [MS-MVP]
Good stuff, great example! thanks.

/Al

"Scott McNairy (MVP)" <v-sco***@online.microsoft.com> wrote in message
news:Ob7REUYVFHA.2616@TK2MSFTNGP14.phx.gbl...
> If I remember correctly this script worked.  It may take some modification
> but it walks through the steps pretty well.
>
> '''''''''  Begin Script '''''''''''''''
> Const Path = "C:\Share"
> Const Name = "NewShare"
>
> 'Access masks
> Const F_List  = 1   'can read a file or list folder contents
> Const F_Add  = 2   'can write to a file or add a file to a folder
> Const F_Append  = 4   'can append to a file or add a subfolder to a folder
> Const F_Rd_EA  = 8   'can read Extended Attributes
> Const F_Wr_EA  = 16   'can write Extended Attributes
> Const F_Ex_Trav  = 32   'can execute a file or traverse folders
> Const F_Del_Child = 64   'can delete a folder And its contents, even RO
> files
> Const F_Rd_Attr  = 128  'can read attributes
> Const F_Wr_Attr  = 256  'can write attributes
> Const F_Delete  = 65536  'can delete files And folders
> Const F_Rd_Contr = 131072  'assigns read access for this user
> Const F_Wr_DAC  = 262144  'can change DACL
> Const F_Wr_Owner = 524288  'can take ownership
> Const F_Synch  = 1048576 'synch changes And wait for synch
>
> WR = F_Wr_Attr + F_Wr_EA + F_Append + F_Add
> Wscript.Echo "Write access = 0x" & Hex(WR)
> RD = F_Rd_Contr + F_Rd_Attr + F_Rd_EA + F_List
> Wscript.Echo "Read access = 0x" & Hex(RD)
> RX = RD + F_Ex_Trav
> Wscript.Echo "RX access = 0x" & Hex(RX)
> Modify =  (RX + WR + F_Delete)
> Wscript.Echo "Modify access = 0x" & Hex(Modify)
> Full = Modify + F_Wr_Owner + F_Wr_DAC + F_Del_Child
> Wscript.Echo "Full access = 0x" & Hex(Full)
>
> 'ACE types
> Const Allow  = 0
> Const Deny   = 1
> Const Audit  = 2
>
> 'ACE flags
> Const ObjInh  = 1 'non-container children inherit this ace
> Const ContInh = 2 'container objects inherit this ace
> Const NoProp = 4 'do not propagate beyond first child
> Const InhOnly = 8 'only controls access to children
>
> Set objWMI = GetObject("winmgmts:root\cimv2")
>
>
> '***   Get the Win32_SecurityDescriptor class and spawn a new instance
> ****
>  Set objSecDescriptor =
> objWMI.Get("Win32_SecurityDescriptor").SpawnInstance_
>
> '******   Prepare the security descriptor for the new share   ******
>  objSecDescriptor.ControlFlags = 32772
>
>  ' this query can be slow unless you limit it by Domain =
> "YourLocalWorkStation" as well
>  Set Group = objWMI.ExecQuery("Select Domain, Name, SID from Win32_Group
> where SID = 'S-1-5-32-544'")
>
>  Wscript.Echo "Group = " & Group.Count
>  For Each User in Group 'there will be only one, but it still has to be
> enumerated
>   Wscript.Echo User.Domain & "\" & User.Name & " = " & User.SID
>   Set Trustee = SetTrustee(objWMI, _
>      User.Domain, _
>      User.Name, _
>      User.SID _
>      )
>  Next
>  objSecDescriptor.DACL = SetACE(objWMI, _
>      RX, _
>      0, _
>      Allow, _
>      Trustee _
>      )
>
> '******   set the securitydescriptor    ******
>  Set NewSecDescriptor =
> GetObject("winmgmts:Win32_LogicalShareSecuritySetting.Name='" & Name &
"'")
>  Rtn = NewSecDescriptor.SetSecurityDescriptor(objSecDescriptor)
>  If Err or Rtn <> 0 Then
>   Wscript.Echo "Problem encountered: Error 0x" & Err.Number & ", Rtn = " &
> CStr(Rtn)
>  Else
>   Wscript.Echo "status is good.."
>  End If
>
> '************************* HELPER FUNCTIONS *********************
> Function SetTrustee(objWMI, _
>    strDomain, _
>    strName, _
>    strSID _
>    )
>  Dim objTrustee
>
>  Set objTrustee = objWMI.Get("Win32_Trustee").SpawnInstance_
>  objTrustee.Domain = strDomain
>  objTrustee.Name = strName
>  objTrustee.SIDString = strSID
>  Wscript.Echo "SetTrustee = " & _
>    objTrustee.Domain & _
>    "\" & objTrustee.Name & _
>    " = " & _
>    objTrustee.SIDString
>  Set SetTrustee = objTrustee
> End Function
>
> Function SetACE(objWMI, _
>   AccessMask, _
>   AceFlags, _
>   AceType, _
>   objTrustee _
>   )
>  Dim objAce
>
>  Set objAce = objWMI.Get("Win32_Ace").SpawnInstance_
>  objAce.AccessMask = AccessMask
>  objAce.AceFlags = AceFlags
>  objAce.AceType = AceType
>  objAce.Trustee = objTrustee
>  Wscript.Echo "SetACE = " & _
>    Hex(objAce.AccessMask) & "; " & _
>    Hex(objAce.AceFlags) & "; " & _
>    CInt(objAce.AceType) & _
>    " for: " & objTrustee.Name
>  Set SetACE = objAce
> End Function
>
> --
> Scott McNairy
> Microsoft MVP - Windows Server Management Infrastructure
>
>
> "Goshi Key" <kgo***@cox.net> wrote in message
> news:Sz3ge.40256$_K.39501@fed1read03...
> > Creating a share on a Windows server with WMI is a pretty simple
process,
> > but modifying the share level permissions has me looking for help.
Anybody
> > know of a simple way to do this? I'd like to avoid using another tool
> > (i.e.;
> > rmtshare.exe) if at all possible.
> >
> >
>
>
