Changing permissions on files, folders, and registry keys/values

Status
Not open for further replies.

Roham

IS-IT--Management
Feb 5, 2003
37
US
Hello out there,
I am constructing a script to fix least user access bugs that I encounter for a particular legacy piece of software. I need to change security permissions on files and folders as well as registry keys and specific values.

I currently have a subroutine that calls cacls.exe to change the permissions on the files or folders, but I'd like to do it inherent to the script without having to call an executable. I haven't found a way to do that up to this point. Any ideas?

My main concern is to be able to change permissions on some registry keys and values as needed to add modify access so that limited Windows users can run the program. I can't use cacls.exe for this. I can do this manually, but am not sure how to get it done via a script.

Thanks for any ideas!

Mike
 
Here are some resources you can check out. Subinacl is probably your best solution, but note that it does not run against remote systems and does not support x64 platforms.




I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Hi Mark,
Thanks for your suggestion, I came across that program in my research. I'm sure it works great, but I'm a minimalist when it comes to scripting. I usually don't want to load extra stuff if I don't have to, since I work with isolated computer labs (public school district) and don't have a homogenous environment.

After I posted my question, I did a lot more research and found many references. Most were in VB and I had trouble translating them to VBScript. I then came across another source where the author listed the constants needed to modify permissions. They are part of my script below.

Apparently the ability to modify the registry permissions did not exist a while back, even in XP. Most of the sources refer to using ADsSecurity.dll from the ADSI 2.5 Resource Kit, but it can no longer be downloaded. After some digging, I found out that the functionality in the ADsSecurity.dll was replaced along the line (I'm guessing XP SP2) with activeds.dll. There are multiple objects (examples in my code below) that can be called in order to modify ACLs in the registry.

So without further ado, here's the script that I wrote to change registry and file settings in order to make Cakewalk Music Creator 2003 run as a limited user. It's one of those old programs that has limited user access bugs.

Option Explicit
' Define some constants:
'
' Define the ADS_RIGHTS_ENUM constants:
'
const ADS_RIGHT_DELETE = &h10000
const ADS_RIGHT_READ_CONTROL = &h20000
const ADS_RIGHT_WRITE_DAC = &h40000
const ADS_RIGHT_WRITE_OWNER = &h80000
const ADS_RIGHT_SYNCHRONIZE = &h100000
const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &h1000000
Const ADS_RIGHT_GENERIC_READ = &h80000000
const ADS_RIGHT_GENERIC_WRITE = &h40000000
const ADS_RIGHT_GENERIC_EXECUTE = &h20000000
const ADS_RIGHT_GENERIC_ALL = &h10000000
const ADS_RIGHT_DS_CREATE_CHILD = &h1
const ADS_RIGHT_DS_DELETE_CHILD = &h2
const ADS_RIGHT_ACTRL_DS_LIST = &h4
const ADS_RIGHT_DS_SELF = &h8
const ADS_RIGHT_DS_READ_PROP = &h10
const ADS_RIGHT_DS_WRITE_PROP = &h20
const ADS_RIGHT_DS_DELETE_TREE = &h40
const ADS_RIGHT_DS_LIST_OBJECT = &h80
const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Type definitions
'
const ADS_ACETYPE_ACCESS_ALLOWED = 0
const ADS_ACETYPE_ACCESS_DENIED = &h1
const ADS_ACETYPE_SYSTEM_AUDIT = &h2
const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &h6
const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &h7
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Flag Constants
'
const ADS_ACEFLAG_UNKNOWN = &h1
const ADS_ACEFLAG_INHERIT_ACE = &h2
const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &h4
const ADS_ACEFLAG_INHERIT_ONLY_ACE = &h8
const ADS_ACEFLAG_INHERITED_ACE = &h10
const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &h1f
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &h40
const ADS_ACEFLAG_FAILED_ACCESS = &h80
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
' Flags constants for AD objects
'
const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &h2
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
' File Specific Access Rights
'
Const DELETE = &h00010000
Const READ_CONTROL = &h00020000
Const WRITE_DAC = &h00040000
Const WRITE_OWNER = &h00080000
Const SYNCHRONIZE = &h00100000
Const STANDARD_RIGHTS_REQUIRED = &h000F0000
Const STANDARD_RIGHTS_ALL = &h001F0000
Const SPECIFIC_RIGHTS_ALL = &h0000FFFF

Dim STANDARD_RIGHTS_READ : STANDARD_RIGHTS_READ = READ_CONTROL
Dim STANDARD_RIGHTS_WRITE : STANDARD_RIGHTS_WRITE = READ_CONTROL
Dim STANDARD_RIGHTS_EXECUTE: STANDARD_RIGHTS_EXECUTE = READ_CONTROL
'
' AccessSystemAcl access type
'
Const ACCESS_SYSTEM_SECURITY = &h01000000
'
' MaximumAllowed access type
'
Const MAXIMUM_ALLOWED = &h02000000
'
' These are the generic rights.
'
Const GENERIC_READ = &h80000000
Const GENERIC_WRITE = &h40000000
Const GENERIC_EXECUTE = &h20000000
Const GENERIC_ALL = &h10000000
'
' AccessMask constants for FILE ACEs
'
Const FILE_READ_DATA = &h0001 ' file & pipe
Const FILE_LIST_DIRECTORY = &h0001 ' directory
Const FILE_WRITE_DATA = &h0002 ' file & pipe
Const FILE_ADD_FILE = &h0002 ' directory

Const FILE_APPEND_DATA = &h0004 ' file
Const FILE_ADD_SUBDIRECTORY = &h0004 ' directory
Const FILE_CREATE_PIPE_INSTANCE = &h0004 ' named pipe

Const FILE_READ_EA = &h0008 ' file & directory
Const FILE_WRITE_EA = &h0010 ' file & directory

Const FILE_EXECUTE = &h0020 ' file
Const FILE_TRAVERSE = &h0020 ' directory

Const FILE_DELETE_CHILD = &h0040 ' directory
Const FILE_READ_ATTRIBUTES = &h0080 ' all
Const FILE_WRITE_ATTRIBUTES = &h0100 ' all

Dim FILE_ALL_ACCESS : FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &h1FF

dim FILE_GENERIC_READ : FILE_GENERIC_READ = STANDARD_RIGHTS_READ Or _
FILE_READ_DATA Or _
FILE_READ_ATTRIBUTES Or _
FILE_READ_EA Or _
SYNCHRONIZE


dim FILE_GENERIC_WRITE : FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE Or _
FILE_WRITE_DATA Or _
FILE_WRITE_ATTRIBUTES Or _
FILE_WRITE_EA Or _
FILE_APPEND_DATA Or _
SYNCHRONIZE


dim FILE_GENERIC_EXECUTE : FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or _
FILE_READ_ATTRIBUTES Or _
FILE_EXECUTE Or _
SYNCHRONIZE


Const FILE_SHARE_READ = &h00000001
Const FILE_SHARE_WRITE = &h00000002
Const FILE_SHARE_DELETE = &h00000004
'
' AceFlags values for files
'
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const NO_PROPAGATE_INHERIT_ACE = &H4
Const INHERIT_ONLY_ACE = &H8
Const INHERITED_ACE = &H10
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
'<<<<<<<<<<<<<<<<<<<<<<<<< Begin IADsSecurityUtility Constants >>>>>>>>>>>>
'
' Supported on XP
'
'typedef enum
'
' ADS_PATHTYPE_ENUM
'
Const ADS_PATH_FILE = 1
Const ADS_PATH_FILESHARE = 2
Const ADS_PATH_REGISTRY = 3
'
' ADS_SD_FORMAT_ENUM
'
Const ADS_SD_FORMAT_IID = 1
Const ADS_SD_FORMAT_RAW = 2
Const ADS_SD_FORMAT_HEXSTRING = 3
'
'<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
'
'<<<<MAIN>>>>
funcFolderPerms
funcRegPerms
'<<<<End MAIN>>>>

WScript.Echo "Cakewalk Permissions modified."

Function funcRegPerms
'<<<<<<<<<<<<<<<< Registry Keys to be modified >>>>>>>>>>>>>>>>>>>>>>>>>>
Dim arrRegKeys(25)
arrRegKeys(0) = "HKCR\Cakewalk.Application"
arrRegKeys(1) = "HKCR\Cakewalk.Application\CLSID"
arrRegKeys(2) = "HKCR\CakewalkProjectFile\CLSID"
arrRegKeys(3) = "HKCR\CakewalkProjectFile\Insertable"
arrRegKeys(4) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\server"
arrRegKeys(5) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\verb\0"
arrRegKeys(6) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}"
arrRegKeys(7) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\2"
arrRegKeys(8) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\3"
arrRegKeys(9) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\DefaultIcon"
arrRegKeys(10) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\InprocHandler32"
arrRegKeys(11) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Insertable"
arrRegKeys(12) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\LocalServer32"
arrRegKeys(13) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\MiscStatus"
arrRegKeys(14) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\ProgID"
arrRegKeys(15) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\0"
arrRegKeys(16) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\1"
arrRegKeys(17) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}"
arrRegKeys(18) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\InprocHandler32"
arrRegKeys(19) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\LocalServer32"
arrRegKeys(20) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\ProgID"
arrRegKeys(21) = "HKLM\System\CurrentControlSet\Control\MediaResources"
arrRegKeys(22) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound"
arrRegKeys(23) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound\Device Presence"
arrRegKeys(24) = "HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF\DirectSound"
arrRegKeys(25) = "HKLM\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF"
'>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Dim dacl, sd, newAce, sdutil, strRegKey

    set dacl = createobject("AccessControlList")
    set sd = createobject("SecurityDescriptor")
    set newAce = CreateObject("AccessControlEntry")
    set sdutil = createobject("ADsSecurityUtility")

    For Each strRegKey In arrRegKeys
        WScript.Echo strRegKey
        Set sd = sdUtil.GetSecurityDescriptor (strRegKey, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = ADS_RIGHT_GENERIC_READ Or _
                            ADS_RIGHT_GENERIC_EXECUTE Or _
                            ADS_RIGHT_GENERIC_WRITE Or _
                            ADS_RIGHT_DELETE Or _
                            ADS_RIGHT_WRITE_DAC Or _
                            ADS_RIGHT_WRITE_OWNER

        newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        dacl.AddAce newAce

        sdutil.SetSecurityDescriptor strRegKey, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID
    Next
    WScript.Echo "Set Registry permissions."
End Function


Function funcFolderPerms
    Dim objFSO, strSourceFile, strDestLoc
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strDestLoc = "C:\Program Files\Cakewalk\Cakewalk Music Creator 2003"

    'Check for and change folder permissions
    If objFSO.FolderExists(strDestLoc) Then
        'Set Full permissions on the folder
        subSetFolderPerms(strDestLoc)
        WScript.Echo "Set Cakewalk folder permissions."
    End If
End Function

Sub subSetFolderPerms(folderPath)
    Dim dacl, sd, newAce, sdutil, strFile
    Dim arrFiles(0)
    arrFiles(0)= "C:\Program Files\Cakewalk\Cakewalk Music Creator 2003"

    set dacl = createobject("AccessControlList")
    set sd = createobject("SecurityDescriptor")
    set newAce = CreateObject("AccessControlEntry")
    set sdutil = createobject("ADsSecurityUtility")

    For Each strFile In arrFiles
        Set sd = sdUtil.GetSecurityDescriptor (strFile, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = GENERIC_ALL

        newAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
        newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        dacl.AddAce newAce

        sdutil.SetSecurityDescriptor strFile, ADS_PATH_FILE, sd, ADS_SD_FORMAT_IID
    Next
End Sub
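
A narrower take on the registry routine posted above, as an added example that is not part of the original thread or the poster's code: the post's ACE gives every authenticated user WRITE_DAC and WRITE_OWNER on keys that include COM server registrations, so this version first reports such ACEs and then grants only read, set-value and create-subkey rights. The group name `CakewalkUsers`, the `EXPECTED` trustee list and the helper names are assumptions made for illustration.

```vbscript
Option Explicit
' Added example, not the original poster's code.
Const ADS_PATH_REGISTRY = 3
Const ADS_SD_FORMAT_IID = 1
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = &h2
Const WRITE_DAC = &h40000
Const WRITE_OWNER = &h80000
Const GENERIC_ALL = &h10000000
' Registry-specific rights (winnt.h): KEY_READ plus set-value and create-subkey.
Const KEY_READ = &h20019
Const KEY_SET_VALUE = &h2
Const KEY_CREATE_SUB_KEY = &h4
' Assumption: a hypothetical local group holding only the accounts that run the program.
Const APP_GROUP = "CakewalkUsers"
' Assumption: trustees expected to hold control rights; extend for your environment.
Const EXPECTED = "|BUILTIN\ADMINISTRATORS|NT AUTHORITY\SYSTEM|CREATOR OWNER|"

Dim sdUtil : Set sdUtil = CreateObject("ADsSecurityUtility")
Dim strKey : strKey = "HKCR\Cakewalk.Application"   ' one key from the post
ReportControlAces strKey
GrantLimitedWrite strKey

' Echo every allow ACE that lets an unexpected trustee change the DACL or owner.
Sub ReportControlAces(strPath)
    Dim sd, ace
    Set sd = sdUtil.GetSecurityDescriptor(strPath, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
    For Each ace In sd.DiscretionaryAcl
        If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED And _
           (ace.AccessMask And (WRITE_DAC Or WRITE_OWNER Or GENERIC_ALL)) <> 0 And _
           InStr(EXPECTED, "|" & UCase(ace.Trustee) & "|") = 0 Then
            WScript.Echo strPath & ": " & ace.Trustee & " mask=&h" & Hex(ace.AccessMask)
        End If
    Next
End Sub

' Add read, set-value and create-subkey for APP_GROUP; no DELETE, WRITE_DAC or WRITE_OWNER.
Sub GrantLimitedWrite(strPath)
    Dim sd, dacl, ace
    Set sd = sdUtil.GetSecurityDescriptor(strPath, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
    Set dacl = sd.DiscretionaryAcl
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee = APP_GROUP
    ace.AccessMask = KEY_READ Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY
    ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE   ' subkeys inherit the same ACE
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    sdUtil.SetSecurityDescriptor strPath, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID
End Sub
```

`ReportControlAces` only reads the descriptor, so it can be run on its own over the post's key list to see which keys already carry such an ACE before anything is changed.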
 