Help Display Share Permission

[twdeveloper]

If one of the permission doesn't match then it should exit out with a specific output (i.e. "Nonmatch" or simply "1"). If they do match then exit out with a 0, extra permissions can be ignored. I am using SubinAcl to get the Permissions. However the script that I have developed display all permissions for the files and shares and produces no output code. I need my script to check the particular files and shares for 'builtin\authenticated users. If that permission is there then return 0, if not there then output 1. Can anybody lend me a hand with the correct scripting to complete this? I would appreciate it.

The following Script is what I have come up with so far:

' Test Script

Dim fso
Dim ws

set fso = createObject ("scripting.filesystemobject")
set ws = WScript.CreateObject("WScript.Shell")

thisfolder = Left( WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName) ) 'this ends with a \

'Display Test Script
target = chr(34) & thisfolder & "subinacl" & Chr(34) & " /outputlog=C:\TEMP\logfile_Test_Script.txt /file C:\TestFile /verbose /display"
'WScript.Echo target
ws.Run target, 1, True

'Display Test Share
target = chr(34) & thisfolder & "subinacl" & Chr(34) & " /outputlog=C:\TEMP\logfile_TestScript.txt /share TestShare$ /verbose /display"
'WScript.Echo target
ws.Run target, 1, True

 

[Geates]

intCode = ws.Run target, 1, True

However, I'm not sure that's what your asking for. Are you, instead, wanting to know the outcome of subinacl? If so, set objStream = ws.exec(target). The ws.exec output is copied to the standard output stream in real-time, which - when subinacl is done - is available via objStream as a stream that you can iterate to discover the results of subinacl.

Example

function ping (strComputer)
	ping = false

	set objShell = WScript.CreateObject("WScript.Shell")
	set objStream = objShell.Exec("%comspec% /c ping.exe " & strComputer & " -n 1 -w 100")
	do until objStream.Stdout.AtEndOfStream
		strLine = objStream.StdOut.ReadLine
		if (inStr(strLine, "Reply")) then
			ping = true
			exit function
		end if
	loop
end function

-Geates



"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live."
- Martin Golding

"There are seldom good technological solutions to behavioral problems."
- Ed Crowley, Exchange guru and technology curmudgeon

 

[twdeveloper]

Hey Geates,

Thanks for the fast reply. I guess I should simplify my question.

I basically just need the piece of code/script that will display the Specific Permission (If "builtin/Administrator = FullControl -return True.) How I have it setup right now is that SubinAcl is checking my specified share and returning all Date to my text file. I just need it to return True or False as to whether or not the Share$/File has "builtin\Administrator. If it does for all then great return True. If any one of the Shares or folders does NOT contain the specified permission then return False.

Hope this helps. Thanks.

 

[Geates]

I'm not familiar with subinacl. A) Is subinacl the program making permission determinations? B) Is this permission determined by subinacl? C) If so, where is this determination reported (txt file or screen)?

It sounds like A and B are true and C is a txt file. If this is the case, open the txt file and read each line to look for the data you need. Can you post your output txt file?

-Geates

"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live."
- Martin Golding

"There are seldom good technological solutions to behavioral problems."
- Ed Crowley, Exchange guru and technology curmudgeon

 

[twdeveloper]

SubinAcl.exe is the tool that runs along with my Script.

"SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain."

The main issues is with my VBScript. While I am able to output all information to a txt file and could weed through and see, that is not what needs to be generated for this project.

I really am just trying to find the correct code/syntax in VBScript that will something like "IF permission is Present in //server/share or File then return true." Else return False.

 

[Geates]

I assume you want this code/syntax in your script that runs along with SubinAcl? If that's the case, the only way I would know how to interface the two is by the SubinAcl output file. The code/syntax that you're looking for can't be determined
without the data - that's why I need to see the output so that I can help find the code/syntax your want.

-Geates

"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live."
- Martin Golding

"There are seldom good technological solutions to behavioral problems."
- Ed Crowley, Exchange guru and technology curmudgeon

 

[twdeveloper]

Okay sounds good. Thanks Geates.
I will post the Log file shortly.
This way you can see my results.

 

[twdeveloper]

Geates,

I am pasting 2 of the log files that my script generates.
You can see what kind of information it is producing.

Thanks.

TW

Logfile#1
===================
+Share TestShare$
===================
/control=0x0
/audit ace count =0
/perm. ace count =2
/pace =builtin\administrations ACCESS_ALLOWED_ACE_TYPE-0x0
Full Control
/pace =system ACCESS_ALLOWED_ACE_TYPE -OXO
Full Control



Logfile #2
================
+File C:\TestShare
================
/control=0x1400 SE_DACL_AUTO_INHERITED-0x0400 SE
/owner =wdv\Myself-adm
/primary group =wdv\domain users
/audit ace count =0
/perm. ace count =4
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access:
Special access : -Read -Write -Execute -Delete -Change Permissions -Take Ownership
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20 FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000 READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000 SYNCHRONIZE-0x100000 READ_CONTROL-0x20000

/pace =dev\Myself ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access:
Special access : -Read -Write -Execute -Delete -Change Permissions -Take Ownership
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20 FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000 READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000 SYNCHRONIZE-0x100000 READ_CONTROL-0x20000


/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Directory - Type of access:
Full Control
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20 FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000 READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000 SYNCHRONIZE-0x100000 READ_CONTROL-0x20000

 

[Geates]

This is ugly. There's got to be a more elegant solution.

Basically, I wrote a function that accepts 3 arguments: a log file, a user/group, a permission (eg "full control"). The functions opens the log file and iterates the data line by line. Because data returned by subinacl differs between file and share, the function looks for either and parses a group and permission couple from each line containing a permission list ("/pace"). Then function compares the arguments passed with the parsed group/permissions couple. If they agree, the function returns true and bails. Otherwise, it return false.

function verifyPermissions(strLogFile, strGroup, strPermissions)
	'set the functions result to false.
	'if the group/permission is verified, verifyPermissions = true
	verifyPermissions = false
	
	'open log file for reading
	set objFSO = CreateObject("Scripting.FileSystemObject")
	set objLog = objFSO.OpenTextFile(strLogFile, 1, true, 0)
	
	'iterate log line by line
	do while NOT (objLog.AtEndOfStream)
		strLine = objLog.ReadLine
		'is the log identifing a share or file
		select case (left(strLine, inStr(strLine, " ")))
			case "+Share "
				'keep iterating to get all the "/pace" (object permissions list)
				do while NOT (objLog.AtEndOfStream)
					strLine = objLog.ReadLine
					if (left(strLine, 5) = "/pace") then
						strParsedGroup = trim(mid(strLine, inStr(strLine, "=") + 1, inStr(inStr(strLine, "="), strLine, " ") - inStr(strLine, "=")))
						strParsedPermissions = trim(right(strLine, len(strLine) - inStrRev(strLine, "  ")))
						if (lcase(strParsedGroup) = lcase(strGroup)) then
							if (lcase(strParsedPermissions) = lcase(strPermissions)) then
								verifyPermissions = true
								exit function
							end if
						end if
					end if
				loop 
			case "+File "
				'keep iterating to get all the "/pace" (object permissions list)
				do while NOT (objLog.AtEndOfStream)
					strLine = objLog.ReadLine
					if (left(strLine, 5) = "/pace") then
						strParsedGroup = trim(mid(strLine, inStr(strLine, "=") + 1, inStr(inStr(strLine, "="), strLine, " ") - inStr(strLine, "=")))
						strParsedPermissions = trim(mid(strLine, inStr(strLine, "Type of access:"), inStr(strLine, "Detailed Access") - inStr(strLine, "Type of access:")))
						arrPermissions = split(strParsedPermissions, "  ")
						strParsedPermissions = arrPermissions(ubound(arrPermissions))
						if (lcase(strParsedGroup) = lcase(strGroup)) then
							if (lcase(strParsedPermissions) = lcase(strPermissions)) then
								verifyPermissions = true
								exit function
							end if
						end if
					end if
				loop 
		end select
	loop
end function

'usage	
boolHasPermission = verifyPermissions("c:\test\twdeveloper\logShare.txt", "builtin\administrations", "Full Control")
msgbox boolHasPermission

boolHasPermission = verifyPermissions("c:\test\twdeveloper\logFile.txt", "system", "Full Control")
msgbox boolHasPermission

-Geates



"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live."
- Martin Golding

"There are seldom good technological solutions to behavioral problems."
- Ed Crowley, Exchange guru and technology curmudgeon