NTFS permissions

Guest_imported

New member
Jan 1, 1970
0
Just a quick one: is it possible in WSH to check/change NTFS permissions on folders?
Cheers,
Richard
 

You can change permissions by executing XCACLS from the shell. I don't know the exact syntax, but it would be something like below.

cmdline = "xcacls file.dat /G ... /R ..."
style = 0       ' 0 = hides window, 1 = activates/maximizes window
wait = True     ' True = wait till command completes, False = do not wait
Set WshShell = WScript.CreateObject("WScript.Shell")
Return = WshShell.Run(cmdline, style, wait)

Fengshui_1998

 
PSS ID Number: Q266461
Article last modified on 12-05-2000

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Active Directory Services Interface, System Component
- *NO USE* Microsoft Windows 2000
-------------------------------------------------------------------------------

SUMMARY
=======

File permissions that are set on files and folders using Active Directory
Services Interface (ADSI) and the ADSI resource kit utility, ADsSecurity.DLL, do
not automatically propagate down the subtree to the existing folders and files.

To accomplish automatic propagation of inheritable Access Control Entries (ACEs)
using ADSI, you need to enumerate existing subfolders and files yourself and
apply the inheritable ACEs. Alternatively, you can call the SetSecurityInfo or
SetNamedSecurityInfo function directly instead of using ADSI.

MORE INFORMATION
================

The reason that you cannot use ADSI to set ACEs to propagate down to existing
files and folders is because ADSSecurity.dll uses the low-level SetFileSecurity
function to set the security descriptor on a folder. There is no flag that can
be set by using SetFileSecurity to automatically propagate the ACEs down to
existing files and folders. The SE_DACL_AUTO_INHERIT_REQ control flag will only
set the SE_DACL_AUTO_INHERITED flag in the security descriptor that is
associated with the folder.

Automatic propagation of inheritable ACEs is done only when using the high-level
SetSecurityInfo or SetNamedSecurityInfo function. These functions propagate the
inheritable ACEs (CONTAINER_INHERIT_ACE or OBJECT_INHERIT_ACE) set on a folder
to all existing subfolders and files, as long as the child object's DACL is not
SE_DACL_PROTECTED. This is done only in the high-level access control
implementation by enumerating the subfolders as well as files, and applying all
of the inheritable ACEs.

The following sample VB Script demonstrates how to enumerate folders and files
and set file permissions using ADSI and ADsSecurity.DLL:

1. Create a file called SetPerms.vbs and paste the following code:

'====================================================================
'SetPerms.vbs
'====================================================================
'Variable Declarations
Dim sec
Dim sd
Dim Dacl
Dim ace
Dim ace1
Dim ace2
Dim oSid
Dim sidHex

'Option Explicit

'Flags: Specifies Inheritance
const ADS_ACEFLAG_INHERIT_ACE = &h2
const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &h4
const ADS_ACEFLAG_INHERIT_ONLY_ACE = &h8
const ADS_ACEFLAG_INHERITED_ACE = &h10
const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &h1f
const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &h40
const ADS_ACEFLAG_FAILED_ACCESS = &h80

'Permission Type: Allow or Deny
const ADS_ACETYPE_ACCESS_ALLOWED = &h0
const ADS_ACETYPE_ACCESS_DENIED = &h1

'Permissions: Read, Write, FullControl
const ADS_RIGHT_GENERIC_READ = &h80000000
const ADS_RIGHT_GENERIC_WRITE = &h40000000
const ADS_RIGHT_GENERIC_EXECUTE = &h20000000
const ADS_RIGHT_GENERIC_ALL = &h10000000

const ADS_SID_RAW = 0
const ADS_SID_HEXSTRING= 1
const ADS_SID_SAM = 2
const ADS_SID_UPN = 3
const ADS_SID_SDDL = 4
const ADS_SID_WINNT_PATH = 5
const ADS_SID_ACTIVE_DIRECTORY_PATH= 6
const ADS_SID_SID_BINDING = 7
const fldname = "C:\test2" '<----Change this to the top folder name
const usrname = "Domain\User" '<---Change this to the user you want to add permissions for

Dim fso, fldr, fc, f1', fldname, usrname

' Get instance of FileSystemObject.
Set fso = CreateObject("Scripting.FileSystemObject")
Call ApplyPerms (fldname)
Set fldr = fso.GetFolder(fldname)

Recurse fldr ',usrname

Set fldr = Nothing
Set fso = Nothing
wscript.echo "done"
Wscript.Quit

Public Sub Recurse( ByRef fldr)', ByRef usrname )
    dim subfolders,files,folder,file
    Set subfolders = fldr.SubFolders
    Set files = fldr.Files

    'Display the path and all of the folders.
    Wscript.Echo ""
    Wscript.Echo fldr.Path

    For Each folder in subfolders
        Wscript.Echo folder.Name

        Call ApplyPerms (folder.path)', usrname)
    Next

    'Display all of the files.
    For Each file in files
        wscript.echo file.name

        Call ApplyPerms (file.path)', usrname)
    Next

    'Recurse all of the subfolders.
    For Each folder in subfolders
        Recurse folder', usrname
    Next

    Set subfolders = Nothing
    Set files = Nothing

End Sub

Sub ApplyPerms(ByRef path)' , Byref usrname)

    Set sec = CreateObject("AdsSecurity")
    Set sd = sec.GetSecurityDescriptor("FILE://" & path)
    Set Dacl = sd.DiscretionaryAcl

    Set oSid = CreateObject("AdsSid")
    oSid.SetAs ADS_SID_SAM, Cstr(usrname)
    sidHex = oSid.GetAs(ADS_SID_SDDL)
    Wscript.Echo sidHex

    '----Add a new ACE so User has Full Control on Files.
    Set ace1 = CreateObject ("AccessControlEntry")
    ace1.Trustee = sidHex
    ace1.AccessMask = ADS_RIGHT_GENERIC_ALL
    ace1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace1.AceFlags = ADS_ACEFLAG_INHERIT_ACE Or ADS_ACEFLAG_INHERIT_ONLY_ACE Or 1
    dacl.AddAce ace1

    '----Add a new ACE so User has Full Control on Folders.
    Set ace2 = CreateObject ("AccessControlEntry")
    ace2.Trustee = sidHex
    ace2.AccessMask = ADS_RIGHT_GENERIC_ALL
    ace2.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ace2.AceFlags = ADS_ACEFLAG_INHERIT_ACE Or 1
    dacl.AddAce ace2

    sd.DiscretionaryAcl = dacl
    sec.SetSecurityDescriptor sd

End Sub

2. Set the constant "fldname" to the folder where you want to start applying the
permissions.

3. Set the constant "usrname" to the name of the Domain account that you are
adding the permissions for.

4. Register ADsSecurity.dll (which is in the Platform SDK) by running regsvr32
ADsSecurity.dll at a command prompt.

5. Run SetPerms.vbs by double-clicking it on a computer that has Windows
Scripting Host (WSH) installed.

REFERENCES
==========

For operating system specific ADSI run-time downloads and additional
information, see the following Microsoft Web site:

The ADsSecurity.dll file is available as a resource kit object at the Platform
SDK documentation in the ADSI SDK.

For additional information on using ADSI, see the following Web site:

For more information on SetSecurityInfo, see the following article in the
Microsoft Knowledge Base:

Q254373 INFO: Inherited ACEs Are Not Propagated Through SetSecurityInfo() to
Existing Child Objects

and "Modifying an Object's ACL's" at the following Microsoft Developer Network
(MSDN) Web site:

Modifying an Object's ACL's

For more information on Windows Scripting Host, see the following article:

Q188135 Description of Windows Script Host (WSH)

Additional query words:

======================================================================
Keywords : kbADSI kbMsg kbGrpMsg kbDSupport
Version : :
Issue type : kbhowto
=============================================================================
Copyright Microsoft Corporation 2000.
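
The same task in PowerShell, as an added example that is not part of the KB article or of any post in this thread: one inheritable ACE is set on the top folder with Get-Acl/Set-Acl, and the script then checks every existing child instead of assuming propagation happened. The `$Root` and `$Account` values are placeholders, and the script assumes Set-Acl propagates inheritable ACEs the way the article describes for the high-level functions; children with a protected DACL are expected to show up without the inherited ACE.

```powershell
# Added example. $Root and $Account are placeholders (assumptions), not values to copy.
param(
    [string]$Root    = 'C:\test2',
    [string]$Account = 'DOMAIN\User'
)

# Resolve the account to a SID once, so the check below does not depend on
# how the name is spelled (domain case, UPN, and so on).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# One allow ACE on the top folder only. ContainerInherit passes it to
# subfolders, ObjectInherit passes it to files (CONTAINER_INHERIT_ACE and
# OBJECT_INHERIT_ACE in the article). FullControl mirrors the article's sample.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $Root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# Verify the result on every existing child: report whether its DACL is
# protected (inheritance blocked) and whether it carries an inherited ACE
# for the account.
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $inherited = $childAcl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $sid.Value }

    [pscustomobject]@{
        Path            = $_.FullName
        DaclProtected   = $childAcl.AreAccessRulesProtected
        HasInheritedAce = [bool]$inherited
    }
} | Where-Object { $_.DaclProtected -or -not $_.HasInheritedAce } |
    Format-Table -AutoSize
```

An empty table means every existing file and subfolder picked up the ACE; any row listed is an object whose permissions still differ from the parent and needs a separate decision.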
 