Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Remove a Trustee from an ACE? 1

Status
Not open for further replies.
shinedog

shinedog

MIS
Feb 24, 2004
60
US
Hey guys, been a long day. I'm having trouble wrapping my head around how to remove an ACE from a DACL if the Trustee matches a certain group. I'm opening a couple text files to read in a list of servers and a list of shares. Then I cycle through each targeted share on each server reading in the existing DACL and adding new ACEs with Trustees as the groups I need. While I am cycling through the ACEs already present in the existing DACL, I would like to remove the ACE if the Trustee is the group Everyone. I am basically reading the existing ACEs in the DACL into a new array, add the groups I need as a record in that array, and then write that array back to the DACL for the share. How can I read the Trustee object to see if its Everyone while I'm compiling this array? Relevant code is below. (BTW, existing script works perfectly for adding new groups to the existing DACL).

Code: 
		'Create a WMI connection
		Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strServer & "\ROOT\CIMV2")
		'Create a Security Descriptor object
		Set objSecDescClass = objWMIService.Get("Win32_SecurityDescriptor")
		'Spawn a new Security Descriptor object
		Set objSecDesc = objSecDescClass.SpawnInstance_
		'Get the Security Descriptor for the share
		Set objShareSecuritySettings = GetObject("winmgmts:Win32_LogicalShareSecuritySetting.Name='" & strShare & "'")
		intRetVal = objShareSecuritySettings.GetSecurityDescriptor(objDescriptor)
		'Get the DACL for the Security Descriptor
		objDACL = objDescriptor.DACL
	
		'Cycle through the DACL storing its properties in an array
		i = 0
		max = UBound(objDACL) + 1
	
		ReDim arrACE(max)
	
		For Each objACE in objDACL
			Set arrACE(i) = objWMIService.Get("Win32_Ace").SpawnInstance_
			arrACE(i).Properties_.Item("AccessMask") = objACE.AccessMask
			arrACE(i).Properties_.Item("AceFlags") = objACE.AceFlags
			arrACE(i).Properties_.Item("AceType") = objACE.AceType
			arrACE(i).Properties_.Item("Trustee") = objACE.Trustee
			i = i + 1
		Next
	
		'Spawn a new Trustee object
		Set objTrustee = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
		'Create an Account object for the account to be added to the share
		Set objAccount = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Account.Name='" & strUser & "',Domain='" & strDomain &"'")
		'Create a SID object from the Account object
		Set objAccountSID = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SID.SID='" & objAccount.SID &"'")
		'Set the properties of the new Trustee object
		objTrustee.Domain = strDomain
		objTrustee.Name = strUser
		objTrustee.Properties_.item("SID") = objAccountSID.BinaryRepresentation
	
		Set objAccountSID = Nothing
		Set objAccount = Nothing
	
		'Spawn a new ACE object
		Set arrACE(max) = objWMIService.Get("Win32_Ace").SpawnInstance_
		'Store the properties of the new ACE into the array of the existing ACEs
		arrACE(max).Properties_.Item("AccessMask") = AccessFull
		arrACE(max).Properties_.Item("AceFlags") = 3
		arrACE(max).Properties_.Item("AceType") = 0
		arrACE(max).Properties_.Item("Trustee") = objTrustee
		'Store the new ACE in the new Security Descriptor
		objSecDesc.Properties_.Item("DACL") = arrACE
 
Sort by date Sort by votes
[tt] [red]'[/red]ReDim arrACE(max)
[blue]dim arrACE()
redim arrACE(-1)[/blue]

For Each objACE in objDACL
[blue]if strcomp(objACE.Trustee.SidString,"S-1-1-0",1)=0 then
redim preserve arrACE(ubound(arrACE)+1)
i=ubound(arrACE)[/blue]
Set arrACE(i) = objWMIService.Get("Win32_Ace").SpawnInstance_
arrACE(i).Properties_.Item("AccessMask") = objACE.AccessMask
arrACE(i).Properties_.Item("AceFlags") = objACE.AceFlags
arrACE(i).Properties_.Item("AceType") = objACE.AceType
arrACE(i).Properties_.Item("Trustee") = objACE.Trustee
[red]'[/red]i = i + 1
[blue]end if[/blue]
Next
[blue]redim preserve arrACE(ubound(arrACE)+1)
max=ubound(arrACE)[/blue]
[/tt]
 
Upvote 0 Downvote
Correction
For strcomp() line, by =0, I meant <>0!
>[self]if strcomp(objACE.Trustee.SidString,"S-1-1-0",1)=0 then
It should be read:
[tt]if strcomp(objACE.Trustee.SidString,"S-1-1-0",1)[red]<>[/red]0 then[/tt]
 
Upvote 0 Downvote

Wow that worked like a champ right out of the box. I knew it was an issue with the array and I was trying something similar before I gave up Friday night. Beat my head into the wall for a while on that one. Thanks a lot tsuji!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

bdwilcox
  • Locked
  • Question
Trying to adapt VBScript to search if machine is in an AD group 6
Replies
8
Views
1K
SoftwareRT
SoftwareRT
Michastro
  • Locked
  • Question
Send an order to an IP power in VBS
Replies
0
Views
214
Michastro
Michastro
Z3braa
  • Locked
  • Question
Remove specific computer name in Logon Workstation from from all users in AD, with VBScript
Replies
0
Views
174
Z3braa
Z3braa
S
  • Locked
  • Question
Need to submit page when clicking a checkbox
Replies
0
Views
241
shbr5413
S
Katto
  • Locked
  • Question
Paste picture from clipboard into aslide of an opened powerpoint file
Replies
0
Views
160
Katto
Katto

Part and Inventory Search

Sponsor

Back
Top