ptrex Posted August 7, 2007 (edited)

Set ACL properties in Windows

Several users in the help forum wondered how to set ACL properties in Windows by means of a script.

For those who don't know what an ACL is: Access Control List. An Access Control List is a list attached to an object such as a file, printer, AD object, ... . It consists of control expressions, each of which grants or denies some ability to a particular user or group of users or object.

More info: http://www.pluralsight.com/wiki/default.as...edSecurity.html

Well, there are several ways of doing this. But one easy-going one is this, using the SetACL COM Object.

SetACL in Windows

This also comes along with a commandline tool.

This is a quick example on how to get started.

;SetACL $ACCESS Modes
Const $DENY_ACCESS = 3
Const $GRANT_ACCESS = 1
Const $REVOKE_ACCESS = 4
Const $SET_ACCESS = 2
Const $SET_AUDIT_FAILURE = 6
Const $SET_AUDIT_SUCCESS = 5

;SetACL Actions
Const $ACTN_ADDACE = 1
Const $ACTN_CLEARDACL = 16
Const $ACTN_CLEARSACL = 32
Const $ACTN_COPYDOMAIN = 1024
Const $ACTN_COPYTRUSTEE = 1024
Const $ACTN_DOMAIN = 8192
Const $ACTN_LIST = 2
Const $ACTN_REMOVEDOMAIN = 512
Const $ACTN_REMOVETRUSTEE = 512
Const $ACTN_REPLACEDOMAIN = 256
Const $ACTN_REPLACETRUSTEE = 256
Const $ACTN_RESETCHILDPERMS = 128
Const $ACTN_RESTORE = 2048
Const $ACTN_SETGROUP = 8
Const $ACTN_SETINHFROMPAR = 64
Const $ACTN_SETOWNER = 4
Const $ACTN_TRUSTEE = 4096

;SetACL Inheritance Values
Const $INHPARCOPY = 2
Const $INHPARNOCHANGE = 0
Const $INHPARNOCOPY = 4
Const $INHPARYES = 1

;SetACL $LIST Formats
Const $LIST_CSV = 1
Const $LIST_SDDL = 0
Const $LIST_TAB = 2

;SetACL $LIST Names
Const $LIST_NAME = 1
Const $LIST_NAME_SID = 3
Const $LIST_SID = 2

;SetACL Recursion
Const $RECURSE_CONT = 2
Const $RECURSE_CONT_OBJ = 6
Const $RECURSE_NO = 1
Const $RECURSE_OBJ = 4

;SetACL Return Codes
Const $RTN_ERR_ADD_ACE = 32
Const $RTN_ERR_CONVERT_SD = 27
Const $RTN_ERR_COPY_ACL = 31
Const $RTN_ERR_CREATE_SD = 45
Const $RTN_ERR_DEL_ACE = 30
Const $RTN_ERR_DIS_PRIV = 13
Const $RTN_ERR_EN_PRIV = 12
Const $RTN_ERR_FINDFILE = 16
Const $RTN_ERR_GENERAL = 2
Const $RTN_ERR_GET_SD_CONTROL = 17
Const $RTN_ERR_GETSECINFO = 5
Const $RTN_ERR_IGNORED = 44
Const $RTN_ERR_INTERNAL = 18
Const $RTN_ERR_INV_DIR_PERMS = 7
Const $RTN_ERR_INV_DOMAIN = 43
Const $RTN_ERR_INV_PRN_PERMS = 8
Const $RTN_ERR_INV_REG_PERMS = 9
Const $RTN_ERR_INV_SHR_PERMS = 11
Const $RTN_ERR_INV_SVC_PERMS = 10
Const $RTN_ERR_INVALID_SD = 38
Const $RTN_ERR_LIST_ACL = 28
Const $RTN_ERR_LIST_FAIL = 15
Const $RTN_ERR_LIST_OPTIONS = 26
Const $RTN_ERR_LOOKUP_SID = 6
Const $RTN_ERR_LOOP_ACL = 29
Const $RTN_ERR_NO_LOGFILE = 33
Const $RTN_ERR_NO_NOTIFY = 14
Const $RTN_ERR_OBJECT_NOT_SET = 4
Const $RTN_ERR_OPEN_LOGFILE = 34
Const $RTN_ERR_OS_NOT_SUPPORTED = 37
Const $RTN_ERR_OUT_OF_MEMORY = 46
Const $RTN_ERR_PARAMS = 3
Const $RTN_ERR_PREPARE = 24
Const $RTN_ERR_READ_LOGFILE = 35
Const $RTN_ERR_REG_CONNECT = 21
Const $RTN_ERR_REG_ENUM = 23
Const $RTN_ERR_REG_OPEN = 22
Const $RTN_ERR_REG_PATH = 20
Const $RTN_ERR_SET_SD_DACL = 39
Const $RTN_ERR_SET_SD_GROUP = 42
Const $RTN_ERR_SET_SD_OWNER = 41
Const $RTN_ERR_SET_SD_SACL = 40
Const $RTN_ERR_SETENTRIESINACL = 19
Const $RTN_ERR_SETSECINFO = 25
Const $RTN_ERR_WRITE_LOGFILE = 36
Const $RTN_ERR_OK = 0
Const $RTN_ERR_USAGE = 1

;SetACL $SD Info
Const $ACL_DACL = 1
Const $ACL_SACL = 2
Const $SD_GROUP = 8
Const $SD_OWNER = 4

;SetACL $OBJECT Types
Const $SE_FILE_OBJECT = 1
Const $SE_LMSHARE = 5
Const $SE_PRINTER = 3
Const $SE_REGISTRY_KEY = 4
Const $SE_SERVICE = 2

; Target file, trustee and SetACL permission name to grant
$strFileName = "C:\Tmp\Results1.txt"
$strUsername = "Users"
$strPermission = "change"

; Create the SetACL COM object (SetACL.ocx must be registered)
$SetACL1 = ObjCreate("SetACL.SetACLCtrl.1")
If IsObj($SetACL1) Then
    With $SetACL1
        $nError = .SetObject($strFileName, $SE_FILE_OBJECT)
        $nError = .SetAction($ACTN_ADDACE)
        $nError = .AddACE($strUsername, 0, $strPermission, $INHPARNOCHANGE, 0, $GRANT_ACCESS, $ACL_DACL)
        $nError = .Run
    EndWith
Else
    MsgBox(0, "Error", "No Object Found")
EndIf

Another tool is of course the famous MS CACLS

Enjoy !!

regards
ptrex

Edited September 14, 2012 by ptrex

Contributions :Firewall Log Analyzer for XP - Creating COM objects without a need of DLL's - UPnP support in AU3Crystal Reports Viewer - PDFCreator in AutoIT - Duplicate File FinderSQLite3 Database functionality - USB Monitoring - Reading Excel using SQLRun Au3 as a Windows Service - File Monitor - Embedded Flash PlayerDynamic Functions - Control Panel Applets - Digital Signing Code - Excel Grid In AutoIT - Constants for Special Folders in WindowsRead data from Any Windows Edit Control - SOAP and Web Services in AutoIT - Barcode Printing Using PS - AU3 on LightTD WebserverMS LogParser SQL Engine in AutoIT - ImageMagick Image Processing - Converter @ Dec - Hex - Bin -Email Address Encoder - MSI Editor - SNMP - MIB ProtocolFinancial Functions UDF - Set ACL Permissions - Syntax HighLighter for AU3ADOR.RecordSet approach - Real OCR - HTTP Disk - PDF Reader Personal Worldclock - MS Indexing Engine - Printing ControlsGuiListView - Navigation (break the 4000 Limit barrier) - Registration Free COM DLL Distribution - Update - WinRM SMART Analysis - COM Object Browser - Excel PivotTable Object - VLC Media Player - Windows LogOnOff Gui -Extract Data from Outlook to Word & Excel - Analyze Event ID 4226 - DotNet Compiler Wrapper - Powershell_COM - New
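The snippet above discards every return value except the last one and leaves a COM failure to AutoIt's default behaviour (which aborts the script). As an added example, not ptrex's code and not part of SetACL's own distribution, the same sequence of calls wrapped in a function that checks each step against the RTN_ERR_* constants and installs an AutoIt COM error handler so the caller gets a usable failure instead of a silent stop. Assumptions: SetACL.ocx is registered with regsvr32, the AddACE argument order is the one used in the post, and the two 0 arguments are passed through unchanged because the thread does not document their meaning; the file path is constructed.

```autoit
; Added example (not ptrex's code): the post's SetACL calls wrapped in a
; function that fails loudly. Assumes SetACL.ocx is registered and that the
; AddACE argument order matches the post's call; the two 0 arguments are
; passed through unchanged because their meaning is not documented here.

Global Const $SE_FILE_OBJECT = 1
Global Const $ACTN_ADDACE = 1
Global Const $GRANT_ACCESS = 1
Global Const $INHPARNOCHANGE = 0
Global Const $ACL_DACL = 1
Global Const $RTN_ERR_OK = 0

; Without a handler an unhandled COM error terminates the script; with one we
; record it and let the calling function return a failure instead.
Global $g_bComError = False
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErrFunc")

Func _ComErrFunc($oError)
    $g_bComError = True
    ConsoleWrite("COM error 0x" & Hex($oError.number, 8) & " in " & $oError.source & ": " & $oError.description & @CRLF)
EndFunc

; Add a grant ACE for $sTrustee with SetACL permission name $sPermission
; ("change" in the post) to the DACL of $sPath.
; Returns True on success. On failure returns False with @error = failing step
; (1..5) and @extended = the SetACL return code (compare with RTN_ERR_*).
Func _SetACL_Grant($sPath, $iObjType, $sTrustee, $sPermission)
    Local $oSetACL = ObjCreate("SetACL.SetACLCtrl.1")
    If Not IsObj($oSetACL) Then Return SetError(1, 0, False)   ; OCX not registered on this machine
    $g_bComError = False

    Local $nRet = $oSetACL.SetObject($sPath, $iObjType)
    If $g_bComError Or $nRet <> $RTN_ERR_OK Then Return SetError(2, $nRet, False)

    $nRet = $oSetACL.SetAction($ACTN_ADDACE)
    If $g_bComError Or $nRet <> $RTN_ERR_OK Then Return SetError(3, $nRet, False)

    $nRet = $oSetACL.AddACE($sTrustee, 0, $sPermission, $INHPARNOCHANGE, 0, $GRANT_ACCESS, $ACL_DACL)
    If $g_bComError Or $nRet <> $RTN_ERR_OK Then Return SetError(4, $nRet, False)

    $nRet = $oSetACL.Run()
    If $g_bComError Or $nRet <> $RTN_ERR_OK Then Return SetError(5, $nRet, False)

    Return True
EndFunc

; Usage with a constructed path; "Users" and "change" are the values from the post.
If _SetACL_Grant("C:\Tmp\Results1.txt", $SE_FILE_OBJECT, "Users", "change") Then
    ConsoleWrite("ACE added" & @CRLF)
Else
    ConsoleWrite("Failed at step " & @error & ", SetACL return code " & @extended & @CRLF)
EndIf
```

The object type is a parameter so the same function serves the other SE_* object kinds from the constant list (the path format SetACL expects for non-file objects is not shown in this thread). Keeping the ObjEvent handler in a global variable matters: if it goes out of scope the handler is removed and COM errors go back to aborting the script.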
PsaltyDS Posted August 7, 2007 (edited)

Nice! I was hoping to find how to internalize SetACL.exe command line functions into a script without the need for the external executable. New toy to play with! Merry Christmas!

P.S. Requires SetACL ActiveX (SetACL.ocx) to provide the COM interface.

Edited August 7, 2007 by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session! For those who want somebody to write the script for them: RentACoder "Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
Toady Posted August 7, 2007

Very nice! Thank you for this find

www.itoady.com A* (A-star) Searching Algorithm - A.I. Artificial Intelligence bot path finding
ptrex Posted August 7, 2007 (Author)

@all

You are welcome !!

See you all around.

regards,
ptrex
microsoft Posted August 9, 2007

a script good
MadBoy Posted August 9, 2007

> @all You are welcome !! See you all around. regards, ptrex

Great ptrex. How about registry permissions? Is there a similar vbs script which can be translated?

My little company: Evotec (PL version: Evotec)
ptrex Posted August 9, 2007 (Author)

@Microsoft
Lots of good stuff around here

@MadBoy
Change : .SetObject($strFileName, $SE_FILE_OBJECT)

Be careful messing around with the REGISTRY !! Best make a restore point before playing around.

Regards
ptrex
MadBoy Posted August 9, 2007

> @Microsoft Lots of good stuff around here @MadBoy Change : .SetObject($strFileName, $SE_FILE_OBJECT) Be careful messing around with the REGISTRY !! Best make a restore point before playing around. Regards ptrex

Hehe. Ever thought about making this a UDF?
ptrex Posted August 9, 2007 (Author)

@MadBoy
Time is my only enemy. So give it a try.

regards,
ptrex
FrenchTroll Posted August 23, 2007

Hello ptrex,

Do you know how to remove an account with the SID "everyone"?

Like this, that works:

$nError = .SetObject("C:\1.txt", 1)
$nError = .SetAction(4096)
$nError = .AddTrustee("Everyone", "", False, False, 512, True, False)
$nError = .Run

...but if I put the SID for everyone (in French "Tout le monde") like this:

$nError = .SetObject("C:\1.txt", 1)
$nError = .SetAction(4096)
$nError = .AddTrustee("S-1-1-0", 1, False, False, 512, True, False)
$nError = .Run

...that doesn't work. I asked the question on SetACL's forum but it looks dead.

Thanks for any idea
Klaatu Posted August 23, 2007

Where do you find documentation on the functions of the COM object? I looked all over the project's pages, but could not find any docs on it, just the command line version.

TIA

My Projects: DebugIt - Debug your AutoIt scripts with DebugIt!
FrenchTroll Posted August 23, 2007

There's no doc for this ActiveX, not much example and no support. That is the problem
FrenchTroll Posted August 23, 2007

Well, the author gave me the answer:

The correct syntax to remove a SID on a file (with the SID) is like this:

$nError = .SetObject("C:\1.txt", 1)
$nError = .SetAction(4096)
$nError = .AddTrustee("S-1-1-0", "", True, False, 512, True, False)
$nError = .Run

You can find the different SIDs on this page: http://support.microsoft.com/kb/243330/en

I hope this helps.
ken82m Posted October 11, 2007 (edited)

This looks very interesting and something I could use in most of my scripts. A large amount of AutoIT scripts are used for deploying applications here at work. CACLS works but this looks much nicer to work with.

However I have never implemented a COM object in one of my scripts. I think I can understand how to make a change but I don't understand how AutoIT knows where to find the OCX. Do I need to register it somehow first?

Would someone mind posting a quick example of how I would integrate setting an actual ACL entry within an AutoIT script.

Thanks,
Kenny

Edited October 11, 2007 by ken82m

"I believe that when we leave a place, part of it goes with us and part of us remains... Go anywhere, when it is quiet, and just listen.. After a while, you will hear the echoes of all our conversations, every thought and word we've exchanged.... Long after we are gone our voices will linger in these walls for as long as this place remains."
ptrex Posted October 11, 2007 (Author)

@ken82m
Indeed, after downloading the COM file you will have to register it on your machine using the "Regsvr32" command. This needs to be done on each PC that you intend to use the scripts on.

Regards
ptrex
ken82m Posted October 11, 2007

Got it, great work on this! Definitely gonna make my life easier.

Do you know of any RC's to verify the ACL has been changed? I tried checking the $nError after .Run but it always seems to return 0 no matter what happens.

Thanks,
Kenny
ptrex Posted October 12, 2007 (Author) (edited)

@ken82m
Isn't that what the Security Event Log is meant for?

How to set Security Event Logs - ACE

regards
ptrex

Edited October 12, 2007 by ptrex
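Auditing tells you afterwards that a DACL was changed; the script itself can confirm the result right away by reading the DACL back instead of trusting what .Run returns. As an added example, not from anyone in the thread, the check done with cacls.exe, which is present on every Windows installation as the thread notes. Assumptions: AutoIt 3.3.10 or later (for AutoItConstants.au3), cacls printing one ACE per line in the form DOMAIN\trustee:letter with optional inheritance markers such as (OI)(CI) before the letter, and a constructed file path.

```autoit
; Added example (not from the thread): verify an ACL change by reading the
; DACL back with cacls.exe rather than relying on SetACL's return value.
; Assumes AutoIt 3.3.10+ and the cacls line format "DOMAIN\trustee:letter".
#include <AutoItConstants.au3>

; Run cacls on $sPath and return its complete stdout (empty string on failure).
Func _ReadDACL($sPath)
    Local $iPid = Run(@ComSpec & ' /c cacls "' & $sPath & '"', "", @SW_HIDE, $STDOUT_CHILD)
    If $iPid = 0 Then Return SetError(1, 0, "")
    Local $sOut = "", $sChunk
    ; Read until the child closes the pipe (StdoutRead sets @error at EOF).
    While 1
        $sChunk = StdoutRead($iPid)
        If @error Then ExitLoop
        $sOut &= $sChunk
        Sleep(10)
    WEnd
    Return $sOut
EndFunc

; True if the DACL of $sPath has an entry for $sTrustee with permission letter
; $sPermLetter (R, W, C or F as cacls prints them). The trustee is matched
; after a backslash because cacls prefixes it with the domain or machine name
; (e.g. BUILTIN\Users); inheritance markers like (OI)(CI) may precede the letter.
Func _DACL_Has($sPath, $sTrustee, $sPermLetter)
    Local $sOut = _ReadDACL($sPath)
    If @error Then Return SetError(1, 0, False)
    Local $sPattern = "\\" & $sTrustee & ":(\([A-Z]+\))*" & $sPermLetter & "(?=\s|$)"
    Return StringRegExp($sOut, $sPattern) = 1
EndFunc

; Usage with a constructed path, run after the AddACE/Run sequence from the first post.
If _DACL_Has("C:\Tmp\Results1.txt", "Users", "C") Then
    ConsoleWrite("Verified: Users has Change on the file" & @CRLF)
Else
    ConsoleWrite("Expected ACE not found; do not assume the change was applied" & @CRLF)
EndIf
```

Checking the letter alone is coarse: cacls collapses permissions to R/W/C/F and prints "(special access:)" for anything else, so a masked or deny entry that does not map onto those letters will not match. For a precise comparison, parse the SDDL string instead (SetACL's $LIST_SDDL format from the constant list, or icacls /save on newer Windows).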
Gigglestick Posted August 8, 2008 (edited)

I'm pretty sure I know the answer, but what is the possibility of the AutoIt devs using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXEs or register DLLs?

For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers, where we currently use robocopy to make ACL/ACE backups to zero-byte files off-site (robo switches: /copy:ATSOU /create) due to a particular site's local info sec not fully understanding security (always falls on my group to correct their mistakes), and that CHKDSK bug awhile back that reset all ACLs on an entire volume to defaults.

I use AutoIt to run multiple concurrent robos to expedite the process (then parse the logs and email a summary of errors), and that seems fairly efficient, but it would be very cool if I could grab the ACL/ACEs with AutoIt and store them in a database or something without registering an external DLL/OCX.

Alternatively, is it possible to use this DLL as a plugin, so its functionality could be tapped without registering it?

Edit: Nevermind, I see ptrex's RegFreeCOM Au3X Example.

I just came across this topic via ptrex's sig, so if there's already an answer to this problem, I apologize.

Edited August 8, 2008 by c0deWorm

My UDFs: ExitCodes
Confuzzled Posted August 14, 2008

> I'm pretty sure I know the answer, but what is the possibility of the AutoIt devs using this guy's source code and implementing internal ACL/ACE functionality in AutoIt so we don't have to use external EXEs or register DLLs? For one thing, there is absolutely no possibility that my company will let me register this DLL on our servers...

Isn't CACLS already on each and every computer and well documented by Microsoft? Why reinvent the wheel?
stones Posted March 9, 2009

i need example complete please