Set Acl permissions UDF

[AmolT]

Finally did it 

Hope I done it correctly, as far there were no errors.

Steps I followed:

1) Read the object DACL using _GetObjectDacl

2) Excluded the required DACL which needed to be removed (exactly opposite of what's happening in _MergeDaclToArray)

3) Clear the objects DACL using _ClearObjectDacl

4) Set back the DACL using _SetFileObjectSecurity

the UDF is simply awesome, its just hard to find out the way to such new things for naives

Isn't it would be great to add a some function to remove permissions as well.

Also one more to LookupAccountSid.

 

Amol

 

 

 

 

[AdamUL]

Look in the Security UDFs that are included with AutoIt.  

_Security__GetAccountSid
_Security__LookupAccountSid
_Security__LookupAccountName

Also, could you post an example script of what you describe above?

 

Adam

Edited April 13, 2016 by AdamUL

[Valnurat]

On ‎04‎-‎11‎-‎2011 at 2:01 PM, FredAI said:

Take a look at this code:

 

 

#include 'Permissions.au3'
_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
 
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

 

You just have to create an array with the permissions you want to set:

$array[0][0] - First ace user name or Sid string

$array[0][1] - 1 or 0,whether to grant or deny the permissions defined in the access mask. ($array[0][2])

$array[0][2] - One or more access mask values. e.g. $GENERIC_READ+$GENERIC_EXECUTE

 

$array[1][0] - Second ace user name or Sid string

$array[1][1] - 1 or 0,whether to grant or deny the permissions defined in the access mask. ($array[1][2])

$array[1][2] - One or more access mask values. e.g. $GENERIC_READ+$GENERIC_EXECUTE

 

And so on. You can add how many aces you want. The access denied aces have priority over the allowed ones.

Then you can set the owner, clear the DACL and recurse containers and objects (for folders and registry keys), When recursing, the child objects will automatically inherit the permissions from the parent one.

 

Don't know what else you can do by modifying the security descriptor.

I tried the above code, but it do not work.

It doesn't put "username" or "everyone" on the ACL.

It is just blank.

I really need this to work. I have 300+ folders I need to set ACL for.

I have e.g. a folder called: CC120800 and I need to add a AD group called: DKSO_NTFS_CC120800 with modify access.

Hope someone can help me.

[AdamUL]

Are you using #RequireAdmin when running the script?  Also, is the account that you are running the script under have permissions to edit the ACLs of the folders?   

 

Adam

 

[Valnurat]

No I did not. When I did that it worked.

Thank you.

But I'm local admin on my computer?

[Jos]

6 minutes ago, Valnurat said:

But I'm local admin on my computer?

Guess you have some reading to do around the use of UAC in windows.

Jos

[Valnurat]

[AdamUL]

Your welcome.  Glad I could help.  As Jos mention, it is a UAC issue dealing with the Admin Token.  

 

Adam

 

[Valnurat]

How do I add access for the "modify"?

[Valnurat]

Ok. Itried this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()

Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

and it work very well.

But if I try this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = '\\servername\share\NewTestFolder'
Local $TI = TimerInit()

Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'GROUPNAME' ;<---- this is an AD Groupname
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

it does not work.

The problem is that my NewTestFolder do not exists anymore or it is there in some way, because if I create a new folder with the same name, I get an error that the folder can't be renamed.

Of course the "GROUPNAME" isen't the correct one in this exampel, but I don't know if I just write the AD Group or do I need to do something special to have this to work?

"Everyone" is standard.

[Valnurat]

On ‎13‎-‎04‎-‎2016 at 3:34 PM, AmolT said:

Finally did it 

Hope I done it correctly, as far there were no errors.

Steps I followed:

1) Read the object DACL using _GetObjectDacl

2) Excluded the required DACL which needed to be removed (exactly opposite of what's happening in _MergeDaclToArray)

3) Clear the objects DACL using _ClearObjectDacl

4) Set back the DACL using _SetFileObjectSecurity

the UDF is simply awesome, its just hard to find out the way to such new things for naives

Isn't it would be great to add a some function to remove permissions as well.

Also one more to LookupAccountSid.

 

Amol

 

 

 

 

Could you show me how you did it?

I can't figure it out.

Edited April 29, 2016 by Valnurat

[Valnurat]

When I do this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

It delete the original DACL and when just add @UserName and Everyone.

But if I want to keep the original DACL and want to add @UserName and Everyone I guess I need to use _MergeDaclToArray. So I did this:

#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
Local $aDACL
Local $sTest = _GetObjectDACL($File)
MsgBox(0,"",$sTest)
If _MergeDaclToArray($sTest,$aDACL) = 0 Then
    MsgBox(0,"Faild","Merge Dacl To Array")
    Exit
EndIf
_ArrayDisplay($aDACL,"ACL")
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE+$GENERIC_WRITE+$DELETE
_ArrayDisplay($aPerm,$File)
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()

but my _MergeDaclToArray returns 0.

I don't know if this is the right way to do it.

Can someone help me?

[AdamUL]

@Valnurat this is a long post, but I hope I can answer some of your questions.  I'm not an expert with this UDF, and learned even more when I was looking at your issues.  

Your $aDACL is an empty array in your _MergeDaclToArray function call, that is why you get 0.  You only declare the variable, but did not set a value to it.  That is not what your problem is.  You are using an incorrect function to do what I think you want to do.  You need to use _EditObjectPermissions. This will allow you to add new ACEs to the existing ACL using a permissions array.  Also, the script needs to be run with #RequireAdmin for it to work, or it will fail to set the permissions at all.  Here is an edited version of you script that works for me.  

#RequireAdmin
#include 'Permissions.au3'
#include <Array.au3>

_InitiatePermissionResources()

Local $File = @ScriptDir & '\test.txt'
FileWrite($File,'test')

Local $TI = TimerInit()

Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT
_ArrayDisplay($aPerm,$File)

Local $ret = _EditObjectPermissions($File, $aPerm)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '& $ret & @CRLF & '   Time: '&Round($TD,2) & ' miliseconds.')

_ClosePermissionResources()

I also found a bug in the _EditObjectPermissions function.  On line 602, change the following.

_MergeDaclToArray($Dacl, $aPermissions)

to

If $ClearDacl Then _MergeDaclToArray($Dacl, $aPermissions)

If you do not change it, you will have the inherited ACEs duplicated as non-inherited ACEs on the object.  In addition to the ACEs that you added.  This is not completely correct.  The aces are duplicated. If you do what I specify above, you will loose all the local ACEs along with the duplicated ACEs.  I'm not sure what is causing this, and in which function.  I have read the whole thread, and this is a know issue that has not been corrected.

 

Quote

How do I add access for the "modify"?

I see you found it out by doing it explicitly in your last post, but it is define in the UDF as $FILE_AUTH_USERS_DEFAULT.  

 

Quote

Of course the "GROUPNAME" isn't the correct one in this example, but I don't know if I just write the AD Group or do I need to do something special to have this to work?

When adding a domain group, you have to have it in the format "domain\groupname" e.g. AD\Group_Name, if not, it will look for the group on the local PC.  You could also use the group's SID as well.  Here is an example array, using the array used in the example script above.  

Global $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'AD\Group_Name'
$aPerm[1][1] = 1
$aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT

Hope that helps.  

 

Adam

 

Edited May 2, 2016 by AdamUL

[Valnurat]

Thank you for the feedback.

Yes, my mistake not to put in #RequireAdmin in my test. It was part of my test.

It seems it works now. thank you.

 

Edited April 30, 2016 by Valnurat

[AdamUL]

@Valnurat  Your welcome.  Glad I could help.  

See my edited post above for the issue with _EditObjectPermissions.  

 

Adam

[Terenz]

Hello. I have try to play with this UDF but i can't get my goal. I'd like to do:

1) Get the file permission of the file

2) Add to my user full access to that file

3) Do some task

4) When i'm finish, restore the file permission to the original one at point 1)

Someone has an example to play with it and experiment? I think is involved in some way _CopyFullDacl but i don't have understand where it take the original file permission. Thanks

[Kaimberex]

getting this error when trying to do a syntax check 

 

error: $ACCESS_SYSTEM_SECURITY previously declared as a 'Const'.
Global Const $ACCESS_SYSTEM_SECURITY     = 0x01000000

[Surf243]

On 8/1/2016 at 11:11 AM, Kaimberex said:

getting this error when trying to do a syntax check 

 

error: $ACCESS_SYSTEM_SECURITY previously declared as a 'Const'.
Global Const $ACCESS_SYSTEM_SECURITY     = 0x01000000

I just commented it out as it's already declared in SecurityConstants.au3

[AdamUL]

I think I have found the solution to the issue that I posed in #133 about inherited ACEs being added to the ACL when you use the _EditObjectPermissions function.   

The issue is with the _MergeDaclToArray function.  if you look in post #50, FredAl posts an updated _MergeDaclToArray function that was never added to the UDF.  

If you replace the _MergeDaclToArray in the UDF with the updated _MergeDaclToArray, this issue is resolved.  

 

Adam

 

[AdamUL]

@Terenz Now with the change to the UDF above mentioned above.  Here is an example that I think will do what you need.  

#RequireAdmin
#include 'Permissions.au3'

_InitiatePermissionResources()

Global $sFile = @ScriptDir & '\test.txt'
FileWrite($sFile, 'test')
MsgBox(0, "File", "Created")

Global $aPerm[1][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL

Global $pDACL = _GetObjectDacl($sFile)

Global $iRet = _EditObjectPermissions($sFile, $aPerm)
MsgBox(0, '', '_EditObjectPermissions return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

$iRet = _SetObjectSecurity($sFile, $SE_FILE_OBJECT, $DACL_SECURITY_INFORMATION, 0, 0, $pDACL, 0)
MsgBox(0, '', 'Restore all permissions' & @CRLF & @CRLF & _
        '_SetObjectSecurity return value: ' & $iRet & @CRLF & _
        'Check the file permissons before closing the message box.')

FileDelete($sFile)
MsgBox(0, "File", "Deleted")

_ClosePermissionResources()

 

Adam

 

Edited September 22, 2016 by AdamUL