Reekod Posted January 25, 2012 Posted January 25, 2012 (edited) Hello all i need to remove a specific user of a complete tree folders (recursive mode) i don't understand which func to user from the permissions.au3 is someone can help me to write a code to remove "users domain" from e:common_data /s thx for help. Edited January 26, 2012 by Reekod
FredAI Posted February 23, 2012 Author Posted February 23, 2012 Hi guys, sorry for the delay. I've been quite busy lately. I made another update today. See the first post, please. I'll try to find some time tomorrow to answer the questions made here. My UDFs: SetAcl permissions | System restore Examples: File version info editor | GetIp() improved Programs: UVK - Ultra virus killer | ExeFixer | Recent file seeker | SHIcon | Quick_Any2Ico
intime69 Posted March 14, 2012 Posted March 14, 2012 If you have a moment to give an example with the registry like I requested, it would be so greatly appreciated. No big rush. I know you're busy... And thanks for the update! Developer and Co-OwnerInTime Applicaitons Inc.
MariusN Posted April 13, 2012 Posted April 13, 2012 Wow....what a UDF....thanks FredAI, I really LOVE this piece of work
ffdshow Posted June 23, 2012 Posted June 23, 2012 (edited) An example for registry which is similar with the example for file provided in the first post of this thread expandcollapse popup#include 'Permissions.au3' _InitiatePermissionResources() RegWrite('HKLM\SOFTWARE\Example') ; write a registry key Local $TI = TimerInit() Local $ret = _DenyAllAccess('HKLM\SOFTWARE\Example',$SE_REGISTRY_KEY,@UserName) Local $TD = TimerDiff($TI) MsgBox(0,'','Deny all access to HKLM\SOFTWARE\Example and take ownership:'&@CRLF&@CRLF& _ '_DenyAllAccesss return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _ 'Check the registry key permissons before closing the message box.') $TI = TimerInit() $ret = _GrantReadAccess('HKLM\SOFTWARE\Example',$SE_REGISTRY_KEY,'Administrators') $TD = TimerDiff($TI) MsgBox(0,'','Grant everyone read access, all access to admins and system, and set the owner: Admins group'&@CRLF&@CRLF& _ '_GrantReadAccesss return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _ 'Check the registry key permissons before closing the message box.') $TI = TimerInit() $ret = _GrantAllAccess('HKLM\SOFTWARE\Example') $TD = TimerDiff($TI) MsgBox(0,'','Grant everyone access'&@CRLF&@CRLF& _ '_GrantAllAccesss return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _ 'Check the registry key permissons before closing the message box.') $TI = TimerInit() $ret = _CopyFullDacl('HKLM\SOFTWARE\Example',$SE_REGISTRY_KEY,@ScriptDir) $TD = TimerDiff($TI) MsgBox(0,'','Restore all inherited permissions'&@CRLF&@CRLF& _ '_CopyFullDacl return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _ 'Check the registry key permissons before closing the message box.') $TI = TimerInit() Local $aPerm[2][3] = [['Restricted',1,$GENERIC_ALL],['Users',1,$GENERIC_ALL]] $ret = _EditObjectPermissions('HKLM\SOFTWARE\Example',$aPerm) $TD = TimerDiff($TI) MsgBox(0,'','Add two granted access aces: Restricted and Users'&@CRLF&@CRLF& _ '_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _ 'Check the registry key permissons before closing the message box.') $TI = TimerInit() Dim $aPerm[2][3] = [['Restricted',1,$GENERIC_READ],['Users',1,$GENERIC_READ]] $ret = _EditObjectPermissions('HKLM\SOFTWARE\Example',$aPerm) $TD = TimerDiff($TI) MsgBox(0,'','Give only read access to the Restricted and Users groups'&@CRLF&@CRLF& _ '_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _ 'Check the registry key permissons before closing the message box.') $TI = TimerInit() Dim $aPerm[2][3] = [['Restricted',0,$GENERIC_ALL],['Users',0,$GENERIC_ALL]] $ret = _EditObjectPermissions('HKLM\SOFTWARE\Example',$aPerm) $TD = TimerDiff($TI) MsgBox(0,'','Deny access to the Restricted and Users groups'&@CRLF&@CRLF& _ '_EditObjectPermissions return value: '&$ret&' Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _ 'Check the registry key permissons before closing the message box.') $TI = TimerInit() Local $Hndl = _Permissions_OpenProcess(@AutoItPID) Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT) Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT) Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT) Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT) $TD = Round(TimerDiff($TI),2) MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _ '@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _ '_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _ '_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _ 'New @AutoItPID security descriptor: '&@CRLF& _ $SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.') _Permissions_CloseHandle($Hndl) RegDelete('HKLM\SOFTWARE\Example') _ClosePermissionResources() Set the owner of a registry key (the subkeys owner will not be changed) #include 'Permissions.au3' _InitiatePermissionResources() RegWrite('HKLM\SOFTWARE\Example') ; write a registry key ; Set the Administrators group as the owner of a registry key (the subkeys owner will not be changed) _SetObjectOwner('HKLM\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators') Grants Administrators access for the given object. Replace the owner with "Replace owner on subcontainers and objects" option checked. Grant Administrators full control permissions with "Replace all child object permissions with inheritable permissions from this object" option checked. Existed DACL will be preserved by using $ClearDacl = 0 in Return _SetObjectPermissions on the penultimate line of this script. expandcollapse popup#include 'Permissions.au3' _InitiatePermissionResources() RegWrite('HKLM\SOFTWARE\Example') ; write a registry key _GrantAdministratorsAccess_1('HKLM\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators', 1) ; #FUNCTION# ==================================================================================================================== ; Name...........: _GrantAdministratorsAccess_1 ; Description ...: Grants Administrators access for the given object ; Replace the owner with "Replace owner on subcontainers and objects" option checked ; Grant Administrators full control permissions with ; "Replace all child object permissions with inheritable permissions from this object" option checked ; Permissions will be added (existed DACL will be preserved by using $ClearDacl = 0 in Return _SetObjectPermissions ; on the penultimate line of this script) ; Syntax.........: _GrantAdministratorsAccess_1($oName, $_SE_OBJECT_TYPE, $SetOwner) ; Parameters ....: $oName - The name of the object. This can be a path to a file or folder, a registry key, a service name, etc ; +See the comments on the _SE_OBJECT_TYPE enum for more info ; $_SE_OBJECT_TYPE (optional) - The type of the object to set permissions. This must be one of the values of the ; +_SE_OBJECT_TYPE enum. The default is $SE_FILE_OBJECT (a file or folder). ; $SetOwner (optional) - The user name or SID to set as the owner of the object. Setting a blank string '' will ; +make no changes to the owner. The default is the administrators group ('Administrators') ; ; Return values .: Success - 1 ; Failure - 0 and sets @error ; Author ........: FredAI ; Modified.......: ; Remarks .......: ; Related .......: _DenyAllAccess, _GrantReadAccess, _GrantReadDenyWrite, _CopyFullDacl ; Link ..........: ; Example .......: _GrantAdministratorsAccess_1('C:\example.txt', $_SE_OBJECT_TYPE, @UserName) ; =============================================================================================================================== Func _GrantAdministratorsAccess_1($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT, $SetOwner = 'Administrators', $Recurse = 1) Local $aPerm[1][3] $aPerm[0][0] = 'Administrators' $aPerm[0][1] = 1 $aPerm[0][2] = $GENERIC_ALL Return _SetObjectPermissions($oName, $aPerm, $_SE_OBJECT_TYPE, $SetOwner, 0, $Recurse) EndFunc ;==>_GrantAdministratorsAccess_1 Grants Administrators access for the given object. "Replace the owner with "Replace owner on subcontainers and objects" option checked. Grant Administrators full control permissions with "Replace all child object permissions with inheritable permissions from this object" option checked. Existed DACL will be cleared by using $ClearDacl = 1 in Return _SetObjectPermissions on the penultimate line of this script. expandcollapse popup#include 'Permissions.au3' _InitiatePermissionResources() RegWrite('HKLM\SOFTWARE\Example') ; write a registry key _GrantAdministratorsAccess_2('HKLM\SOFTWARE\Example', $SE_REGISTRY_KEY, 'Administrators', 1) ; #FUNCTION# ==================================================================================================================== ; Name...........: _GrantAdministratorsAccess_2 ; Description ...: Grants Administrators access for the given object ; Replace the owner with "Replace owner on subcontainers and objects" option checked ; Grant Administrators full control permissions with ; "Replace all child object permissions with inheritable permissions from this object" option checked ; Permissions will be changed (existed DACL will be cleared by using $ClearDacl = 1 in Return _SetObjectPermissions ; on the penultimate line of this script) ; Syntax.........: _GrantAdministratorsAccess_2($oName, $_SE_OBJECT_TYPE, $SetOwner) ; Parameters ....: $oName - The name of the object. This can be a path to a file or folder, a registry key, a service name, etc ; +See the comments on the _SE_OBJECT_TYPE enum for more info ; $_SE_OBJECT_TYPE (optional) - The type of the object to set permissions. This must be one of the values of the ; +_SE_OBJECT_TYPE enum. The default is $SE_FILE_OBJECT (a file or folder). ; $SetOwner (optional) - The user name or SID to set as the owner of the object. Setting a blank string '' will ; +make no changes to the owner. The default is the administrators group ('Administrators') ; ; Return values .: Success - 1 ; Failure - 0 and sets @error ; Author ........: FredAI ; Modified.......: ; Remarks .......: ; Related .......: _DenyAllAccess, _GrantReadAccess, _GrantReadDenyWrite, _CopyFullDacl ; Link ..........: ; Example .......: _GrantAdministratorsAccess_2('C:\example.txt', $_SE_OBJECT_TYPE, @UserName) ; =============================================================================================================================== Func _GrantAdministratorsAccess_2($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT, $SetOwner = 'Administrators', $Recurse = 1) Local $aPerm[1][3] $aPerm[0][0] = 'Administrators' $aPerm[0][1] = 1 $aPerm[0][2] = $GENERIC_ALL Return _SetObjectPermissions($oName, $aPerm, $_SE_OBJECT_TYPE, $SetOwner, 1, $Recurse) EndFunc ;==>_GrantAdministratorsAccess_2 Edited June 24, 2012 by ffdshow
stamandster Posted August 1, 2012 Posted August 1, 2012 (edited) Great UDF! I noticed though when using the _InheritParentPermissions function on a folder that it will clear the existing DACL (when set) of the files within the folder, but, it will not clear the DACL of the folder itself. Also, I see the option to add security to an object for a user, but what about for a Group? Edited August 1, 2012 by kickarse
Michahe Posted August 29, 2012 Posted August 29, 2012 (edited) Great job... Great UDF. I look for some like this over 1-2 years. But.... I would deny one user in the security of a folder. Like this: But my example does not work: #include <permissions.au3> Global $aPerm [1][3] $aPerm[0][0] = 'Username' $aPerm[0][1] = 0 $aPerm[0][2] = BitOr($FILE_WRITE_DATA, $FILE_ADD_SUBDIRECTORY) _SetObjectPermissions("D:Test1", $aPerm) What is wrong ? Better: Deny User-Write only for the folder "D:Test1", not for subfolders that are exists ! Greetings from Germany... Micha Edit: I found a solution... #include <Permissions.au3> Global $sFolder = 'D:Test' Global $sUser = 'xx' Global $aPerm [2][4] $aPerm[0][0] = $sUser $aPerm[0][1] = 0 ; deny $aPerm[0][2] = BitOr($FILE_WRITE_DATA, $FILE_APPEND_DATA) ; new Files & Folders $aPerm[0][3] = $INHERIT_NO_PROPAGATE ; only this folder $aPerm[1][0] = $sUser $aPerm[1][1] = 1 ; allow $aPerm[1][2] = $FILE_AUTH_USERS_DEFAULT ; modify $aPerm[1][3] = $SUB_CONTAINERS_AND_OBJECTS_INHERIT ; Folder, Files, Subfolder _EditObjectPermissions($sFolder, $aPerm) Edited September 12, 2012 by Michahe
ptrex Posted August 29, 2012 Posted August 29, 2012 FYIFor those who are more into COM you can use the for Files / Directory / Registry / AD objectsObjCreate("ADsSecurityUtility") And ObjCreate("AccessControlEntry")Examples on how to http://msdn.microsoft.com/en-us/library/windows/desktop/aa705922(v=vs.85).aspxRgdsptrex Contributions :Firewall Log Analyzer for XP - Creating COM objects without a need of DLL's - UPnP support in AU3Crystal Reports Viewer - PDFCreator in AutoIT - Duplicate File FinderSQLite3 Database functionality - USB Monitoring - Reading Excel using SQLRun Au3 as a Windows Service - File Monitor - Embedded Flash PlayerDynamic Functions - Control Panel Applets - Digital Signing Code - Excel Grid In AutoIT - Constants for Special Folders in WindowsRead data from Any Windows Edit Control - SOAP and Web Services in AutoIT - Barcode Printing Using PS - AU3 on LightTD WebserverMS LogParser SQL Engine in AutoIT - ImageMagick Image Processing - Converter @ Dec - Hex - Bin -Email Address Encoder - MSI Editor - SNMP - MIB ProtocolFinancial Functions UDF - Set ACL Permissions - Syntax HighLighter for AU3ADOR.RecordSet approach - Real OCR - HTTP Disk - PDF Reader Personal Worldclock - MS Indexing Engine - Printing ControlsGuiListView - Navigation (break the 4000 Limit barrier) - Registration Free COM DLL Distribution - Update - WinRM SMART Analysis - COM Object Browser - Excel PivotTable Object - VLC Media Player - Windows LogOnOff Gui -Extract Data from Outlook to Word & Excel - Analyze Event ID 4226 - DotNet Compiler Wrapper - Powershell_COM - New
Michahe Posted September 12, 2012 Posted September 12, 2012 ... but i found a new problem. When i used the function _EditObjectPermissions() to (e.g.) add a new user to a folder that inherit his acl from his parent, then all of the inherit-rights are doubled. One from inherit and one from the _EditObjectPermissions()-function. The problem is, the _EditObjectPermission() use the _MergeDaclToarray() to merge the rights (also the inherited) with the new right(s) and then set the complete DACL with the function _SetObjectSecurity() to the folder. I have already tried the function _SetObjectPermission() instead. But when i used this function and the folder had been non-inherit rights, then the old rights were lost. Only the inherit rights and the new one remains. Does anyone have a tip for me ?
BerndH Posted September 22, 2012 Posted September 22, 2012 Hello Programmers, I try this nice UDF and found out that the Sub __GetObjectDacl not return the $Dacl of the File they called by. Local $Dacl = __GetObjectDacl($oName, $_SE_OBJECT_TYPE) _MergeDaclToArray($Dacl, $aPermissions) I Follow the way of $Dacl, and detected that Func _GetObjectSecurityDescriptor should return them. If $_SE_OBJECT_TYPE = $SE_REGISTRY_KEY Then $oName = __Security_RegKeyName($oName) $aRet = DllCall( $h__Advapi32Dll, _ 'DWORD' ,'GetNamedSecurityInfo' , _ 'str' ,$oName , _ 'dword' ,$_SE_OBJECT_TYPE , _ 'DWORD' ,$SECURITY_INFORMATION , _ 'ptr' ,0 , _ 'ptr' ,0 , _ 'ptr' ,0 , _ 'ptr' ,0 , _ 'ptr*' ,0 ) EndIf local $er = @ERROR,$ex =@extended MsgBox(0, "GetObjectSecurityDescriptor", $er &@cr &$ex &@cr &$aRet[0]) _ArrayDisplay($aRet) If $er Then Return SetError(@error,0,0) Return SetError($aRet[0],0,$aRet[8]) EndFunc ;==>_GetObjectSecurityDescriptor The DllCall to 'GetNamedSecurityInfo' should return the information, but only returns the error code 1314 ($aRet[0]) and the $Dacl are empty. (NUL) ($aRet[8]) The error code means "A required privilege is not held by the client". The path of the file was ok. File created before and FileExists() accept it. Did any know the reason why GetNamedSecurityInfo not return the $Dacl of the File ? PS: run on win2000-SP4
NDog Posted November 28, 2012 Posted November 28, 2012 I am trying to acheive this.AFAIK there is not $DENY_READ constant. The best I can do is to deny everything, however I only want to deny read and allow write and nothing else.The best I can do is to deny everything with below code, however this is not desirable.Func _disablereadadmin($sFolder) If Not FileExists($sFolder) Then Return 0 EndIf ConsoleWrite("Locking folder"& @CRLF) _InitiatePermissionResources() ; Edit ACLs, don't SET new ones ; Set Administrators group as admin ; Set Administrators group as full deny permissions Local $aPerm[2][3] $aPerm[1][0] = 'Administrators' $aPerm[1][1] = 0 $aPerm[1][2] = $GENERIC_ALL $ret = _EditObjectPermissions($sFolder, $aPerm, $SE_FILE_OBJECT, 'Administrators', 1, 1) _ClosePermissionResources() EndFunc ;==>_disablereadadmin
FredAI Posted December 5, 2012 Author Posted December 5, 2012 @NDog, You have to create an ace with granted write access, and another one with denied read access: Func _disablereadadmin($sFolder) If Not FileExists($sFolder) Then Return 0 EndIf ConsoleWrite("Locking folder"& @CRLF) _InitiatePermissionResources() ; Edit ACLs, don't SET new ones ; Set Administrators group as admin ; Set Administrators group as full deny permissions Local $aPerm[2][3] $aPerm[0][0] = 'Administrators' $aPerm[0][1] = 0 $aPerm[0][2] = $ACTRL_FILE_READ $aPerm[1][0] = 'Administrators' $aPerm[1][1] = 1 $aPerm[1][2] = $GENERIC_ALL $ret = _EditObjectPermissions($sFolder, $aPerm, $SE_FILE_OBJECT, 'Administrators', 1, 1) _ClosePermissionResources() EndFunc ;==>_disablereadadmin Access denied aces take priority over the access granted ones, so granting full controll and denying read will do what you want. Also you were createing an array with two aces and only assigning one. That's not a good idea, and can make your script fail. My UDFs: SetAcl permissions | System restore Examples: File version info editor | GetIp() improved Programs: UVK - Ultra virus killer | ExeFixer | Recent file seeker | SHIcon | Quick_Any2Ico
amuboj Posted February 1, 2013 Posted February 1, 2013 Hello, I am trying to using _MergeDACLToArray function, and I am getting from the permissions array the following. [NULL] 1 2032127 [NULL] 1 1245631 it means the first element in my array is empty. Can someone deliver an example to read DACL into an array, so that I am seeing username, grant/deny(or 1/0), and the access-type as a string ? Would be very nice, because I am trying since days to get it useable. But without success. Thanks a lot. amuboj
Keniger Posted March 1, 2013 Posted March 1, 2013 >"C:Program FilesAutoIt3SciTE..autoit3.exe" /ErrorStdOut "C:UsersmarekDesktopPrzemek 2PBBBYPASSgg.au3" C:\Program Files\AutoIt3\Include\Permissions.au3 (188) : ==> Variable used without being declared.: Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,$READ_CONTROL) Global Const $REG_GENERIC_READ = BitOR($ACTRL_REG_QUERY,$ACTRL_REG_LIST,$ACTRL_REG_NOTIFY,^ ERROR >Exit code: 1 Time: 0.209 WTF Is that :C ? I cant run this udf please help me !
BrewManNH Posted March 4, 2013 Posted March 4, 2013 Post a reproducer script so we can see what the issue is. The error tells you what the problem is, did you look at the UDF to see if the variable name is declared anywhere in it? If not, then maybe figure out what value it needs to be and declare it. By the way, it's helpful being polite in your posts, so far you're 0 for 2 as far as that goes. If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag GudeHow to ask questions the smart way! I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from. Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays. - ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script. - Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label. - _FileGetProperty - Retrieve the properties of a file - SciTE Toolbar - A toolbar demo for use with the SciTE editor - GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI. - Latin Square password generator
Developers Jos Posted March 5, 2013 Developers Posted March 5, 2013 @Keniger,In stead of putting any effort in reaching out to me via PM, which I do not want and is in general not appreciated, you could try to make your issue clearer by posting some coherent sentences and the requested snippet.So stop your moaning about no replies and just do as requested.Jos SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past.
FredAI Posted March 8, 2013 Author Posted March 8, 2013 (edited) Wow, it seems I've been away from the forums for too long @Keniger, updating AutoIt to the latest version should solve your issue.@amuboj, _MergeDACLToArray returns the user SID in a dllstruct, which outputs an empty string.If you want a string, use $aPerm[0][0] = _SidToStringSid(DllStructGetPtr($aPerm[0][0])) Edited March 8, 2013 by FredAI My UDFs: SetAcl permissions | System restore Examples: File version info editor | GetIp() improved Programs: UVK - Ultra virus killer | ExeFixer | Recent file seeker | SHIcon | Quick_Any2Ico
Jim Dandy Posted June 3, 2013 Posted June 3, 2013 I've been trying to use the _GetObjectOwner function, but I don't know if it's returning the correct data nor do I know what to do with it if it is since it seems to return "0". I tried breaking down my usage of the function to its component parts, _GetObjectSecurityDescriptor and _GetSecurityDescriptorOwner, but the script bombs when I do that. Below is an example of that script: #include "Permissions.au3" _InitiatePermissionResources() $sd = _GetObjectSecurityDescriptor(@ScriptDir & "\test.txt") $owner = _GetSecurityDescriptorOwner($sd) _ClosePermissionResources() I get exit code -1073741819 whenever I run this. Am I being an idiot, or is this not working properly?
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now