Problem calling oADsSecurityUtility.SetSecurityDescriptor from VBScript

Discussion in 'Scripting' started by Gregory Bartholomew, Nov 20, 2008.

  1. Hi,

    I found a vb code sample for setting ntfs file permissions here:
    http://msdn.microsoft.com/en-us/library/aa705922(VS.85).aspx.

    It looked simple enough to be made into a VBScript which I could then
    further modify to do some fancy stuff with a bunch of home directories and
    accounts.

    I made the few syntactic changes that I thought would be necessary to get it
    to work under VBScript, but now I get the error:

    "E:\Temp\ace.vbs(217, 5) (null): The security ID structure is invalid."

    Why does the line:

    oADsSecurityUtility.SetSecurityDescriptor sFile, ADS_PATH_FILE, oSD,
    ADS_SD_FORMAT_IID

    not work? Why is the "oSD" variable invalid?

    Below is the full script that I am using.

    Thanks,
    Greg

    ' Beginning of Code Modified to work as VBScript

    ' Define constants:
    '

    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' Define the ADS_RIGHTS_ENUM values.
    '
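    ' Fail on undeclared names instead of silently treating them as Empty.
    ' (Comments above are not statements, so this is still the first statement.)
    Option Explicit

    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' ADS_RIGHTS_ENUM values (IADs access rights; the DS_* ones apply only to
    ' directory-service objects, not to NTFS files).
    '
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_SYNCHRONIZE = &H100000
    Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
    Const ADS_RIGHT_GENERIC_READ = &H80000000
    Const ADS_RIGHT_GENERIC_WRITE = &H40000000
    Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
    Const ADS_RIGHT_GENERIC_ALL = &H10000000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' ADS_ACETYPE_ENUM: whether an ACE allows, denies or audits.
    '
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0
    Const ADS_ACETYPE_ACCESS_DENIED = &H1
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' ADS_ACEFLAG_ENUM: inheritance and audit flags (directory-service names).
    '
    Const ADS_ACEFLAG_UNKNOWN = &H1
    Const ADS_ACEFLAG_INHERIT_ACE = &H2
    Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
    Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
    Const ADS_ACEFLAG_INHERITED_ACE = &H10
    Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1F
    Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
    Const ADS_ACEFLAG_FAILED_ACCESS = &H80
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' ADS_FLAGTYPE_ENUM: object-type presence flags for AD object ACEs.
    '
    Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
    Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' From WinNT.h
    '------------------------------------------------------------------------------
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ' Standard (object-independent) access rights.
    '
    Const DELETE = &H10000
    Const READ_CONTROL = &H20000
    Const WRITE_DAC = &H40000
    Const WRITE_OWNER = &H80000
    Const SYNCHRONIZE = &H100000

    Const STANDARD_RIGHTS_REQUIRED = &HF0000

    ' STANDARD_RIGHTS_READ/WRITE/EXECUTE are all defined as READ_CONTROL in
    ' WinNT.h; the identical values are intentional, not a typo.
    Const STANDARD_RIGHTS_READ = &H20000
    Const STANDARD_RIGHTS_WRITE = &H20000
    Const STANDARD_RIGHTS_EXECUTE = &H20000

    Const STANDARD_RIGHTS_ALL = &H1F0000

    Const SPECIFIC_RIGHTS_ALL = &HFFFF

    '
    ' AccessSystemAcl access type (needed to read/write the SACL).
    '
    Const ACCESS_SYSTEM_SECURITY = &H1000000

    '
    ' MaximumAllowed access type
    '
    Const MAXIMUM_ALLOWED = &H2000000

    '
    ' Generic rights; mapped to object-specific rights by the system.
    '
    Const GENERIC_READ = &H80000000
    Const GENERIC_WRITE = &H40000000
    Const GENERIC_EXECUTE = &H20000000
    Const GENERIC_ALL = &H10000000

    '
    ' AccessMask constants for FILE ACEs
    '
    Const FILE_READ_DATA = &H1 ' file & pipe
    Const FILE_LIST_DIRECTORY = &H1 ' directory

    Const FILE_WRITE_DATA = &H2 ' file & pipe
    Const FILE_ADD_FILE = &H2 ' directory

    Const FILE_APPEND_DATA = &H4 ' file
    Const FILE_ADD_SUBDIRECTORY = &H4 ' directory
    Const FILE_CREATE_PIPE_INSTANCE = &H4 ' named pipe

    Const FILE_READ_EA = &H8 ' file & directory

    Const FILE_WRITE_EA = &H10 ' file & directory

    Const FILE_EXECUTE = &H20 ' file
    Const FILE_TRAVERSE = &H20 ' directory

    Const FILE_DELETE_CHILD = &H40 ' directory

    Const FILE_READ_ATTRIBUTES = &H80 ' all

    Const FILE_WRITE_ATTRIBUTES = &H100 ' all

    ' VBScript Const cannot take an expression, so the composite masks are
    ' ordinary variables. Each one uses an explicit "_" continuation; a line
    ' that wraps without it is a syntax error.
    Dim FILE_ALL_ACCESS, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE
    FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &H1FF         ' &H1F01FF
    FILE_GENERIC_READ = STANDARD_RIGHTS_READ Or FILE_READ_DATA Or _
        FILE_READ_ATTRIBUTES Or FILE_READ_EA Or SYNCHRONIZE                    ' &H120089
    FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE Or FILE_WRITE_DATA Or _
        FILE_WRITE_ATTRIBUTES Or FILE_WRITE_EA Or FILE_APPEND_DATA Or SYNCHRONIZE ' &H120116
    FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or FILE_READ_ATTRIBUTES Or _
        FILE_EXECUTE Or SYNCHRONIZE                                            ' &H1200A0

    Const FILE_SHARE_READ = &H1
    Const FILE_SHARE_WRITE = &H2
    Const FILE_SHARE_DELETE = &H4
    '
    ' AceFlags values for files (the names used for NTFS ACEs).
    '
    Const OBJECT_INHERIT_ACE = &H1     ' inherit to child files
    Const CONTAINER_INHERIT_ACE = &H2  ' inherit to child folders
    Const NO_PROPAGATE_INHERIT_ACE = &H4
    Const INHERIT_ONLY_ACE = &H8
    Const INHERITED_ACE = &H10

    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    '<<<<<<<<<<<<<<<<<<<<<<<<< BEGIN IADsSecurityUtility Constants >>>>>>>>>>>>
    '
    '
    ' ADS_PATHTYPE_ENUM: what kind of object the path names.
    '
    Const ADS_PATH_FILE = 1
    Const ADS_PATH_FILESHARE = 2
    Const ADS_PATH_REGISTRY = 3
    '
    ' ADS_SD_FORMAT_ENUM: how the security descriptor is exchanged.
    '
    Const ADS_SD_FORMAT_IID = 1
    Const ADS_SD_FORMAT_RAW = 2
    Const ADS_SD_FORMAT_HEXSTRING = 3
    '
    '<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
    '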
    '
    '<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
    '

    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' AddACEToFile
    '
    ' Adds an ACE to the specified file or folder that grants the trustee
    ' modify rights on the file.
    '
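    Sub AddACEToFile(sFile, sTrustee)
        ' Appends one access-allowed ACE to the DACL of the NTFS file or folder
        ' sFile, granting sTrustee FILE_GENERIC_READ/WRITE/EXECUTE plus DELETE
        ' (the mask Explorer shows as "Modify"), inherited by child files and
        ' folders.
        '
        ' sFile    - path of the file or folder (handled as ADS_PATH_FILE)
        ' sTrustee - account to grant, as "DOMAIN\name" or a SID string such as
        '            "S-1-5-4". It must resolve to a SID; otherwise
        '            SetSecurityDescriptor fails with "The security ID
        '            structure is invalid".
        '
        ' Side effects: rewrites the object's security descriptor. The existing
        ' DACL is read first and kept, so nothing is removed; the caller needs
        ' WRITE_DAC (or ownership) on sFile for the write to succeed.
        ' Raises: error 5 (Invalid procedure call) if sTrustee is empty; COM
        ' errors from ADSI are propagated unchanged.
        Dim oAce                ' AccessControlEntry: the new ACE
        Dim oSD                 ' SecurityDescriptor of the object
        Dim oDacl               ' AccessControlList: the object's DACL
        Dim oADsSecurityUtility ' ADsSecurityUtility helper object

        ' Fail early with a clear message instead of the generic "security ID
        ' structure is invalid" from the write at the end.
        If Len(sTrustee & "") = 0 Then
            Err.Raise 5, "AddACEToFile", "sTrustee must be an account name or SID string"
        End If

        Set oADsSecurityUtility = CreateObject("ADsSecurityUtility")

        ' Read the current SD so the existing ACEs are preserved.
        Set oSD = oADsSecurityUtility.GetSecurityDescriptor( _
            sFile, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
        Set oDacl = oSD.DiscretionaryAcl

        Set oAce = CreateObject("AccessControlEntry")

        ' Bug fix: the original assigned the undeclared name "Trustee" (which
        ' evaluates to Empty) instead of the sTrustee parameter, so the ACE
        ' carried no usable SID and SetSecurityDescriptor rejected it.
        oAce.Trustee = sTrustee
        oAce.AccessMask = FILE_GENERIC_READ Or FILE_GENERIC_WRITE Or _
            FILE_GENERIC_EXECUTE Or DELETE
        oAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        ' Inherit to child files (OBJECT) and child folders (CONTAINER).
        oAce.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE

        ' NOTE(review): AddACE appends to the end of the list. If the DACL
        ' already holds inherited or deny ACEs the result may not be in
        ' canonical order; confirm the written DACL (e.g. with icacls).
        oDacl.AddACE oAce
        oSD.DiscretionaryAcl = oDacl

        ' Write the SD back. This is the call that validates the trustee SID.
        oADsSecurityUtility.SetSecurityDescriptor _
            sFile, ADS_PATH_FILE, oSD, ADS_SD_FORMAT_IID

        Set oAce = Nothing
        Set oDacl = Nothing
        Set oSD = Nothing
        Set oADsSecurityUtility = Nothing
    End Sub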

    AddACEToFile "E:\Home\gbartho", "CAMPUS\gbartho"

    ' End of Code Modified for VBScript
     
    Gregory Bartholomew, Nov 20, 2008
    #1

    Just ran into the same thing. Make sure that the trustee name is valid --
    having a name that doesn't resolve results in the error you described. In
    the posted script the line `oAce.Trustee = Trustee` uses an undeclared name
    instead of the `sTrustee` parameter, so the ACE is built with an empty
    trustee; `Option Explicit` at the top of the script would have flagged it.
     
    Aaron Margosis [MSFT], Dec 19, 2008
    #2

    The trustee can be a SID string too, which avoids the account-name lookup
    entirely. E.g., to set access for NT AUTHORITY\INTERACTIVE (well-known SID
    S-1-5-4), you can do this:

    oACE.Trustee = "S-1-5-4"
     
    Aaron Margosis [MSFT], Dec 19, 2008
    #3
