Setting folder permissions using WMI instead of cacls.exe? 

Hi Chris!

Thanks a lot for your help, really appreciated.

I believe I have gotten your code to work for me so far as that I have been
able to retrieve the path to the folder's security settings (in this case
I'm just testing on a folder on my D:, the extension is really helpful), the
security descriptor for this path and the DACL and trustees for the same
(look at code further down in this mail).

Now I only(?) need to create a new ACE and add it to the DACL but I have no
idea about how to do this, do you have any ideas?

Now to the code. I am using VB.NET at the moment (customer's wish) and am
trying with a Console Application, hope the code is readable.
============CODE======================

Imports System
Imports System.Management

Module Module1

    Sub Main()
        'Create ManagementPath to the folder
        Dim objPath As New ManagementPath()
        objPath.Server = "guidegotsc035"
        objPath.NamespacePath = "root\cimv2"
        objPath.RelativePath = "Win32_LogicalFileSecuritySetting.Path='D:\test'"

        Dim mo As New ManagementObject(objPath)
        Dim mbo As ManagementBaseObject
        Dim outParams As ManagementBaseObject

        'Ask WMI for the folder's security descriptor (ReturnValue 0 = success)
        outParams = mo.InvokeMethod("GetSecurityDescriptor", Nothing, Nothing)

        If System.Convert.ToInt32(outParams.Properties("ReturnValue").Value) = 0 Then
            Dim descriptor As ManagementBaseObject = outParams.Properties("Descriptor").Value
            Dim mbo2 As ManagementBaseObject

            'Retrieve and print out DACL and trustees for folder
            For Each mbo2 In descriptor.Properties("DACL").Value
                Console.WriteLine("Mask: {0} - aceflags: {1} - acetype: {2}", mbo2("AccessMask"), mbo2("AceFlags"), mbo2("AceType"))

                Dim Trustee As ManagementBaseObject
                Trustee = mbo2("Trustee")
                Console.WriteLine("Name: {0} - Domain: {1} - SID {2}", Trustee.Properties("Name").Value, Trustee.Properties("Domain").Value, Trustee.Properties("SIDString").Value)
            Next
        End If

        'Input parameters for SetSecurityDescriptor (not used yet)
        Dim inParams As ManagementBaseObject = mo.GetMethodParameters("SetSecurityDescriptor")

        Console.Read()
    End Sub

End Module

============END CODE==================

Best regards
Martin



Quote:
> I've been struggling with the same issue. It's apparently
> much simpler in COM, but I'm pretty much committed to .Net
> at this point...

> Basically, you will specify a path to the folder's
> security settings. To figure out this path, I highly
> recommend the WMI extensions for Server Explorer in Visual
> Studio. Search on that phrase and you should get a hit for
> download. This gives you a WMI class browser, which is
> really helpful.

> Once you have this path, you retrieve the security
> descriptor for the path. One of the children of this
> descriptor will be a Discretionary Access Control List, or
> DACL. This is a list of all the trustees to that path.
> To add or revoke a trustee, you create what's called an
> Access Control Entry, or ACE, add it to the DACL, and then
> re-set the security descriptor. Here, at least, is a code
> snippet for retrieving the security descriptor in .Net:

>     Private Function getSD(ByRef mo As ManagementObject) As ManagementBaseObject
>         Dim szBoxName As String = Environment.MachineName
>         Dim szPath As String = "\\" & szBoxName & "\ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path=""" & Replace(m_szPath, "\", "\\") & """"
>         Dim objPath As New ManagementPath(szPath)
>         mo = New ManagementObject(objPath)
>         Dim objOptions As ManagementBaseObject
>         Dim objResult As ManagementBaseObject = mo.InvokeMethod("getSecurityDescriptor", objOptions, Nothing)
>         Return objResult.Properties("Descriptor").Value
>     End Function

> This doesn't get you all the way; you still need to create
> the ACE, and add it to the DACL. Once you've figured that
> out, it's basically just as it is above, except
> with "setSecurityDescriptor".

> And good luck with this; it's almost totally undocumented.

> If you figure out the missing pieces, please let me know.

> Thanks,

> Chris B. Behrens

> >-----Original Message-----
> >Hi all!

> >I'm looking for a way to set folder security and permissions and really
> >could use some help. I've tried using cacls.exe but I can't get it to work
> >when I try setting permissions on a folder on another server than the server
> >where my app is running.

> >So if anyone could give me a hint of how WMI works when it comes to setting
> >security on folders I would really appreciate it.

> >Best regards
> >Martin Emanuelsson

> >.



Sun, 26 Dec 2004 21:20:32 GMT  
Hi Chris (and everybody else)...

I have been able to figure out the missing pieces to be able to change
permissions on folders using WMI. In this case I give permissions to the
Domain Admins and one user.

In this case I've used an ASP.NET application which demands the first part of
the code where I use impersonation. The code looks like this:

=========Start code===============
Imports System.DirectoryServices
Imports System.Management
Imports System.Security.Principal

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    AddFileAccessControlEntry("D:\test\test2")
End Sub

Public Sub AddFileAccessControlEntry(ByVal path As String)
    'Declared outside Try so that Finally can always revert the impersonation
    Dim impersonationContext As WindowsImpersonationContext = Nothing

    Try
        'Code for impersonation
        Dim currentWindowsIdentity As WindowsIdentity
        currentWindowsIdentity = CType(User.Identity, WindowsIdentity)
        impersonationContext = currentWindowsIdentity.Impersonate()

        'Path to folder to change permissions for
        Dim mp As New ManagementPath()
        mp.Server = "servername"
        mp.NamespacePath = "root\cimv2"
        mp.RelativePath = "Win32_LogicalFileSecuritySetting.Path='" + path.Replace("\", "\\") + "'"

        Dim objFile As New ManagementObject(mp)
        Dim options As New InvokeMethodOptions(Nothing, New TimeSpan(0, 0, 0, 5))
        Dim outparams As ManagementBaseObject = objFile.InvokeMethod("GetSecurityDescriptor", Nothing, options)
        Dim securityDescriptor As ManagementBaseObject = outparams("Descriptor")
        lblMessage.Text += "Got SD...<br>"

        Dim dacl As ManagementBaseObject() = securityDescriptor("DACL")
        Dim oldACE As ManagementBaseObject
        Dim trustee As ManagementBaseObject

        lblMessage.Text += "Print old DACL<br>"
        For Each oldACE In dacl
            trustee = CType(oldACE("Trustee"), ManagementBaseObject)
            lblMessage.Text += trustee("Name").ToString() & " " & oldACE("AccessMask").ToString() & " " & oldACE("AceType").ToString() & "<br>"
        Next

        Dim win32Trustee As New ManagementClass("Win32_Trustee")

        'Create Trustee for User
        Dim newTrusteeUser As ManagementObject = win32Trustee.CreateInstance
        Dim UserAcct As String = "LDAP string to user in AD (without LDAP://)"
        Dim UserNamePath As String = "LDAP://" & UserAcct
        Dim dirEnt As New DirectoryEntry(UserNamePath)
        Dim UserName As String = dirEnt.Properties("sAMAccountName")(0)
        Dim UserSid As Byte() = dirEnt.Properties("objectsid")(0)
        dirEnt.Dispose()
        newTrusteeUser("Name") = UserName
        newTrusteeUser("SID") = UserSid
        newTrusteeUser("SIDLength") = UserSid.Length

        'Create ACE for User
        Dim win32Ace As New ManagementClass("Win32_ACE")
        Dim newACEUser As ManagementObject = win32Ace.CreateInstance
        newACEUser("Trustee") = newTrusteeUser
        newACEUser("AceFlags") = 3           '3 = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
        newACEUser("AceType") = 0            '0 = access allowed
        newACEUser("AccessMask") = 1179817   '&H1200A9 = read and execute

        'Create Trustee for Domain Admin
        Dim newTrusteeAdmin As ManagementObject = win32Trustee.CreateInstance
        Dim AdminAcct As String = "LDAP string to Domain Admins in AD (without LDAP://)"
        Dim AdminNamePath As String = "LDAP://" & AdminAcct
        dirEnt = New DirectoryEntry(AdminNamePath)
        Dim AdminName As String = dirEnt.Properties("sAMAccountName")(0)
        Dim adminSid As Byte() = dirEnt.Properties("objectsid")(0)
        dirEnt.Dispose()
        newTrusteeAdmin("Name") = AdminName
        newTrusteeAdmin("SID") = adminSid
        newTrusteeAdmin("SIDLength") = adminSid.Length

        'Create ACE for Domain Admins
        Dim newACEAdmin As ManagementObject = win32Ace.CreateInstance
        newACEAdmin("Trustee") = newTrusteeAdmin
        newACEAdmin("AceFlags") = 3
        newACEAdmin("AceType") = 0
        newACEAdmin("AccessMask") = 2032127  '&H1F01FF = full control

        'set new dacl (the DACL now holds only the two new ACEs)
        Dim newAces() As ManagementBaseObject = New ManagementBaseObject() {newACEUser, newACEAdmin}
        securityDescriptor("DACL") = newAces

        'call method, set sd
        Dim args1() As Object = {securityDescriptor}
        Dim retval As UInt32 = objFile.InvokeMethod("SetSecurityDescriptor", args1)
        lblMessage.Text += "<br>SetSecurityDescriptor ReturnStatus = " & System.Convert.ToInt32(retval)

    Catch ex As Exception
        lblMessage.Text = "Setting permission failed: " & ex.Message

    Finally
        'Revert to the original identity even when an exception was thrown
        If Not impersonationContext Is Nothing Then impersonationContext.Undo()
    End Try
End Sub

=========End code===============

Hope this is helpful... If you have questions, don't hesitate to ask
them...

Martin Emanuelsson
Sweden





Mon, 27 Dec 2004 21:50:08 GMT  
Martin,

While this may work, you are actually setting a new DACL, that is, you are not preserving the existing ACEs.
In order to change an existing DACL you need to preserve the non-inherited ACEs in an array and add the new ones to this array,
taking care of duplicated ACEs.

Some other remarks:
You don't have to specify both the name and SID property when creating a new trustee; only the name or the SID (byte) is required.
When the name refers to a domain account (user or group) you will have to set the "Domain" property like this:

newTrusteeUser("Domain") = UserDomain

When the name refers to a local account, the Domain property is not required; when the name refers to a local group, the domain must be
empty.

When the SID is specified, the name and domain are not required.

Willy.
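
The merge described in the reply above, as an added VB.NET example (not code from anyone in this thread): it keeps the folder's non-inherited ACEs, appends the new ones, drops exact duplicates and writes the descriptor back. `AceKey`, `MergeDacl` and `AppendAces` are hypothetical names; placing deny entries ahead of allow entries is the usual Windows DACL ordering and goes beyond what the thread states.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Management

Module DaclMerge

    ' ACE constants from winnt.h
    Const INHERITED_ACE As Long = &H10           ' AceFlags bit: ACE came from a parent
    Const ACCESS_DENIED_ACE_TYPE As Long = 1     ' AceType: 0 = allow, 1 = deny

    ' Identity of an ACE: trustee plus type, flags and mask.
    Function AceKey(ByVal ace As ManagementBaseObject) As String
        Dim trustee As ManagementBaseObject = CType(ace("Trustee"), ManagementBaseObject)
        Dim who As String
        If Not trustee("SID") Is Nothing Then
            who = BitConverter.ToString(CType(trustee("SID"), Byte()))
        Else
            ' Trustee built from a name only. A name-keyed and a SID-keyed entry
            ' for the same account will not be recognised as duplicates.
            who = (Convert.ToString(trustee("Domain")) & "\" & _
                   Convert.ToString(trustee("Name"))).ToUpperInvariant()
        End If
        Return String.Join("|", New String() {who, _
            Convert.ToInt64(ace("AceType")).ToString(), _
            Convert.ToInt64(ace("AceFlags")).ToString(), _
            Convert.ToInt64(ace("AccessMask")).ToString()})
    End Function

    Function MergeDacl(ByVal currentDacl As ManagementBaseObject(), _
                       ByVal newAces As ManagementBaseObject()) As ManagementBaseObject()
        Dim seen As New HashSet(Of String)()
        Dim deny As New List(Of ManagementBaseObject)()
        Dim allow As New List(Of ManagementBaseObject)()
        Dim candidates As New List(Of ManagementBaseObject)()

        ' Carry over only the non-inherited ACEs already on the folder
        If Not currentDacl Is Nothing Then
            For Each ace As ManagementBaseObject In currentDacl
                If (Convert.ToInt64(ace("AceFlags")) And INHERITED_ACE) = 0 Then candidates.Add(ace)
            Next
        End If
        candidates.AddRange(newAces)

        For Each ace As ManagementBaseObject In candidates
            If seen.Add(AceKey(ace)) Then        ' False when an identical ACE is already kept
                If Convert.ToInt64(ace("AceType")) = ACCESS_DENIED_ACE_TYPE Then
                    deny.Add(ace)
                Else
                    allow.Add(ace)
                End If
            End If
        Next

        deny.AddRange(allow)                     ' deny entries ahead of allow entries
        Return deny.ToArray()
    End Function

    ' server and folderPath are caller-supplied (hypothetical parameters).
    ' Returns the WMI ReturnValue; 0 means the descriptor was written.
    Function AppendAces(ByVal server As String, ByVal folderPath As String, _
                        ByVal newAces As ManagementBaseObject()) As Long
        Dim mp As New ManagementPath()
        mp.Server = server
        mp.NamespacePath = "root\cimv2"
        mp.RelativePath = "Win32_LogicalFileSecuritySetting.Path='" & _
                          folderPath.Replace("\", "\\") & "'"

        Using setting As New ManagementObject(mp)
            Dim outParams As ManagementBaseObject = _
                setting.InvokeMethod("GetSecurityDescriptor", Nothing, Nothing)
            Dim rc As Long = Convert.ToInt64(outParams("ReturnValue"))
            If rc <> 0 Then Return rc            ' could not read the descriptor: change nothing

            Dim sd As ManagementBaseObject = CType(outParams("Descriptor"), ManagementBaseObject)
            sd("DACL") = MergeDacl(CType(sd("DACL"), ManagementBaseObject()), newAces)

            Dim inParams As ManagementBaseObject = setting.GetMethodParameters("SetSecurityDescriptor")
            inParams("Descriptor") = sd
            Dim result As ManagementBaseObject = _
                setting.InvokeMethod("SetSecurityDescriptor", inParams, Nothing)
            Return Convert.ToInt64(result("ReturnValue"))
        End Using
    End Function

End Module
```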




Thu, 30 Dec 2004 19:43:17 GMT  
Thanks a lot for your remarks... Appreciate it...

/Martin






Fri, 31 Dec 2004 05:56:30 GMT  

Quote:

> You don't have to specify both the name and SID property when creating
> a new trustee, only the name or the SID (byte) is required.  

Is there any way that this could be inferred from the MSDN
documentation?  It lists the MOF, but doesn't seem to talk about what is
required from a "create" standpoint.

I just want to make sure that I am not missing something.
--
 David L. Crow                     Texas!  It's like a



Sat, 29 Jan 2005 10:37:14 GMT  
 