Hi all,
Ok, my boss found something buried deep inside MSDN but I was able to use it
to accomplish my task. Below is the code I wrote to compare a list of
user/groups and permissions for each against a list of Registry DACLs.
===============================================================
Sub AuditReg(ByVal sRegKey, _
ByVal iAccessMask, _
ByVal sGroupName, _
ByVal sAccessText, _
ByVal iAttribCounter, _
ByVal iGroupCounter)
Dim oRegSD, oDACL_ACEs, oADsSecurityUtility
'--
' THIS LINE WAS WHAT WE NEEDED TO DO WHAT WE WANTED.
' --------------------------------------------------
'
' Create an ADsSecurityUtlity object.
'--
Set oADsSecurityUtility = CreateObject("ADsSecurityUtility")
'
' Get the Security Descriptor for the given NTFS File path.
' - specify a Registry path
'
Set oRegSD = oADsSecurityUtility.GetSecurityDescriptor(sRegKey, _
ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
'
' Get the Discrectionary ACL for the key.
'
Set oDACL_ACEs = oRegSD.DiscretionaryAcl
Call CheckDacl(oDACL_ACEs, iAccessMask, sGroupName, sRegKey, _
sAccessText, iAttribCounter, iGroupCounter)
Set oADsSecurityUtility = Nothing
Set oRegSD = Nothing
Set oDACL_ACEs = Nothing
End Sub
===================================
Hope this may someone else.
--
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org
"Mark-Allen Perry" <mark-allen@mvps_dot_org> wrote in message
news:(E-Mail Removed)...
> To all:
>
> The code below checks to see if the user account running the script has
the
> specified permissions; in this case, QUERY_VALUE.
>
> What I would like is a similar code example on how to ask if a 'specified
> user or group' has a specific permission. Does anyone know of a code
> example that will do this? Or can post a link to a URL somewhere. I've
> checked all over MS and MSDN, and on Google but after checking about 100
> sites, nothing looks promising.
>
>
'---------------------------------------------------------------------------
> ------
> ' Create constants for access rights and registry hive
> const KEY_QUERY_VALUE = &H0001
> const HKEY_LOCAL_MACHINE = &H80000002
>
> strComputer = "."
> Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
> strComputer & "\root\default:StdRegProv")
>
> strKeyPath = "SYSTEM\CurrentControlSet"
>
> ' Does the account under which the script runs have the
> ' right to query the SYSTEM\CurrentControlSet key
> '---------------------------------------------------------------
> objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_QUERY_VALUE,
> bHasAccessRight
>
> If bHasAccessRight = True Then
> Wscript.Echo "Has Query Value Access Rights on
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
> Else
> Wscript.Echo "No Query Value Access Rights on
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
> End If
>
>
'---------------------------------------------------------------------------
> ------
>
> There are example for using WMI for checking the DACLs of file objects;
> files and folders. But I haven't been able to find something similar for
> Regsitry keys.
>
> many thanks for all the help,
>
> --
> Mark-Allen Perry
> ALPHA Systems
> Marly, Switzerland
> mark-allen_AT_mvps_DOT_org
>
>
>
|
Similar Threads
