S
Steve
Even when I add (or think I do!) a new ACL in the correct order
according to http://support.microsoft.com/default.aspx?scid=kb;en-us;269159
I still get errors when trying to view the security permissions on
newley created child objects on XP. I've been twekaing the constants
all day with mixed results, but not once have I not got the "The
permissions on xxx are incorrectly ordered..." message, what am I
doing wrong??? Here's my code (what for line breaks)...
Module StartUp
Const defaultAccessMask As ActiveDs.ADS_RIGHTS_ENUM =
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_READ +
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_WRITE +
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_EXECUTE +
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DELETE
Const defaultAceFlags As ActiveDs.ADS_ACEFLAG_ENUM =
ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE
Const defaultAceType As ActiveDs.ADS_ACETYPE_ENUM =
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED
Sub Main()
Call PermissionFolder("C:\Program Files\test",
"somedomain\user1234", defaultAccessMask, defaultAceFlags,
defaultAceType)
Call ListACEs("C:\Program Files\test")
End Sub
Sub PermissionFolder(ByVal folderPath As String, ByVal trustee As
String, ByVal accessMask As ActiveDs.ADS_RIGHTS_ENUM, ByVal aceFlags
As ActiveDs.ADS_ACEFLAG_ENUM, ByVal aceType As
ActiveDs.ADS_ACETYPE_ENUM)
Dim adsSecurity As New ActiveDs.ADsSecurityUtilityClass
Dim adsDescriptor As ActiveDs.SecurityDescriptor
Dim folderACL As ActiveDs.AccessControlList
Dim newACE As New ActiveDs.AccessControlEntry
adsDescriptor = adsSecurity.GetSecurityDescriptor(folderPath,
ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID)
folderACL = adsDescriptor.DiscretionaryAcl()
newACE.Trustee = trustee
newACE.AccessMask = accessMask
newACE.AceFlags = aceFlags
newACE.AceType = aceType
folderACL.AddAce(newACE)
adsDescriptor.DiscretionaryAcl = OrderACL(folderACL)
adsSecurity.SetSecurityDescriptor(folderPath,
ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE, adsDescriptor,
ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID)
End Sub
Function OrderACL(ByVal dacl As ActiveDs.AccessControlList) As
ActiveDs.AccessControlList
Dim impDenyDACL As New ActiveDs.AccessControlList
Dim impDenyObjectDACL As New ActiveDs.AccessControlList
Dim impAllowDACL As New ActiveDs.AccessControlList
Dim impAllowObjectDACL As New ActiveDs.AccessControlList
Dim inheritedDACL As New ActiveDs.AccessControlList
Dim ace As ActiveDs.AccessControlEntry
Dim returnDACL As New ActiveDs.AccessControlList
For Each ace In dacl
If ace.AceFlags =
ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERITED_ACE Then
inheritedDACL.AddAce(ace)
Else
Select Case ace.AceType
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED
impAllowDACL.AddAce(ace)
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED
impDenyDACL.AddAce(ace)
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
impAllowObjectDACL.AddAce(ace)
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT
impDenyObjectDACL.AddAce(ace)
End Select
End If
Next
For Each ace In impDenyDACL
returnDACL.AddAce(ace)
Next
For Each ace In impDenyObjectDACL
returnDACL.AddAce(ace)
Next
For Each ace In impAllowDACL
returnDACL.AddAce(ace)
Next
For Each ace In impAllowObjectDACL
returnDACL.AddAce(ace)
Next
For Each ace In inheritedDACL
returnDACL.AddAce(ace)
Next
returnDACL.AclRevision = dacl.AclRevision
Return returnDACL
End Function
Sub ListACEs(ByVal folderPath As String)
Dim securityObj As New ActiveDs.ADsSecurityUtilityClass
Dim descriptorObj As ActiveDs.SecurityDescriptor
Dim aclObj As ActiveDs.AccessControlList
Dim aceObj As ActiveDs.AccessControlEntry
Dim aceOutput As String
descriptorObj = securityObj.GetSecurityDescriptor(folderPath,
ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID)
aclObj = descriptorObj.DiscretionaryAcl()
For Each aceObj In aclObj
aceOutput = aceOutput & aceObj.Trustee & vbTab &
aceObj.AccessMask & vbTab & aceObj.AceFlags & vbTab & aceObj.AceType &
vbTab & aceObj.InheritedObjectType & vbCrLf
Next
MessageBox.Show(aceOutput)
End Sub
End Module
according to http://support.microsoft.com/default.aspx?scid=kb;en-us;269159
I still get errors when trying to view the security permissions on
newley created child objects on XP. I've been twekaing the constants
all day with mixed results, but not once have I not got the "The
permissions on xxx are incorrectly ordered..." message, what am I
doing wrong??? Here's my code (what for line breaks)...
Module StartUp
Const defaultAccessMask As ActiveDs.ADS_RIGHTS_ENUM =
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_READ +
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_WRITE +
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_EXECUTE +
ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DELETE
Const defaultAceFlags As ActiveDs.ADS_ACEFLAG_ENUM =
ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE
Const defaultAceType As ActiveDs.ADS_ACETYPE_ENUM =
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED
Sub Main()
Call PermissionFolder("C:\Program Files\test",
"somedomain\user1234", defaultAccessMask, defaultAceFlags,
defaultAceType)
Call ListACEs("C:\Program Files\test")
End Sub
Sub PermissionFolder(ByVal folderPath As String, ByVal trustee As
String, ByVal accessMask As ActiveDs.ADS_RIGHTS_ENUM, ByVal aceFlags
As ActiveDs.ADS_ACEFLAG_ENUM, ByVal aceType As
ActiveDs.ADS_ACETYPE_ENUM)
Dim adsSecurity As New ActiveDs.ADsSecurityUtilityClass
Dim adsDescriptor As ActiveDs.SecurityDescriptor
Dim folderACL As ActiveDs.AccessControlList
Dim newACE As New ActiveDs.AccessControlEntry
adsDescriptor = adsSecurity.GetSecurityDescriptor(folderPath,
ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID)
folderACL = adsDescriptor.DiscretionaryAcl()
newACE.Trustee = trustee
newACE.AccessMask = accessMask
newACE.AceFlags = aceFlags
newACE.AceType = aceType
folderACL.AddAce(newACE)
adsDescriptor.DiscretionaryAcl = OrderACL(folderACL)
adsSecurity.SetSecurityDescriptor(folderPath,
ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE, adsDescriptor,
ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID)
End Sub
Function OrderACL(ByVal dacl As ActiveDs.AccessControlList) As
ActiveDs.AccessControlList
Dim impDenyDACL As New ActiveDs.AccessControlList
Dim impDenyObjectDACL As New ActiveDs.AccessControlList
Dim impAllowDACL As New ActiveDs.AccessControlList
Dim impAllowObjectDACL As New ActiveDs.AccessControlList
Dim inheritedDACL As New ActiveDs.AccessControlList
Dim ace As ActiveDs.AccessControlEntry
Dim returnDACL As New ActiveDs.AccessControlList
For Each ace In dacl
If ace.AceFlags =
ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERITED_ACE Then
inheritedDACL.AddAce(ace)
Else
Select Case ace.AceType
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED
impAllowDACL.AddAce(ace)
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED
impDenyDACL.AddAce(ace)
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
impAllowObjectDACL.AddAce(ace)
Case
ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED_OBJECT
impDenyObjectDACL.AddAce(ace)
End Select
End If
Next
For Each ace In impDenyDACL
returnDACL.AddAce(ace)
Next
For Each ace In impDenyObjectDACL
returnDACL.AddAce(ace)
Next
For Each ace In impAllowDACL
returnDACL.AddAce(ace)
Next
For Each ace In impAllowObjectDACL
returnDACL.AddAce(ace)
Next
For Each ace In inheritedDACL
returnDACL.AddAce(ace)
Next
returnDACL.AclRevision = dacl.AclRevision
Return returnDACL
End Function
Sub ListACEs(ByVal folderPath As String)
Dim securityObj As New ActiveDs.ADsSecurityUtilityClass
Dim descriptorObj As ActiveDs.SecurityDescriptor
Dim aclObj As ActiveDs.AccessControlList
Dim aceObj As ActiveDs.AccessControlEntry
Dim aceOutput As String
descriptorObj = securityObj.GetSecurityDescriptor(folderPath,
ActiveDs.ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
ActiveDs.ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID)
aclObj = descriptorObj.DiscretionaryAcl()
For Each aceObj In aclObj
aceOutput = aceOutput & aceObj.Trustee & vbTab &
aceObj.AccessMask & vbTab & aceObj.AceFlags & vbTab & aceObj.AceType &
vbTab & aceObj.InheritedObjectType & vbCrLf
Next
MessageBox.Show(aceOutput)
End Sub
End Module