N
Nick @ Rensoft
Hello all,
I've spent a lot of my time on this issue, and I thought it best to
share my solution with the community. A special thanks to Willy
Denoyette for his help. Ive opened about two threads to try and get
this solved and neither of them contain a full solution; but this one
does!
So the scenario is, I need to change the file permissions on a remote
folder using WMI. I was attempting to do this using a UNC path, which
is not the right way to go about it, because when you access file
security from a UNC path with WMI you get the share permissions as
opposed to the physical file permissions (at least this appears to be
how it works -- perhaps Willy, you could confirm?).
This said (as pointed out by Willy), we need to access the security
from a local path, which is possible once you're connected to a remote
machine via a WMI scope/path etc. So, step by step, this is how it's
done -- for those who are having trouble, this is definitely the best
way to do it, and it works.
I have tested the following procedure on a Windows 2003 server, which
is not part of a domain. This has also been tried using ADSI with
little success.
1. Create e a new scope which points to the remote machine.
2. Create a new Win32_LogicalFileSecuritySetting path based on the
scope.
3. Create a new management object based on the above path (file
security).
4. Invoke the GetSecurityDescriptor and gather the out parameters.
5. Retrieve the "Descriptor" property from the out params.
6. From the new "Descriptor" object, retrieve the "Dacl" property.
7. Create a new Win32_Trustee ManagementObject from ManagementClass.
8. Make sure you're using the scope which points to the remote machine.
9. Set the "Name" property to the name of the user account on the
remote machine.
10. Create a new Win32_ACE object from ManagementClass.
11. Set the "Trustee" property to the Win32_Trustee object in step 7.
12. Set the "AccessMask" property of the Win32_ACE object*.
13. If you want to inherit the parent's Dacl, set the "AceFlags"
property to 0x10.
14. Generally speaking you want to have an "Allow" ace, so set the
"AceType" to 0.
15. Convert the current Dacl to an array list (or similar) and add your
ACE to the list.
16. Set the descriptor's "Dacl" property to the Dacl array list
(converted back to an array).
17. From the file security object (step 3) get the parameters for
SetSecurityDescriptor.
18. For the parameters, set the "Descriptor" property to our security
descriptor (step 5).
19. For file security (step 3) invoke the SetSecurityDescriptor passing
the parameters.
Seems like a very complex solution, but for a remote machine, it's the
only way. Again, thanks to Willy for his guidance. Please see below for
the notes on the access mask described in step 12.
Happy coding!
Nick Bolton
Rensoft Web Services
www.rensoft.net
+++++++++++++++++++++++++++++++++++
* I used the following variables to set the bits.
int FILE_READ_DATA = 0x0;
int FILE_WRITE_DATA = 0x1;
int FILE_APPEND_DATA = 0x4;
int DELETE = 0x10000;
If you need to allow a user to modify, I used this but I'm not entirely
sure it's perfect because the Windows security properties still show it
as "special" permissions.
newAce.Properties["AccessMask"].Value = FILE_READ_DATA |
FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE;
+++++++++++++++++++++++++++++++++++
I've spent a lot of my time on this issue, and I thought it best to
share my solution with the community. A special thanks to Willy
Denoyette for his help. Ive opened about two threads to try and get
this solved and neither of them contain a full solution; but this one
does!
So the scenario is, I need to change the file permissions on a remote
folder using WMI. I was attempting to do this using a UNC path, which
is not the right way to go about it, because when you access file
security from a UNC path with WMI you get the share permissions as
opposed to the physical file permissions (at least this appears to be
how it works -- perhaps Willy, you could confirm?).
This said (as pointed out by Willy), we need to access the security
from a local path, which is possible once you're connected to a remote
machine via a WMI scope/path etc. So, step by step, this is how it's
done -- for those who are having trouble, this is definitely the best
way to do it, and it works.
I have tested the following procedure on a Windows 2003 server, which
is not part of a domain. This has also been tried using ADSI with
little success.
1. Create e a new scope which points to the remote machine.
2. Create a new Win32_LogicalFileSecuritySetting path based on the
scope.
3. Create a new management object based on the above path (file
security).
4. Invoke the GetSecurityDescriptor and gather the out parameters.
5. Retrieve the "Descriptor" property from the out params.
6. From the new "Descriptor" object, retrieve the "Dacl" property.
7. Create a new Win32_Trustee ManagementObject from ManagementClass.
8. Make sure you're using the scope which points to the remote machine.
9. Set the "Name" property to the name of the user account on the
remote machine.
10. Create a new Win32_ACE object from ManagementClass.
11. Set the "Trustee" property to the Win32_Trustee object in step 7.
12. Set the "AccessMask" property of the Win32_ACE object*.
13. If you want to inherit the parent's Dacl, set the "AceFlags"
property to 0x10.
14. Generally speaking you want to have an "Allow" ace, so set the
"AceType" to 0.
15. Convert the current Dacl to an array list (or similar) and add your
ACE to the list.
16. Set the descriptor's "Dacl" property to the Dacl array list
(converted back to an array).
17. From the file security object (step 3) get the parameters for
SetSecurityDescriptor.
18. For the parameters, set the "Descriptor" property to our security
descriptor (step 5).
19. For file security (step 3) invoke the SetSecurityDescriptor passing
the parameters.
Seems like a very complex solution, but for a remote machine, it's the
only way. Again, thanks to Willy for his guidance. Please see below for
the notes on the access mask described in step 12.
Happy coding!
Nick Bolton
Rensoft Web Services
www.rensoft.net
+++++++++++++++++++++++++++++++++++
* I used the following variables to set the bits.
int FILE_READ_DATA = 0x0;
int FILE_WRITE_DATA = 0x1;
int FILE_APPEND_DATA = 0x4;
int DELETE = 0x10000;
If you need to allow a user to modify, I used this but I'm not entirely
sure it's perfect because the Windows security properties still show it
as "special" permissions.
newAce.Properties["AccessMask"].Value = FILE_READ_DATA |
FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE;
+++++++++++++++++++++++++++++++++++