SetSecurityDescriptor fails on Registry (using ADsSecurityUtility)

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm using scripts to change permissions on files and the registry. I've been
using the ADsSecurity component to access ADSI in scripts on Windows 2000
systems. Apparently it's been incorporated into Windows XP under the object
ID "ADsSecurityUtility". Apart from slight changes in method parameters, the
conversion of scripts is straightforward.

The scripts on Windows XP Professionnal works well on files and fileshares.
But attempting to set the security descriptor of a registry key using
SetSecurityDescriptor always fails with "access denied" error, even though
this script is being executed under administrative priviledge.

The language used is VBScript with ".vbs" files. Those script are executed
on Windows XP Professional SP1 machines with Windows Script Host Version 5.6.
Script fails both when run under domain administrator and local
administrator.

Other question: it is still necessary to re-order ACEs as I think I've seen
somewhere that the new ADsSecurityUtility was handling this on its own ?

Thanks on advance for any help or cues.
 
Jonathan said:
I'm using scripts to change permissions on files and the registry. I've been
using the ADsSecurity component to access ADSI in scripts on Windows 2000
systems. Apparently it's been incorporated into Windows XP under the object
ID "ADsSecurityUtility". Apart from slight changes in method parameters, the
conversion of scripts is straightforward.

The scripts on Windows XP Professionnal works well on files and fileshares.
But attempting to set the security descriptor of a registry key using
SetSecurityDescriptor always fails with "access denied" error, even though
this script is being executed under administrative priviledge.
Click to expand...


You may find something here:

http://groups.google.com/groups?as_...t.public.*&as_usubject=&as_uauthors=&safe=off

The language used is VBScript with ".vbs" files. Those script are executed
on Windows XP Professional SP1 machines with Windows Script Host Version 5.6.
Script fails both when run under domain administrator and local
administrator.

Other question: it is still necessary to re-order ACEs as I think I've seen
somewhere that the new ADsSecurityUtility was handling this on its own ?
Click to expand...

As far as I know, ADsSecurityUtility should handle this.

A link that may interest you:

Scripting Security Descriptors
http://www.microsoft.com/downloads/...ce-2b7c-40cd-abe0-85eb69a90019&displaylang=en
 
Great, both questions answered! A big thanks on the resources you gave me,
Torgeir (fortunately I'm familiar with the Windows security model since I'm a
developer at core).

For the SetSecurityDescriptor problem, it seems like it's happened to other
ones too. But for them to know, I might have a lead. While working on this, I
figured out that though the call was failing on all my target machines (which
run with the SP1 update), it IS working my (only one) machine with SP2
installed. I will surely investigate this one further. Thanks again.
 
Back
Top