SetSecurityDescriptor fails on Registry (using ADsSecurityUtility)

G

Guest

I'm using scripts to change permissions on files and the registry. I've been
using the ADsSecurity component to access ADSI in scripts on Windows 2000
systems. Apparently it's been incorporated into Windows XP under the object
ID "ADsSecurityUtility". Apart from slight changes in method parameters, the
conversion of scripts is straightforward.

The scripts on Windows XP Professionnal works well on files and fileshares.
But attempting to set the security descriptor of a registry key using
SetSecurityDescriptor always fails with "access denied" error, even though
this script is being executed under administrative priviledge.

The language used is VBScript with ".vbs" files. Those script are executed
on Windows XP Professional SP1 machines with Windows Script Host Version 5.6.
Script fails both when run under domain administrator and local
administrator.

Other question: it is still necessary to re-order ACEs as I think I've seen
somewhere that the new ADsSecurityUtility was handling this on its own ?

Thanks on advance for any help or cues.
 
T

Torgeir Bakken \(MVP\)

Jonathan said:
I'm using scripts to change permissions on files and the registry. I've been
using the ADsSecurity component to access ADSI in scripts on Windows 2000
systems. Apparently it's been incorporated into Windows XP under the object
ID "ADsSecurityUtility". Apart from slight changes in method parameters, the
conversion of scripts is straightforward.

The scripts on Windows XP Professionnal works well on files and fileshares.
But attempting to set the security descriptor of a registry key using
SetSecurityDescriptor always fails with "access denied" error, even though
this script is being executed under administrative priviledge.
Click to expand...


You may find something here:

http://groups.google.com/groups?as_...t.public.*&as_usubject=&as_uauthors=&safe=off

The language used is VBScript with ".vbs" files. Those script are executed
on Windows XP Professional SP1 machines with Windows Script Host Version 5.6.
Script fails both when run under domain administrator and local
administrator.

Other question: it is still necessary to re-order ACEs as I think I've seen
somewhere that the new ADsSecurityUtility was handling this on its own ?
Click to expand...

As far as I know, ADsSecurityUtility should handle this.

A link that may interest you:

Scripting Security Descriptors
http://www.microsoft.com/downloads/...ce-2b7c-40cd-abe0-85eb69a90019&displaylang=en
 
G

Guest

Great, both questions answered! A big thanks on the resources you gave me,
Torgeir (fortunately I'm familiar with the Windows security model since I'm a
developer at core).

For the SetSecurityDescriptor problem, it seems like it's happened to other
ones too. But for them to know, I might have a lead. While working on this, I
figured out that though the call was failing on all my target machines (which
run with the SP1 update), it IS working my (only one) machine with SP2
installed. I will surely investigate this one further. Thanks again.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

What is the GroupPolicy? 3
scripts 2
Scheduling a script that reads HKCU 1
Vista Startup Script problem (loading registry hive issue) 5
Scheduled Task running as SYSTEM fails with logged-on user 3
Running Login Scripts on XP using NT 4.0 Netlogon 1
Elevating scripts on network shares 2
Shutdown on Logoff 1

Top