Solved

Remove inheritance of NTFS permissions in VBscript

Posted on 2010-01-07
1,589 Views
Last Modified: 2012-05-08
The following makes the specified directory read only to the logged on user, but only if there are no inherited permissions.  How can the inherited permissions be removed so that this script will work in either case?  Or is it easier to revise this so that it denies the 'write' privilege to the logged on user - if so, how can that be accomplished?
Question by:ENTPF
11 Comments
Author Comment

by:ENTPF
ID: 26207284
I forgot to add the script.  It is included now.
Set WshNetwork = WScript.CreateObject("WScript.Network")

' Bind to the NTFS security settings of the target folder through WMI
Set wmiFileSecSetting = GetObject( _
    "winmgmts:Win32_LogicalFileSecuritySetting." & _
    "path='c:\temp\test'")

' Read the current security descriptor; a return value of 0 means success
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)
If RetVal <> 0 Then WScript.Quit RetVal

' DACL is an array of Win32_ACE objects
DACL = wmiSecurityDescriptor.DACL

For Each wmiAce In DACL
    Set Trustee = wmiAce.Trustee
    ' Account names are not case-sensitive, so compare them as text
    If StrComp(Trustee.Name, WshNetwork.UserName, vbTextCompare) = 0 Then
        ' 131072 (0x20000) = READ_CONTROL: read the permissions only
        wmiAce.AccessMask = 131072
    End If
Next

' Write the modified descriptor back; again 0 means success
RetVal = wmiFileSecSetting.SetSecurityDescriptor(wmiSecurityDescriptor)

LVL 71

Expert Comment

by:Chris Dent
ID: 26207954

Hey,

This should do it:

Const DiscretionaryAclProtected = 4096

wmiSecurityDescriptor.ControlFlags = _
  wmiSecurityDescriptor.ControlFlags Or DiscretionaryAclProtected

In context below.

Chris
' SE_DACL_PROTECTED (0x1000): the DACL no longer inherits from the parent
Const DiscretionaryAclProtected = 4096

Set WshNetwork = WScript.CreateObject("WScript.Network")

' Bind to the NTFS security settings of the target folder through WMI
Set wmiFileSecSetting = GetObject( _
    "winmgmts:Win32_LogicalFileSecuritySetting." & _
    "path='c:\temp\test'")

' Read the current security descriptor; a return value of 0 means success
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)
If RetVal <> 0 Then WScript.Quit RetVal

' Set the protected flag with a bitwise Or (disables inheritance)
wmiSecurityDescriptor.ControlFlags = _
    wmiSecurityDescriptor.ControlFlags Or DiscretionaryAclProtected

DACL = wmiSecurityDescriptor.DACL

For Each wmiAce In DACL
    Set Trustee = wmiAce.Trustee
    ' Account names are not case-sensitive, so compare them as text
    If StrComp(Trustee.Name, WshNetwork.UserName, vbTextCompare) = 0 Then
        ' 131072 (0x20000) = READ_CONTROL: read the permissions only
        wmiAce.AccessMask = 131072
    End If
Next

' Write the modified descriptor back; again 0 means success
RetVal = wmiFileSecSetting.SetSecurityDescriptor(wmiSecurityDescriptor)


Author Comment

by:ENTPF
ID: 26212626
This works great! How do I turn inheritance back on?
LVL 71

Expert Comment

by:Chris Dent
ID: 26212925

Almost the same, swap Or for XOr. The only trick is that XOr will effectively toggle the switch, because of that we might want to test for the value with And first (otherwise it might unintentionally toggle the option).

Example below :)

Chris
' SE_DACL_PROTECTED (0x1000): the DACL no longer inherits from the parent
Const DiscretionaryAclProtected = 4096

Set WshNetwork = WScript.CreateObject("WScript.Network")

' Bind to the NTFS security settings of the target folder through WMI
Set wmiFileSecSetting = GetObject( _
    "winmgmts:Win32_LogicalFileSecuritySetting." & _
    "path='c:\temp\test'")

' Read the current security descriptor; a return value of 0 means success
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)
If RetVal <> 0 Then WScript.Quit RetVal

' Test for the flag with a bitwise And before touching it
If wmiSecurityDescriptor.ControlFlags And DiscretionaryAclProtected Then
    ' The flag is set: remove it with Exclusive Or (XOr), which
    ' re-enables inheritance. XOr would set the flag if it were clear,
    ' hence the And test above.
    wmiSecurityDescriptor.ControlFlags = _
        wmiSecurityDescriptor.ControlFlags XOr DiscretionaryAclProtected
End If

' Using Or will only ever add the value once.
' Sets the protected flag (disables inheritance). Leave this out if
' the intent is only to turn inheritance back on.
wmiSecurityDescriptor.ControlFlags = _
    wmiSecurityDescriptor.ControlFlags Or DiscretionaryAclProtected

DACL = wmiSecurityDescriptor.DACL

For Each wmiAce In DACL
    Set Trustee = wmiAce.Trustee
    ' Account names are not case-sensitive, so compare them as text
    If StrComp(Trustee.Name, WshNetwork.UserName, vbTextCompare) = 0 Then
        ' 131072 (0x20000) = READ_CONTROL: read the permissions only
        wmiAce.AccessMask = 131072
    End If
Next

' Write the modified descriptor back; again 0 means success
RetVal = wmiFileSecSetting.SetSecurityDescriptor(wmiSecurityDescriptor)


Author Comment

by:ENTPF
ID: 26213064
This doesn't seem to work.  Incidentally, I am using wmiAce.AccessMask = 1179817 to make it read-only now.  It works better for what I am trying to do.
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 26213105

You did take out the Or version? I left it in with some comments which might have confused things, the script above just turns the flag off then on again.

I have a note of all the AccessMask values here if a reference is any help for this little task :)

http://www.indented.co.uk/2009/02/19/reading-ntfs-and-share-security-with-vbscript/

Never got around to writing an article on setting permissions but the values are still relevant.

Chris
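The flag arithmetic Chris describes in his earlier reply (Or to set the protected bit, And to test it, XOr to clear it) and the AccessMask values his reference post covers, modelled in Python as an added example that is not part of this thread or of Chris's scripts. The constants are the documented Windows SECURITY_DESCRIPTOR_CONTROL and ACCESS_MASK bit values; the function names are assumptions of mine, and nothing here touches a real file system. It also shows why XOr is only safe after the And test, why clearing with And Not avoids that toggle entirely, and how the two masks used in the thread (131072 and 1179817) decode into named rights.

```python
"""Model of the NTFS security-descriptor flag logic discussed in the thread.

Constructed example: the numbers are the documented SECURITY_DESCRIPTOR_CONTROL
and ACCESS_MASK bit values; no real file system is touched.
"""

# SECURITY_DESCRIPTOR_CONTROL bits (Win32_SecurityDescriptor.ControlFlags)
SE_DACL_PRESENT = 0x0004
SE_DACL_AUTO_INHERITED = 0x0400
SE_DACL_PROTECTED = 0x1000   # 4096 in the thread: DACL does not inherit
SE_SELF_RELATIVE = 0x8000


def protect_dacl(control_flags):
    """Disable inheritance: Or sets the bit and is idempotent."""
    return control_flags | SE_DACL_PROTECTED


def unprotect_dacl(control_flags):
    """Re-enable inheritance: And Not clears the bit whether or not it was set."""
    return control_flags & ~SE_DACL_PROTECTED


def toggle_with_xor(control_flags):
    """The XOr form from the thread: clears the bit if set, but SETS it if clear."""
    return control_flags ^ SE_DACL_PROTECTED


def is_protected(control_flags):
    """The And test Chris recommends before using XOr."""
    return bool(control_flags & SE_DACL_PROTECTED)


# ACCESS_MASK bits that apply to files and directories
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA/LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA/ADD_FILE",
    0x00000004: "FILE_APPEND_DATA/ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE/TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Generic combinations as defined in the Windows headers
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_EXECUTE = 0x1200A0
FILE_GENERIC_WRITE = 0x120116
FULL_CONTROL = 0x1F01FF

# Any of these lets the trustee change the object, its contents or its security
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000


def decode_access_mask(mask):
    """Names of the bits set in an ACE AccessMask, in ascending bit order."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(FILE_RIGHTS)
    if leftover:
        names.append("UNKNOWN(0x%X)" % leftover)
    return names


def grants_write(mask):
    """True if the mask still lets the trustee modify the folder or its ACL."""
    return bool(mask & WRITE_BITS)


if __name__ == "__main__":
    flags = SE_SELF_RELATIVE | SE_DACL_PRESENT   # a typical unprotected descriptor
    print("protected after Or:   ", is_protected(protect_dacl(flags)))
    print("XOr on clear flags sets it:", is_protected(toggle_with_xor(flags)))
    for mask in (131072, 1179817):
        print(mask, decode_access_mask(mask), "write:", grants_write(mask))
```

Run as-is it prints the flag outcomes and the decoded masks; 131072 turns out to be READ_CONTROL alone (the trustee can read the permissions but not the folder), while 1179817 is FILE_GENERIC_READ combined with FILE_GENERIC_EXECUTE, the "Read &amp; execute" set the GUI shows, which is why it worked better for the read-only goal.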

Author Comment

by:ENTPF
ID: 26213388
Ok.  That actually works after taking out the Or version.  It works on regular folders, but not special folders like the 'desktop' folder.  Do you know why?
LVL 71

Expert Comment

by:Chris Dent
ID: 26213422

What path do you feed it for that? I only have Windows 7 Pro to test against so my ability to change the inheritance flag on desktop isn't exactly conclusive.

Chris
LVL 71

Expert Comment

by:Chris Dent
ID: 26213490

Oh and are you testing the return value you get back after calling the SetSecurityDescriptor method? I see you catch it, but the operation is only successful if RetVal is 0.

Chris

Author Comment

by:ENTPF
ID: 26213597
Yes.  It is a 0 ret value.
I used this as the path: strDesktopPath = objShell.SpecialFolders("Desktop")

It works when I take it off and make it read only.  It does not let me put it back,
but works fine on a regular folder.
LVL 71

Expert Comment

by:Chris Dent
ID: 26213625

I couldn't say then I'm afraid. It ends up with exactly the same path as I used, but as I say, I only have one OS to test against.

Chris