• Status: Solved

How can I set auditing for a folder in Windows programmatically?

I need to set auditing on a folder for everyone, failure, full.

The code below seemed promising, but fails returning the code "1314."

How can I set the SACL via script?  I am not married to the attached code, but it demonstrates a flow that one might expect to work.

I have found various ways to write the DACL, but none seem to convert directly to SACL.

Thanks.

Set wmiFileSecSetting = GetObject("winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\test'")
'Obtain existing security descriptor for folder
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecDes)
If Err <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed" _
    & VBCRLF & Err.Number & VBCRLF & Err.Description
    WScript.Quit
Else
    WScript.Echo "GetSecurityDescriptor succeeded"
End If

varSACL = wmiSecDes.SACL

Set objwmi = getobject("winmgmts:\\.\root\cimv2")
Set objaceclass = objwmi.get("win32_ace")
Set objace = objaceclass.spawninstance_()
Set objtrusteeclass = objwmi.Get("Win32_Trustee")
Set objtrustee1 = objtrusteeclass.spawninstance_()
objtrustee1.name = "Everyone"
objtrustee1.sidstring = "S-1-1-0"
objace.accessmask = 983551
objace.acetype = 2
objace.aceflags = 128
objace.Trustee = objtrustee1
wmiSecDes.sacl = objace
If wmifilesecsetting.setsecuritydescriptor(wmisecdes) = 0 Then
Wscript.echo "pass"
else
Wscript.echo "Fail " & wmifilesecsetting.setsecuritydescriptor(wmisecdes)
End If

Asked by: jrslim

graye Commented:
Take a look at this example...   It differs from yours only in the fact that it treats the SACL as an array

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.file_system/2005-05/msg00139.html

jrslim (Author) Commented:
Thanks graye, but that method fails as well.

jrslim (Author) Commented:
I got it.

Started with the code referenced by graye.

Added impersonate to the GetObject statements which enabled the SeSecurityPrivilege and allowed modification of the SACL.

Partial credit to graye for directing me back to almost correct code.

' Connect to WMI with the Security privilege enabled and get the
' file security object for the test directory
Set wmiFileSecSetting = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Security)}!Win32_LogicalFileSecuritySetting." & _
    "path='c:\\test'")

' Obtain existing security descriptor for folder.
' Check the method's return value: without On Error Resume Next, Err is never set here.
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)
If RetVal <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed" & vbCrLf & RetVal
    WScript.Quit
End If

Dim oACE, oTrustee, arrSACL
' Spawn new instances instead of modifying the class objects themselves
Set oACE = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!Win32_ACE").SpawnInstance_()
Set oTrustee = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!Win32_Trustee").SpawnInstance_()

' Set Trustee Attributes
oTrustee.Name = "Everyone"

' Set ACE Attributes
oACE.Trustee = oTrustee
oACE.AccessMask = 983551    ' 0xF01FF, the mask used in the question
oACE.AceType = 2            ' 2 = audit ACE
oACE.AceFlags = 128         ' 128 (0x80) = audit failed access

' Add ACE to Security Descriptor.
' A VBScript array cannot grow by assigning past UBound, so copy the
' SACL, extend the copy, then write it back.
If IsArray(wmiSecurityDescriptor.SACL) Then
    arrSACL = wmiSecurityDescriptor.SACL
    ReDim Preserve arrSACL(UBound(arrSACL) + 1)
    Set arrSACL(UBound(arrSACL)) = oACE
    wmiSecurityDescriptor.SACL = arrSACL
Else
    wmiSecurityDescriptor.SACL = Array(oACE)
End If

' Print out ACEs for test
For Each wmiAce In wmiSecurityDescriptor.SACL
    Set Trustee = wmiAce.Trustee
    WScript.Echo "Trustee Domain: " & Trustee.Domain
    WScript.Echo "Trustee Name: " & Trustee.Name
    WScript.Echo "Trustee SIDString " & Trustee.SIDString
    WScript.Echo "Access Type " & wmiAce.AceType
    WScript.Echo "Access Flags " & wmiAce.AceFlags
    WScript.Echo "Access Mask: " & wmiAce.AccessMask
Next

' Call the Win32_LogicalFileSecuritySetting.SetSecurityDescriptor method
' to write the new security descriptor.
RetVal = wmiFileSecSetting.SetSecurityDescriptor(wmiSecurityDescriptor)

WScript.Echo "ReturnValue is: " & RetVal

jrslim (Author) Commented:
Discovered my own solution.
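
The same SACL change made from PowerShell with the .NET FileSystemAuditRule class, as an added example that is not part of the original thread. The function name Add-FailureAudit is hypothetical; it assumes an elevated session and the question's c:\test folder, and it sets no inheritance flags so that it mirrors AceFlags 128 in the script above.

```powershell
# Added example, not code from the thread. Add-FailureAudit is a hypothetical name.
function Add-FailureAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $TrusteeSid = 'S-1-1-0'   # Everyone, the SID string used in the question
    )

    # Reading or writing a SACL requires SeSecurityPrivilege to be held and enabled.
    # Win32 error 1314 is ERROR_PRIVILEGE_NOT_HELD. Fail early if not elevated.
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated session: the SACL cannot be read or written otherwise.'
    }

    # Audit rule: Everyone, Failure, FullControl, on this folder only.
    # Use 'ContainerInherit,ObjectInherit' instead of None to cover children as well.
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new($TrusteeSid),
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)

    # -Audit makes Get-Acl include the SACL; without it the SACL is not loaded.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the SACL back and return the explicit (non-inherited) audit entries.
    (Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
}

Add-FailureAudit -Path 'C:\test' |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

The audit entry only produces Security log events when object access auditing for the file system is enabled in the machine's audit policy.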