SetSecurityDescriptor erases entire DACL
- From: Michael Edenfield <medenfield@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 16:19:12 -0500
Hello,
I am trying to figure out how to add an ACE to the DACL for a particular folder during our install process. (We need to grant Everyone Change permission to where our log files will go, so that the IIS and Guest accounts can log things). However, calling SetSecurityDescriptor is behaving as if it's being passed an empty DACL.
What I've written so far is:
-----------------------
'* The constants below are used by the script but were not included in the post; values are the
'* winnt.h definitions. RIGHTS_CHANGE is assumed to be the NT "Change" right (read/write/execute + delete).
Const ACETYPE_ACCESS_ALLOWED = 0
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const SE_DACL_PRESENT = &H4
Const SE_DACL_AUTO_INHERIT_REQ = &H100
Const RIGHTS_CHANGE = &H1301BF
'* Connect to the CIM repository with the WMI.
Set wmi = GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
'* Create a Trustee object representing the Everyone special account.
Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
Set account = wmi.Get("Win32_SystemAccount.Domain='" & sComputerName & "',Name='Everyone'")
Set sid = wmi.Get("Win32_SID.SID='" & account.SID & "'")
trustee.Name = "Everyone"
trustee.Domain = sComputerName
trustee.SID = sid.BinaryRepresentation
'* Create a new ACE for the Everyone user.
Set ace = wmi.Get("Win32_Ace").SpawnInstance_
ace.AccessMask = RIGHTS_CHANGE
ace.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
ace.AceType = ACETYPE_ACCESS_ALLOWED
Set ace.Trustee = trustee
'* Get an object specifying the directory where we want our logfiles.
Set security = wmi.Get("Win32_LogicalFileSecuritySetting.Path='" & sPath & "'")
'* Pull the object's security descriptor, replace its DACL, and send it back
nResult = security.GetSecurityDescriptor(descriptor)
descriptor.ControlFlags = SE_DACL_PRESENT Or SE_DACL_AUTO_INHERIT_REQ
descriptor.DACL = Array(ace)
nResult = security.SetSecurityDescriptor(descriptor)
----------------------
After setting descriptor.DACL, I can use a For Each loop to scan it and confirm that there is exactly one entry. However, when I check the permissions for the folder, it's blank. Since I am running this code on Windows XP, it appears that SetSecurityDescriptor believes the DACL is missing and is writing a NULL DACL to the folder itself.
I have tried a number of alternatives, including: creating a new instance of Win32_SecurityDescriptor; using Win32_Directory's ChangeSecurityPermissions; and copying all of the existing ACEs to a new array with the Everyone ACE added.
Note that I can change any of the ACEs in the DACL and write the descriptor back with no problems, I just cannot set the DACL to a new list. Can anyone see where I'm going wrong?
--Mike
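As an added example (not code from Mike's post), the script below performs the same WMI procedure but merges the Everyone ACE into the folder's existing explicit DACL entries instead of replacing the whole list, then reads the descriptor back to confirm the entry actually landed. It assumes a constructed log folder path and resolves Everyone from its well-known SID S-1-1-0 rather than a Win32_SystemAccount lookup.

```vbscript
' Constant values from winnt.h; the post uses the names but does not define them.
Const ACETYPE_ACCESS_ALLOWED = 0, OBJECT_INHERIT_ACE = &H1, CONTAINER_INHERIT_ACE = &H2
Const INHERITED_ACE = &H10, SE_DACL_PRESENT = &H4, SE_DACL_AUTO_INHERIT_REQ = &H100
Const RIGHTS_CHANGE = &H1301BF   ' FILE_GENERIC_READ/WRITE/EXECUTE plus DELETE ("Change")
Const EVERYONE_SID = "S-1-1-0"   ' well-known SID; avoids a localized account-name lookup
sPath = "C:\inetpub\logs\MyApp"  ' assumed log folder, constructed for this example
Set wmi = GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
' Trustee and ACE for Everyone, built from the well-known SID.
Set sid = wmi.Get("Win32_SID.SID='" & EVERYONE_SID & "'")
Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
trustee.Name = sid.AccountName : trustee.Domain = sid.ReferencedDomainName
trustee.SID = sid.BinaryRepresentation : trustee.SIDString = sid.SID
Set ace = wmi.Get("Win32_ACE").SpawnInstance_
ace.AccessMask = RIGHTS_CHANGE : ace.AceType = ACETYPE_ACCESS_ALLOWED
ace.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
Set ace.Trustee = trustee
Set security = wmi.Get("Win32_LogicalFileSecuritySetting.Path='" & sPath & "'")
If security.GetSecurityDescriptor(descriptor) <> 0 Then WScript.Quit 1

' Merge instead of replace: keep existing explicit ACEs, drop inherited ones (the write
' re-derives them from the parent), append the new ACE. Array(ace) alone would strip
' SYSTEM and Administrators from the folder.
n = 0
If IsNull(descriptor.DACL) Then
    ReDim kept(0)
Else
    ReDim kept(UBound(descriptor.DACL) + 1)
    For Each entry In descriptor.DACL
        If (entry.AceFlags And INHERITED_ACE) = 0 Then
            Set kept(n) = entry
            n = n + 1
        End If
    Next
End If
Set kept(n) = ace
ReDim Preserve kept(n)
descriptor.DACL = kept
descriptor.ControlFlags = SE_DACL_PRESENT Or SE_DACL_AUTO_INHERIT_REQ
If security.SetSecurityDescriptor(descriptor) <> 0 Then WScript.Quit 1

' Read the descriptor back and confirm the ACE landed; an empty DACL here is the symptom
' from the post, and the script fails loudly instead of leaving the folder in that state.
If security.GetSecurityDescriptor(descriptor) <> 0 Then WScript.Quit 1
found = False
If Not IsNull(descriptor.DACL) Then
    For Each entry In descriptor.DACL
        If entry.AceType = ACETYPE_ACCESS_ALLOWED And entry.Trustee.SIDString = EVERYONE_SID And (entry.AccessMask And RIGHTS_CHANGE) = RIGHTS_CHANGE Then found = True
    Next
End If
If Not found Then WScript.Echo "Everyone ACE missing after SetSecurityDescriptor" : WScript.Quit 1
```

The read-back check is the part worth keeping in any installer: a zero return from SetSecurityDescriptor does not by itself prove the DACL that was written is the one you intended.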