Verifying if ntfs files/folders rights are inherited or not...



Hi!

I'm currently working on a vbscript that will allow me to identify files or
folders where inheritance has been removed or altered with explicit ntfs
security.

The problem is, I don't know how to manipulate the ace flags to know if the
rights are inherited or not:

AceFlags Data type: uint32
Access type: Read/write

OBJECT_INHERIT_ACE 0x1 (1) Non-container child objects inherit the ACE as an
effective ACE. For child objects that are containers, the ACE is inherited as
an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.

CONTAINER_INHERIT_ACE 0x2 (2) Child objects that are containers, such as
directories, inherit the ACE as an effective ACE. The inherited ACE is
inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.

NO_PROPAGATE_INHERIT_ACE 0x4 (4) If the ACE is inherited by a child object,
the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in
the inherited ACE. This prevents the ACE from being inherited by subsequent
generations of objects.

INHERIT_ONLY_ACE 0x8 (8) Indicates an inherit-only ACE which does not
control access to the object to which it is attached. If this flag is not
set, the ACE is an effective ACE which controls access to the object to which
it is attached.
Both effective and inherit-only ACEs can be inherited depending on the state
of the other inheritance flags.

INHERITED_ACE 0x10 (16) The system sets this bit when it propagates an
inherited ACE to a child object.

Here is my code:

' Inline error handling is required for the Err check below to work
On Error Resume Next

' strFolderName must already hold the path to inspect, e.g. "C:\Data\Share"
Set wmiFileSecSetting = GetObject( _
    "winmgmts:Win32_LogicalFileSecuritySetting.path='" & strFolderName & "'")

' Obtain the existing security descriptor for folder
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor)

If Err <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed" & VBCRLF & Err.Number & _
        VBCRLF & Err.Description
    WScript.Quit
End If

' Retrieve the content of Win32_SecurityDescriptor DACL property.
' The DACL is an array of Win32_ACE objects.
DACL = wmiSecurityDescriptor.DACL

' Obtain the trustee for each access control entry (ACE)
For Each wmiAce In DACL

    ' Get Win32_Trustee object from ACE
    Set Trustee = wmiAce.Trustee

    ' AceFlags is the bitmask of the inheritance flags listed above;
    ' bit 0x10 (INHERITED_ACE) set means the entry came from a parent
    WScript.Echo Trustee.Domain & "\" & Trustee.Name
    WScript.Echo wmiAce.AceFlags
Next

When I'm reading the wmiAce.AceFlags, I get 0, 3, 19 values... what does
that mean???

Thanks.

Claude Lachapelle
Systems Administrator, MCSE
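As an added example (not part of the original post or its script), the following Python decodes the Win32_ACE AceFlags bitmask using the flag values quoted above, separates explicit entries from inherited ones, and shows how the reported values 0, 3 and 19 break down; the trustee names in the sample DACL are constructed.

```python
OBJECT_INHERIT_ACE = 0x01        # applies to child files
CONTAINER_INHERIT_ACE = 0x02     # applies to child folders
NO_PROPAGATE_INHERIT_ACE = 0x04  # children get it, grandchildren do not
INHERIT_ONLY_ACE = 0x08          # does not control access to this object itself
INHERITED_ACE = 0x10             # set by the system when propagated from a parent

FLAG_NAMES = {
    OBJECT_INHERIT_ACE: "OBJECT_INHERIT_ACE",
    CONTAINER_INHERIT_ACE: "CONTAINER_INHERIT_ACE",
    NO_PROPAGATE_INHERIT_ACE: "NO_PROPAGATE_INHERIT_ACE",
    INHERIT_ONLY_ACE: "INHERIT_ONLY_ACE",
    INHERITED_ACE: "INHERITED_ACE",
}

def decode_ace_flags(ace_flags):
    """Names of the inheritance bits set in a Win32_ACE.AceFlags value."""
    return [name for bit, name in FLAG_NAMES.items() if ace_flags & bit]

def is_inherited(ace_flags):
    """True when the ACE was propagated from a parent rather than set here."""
    return bool(ace_flags & INHERITED_ACE)

def applies_to(ace_flags):
    """Scope of the ACE, in the wording of the Advanced Security dialog."""
    here = not ace_flags & INHERIT_ONLY_ACE
    folders = bool(ace_flags & CONTAINER_INHERIT_ACE)
    files = bool(ace_flags & OBJECT_INHERIT_ACE)
    parts = ["this folder"] if here else []
    parts += ["subfolders"] if folders else []
    parts += ["files"] if files else []
    text = ", ".join(parts) if parts else "nothing"
    if ace_flags & NO_PROPAGATE_INHERIT_ACE:
        text += " (one level only)"
    return text

def explicit_entries(dacl):
    """Trustees whose ACE was set directly on the object: these are the
    entries to look for when hunting altered or removed inheritance."""
    return [trustee for trustee, flags in dacl if not is_inherited(flags)]

# Constructed sample DACL mirroring the three AceFlags values the post reports.
SAMPLE_DACL = [
    ("BUILTIN\\Administrators", 0),
    ("EXAMPLE\\FinanceRW", 3),
    ("NT AUTHORITY\\SYSTEM", 19),
]

if __name__ == "__main__":
    for trustee, flags in SAMPLE_DACL:
        origin = "inherited" if is_inherited(flags) else "explicit"
        print(f"{trustee:24} {flags:3} {origin:9} {applies_to(flags):32} "
              f"{decode_ace_flags(flags)}")
```

Read against the sample: 0 is an explicit entry for this folder only, 3 is an explicit entry that propagates to subfolders and files, and 19 (0x10 + 2 + 1) is an entry inherited from the parent.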