RE: File Security Descriptor




Thanks Amos for your help.
I have tried the SetACL ActiveX, and it works fine for adding users'
permissions on a directory.
But I also have to delete permissions for a group of users and I'm unable to
do it with SetACL.

Do you know how I can do that?
Thanks.
chris

"A. Ahola" wrote:

>
>
> "Chris" wrote:
>
> > I'm working with VB6 SP6.
> > I need to change rights on a directory.
> >
> > When VB runs the GetFileSecurity function, it returns 0 and I get the
> > "Unable to Get the File Security Descriptor" message box.
> >
> > Could you tell me what's wrong?
> > Many thanks.
> > Chris
>
> I recommend using the SetACL ActiveX component, a very handy tool for permission
> management. You can grab it at http://setacl.sourceforge.net/
>
> -Amos
>
>
> >
> > I'm using the following code from Microsoft :
> >
> >
> > Public Sub SetAccess(sUserName As String, sFileName As String, lMask As Long)
> > Dim strError As String, strComputerName As String
> > strError = String$(1024, Chr$(0))
> > Dim lResult As Long ' Result of various API calls.
> > Dim i As Integer ' Used in looping.
> > Dim bUserSid(255) As Byte ' This will contain your SID.
> > Dim bTempSid(255) As Byte ' This will contain the SID of each ACE in the ACL.
> > Dim sSystemName As String ' Name of this computer system.
> >
> > Dim lSystemNameLength As Long ' Length of string that contains
> > ' the name of this system.
> >
> > Dim lLengthUserName As Long ' Max length of user name.
> >
> > 'Dim sUserName As String * 255 ' String to hold the current user
> > ' name.
> >
> >
> > Dim lUserSID As Long ' Used to hold the SID of the
> > ' current user.
> >
> > Dim lTempSid As Long ' Used to hold the SID of each ACE in the ACL.
> > Dim lUserSIDSize As Long ' Size of the SID.
> > Dim sDomainName As String * 255 ' Domain the user belongs to.
> > Dim lDomainNameLength As Long ' Length of domain name needed.
> >
> > Dim lSIDType As Long ' The type of SID info we are
> > ' getting back.
> >
> > Dim sFileSD As SECURITY_DESCRIPTOR ' SD of the file we want.
> >
> > Dim bSDBuf() As Byte ' Buffer that holds the security
> > ' descriptor for this file.
> >
> > Dim lFileSDSize As Long ' Size of the File SD.
> > Dim lSizeNeeded As Long ' Size needed for SD for file.
> >
> >
> > Dim sNewSD As SECURITY_DESCRIPTOR ' New security descriptor.
> >
> > Dim sACL As ACL ' Used in grabbing the DACL from
> > ' the File SD.
> >
> > Dim lDaclPresent As Long ' Used in grabbing the DACL from
> > ' the File SD.
> >
> > Dim lDaclDefaulted As Long ' Used in grabbing the DACL from
> > ' the File SD.
> >
> > Dim sACLInfo As ACL_SIZE_INFORMATION ' Used in grabbing the ACL
> > ' from the File SD.
> >
> > Dim lACLSize As Long ' Size of the ACL structure used
> > ' to get the ACL from the File SD.
> >
> > Dim pAcl As Long ' Current ACL for this file.
> > Dim lNewACLSize As Long ' Size of new ACL to create.
> > Dim bNewACL() As Byte ' Buffer to hold new ACL.
> >
> > Dim sCurrentACE As ACCESS_ALLOWED_ACE ' Current ACE.
> > Dim pCurrentAce As Long ' Our current ACE.
> >
> > Dim nRecordNumber As Long
> > Dim strdw As String
> >
> > ' Get the SID of the user. (Refer to the MSDN for more information on SIDs
> > ' and their function/purpose in the operating system.) Get the SID of this
> > ' user by using the LookupAccountName API. In order to use the SID
> > ' of the current user account, call the LookupAccountName API
> > ' twice. The first time is to get the required sizes of the SID
> > ' and the DomainName string. The second call is to actually get
> > ' the desired information.
> > lResult = LookupAccountName(strComputerName, sUserName, _
> > bUserSid(0), 255, sDomainName, lDomainNameLength, _
> > lSIDType)
> >
> > ' Now set the sDomainName string buffer to its proper size before
> > ' calling the API again.
> > sDomainName = Space(lDomainNameLength)
> >
> > ' Call the LookupAccountName again to get the actual SID for user.
> > lResult = LookupAccountName(strComputerName, sUserName, _
> > bUserSid(0), 255, sDomainName, lDomainNameLength, _
> > lSIDType)
> >
> > ' Return value of zero means the call to LookupAccountName failed;
> > ' test for this before you continue.
> > If (lResult = 0) Then
> > strdw = Err.LastDllError
> > lResult = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, ByVal 0&, strdw, _
> > GetUserDefaultLangID, strError, 1024, "0")
> > MsgBox "Erreur " & strdw & " : " & Left$(strError, lResult)
> > Exit Sub
> > End If
> >
> > ' You now have the SID for the user who is logged on.
> > ' The SID is of interest since it will get the security descriptor
> > ' for the file that the user is interested in.
> > ' The GetFileSecurity API will retrieve the Security Descriptor
> > ' for the file. However, you must call this API twice: once to get
> > ' the proper size for the Security Descriptor and once to get the
> > ' actual Security Descriptor information.
> >
> > lResult = GetFileSecurityN(sFileName, DACL_SECURITY_INFORMATION, _
> > 0, 0, lSizeNeeded)
> >
> > ' Redimension the Security Descriptor buffer to the proper size.
> > ReDim bSDBuf(lSizeNeeded)
> >
> > ' Now get the actual Security Descriptor for the file.
> > lResult = GetFileSecurity(sFileName, DACL_SECURITY_INFORMATION, _
> > bSDBuf(0), lSizeNeeded, lSizeNeeded)
> >
> > ' A return code of zero means the call failed; test for this
> > ' before continuing.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Get the File Security Descriptor"
> > Exit Sub
> > End If
> >
> > ' Call InitializeSecurityDescriptor to build a new SD for the
> > ' file.
> > lResult = InitializeSecurityDescriptor(sNewSD, _
> > SECURITY_DESCRIPTOR_REVISION)
> >
> > ' A return code of zero means the call failed; test for this
> > ' before continuing.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Initialize New Security Descriptor"
> > Exit Sub
> > End If
> >
> > ' You now have the file's SD and a new Security Descriptor
> > ' that will replace the current one. Next, pull the DACL from
> > ' the SD. To do so, call the GetSecurityDescriptorDacl API
> > ' function.
> >
> > lResult = GetSecurityDescriptorDacl(bSDBuf(0), lDaclPresent, _
> > pAcl, lDaclDefaulted)
> >
> > ' A return code of zero means the call failed; test for this
> > ' before continuing.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Get DACL from File Security " _
> > & "Descriptor"
> > Exit Sub
> > End If
> >
> > ' You have the file's SD, and want to now pull the ACL from the
> > ' SD. To do so, call the GetACLInformation API function.
> > ' See if ACL exists for this file before getting the ACL
> > ' information.
> > If (lDaclPresent = False) Then
> > MsgBox "Error: No ACL Information Available for this File"
> > Exit Sub
> > End If
> >
> > ' Attempt to get the ACL from the file's Security Descriptor.
> > lResult = GetAclInformation(pAcl, sACLInfo, Len(sACLInfo), 2&)
> >
> > ' A return code of zero means the call failed; test for this
> > ' before continuing.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Get ACL from File Security Descriptor"
> > Exit Sub
> > End If
> >
> > ' Now that you have the ACL information, compute the new ACL size
> > ' requirements.
> > lNewACLSize = sACLInfo.AclBytesInUse + (Len(sCurrentACE) + _
> > GetLengthSid(bUserSid(0))) * 2 - 4
> >
> > ' Resize our new ACL buffer to its proper size.
> > ReDim bNewACL(lNewACLSize)
> >
> > ' Use the InitializeAcl API function call to initialize the new
> > ' ACL.
> > lResult = InitializeAcl(bNewACL(0), lNewACLSize, ACL_REVISION)
> >
> > ' A return code of zero means the call failed; test for this
> > ' before continuing.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Initialize New ACL"
> > Exit Sub
> > End If
> >
> > ' If a DACL is present, copy it to a new DACL.
> > If (lDaclPresent) Then
> >
> > ' Copy the ACEs from the file to the new ACL.
> > If (sACLInfo.AceCount > 0) Then
> >
> > ' Grab each ACE and stuff them into the new ACL.
> > nRecordNumber = 0
> > For i = 0 To (sACLInfo.AceCount - 1)
> >
> > ' Attempt to grab the next ACE.
> > lResult = GetAce(pAcl, i, pCurrentAce)
> >
> > ' Make sure you have the current ACE under question.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Obtain ACE (" & i & ")"
> > Exit Sub
> > End If
> >
> > ' You have a pointer to the ACE. Place it
> > ' into a structure, so you can get at its size.
> > CopyMemory sCurrentACE, pCurrentAce, LenB(sCurrentACE)
> >
> > 'Skip adding the ACE to the ACL if this is same usersid
> > lTempSid = pCurrentAce + 8
> > If EqualSid(bUserSid(0), lTempSid) = 0 Then
> >
> > ' Now that you have the ACE, add it to the new ACL.
> > lResult = AddAce(VarPtr(bNewACL(0)), ACL_REVISION, _
> > MAXDWORD, pCurrentAce, _
> > sCurrentACE.Header.AceSize)
> >
> > ' Make sure you have the current ACE under question.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Add ACE to New ACL"
> > Exit Sub
> > End If
> > nRecordNumber = nRecordNumber + 1
> > End If
> >
> > Next i
> >
> > ' You have now rebuilt a new ACL and want to add it to
> > ' the newly created DACL.
> > lResult = AddAccessAllowedAce(bNewACL(0), ACL_REVISION, _
> > lMask, bUserSid(0))
> >
> > ' Make sure the ACL was added to the DACL.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Add ACL to DACL"
> > Exit Sub
> > End If
> >
> > ' If it's a directory, we need to add the inheritance stuff.
> > If GetAttr(sFileName) And vbDirectory Then
> >
> > ' Attempt to grab the next ACE which is what we just added.
> > lResult = GetAce(VarPtr(bNewACL(0)), nRecordNumber, pCurrentAce)
> >
> > ' Make sure you have the current ACE under question.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Obtain ACE (" & i & ")"
> > Exit Sub
> > End If
> > ' You have a pointer to the ACE. Place it
> > ' into a structure, so you can get at its size.
> > CopyMemory sCurrentACE, pCurrentAce, LenB(sCurrentACE)
> > sCurrentACE.Header.AceFlags = OBJECT_INHERIT_ACE + _
> > INHERIT_ONLY_ACE
> > CopyMemory ByVal pCurrentAce, VarPtr(sCurrentACE), _
> > LenB(sCurrentACE)
> >
> > 'add another ACE for files
> > lResult = AddAccessAllowedAce(bNewACL(0), ACL_REVISION, _
> > lMask, bUserSid(0))
> >
> > ' Make sure the ACL was added to the DACL.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Add ACL to DACL"
> > Exit Sub
> > End If
> >
> > ' Attempt to grab the next ACE.
> > lResult = GetAce(VarPtr(bNewACL(0)), nRecordNumber + 1, _
> > pCurrentAce)
> >
> > ' Make sure you have the current ACE under question.
> > If (lResult = 0) Then
> > MsgBox "Error: Unable to Obtain ACE (" & i & ")"
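The quoted routine rebuilds the DACL by copying every ACE except those whose SID (read at `pCurrentAce + 8`) matches the target, and for a directory it then adds two ACEs for the same SID. The Python sketch below is an added example, not part of the original posts or of the Microsoft sample: it applies that same skip-and-rebuild step to raw ACL bytes to show that removing a group means dropping every ACE carrying its SID. All function names are hypothetical and the sample DACL is constructed; it works on bytes only and calls no Windows API.

```python
import struct
ALLOWED, DENIED, OBJECT_INHERIT, INHERIT_ONLY = 0, 1, 0x01, 0x08  # ACE types, AceFlags bits

def sid_bytes(sid):
    # 'S-1-5-32-545' -> Revision, SubAuthorityCount, 6-byte authority, sub-authorities
    rev, auth, *subs = [int(p) for p in sid.split("-")[1:]]
    return (struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_str(raw):
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big"))]
                    + [str(s) for s in subs])

def build_ace(ace_type, flags, mask, sid):
    body = struct.pack("<I", mask) + sid_bytes(sid)   # SID begins at offset 8
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_acl(aces):
    blob = b"".join(aces)
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (8 bytes)
    return struct.pack("<BBHHH", 2, 0, 8 + len(blob), len(aces), 0) + blob

def iter_aces(acl):
    _, _, acl_size, count, _ = struct.unpack_from("<BBHHH", acl, 0)
    off = 8
    for _ in range(count):
        _, _, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < 16 or off + ace_size > min(acl_size, len(acl)):
            raise ValueError("malformed ACE at offset %d" % off)
        yield acl[off:off + ace_size]
        off += ace_size

def remove_sid(acl, sid):
    # Rebuild the ACL, dropping every allow/deny ACE whose SID equals `sid`.
    target = sid_bytes(sid)
    def matches(ace):
        return ace[0] in (ALLOWED, DENIED) and ace[8:16 + 4 * ace[9]] == target
    return build_acl([a for a in iter_aces(acl) if not matches(a)])

def describe(acl):
    return [(sid_str(a[8:]), a[1], struct.unpack_from("<I", a, 4)[0]) for a in iter_aces(acl)]

# Constructed sample DACL for a directory (not taken from a real system).
SAMPLE_DACL = build_acl([
    build_ace(ALLOWED, 0, 0x1F01FF, "S-1-5-32-544"),   # Administrators
    build_ace(ALLOWED, 0, 0x1200A9, "S-1-5-32-545"),   # Users, directory itself
    build_ace(ALLOWED, OBJECT_INHERIT | INHERIT_ONLY, 0x1200A9, "S-1-5-32-545"),
])
```

`describe(remove_sid(SAMPLE_DACL, "S-1-5-32-545"))` leaves only the Administrators entry: both the directory ACE and the inherit-only ACE for the group are gone, and `AclSize` and `AceCount` are recomputed for the smaller list.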