Re: Problem to update ACL using ADsSecurity from VBScript


From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 08/29/04

    Date: Sun, 29 Aug 2004 07:11:55 -0700
    
    

    I no longer use the ADsSecurity route for ACLing, but have switched over
    to use of WMI for this. If you grab the xcacls.vbs download you will find a
    wealth of examples.

    http://support.microsoft.com/?id=825751

    -- 
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA,  MCSE W2k3+W2k+Nt4
    "Kevin Debono" <KevinDebono@discussions.microsoft.com> wrote in message 
    news:AF24EDCC-C2FD-4D4E-867B-43A31D2AC8F0@microsoft.com...
    > Hi Roger,
    >
    > Thanks a lot for your answer.
    >
    > As for your solution, the problem is that the script is doing various other
    > things, like updating the profile of the user, moving the user from one OU
    > to another, etc.
    >
    > After taking ownership of a file/folder I'm copying the current permissions
    > and also recursing through all the subfolders.  The missing bit is to add
    > myself to the ACL and I'll have a complete solution.  At the moment I'm
    > calling a very cool utility from my script called SecureCopy to handle this
    > problem.  But I'm a hard-headed person and want to have a solution that is
    > independent from any other utility.  Most probably I will have to use an API
    > call and I think the one that will do the trick is SetEntriesInAcl.
    >
    > Best regards,
    >
    > Kevin
    >
    > "Roger Abell [MVP]" wrote:
    >
    >> IMO you are taking the long (and messy) road, plus, as you mentioned
    >> an Explorer step you still are not fully automated.
    >>
    >> To do as you are correctly, you need to take note of the preexisting
    >> ownership and permissions and then set them back that way after the
    >> copy over to the other server.  Note that taking ownership and setting
    >> permissions for you to copy may need to be done recursively down inside
    >> each home folder.  The user, as owner, may have blocked inheritance.
    >> If you try the shortcut way to avoid the recurse, then you will wipe out
    >> permissions differences the user may have placed within.
    >>
    >> The quick, easy way to do this is to use NTbackup to grab all the needed
    >> home directories and then restore them with permissions to the new server
    >> specifying to preserve permissions.  Using an account with the backup and
    >> the restore user rights will allow a registered backup/restore application
    >> to be immune from NTFS hindrances.
    >>
    >> -- 
    >> Roger Abell
    >> Microsoft MVP (Windows Server System: Security)
    >> MCDBA,  MCSE W2k3+W2k+Nt4
    >> "Kevin Debono" <KevinDebono@discussions.microsoft.com> wrote in message
    >> news:E2D1BAD8-AE26-4985-AD00-807880F29186@microsoft.com...
    >> > Hi everybody,
    >> >
    >> > At the moment I'm working on a VBScript with which I want to copy files
    >> > and folders from one Server to another.  While doing this I want also to
    >> > transfer the NTFS permissions.
    >> >
    >> > The folders that I'm going to copy are user home directories and even if
    >> > I'm an administrator I don't have the rights to access some of the folders.
    >> > To overcome this problem I'm using the CIM_LogicalFile WMI class and its
    >> > TakeOwnership method.  This works because I use Windows Explorer to verify
    >> > that I'm the new owner of the folder/file.  My next step is to add myself
    >> > to the ACL of the file/folder so that I have enough rights to perform the
    >> > copy operation.  To do this I'm using ADsSecurity.  I'm creating an ACE
    >> > object and give myself ReadWrite permissions; the problem is that when I
    >> > update the ACL using the SetSecurityDescriptor nothing happens i.e. the new
    >> > ACE is not added.
    >> >
    >> > It seems that the problem is coming from the fact that I don't have Change
    >> > permissions (BUT I CAN PERFORM THE SAME OPERATION FROM WINDOWS EXPLORER)
    >> > on the target file/folder because when I executed the script against a file
    >> > on which I have Change permissions the ACL is updated successfully.
    >> >
    >> > Can anybody out there help?
    >> >
    >> > Sorry if a bit long.
    >> >
    >> > Best regards,
    >> >
    >> > Kevin
    >> >
    >>
    >>
    >> 
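
The WMI route mentioned in the reply above, as an added example that is not part of the thread and not taken from xcacls.vbs: it adds one read-only allow ACE to a folder's DACL through Win32_LogicalFileSecuritySetting, placing it before the inherited ACEs so the ACL stays in canonical order. The path, domain and account name are hypothetical placeholders, and the caller is assumed to already own the folder (for example after TakeOwnership).

```vbscript
Option Explicit
Const TARGET_PATH = "D:\Homes\jdoe"     ' hypothetical folder
Const ACCT_DOMAIN = "EXAMPLE"           ' hypothetical domain
Const ACCT_NAME = "migrationadmin"      ' hypothetical account
Const FILE_GENERIC_READ = &H120089      ' read is enough to copy; no write granted
Const ACCESS_ALLOWED_ACE_TYPE = 0
Const INHERIT_TO_CHILDREN = 3           ' OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
Const INHERITED_ACE = &H10
Const SE_DACL_PRESENT = 4

Dim wmi, acct, sid, trustee, ace, fileSec, sd, oldDacl, newDacl, n, pos, i
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Resolve the account to the binary SID that Win32_Trustee expects.
Set acct = wmi.Get("Win32_UserAccount.Domain='" & ACCT_DOMAIN & "',Name='" & ACCT_NAME & "'")
Set sid = wmi.Get("Win32_SID.SID='" & acct.SID & "'")
Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
trustee.Domain = ACCT_DOMAIN
trustee.Name = ACCT_NAME
trustee.SID = sid.BinaryRepresentation

Set ace = wmi.Get("Win32_ACE").SpawnInstance_
ace.AccessMask = FILE_GENERIC_READ
ace.AceType = ACCESS_ALLOWED_ACE_TYPE
ace.AceFlags = INHERIT_TO_CHILDREN
ace.Trustee = trustee

' Backslashes must be doubled inside a WMI object path.
Set fileSec = wmi.Get("Win32_LogicalFileSecuritySetting.Path='" & _
                      Replace(TARGET_PATH, "\", "\\") & "'")
Check fileSec.GetSecurityDescriptor(sd), "GetSecurityDescriptor"

' Copy the existing ACEs, inserting the new one ahead of the first inherited ACE.
oldDacl = sd.DACL
If IsArray(oldDacl) Then n = UBound(oldDacl) + 1 Else n = 0
ReDim newDacl(n)
pos = n
For i = n - 1 To 0 Step -1
    If (oldDacl(i).AceFlags And INHERITED_ACE) <> 0 Then pos = i
Next
For i = 0 To n - 1
    If i < pos Then Set newDacl(i) = oldDacl(i) Else Set newDacl(i + 1) = oldDacl(i)
Next
Set newDacl(pos) = ace
sd.DACL = newDacl
sd.ControlFlags = sd.ControlFlags Or SE_DACL_PRESENT
Check fileSec.SetSecurityDescriptor(sd), "SetSecurityDescriptor"

Sub Check(rc, what)   ' both WMI methods return 0 on success
    If rc <> 0 Then WScript.Echo what & " failed, code " & rc : WScript.Quit 1
End Sub
```

Saving the descriptor returned by GetSecurityDescriptor before modifying it gives the script what it needs to set ownership and permissions back after the copy, as the earlier reply in the thread advises.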
    
