Goal: add share-level read/write permission for a local user account to an existing file share.
I've hit a wall developing this. Apparently Microsoft wants you to add the user's ACE to the DACL and then write it back to the share's security descriptor (1). (No, NET SHARE /ADD does not work on existing shares, which surprised me.)
In theory it should be simple enough, but my main concern is getting it wrong and losing the existing share permissions (many network users, specific groups). The solution needs to scale to a few thousand shares. I'm developing the solution so that it outputs data about the existing DACL in case I need to back out. I should write code to interpret that log and be ready to add them back if anything goes wrong.
Currently I'm using VBScript; I feel PowerShell might be a bit stronger, but VBScript/WMI is a known quantity.
Research: (1) http://blogs.msdn.com/b/helloworld/archive/2008/07/22/editing-share-permission.aspx
Answer 0 (score: 1)
Copy the existing ACEs into an array:
    rc = shareSec.GetSecurityDescriptor(sd)
    ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACE we're going to add
    For i = 0 To UBound(sd.DACL)
        Set acl(i) = sd.DACL(i)
    Next
Add the new ACE to that array:
    Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), 2032127)
The functions NewTrustee() and NewACE() encapsulate the steps for creating the trustee and the ACE. The number is the access mask for Full Control.
Create a new security descriptor and assign it to the share:
    Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
    sd.ControlFlags = flags
    sd.DACL = acl
    rc = shareSec.SetSecurityDescriptor(sd)
Check this page for more details on security descriptors, trustees, ACLs and ACEs.
Full script:
    Const FullControl = 2032127

    ' modify these variables according to your requirements:
    computer = "."
    share = "..."
    username = "..."
    ' For a domain account this is the account's domain. For a local account
    ' (as in the question) use the file server's own name instead, e.g.
    ' domain = CreateObject("WScript.Network").ComputerName
    domain = CreateObject("WScript.Network").UserDomain

    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" _
        & computer & "/root/cimv2")
    ' fetch the share's security setting through the same connection so that
    ' "computer" is honoured for remote hosts as well
    Set shareSec = wmi.Get("Win32_LogicalShareSecuritySetting.Name='" & share & "'")

    Function NewTrustee(name, domain)
        Dim trustee, account
        Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
        trustee.Name = name
        trustee.Domain = domain
        Set account = wmi.Get("Win32_UserAccount.Domain='" & domain & "',Name='" _
            & name & "'")
        trustee.Properties_.Item("SID") = wmi.Get("Win32_SID.SID='" & account.SID _
            & "'").BinaryRepresentation
        Set NewTrustee = trustee
    End Function

    Function NewACE(trustee, permissions)
        Dim ace : Set ace = wmi.Get("Win32_Ace").SpawnInstance_
        ace.Properties_.Item("AccessMask") = permissions
        ace.Properties_.Item("AceFlags") = 3   ' OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE
        ace.Properties_.Item("AceType") = 0    ' 0 = access allowed
        ace.Properties_.Item("Trustee") = trustee
        Set NewACE = ace
    End Function

    ' copy existing ACEs
    rc = shareSec.GetSecurityDescriptor(sd)
    If rc <> 0 Then
        WScript.Echo "GetSecurityDescriptor failed with return code " & rc
        WScript.Quit rc
    End If
    flags = sd.ControlFlags
    ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACE we're going to add
    For i = 0 To UBound(sd.DACL)
        Set acl(i) = sd.DACL(i)
    Next
    Set sd = Nothing

    ' add new ACE
    Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), FullControl)

    ' prepare new security descriptor
    Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
    sd.ControlFlags = flags
    sd.DACL = acl

    ' assign new security descriptor
    rc = shareSec.SetSecurityDescriptor(sd)
    If rc <> 0 Then WScript.Echo "SetSecurityDescriptor failed with return code " & rc
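The question's main worry is silently losing the existing share permissions when the new descriptor is written back. The following is an added example (not part of the answer above, and written in PowerShell rather than its VBScript) that snapshots a share's share-level DACL to JSON before the change and checks afterwards that every recorded ACE is still present. It assumes Windows PowerShell 5.1 with Get-WmiObject; the share name and backup path in the usage lines are placeholders.

```powershell
# Added example: back up a share's share-level DACL before editing it and verify afterwards
# that no pre-existing ACE was dropped. Assumes Windows PowerShell 5.1 (Get-WmiObject).
# Share name and backup directory are placeholders, not values from the question.
function Get-ShareDacl {
    param([Parameter(Mandatory)][string]$ShareName, [string]$Computer = '.')
    $setting = Get-WmiObject -ComputerName $Computer -Class Win32_LogicalShareSecuritySetting `
                             -Filter "Name='$ShareName'"
    if (-not $setting) { throw "Share '$ShareName' not found on '$Computer'" }
    $r = $setting.GetSecurityDescriptor()
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($r.ReturnValue)" }
    # Flatten each ACE to plain values so the snapshot can be stored and compared later.
    foreach ($ace in $r.Descriptor.DACL) {
        [pscustomobject]@{
            SID        = $ace.Trustee.SIDString
            Account    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            AccessMask = $ace.AccessMask   # 2032127 = Full Control, as in the answer
            AceType    = $ace.AceType      # 0 = access allowed, 1 = access denied
            AceFlags   = $ace.AceFlags
        }
    }
}
function Export-ShareDacl {
    param([Parameter(Mandatory)][string]$ShareName, [string]$BackupDir, [string]$Computer = '.')
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir "$ShareName.json"
    # -InputObject @() keeps a single-ACE DACL as a JSON array rather than a bare object
    ConvertTo-Json -InputObject @(Get-ShareDacl -ShareName $ShareName -Computer $Computer) |
        Set-Content -Path $file -Encoding UTF8
    return $file
}
# An ACE is identified by trustee SID, access mask and allow/deny type.
function ConvertTo-AceKey($Ace) { '{0}|{1}|{2}' -f $Ace.SID, $Ace.AccessMask, $Ace.AceType }
# Returns $true when every ACE recorded in the backup is still present on the share.
function Test-ShareDaclPreserved {
    param([Parameter(Mandatory)][string]$ShareName, [Parameter(Mandatory)][string]$BackupFile,
          [string]$Computer = '.')
    $before    = @(Get-Content -Raw -Path $BackupFile | ConvertFrom-Json)
    $afterKeys = @(Get-ShareDacl -ShareName $ShareName -Computer $Computer |
                   ForEach-Object { ConvertTo-AceKey $_ })
    $lost = @($before | Where-Object { $afterKeys -notcontains (ConvertTo-AceKey $_) })
    if ($lost.Count -eq 0) { return $true }
    Write-Warning "$($lost.Count) ACE(s) from $BackupFile are missing on share '$ShareName':"
    $lost | Format-Table -AutoSize | Out-String | Write-Warning
    return $false
}
# Usage (placeholders): export before running the VBScript, test afterwards.
# $f = Export-ShareDacl -ShareName 'Projects' -BackupDir 'C:\ShareAclBackup'
# Test-ShareDaclPreserved -ShareName 'Projects' -BackupFile $f
```

The JSON files also give the rollback log the question asks for, since each entry carries the SID, access mask, ACE type and flags needed to rebuild the ACE with the answer's NewTrustee/NewACE pattern.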