Question

我是Python新手。我试图在此代码中为所有用户设置访问权限。脚本运行但不反映或设置访问权限。我正在尝试为这些用户的所有打印机设置以下权限：

所有人 - 打印
CREATOR OWNER - 管理文件
任何管理员 - 打印，管理打印机，管理文档
管理员 - 打印，管理打印机，管理文档
所有其他用户 - 打印

以下是代码：

import win32com.client
import win32security
from win32security import DACL_SECURITY_INFORMATION, TRUSTEE_IS_NAME, TRUSTEE_IS_USER
import win32net
import win32security
import win32netcon
import win32file

ManagePrinters = 983052
ManageDocuments = 983088
Print = 131080
ReadPermissions = 131072
GenericAll = 268435456
GenericExecute =  536870912

administrators = []

compliant = True

for x in win32net.NetLocalGroupGetMembers("localhost","Administrators", 2)[0]:
username =  x["domainandname"]
usersid = str(win32security.LookupAccountName("",username)[0])[6:]
administrators.append(usersid)

info=win32security.DACL_SECURITY_INFORMATION

strComputer = "."
objWMIService = win32com.client.Dispatch("WbemScripting.SWbemLocator")
objSWbemServices = objWMIService.ConnectServer(strComputer,"root\cimv2")
colItems = objSWbemServices.ExecQuery("SELECT * FROM Win32_Printer")
for objItem in colItems:
secDes = win32security.GetNamedSecurityInfo(objItem.DeviceID, win32security.SE_PRINTER, win32security.DACL_SECURITY_INFORMATION)
dacl = secDes.GetSecurityDescriptorDacl()
for count in range(dacl.GetAceCount()):
    ace = dacl.GetAce(count)
    accessMask = ace[1]
    sidArr = str(ace[2]).split(":",1)
    sid = sidArr[1]
    newAcl = win32security.ACL(128)


    if "S-1-3-0" in sid:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
        newAcl.AddAccessAllowedAce(GenericAll, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
    elif "S-1-1-0" in sid:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
    elif "S-1-5-32-544" in sid:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
        newAcl.AddAccessAllowedAce(GenericAll, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
        newAcl.AddAccessAllowedAce(ManagePrinters, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
    elif sid in administrators:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
        newAcl.AddAccessAllowedAce(GenericAll, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
        newAcl.AddAccessAllowedAce(ManagePrinters, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
    else:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])

    secDes.SetSecurityDescriptorDacl(1, newAcl, 0)

print "done"

Answer 1

看起来你并没有真正应用修改后的DACL 到打印机。尝试使用win32security.SetNamedSecurityInfo。

在Windows上使用python设置打印机权限不起作用

1 个答案: