4.6 Connecting to the manageable entities


Since the philosophy of this book is to be practical, the rest of this chapter is dedicated to the examination of a script managing security descriptors of:

  • A file or a folder

  • A share

  • An Active Directory object

  • An Exchange 2000 mailbox

  • A registry key

  • A CIM repository namespace

As we said, the technique to access and update the security descriptor will depend on the WMI capabilities. If it is impossible to get a security descriptor via WMI, and if ADSI represents a valid alternative to WMI, we will use ADSI to complement the WMI functionality.

Independent of the technique used to access and manage the security descriptor, the next script sample (called WMIManageSD.Wsf) implements the following operations:

  • Perform the connection to the manageable entity (i.e., file, share, CIM repository namespace, etc.).

  • Retrieve the security descriptor of that manageable entity (via WMI and/or ADSI).

  • Convert the security descriptor to an ADSI structural representation if necessary.

  • Decipher the security descriptor structural representation to view the security settings on the manageable entity.

  • Update the security descriptor owner.

  • Update the security descriptor group.

  • Update the security descriptor control flags.

  • Add Access Control Entries in the Access Control List.

  • Remove Access Control Entries in the Access Control List.

  • Reorder the Access Control Entries in the Access Control List.

  • Update the security descriptor back to the manageable entity.

These various operations are implemented in Samples 4.2 through 4.61.

As we discover the script, we will see the techniques used to manage the various security descriptors. As with all scripts we have seen in previous chapters, this script will follow the same philosophy by exposing various command-line parameters to manage the security descriptors. The script exposes the following command-line parameters:

 C:\>WMIManageSD.Wsf
 Microsoft (R) Windows Script Host Version 5.6
 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

 Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value]
                        [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value]
                        [/ViewSD[+|-]]
                        [/Owner:value] [/Group:value] [/SDControls:value]
                        [/AddAce[+|-]] [/DelAce[+|-]]
                        [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value]
                        [/ObjectType:value] [/InheritedObjectType:value]
                        [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]]
                        [/Machine:value] [/User:value] [/Password:value]

 Options:

 FileSystem          : Get the security descriptor of the specified file or directory path.
 Share               : Get the security descriptor of the specified share name.
 ADObject            : Get the security descriptor of the specified distinguished name AD object.
 E2KMailbox          : Get the security descriptor of the Exchange 2000 mailbox
                       specified by AD user distinguished name.
 E2KStore            : Specify if the security descriptor must come from the Exchange 2000 store.
 RegistryKey         : Get the security descriptor of the specified registry key.
 WMINameSpace        : Get the security descriptor of the specified WMI Name space.
 ViewSD              : Decipher the security descriptor.
 Owner               : Set the security descriptor owner.
 Group               : Set the security descriptor group.
 SDControls          : Set the security descriptor control flags.
 AddAce              : Add a new ACE to the ACL.
 DelAce              : Remove an existing ACE from the ACL.
 Trustee             : Specify the ACE mask (granted user, group or machine account).
 ACEMask             : Specify the ACE mask (granted rights).
 ACEType             : Specify the ACE type (allow or deny the ACE mask).
 ACEFlags            : Specify the ACE flags (ACE mask inheritance).
 ObjectType          : Specify which object type, property set, or property an ACE refers to.
 InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
 SACL                : Manage the System ACL (auditing) (default=Discretionary ACL).
 Decipher            : Decipher the security descriptor.
 ADSI                : Retrieve the security descriptor with ADSI.
 SIDResolutionDC     : Domain Controller to use for SID resolution.
 Machine             : Determine the WMI system to connect to. (default=LocalHost)
 User                : Determine the UserID to perform the remote connection. (default=none)
 Password            : Determine the password to perform the remote connection. (default=none)

The switch use is determined by the nature of the managed entity. During the script discovery, we will also examine the various command-line parameters to properly access, decipher, and update the respective security descriptors.

As usual, Sample 4.2 starts with the command-line parameters definition (skipped lines 13 through 153) and parsing (skipped lines 261 through 505). It is important to note that the script is initially written for Windows XP and Windows Server 2003. However, it is easily adaptable to Windows 2000 and Windows NT 4.0. The lines that must be used for Windows 2000 (and earlier versions) are commented out in the code. If you plan to use this script under Windows 2000, you must comment out the lines marked by a "Windows Server 2003 only" comment and remove the comment character from the lines marked by a "Windows 2000 only" comment. For instance, lines 188 through 192 and 199 through 203 illustrate the script's adaptability to Windows 2000. We will see more comments like this in the code, especially in the functions reading and updating the security descriptor. If you run under Windows NT 4.0, make sure that the latest updates of WSH, WMI, and ADSI are installed on the managed systems. Once done, the script will use the same techniques under Windows NT 4.0 as under Windows 2000.

Sample 4.2: The WMIManageSD.Wsf framework to manage security descriptors from the command line

start example

    1:<?xml version="1.0"?>
    .:
    8:<package>
    9:  <job>
   ..:
   13:    <runtime>
  ...:
  153:    </runtime>
  154:
  155:    <script language="VBScript" src="..\Functions\SecurityInclude.vbs" />
  156:    <script language="VBScript" src="..\Functions\GetSDFunction.vbs" />
  157:    <script language="VBScript" src="..\Functions\SetSDFunction.vbs" />
  158:    <script language="VBScript" src="..\Functions\DecipherWMISDFunction.vbs" />
  159:    <script language="VBScript" src="..\Functions\DecipherADSISDFunction.vbs" />
  160:
  161:    <script language="VBScript" src="..\Functions\SetSDOwnerFunction.vbs" />
  162:    <script language="VBScript" src="..\Functions\SetSDGroupFunction.vbs" />
  163:
  164:    <script language="VBScript" src="..\Functions\DecipherSDControlFlagsFunction.vbs" />
  165:    <script language="VBScript" src="..\Functions\CalculateSDControlFlagsFunction.vbs" />
  166:    <script language="VBScript" src="..\Functions\SetSDControlFlagsFunction.vbs" />
  167:
  168:    <script language="VBScript" src="..\Functions\DecipherACEFunction.vbs" />
  169:    <script language="VBScript" src="..\Functions\CalculateACEFunction.vbs" />
  170:
  171:    <script language="VBScript" src="..\Functions\AddACEFunction.vbs" />
  172:    <script language="VBScript" src="..\Functions\DelACEFunction.vbs" />
  173:    <script language="VBScript" src="..\Functions\CreateDefaultSDFunction.vbs" />
  174:
  175:    <script language="VBScript" src="..\Functions\CreateTrusteeFunction.vbs" />
  176:    <script language="VBScript" src="..\Functions\ReOrderACEFunction.vbs" />
  177:    <script language="VBScript" src="..\Functions\ExtractUserIDFunction.vbs" />
  178:    <script language="VBScript" src="..\Functions\ExtractUserDomainFunction.vbs" />
  179:    <script language="VBScript" src="..\Functions\ConvertStringInArrayFunction.vbs" />
  180:    <script language="VBScript" src="..\Functions\ConvertArrayInStringFunction.vbs" />
  181:
  182:    <script language="VBScript" src="..\Functions\DisplayFormattedSTDPropertyFunction.vbs" />
  183:    <script language="VBScript" src="..\Functions\DisplayFormattedPropertyFunction.vbs" />
  184:    <script language="VBScript" src="..\Functions\TinyErrorHandler.vbs" />
  185:
  186:    <reference object="ADs" version="1.0"/>
  187:
  188:    <!-- ***** Windows Server 2003 only ***** -->
  189:    <object prog />
  190:
  191:    <!-- ***** Windows 2000 only ***** -->
  192:    <!-- <object prog /> -->
  193:
  194:    <object prog />
  195:
  196:    <object prog reference="true"/>
  197:    <object prog />
  198:
  199:    <!-- ***** Windows Server 2003 only ***** -->
  200:    <object prog />
  201:
  202:    <!-- ***** Windows 2000 only ***** -->
  203:    <!-- <object prog /> -->
  204:
  205:    <script language="VBscript">
  206:    <![CDATA[
  ...:
  210:    ' --------------------------------------------------------------------------------
  211:    Const cComputerName = "LocalHost"
  212:    Const cWMICIMv2NameSpace = "root/cimv2"
  213:    Const cWMIADNameSpace = "root\directory\LDAP"
  ...:
  261:    ' --------------------------------------------------------------------------------
  262:    ' Parse the command line parameters
  263:    If WScript.Arguments.Named.Count = 0 Then
  264:       WScript.Arguments.ShowUsage()
  265:       WScript.Quit
  266:    End If
  267:
  268:    strFileSystem = WScript.Arguments.Named("FileSystem")
  269:    strShare = WScript.Arguments.Named("Share")
  270:    strADsObjectDN = WScript.Arguments.Named("ADObject")
  271:    strADsUserDN = WScript.Arguments.Named("E2KMailbox")
  272:    strRegistryKey = WScript.Arguments.Named("RegistryKey")
  273:    strWMINameSpace = WScript.Arguments.Named("WMINameSpace")
  ...:
  495:    strUserID = WScript.Arguments.Named("User")
  496:    If Len(strUserID) = 0 Then strUserID = ""
  497:
  498:    strPassword = WScript.Arguments.Named("Password")
  499:    If Len(strPassword) = 0 Then strPassword = ""
  500:
  501:    strComputerName = WScript.Arguments.Named("Machine")
  502:    If Len(strComputerName) = 0 Then strComputerName = cComputerName
  503:
  504:    strSIDResolutionDC = WScript.Arguments.Named("SIDResolutionDC")
  505:    If Len(strSIDResolutionDC) = 0 Then strSIDResolutionDC = strComputerName
  506:
  507:    Select Case intSDType
  508:' +----------------------------------------------------------------------------------------+
  509:' | File or Folder                                                                         |
  510:' +----------------------------------------------------------------------------------------+
  511:         Case cFileViaWMI
  512:' WMI technique retrieval ------------------------------------------------------------------
  ...:
  584:
  585:         Case cFileViaADSI
  586:' ADSI technique retrieval -----------------------------------------------------------------
  ...:
  644:
  645:' +----------------------------------------------------------------------------------------+
  646:' | Share                                                                                  |
  647:' +----------------------------------------------------------------------------------------+
  648:         Case cShareViaWMI
  649:' WMI technique retrieval ------------------------------------------------------------------
  ...:
  722:
  723:         Case cShareViaADSI
  724:' ADSI technique retrieval -----------------------------------------------------------------
  725:              ' Security descriptor access not implemented via ADSI under Windows 2000.
  726:
  727:              ' Windows Server 2003 only ---------------------------------------------------
  ...:
  787:
  788:' +----------------------------------------------------------------------------------------+
  789:' | Active Directory object                                                                |
  790:' +----------------------------------------------------------------------------------------+
  791:         Case cActiveDirectoryViaWMI
  792:' WMI technique retrieval ------------------------------------------------------------------
  ...:
  860:
  861:         Case cActiveDirectoryViaADSI
  862:' ADSI technique retrieval -----------------------------------------------------------------
  ...:
  933:
  934:' +----------------------------------------------------------------------------------------+
  935:' | Exchange 2000 mailbox                                                                  |
  936:' +----------------------------------------------------------------------------------------+
  937:         Case cExchange2000MailboxViaWMI
  938:' WMI technique retrieval ------------------------------------------------------------------
  ....:
 1006:
 1007:         Case cExchange2000MailboxViaADSI
 1008:' ADSI technique retrieval -----------------------------------------------------------------
  ....:
 1077:
 1078:         Case cExchange2000MailboxViaCDOEXM
 1079:' CDOEXM technique retrieval ---------------------------------------------------------------
  ....:
 1147:
 1148:' +----------------------------------------------------------------------------------------+
 1149:' | Registry key                                                                           |
 1150:' +----------------------------------------------------------------------------------------+
 1151:         Case cRegistryViaWMI
 1152:' WMI technique retrieval ------------------------------------------------------------------
 1153:              ' Security descriptor access not implemented via WMI.
 1154:
 1155:         Case cRegistryViaADSI
 1156:' ADSI technique retrieval -----------------------------------------------------------------
  ....:
 1213:
 1214:' +----------------------------------------------------------------------------------------+
 1215:' | CIM repository namespace                                                               |
 1216:' +----------------------------------------------------------------------------------------+
 1217:         Case cWMINameSpaceViaWMI
 1218:' WMI technique retrieval ------------------------------------------------------------------
  ....:
 1288:
 1289:         Case cWMINameSpaceViaADSI
 1290:' ADSI technique retrieval -----------------------------------------------------------------
 1291:              ' Security descriptor access not implemented via ADSI.
 1292:    End Select
 1293:
 1294:    ]]>
 1295:    </script>
 1296:  </job>
 1297:</package>

end example

Sample 4.2 is the framework used by WMIManageSD.Wsf to manage security descriptors. We will examine all functions included (lines 155 through 184) and the code contained in this framework (lines 507 through 1292) in the following sections. Sample 4.2 is organized in a "Select Case" structure. Each "Case" corresponds to the management of a security descriptor with a specific access method. We have a "Case" section for:

  • Security descriptor from files and folders accessed by WMI (lines 511 through 584)

  • Security descriptor from files and folders accessed by ADSI (lines 585 through 644)

  • Security descriptor from shares accessed by WMI (lines 648 through 722)

  • Security descriptor from shares accessed by ADSI (lines 723 to 787)

  • Security descriptor from Active Directory objects accessed by WMI (lines 791 through 860)

  • Security descriptor from Active Directory objects accessed by ADSI (lines 861 through 933)

  • Security descriptor from Exchange 2000 mailboxes accessed by WMI (lines 937 through 1006)

  • Security descriptor from Exchange 2000 mailboxes accessed by ADSI (lines 1007 through 1077)

  • Security descriptor from Exchange 2000 mailboxes accessed by CDOEXM (lines 1078 through 1147)

  • Security descriptor from registry keys accessed by WMI (lines 1151 through 1154)

  • Security descriptor from registry keys accessed by ADSI (lines 1155 through 1213)

  • Security descriptor from CIM repository namespaces accessed by WMI (lines 1217 through 1288)

  • Security descriptor from CIM repository namespaces accessed by ADSI (lines 1289 through 1292)

Before trying to change the content of a security descriptor, let's first see how we can retrieve a security descriptor from a manageable instance and how we can decipher it. Since WMI represents real-world objects with some specific classes, we must examine the technique used to retrieve the security descriptor, based on the nature and the class capabilities representing the real-world object. Let's start with the file system objects first.

4.6.1 Connecting to file and folder security descriptors

4.6.1.1 Connecting to files and folders with WMI

Accessing file and folder security descriptors with WMI involves establishing the WMI connection to the Root\CIMv2 namespace (Sample 4.3), since it contains the Win32_LogicalFileSecuritySetting class, which exposes a method to retrieve the security descriptor. This connection is made in lines 513 through 520. At line 515, the addition of the SeSecurityPrivilege privilege to the SWbemLocator object is required to access the SACL part of the security descriptor.

Sample 4.3: Connecting to files and folders with WMI (Part I)

start example

  ...:
  ...:
  ...:
  508:' +---------------------------------------------------------------------------+
  509:' | File or Folder                                                            |
  510:' +---------------------------------------------------------------------------+
  511:         Case cFileViaWMI
  512:' WMI technique retrieval ------------------------------------------------------------------
  513:              objWMILocator.Security_.AuthenticationLevel = wbemAuthenticationLevelDefault
  514:              objWMILocator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
  515:              objWMILocator.Security_.Privileges.AddAsString "SeSecurityPrivilege", True
  516:
  517:              Set objWMIServices = objWMILocator.ConnectServer(strComputerName, _
  518:                                                               cWMICIMv2NameSpace, _
  519:                                                               strUserID, _
  520:                                                               strPassword)
  ...:
  523:              Set objSD = GetSecurityDescriptor (objWMIServices, _
  524:                                                 strFileSystem, _
  525:                                                 intSDType)
  526:              If boolAddAce Then
  527:                 Set objSD = AddACE (objWMIServices, strSIDResolutionDC, _
  528:                                     strUserID, strPassword, _
  529:                                     objSD, _
  530:                                     strTrustee, _
  531:                                     intACEType, _
  532:                                     intACEMask, _
  533:                                     intACEFlags, _
  534:                                     intACLtype, _
  535:                                     vbNull, _
  536:                                     vbNull, _
  537:                                     intSDType)
  538:              End If
  539:
  540:              If boolDelAce Then
  541:                 Set objSD = DelACE (objWMIServices, strSIDResolutionDC, _
  542:                                     strUserID, strPassword, _
  543:                                     objSD, _
  544:                                     strTrustee, _
  545:                                     intACLtype, _
  546:                                     intSDType)
  547:              End If
  548:
  549:              If boolOwner Then
  550:                 Set objSD = SetSDOwner(strSIDResolutionDC, strUserID, strPassword, _
  551:                                        objSD, strOwner, intSDType)
  552:              End If
  553:
  554:              If boolGroup Then
  555:                 Set objSD = SetSDGroup(strSIDResolutionDC, strUserID, strPassword, _
  556:                                        objSD, strGroup, intSDType)
  557:              End If
  558:
  559:              If boolSDControlFlags Then
  560:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
  561:              End If
  562:
  563:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
  564:                 If boolAddAce Or boolDelAce Then
  565:                    Set objSD = ReOrderACE(objWMIServices, objSD, intSDType)
  566:                 End If
  567:
  568:                 SetSecurityDescriptor objWMIServices, _
  569:                                       objSD, _
  570:                                       strFileSystem, _
  571:                                       intSDType
  572:              End If
  573:
  574:              If boolViewSD Then
  575:                 WScript.Echo
  576:                 DecipherWMISecurityDescriptor objSD, _
  577:                                               intSDType, _
  578:                                               "",  _
  579:                                               boolDecipher
  580:              End If
  ...:
  585:         Case cFileViaADSI
  ...:
  ...:
  ...:

end example

To execute the Sample 4.3 code portion, the following command lines must be used:

 C:\>WMIManageSD.Wsf /FileSystem:C:\MyDirectory
 C:\>WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt

Once the WMI connection completes, the script invokes a series of subfunctions:

  • Lines 523 through 525 read the security descriptor from the selected file or folder with the GetSecurityDescriptor() function.

  • Lines 526 through 538 add an ACE to the security descriptor with the AddAce() function, if specified to do so on the command line.

  • Lines 540 through 547 remove an ACE from the security descriptor with the DelAce() function, if specified to do so on the command line.

  • Lines 549 through 552 set the owner of the security descriptor with the SetSDOwner() function, if specified to do so on the command line.

  • Lines 554 through 557 set the group in the security descriptor with the SetSDGroup() function, if specified to do so on the command line.

  • Lines 559 through 561 set the security descriptor control flags with the SetSDControlFlags() function, if specified to do so on the command line.

  • Lines 564 through 566 reorder the security descriptor ACE in the discretionary ACL with the ReOrderAce() function, if an ACE addition or removal is performed.

  • Lines 568 through 571 update the security descriptor on the selected file or folder with the SetSecurityDescriptor() function.

  • Lines 576 through 579 decipher and display the security descriptor settings with the DecipherWMISecurityDescriptor() function, if specified to do so on the command line. Note that this function can be replaced by the DecipherADSISecurityDescriptor() function, based on the object model used to represent the security descriptor. In this particular example, the file or folder security descriptor accessed with the WMI access method is represented in the WMI object model. So, the security descriptor deciphering will be completed with the DecipherWMISecurityDescriptor() function.

Note that the code structure is always the same for any security descriptor type (i.e., files, Active Directory objects, CIM repository namespace) and access method technique (WMI or ADSI). As we will see further on, only the WMI or the ADSI connection logic, with some parameters passed to the subfunctions, will vary. The subfunctions (i.e., AddAce(), DelAce(), ReOrderAce(), etc.) will manage the security descriptor specifics according to their nature and format. For instance, in Sample 4.3, the WMI security descriptor access method retrieves the security descriptor in a WMI representation, which implies the use of a Win32_SecurityDescriptor instance. In order to properly manipulate this security descriptor representation in the subfunctions, it is necessary to pass the WMI connection made to the Root\CIMv2 namespace to the subfunctions, since this namespace contains the Win32_SecurityDescriptor, Win32_ACE, and Win32_Trustee class definitions.

4.6.1.2 Connecting to files and folders with ADSI

When the security descriptor is represented in the ADSI object model, it is not necessary to pass an object representing the connection to the entity owning the security descriptor. Sample 4.4 illustrates this approach. It has exactly the same structure as Sample 4.3 ("Connecting to files and folders with WMI [Part I]"), but the file or folder security descriptor is accessed with ADSI. In this case, no specific connection is made to the file or folder, because ADSI uses a different tactic to get access to the entity owning the security descriptor. Based on the operating system, the script will use:

  • The ADsSecurityUtility object instantiated at line 189 in Sample 4.2 ("The WMIManageSD.Wsf framework to manage security descriptors from the command line"), if you run under Windows XP or Windows Server 2003. This object is only available under Windows XP and Windows Server 2003 and is implemented by the ADSI IADsSecurityUtility interface.

  • The ADsSecurity object instantiated at line 192 in Sample 4.2, if you run under Windows NT or Windows 2000. Note that the ADsSecurity object requires the registration of the ADsSecurity.DLL, which is available from the Windows 2000 Resource Kit (or the ADSI SDK for Windows NT 4.0). It is very important to know that the ADsSecurity.DLL is not designed to retrieve the SACL part of a security descriptor. This is a limitation of the ADsSecurity.DLL.

Sample 4.4: Connecting to files and folders with ADSI (Part II)

start example

  ...:
  ...:
  ...:
  585:         Case cFileViaADSI
  586:' ADSI technique retrieval ------------------------------------------------------------------
  587:              Set objSD = GetSecurityDescriptor (vbNull, _
  588:                                                 strFileSystem, _
  589:                                                 intSDType)
  590:              If boolAddAce Then
  591:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
  592:                                     objSD, _
  593:                                     strTrustee, _
  594:                                     intACEType, _
  595:                                     intACEMask, _
  596:                                     intACEFlags, _
  597:                                     intACLtype, _
  598:                                     vbNull, _
  599:                                     vbNull, _
  600:                                     intSDType)
  601:              End If
  602:
  603:              If boolDelAce Then
  604:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
  605:                                     objSD, _
  606:                                     strTrustee, _
  607:                                     intACLtype, _
  608:                                     intSDType)
  609:              End If
  610:
  611:              If boolOwner Then
  612:                 Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
  613:                                        objSD, strOwner, intSDType)
  614:              End If
  615:
  616:              If boolGroup Then
  617:                 Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
  618:                                        objSD, strGroup, intSDType)
  619:              End If
  620:
  621:              If boolSDControlFlags Then
  622:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
  623:              End If
  624:
  625:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
  626:                 If boolAddAce Or boolDelAce Then
  627:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
  628:                 End If
  629:
  630:                 SetSecurityDescriptor vbNull, _
  631:                                       objSD, _
  632:                                       strFileSystem, _
  633:                                       intSDType
  634:              End If
  635:
  636:              If boolViewSD Then
  637:                 WScript.Echo
  638:                 DecipherADSISecurityDescriptor objSD, _
  639:                                                intSDType, _
  640:                                                boolDecipher
  641:              End If
  ...:
  644:
  ...:
  ...:
  ...:

end example

As shown in Sample 4.4, the first parameter of the GetSecurityDescriptor() function is set to Null (line 587). The ADSI security descriptor access method for a file or a folder does not need an object representing the connection to the examined file or folder, because the ADsSecurityUtility or ADsSecurity object uses an encapsulated logic running in the user security context. Because the ADSI access technique retrieves the security descriptor in an ADSI representation and not in a WMI representation, there is no need to access the Root\CIMv2 namespace. Therefore, all subsequent subfunction calls (i.e., AddAce(), DelAce(), ReOrderAce(), etc.) use a Null parameter for the WMI connection settings. Next, the security descriptor deciphering is handled by the DecipherADSISecurityDescriptor() function (lines 638 through 640).
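The following script, added here as an illustration and not taken from the book's WMIManageSD.Wsf or its included function files, shows the ADsSecurityUtility logic that Sample 4.4 reaches through its subfunctions: the object is instantiated directly, asked for an IADsSecurityDescriptor representation of a file or folder, and the resulting owner, group, and discretionary ACL are walked without any WMI connection. The path C:\MyDirectory is a placeholder, the function and constant names are the example's own, and, as the text above notes, the ADsSecurityUtility object exists only on Windows XP and Windows Server 2003. Retrieving the SACL additionally requires the SeSecurityPrivilege privilege, so it is kept opt-in.

```vbscript
' Added example (not part of WMIManageSD.Wsf): read a file or folder security
' descriptor with the ADsSecurityUtility object and decipher it through the
' ADSI IADsSecurityDescriptor / IADsAccessControlList / IADsAccessControlEntry interfaces.
Option Explicit

' IADsSecurityUtility constants (documented values)
Const ADS_PATH_FILE              = 1
Const ADS_SD_FORMAT_IID          = 1   ' return an IADsSecurityDescriptor object
Const ADS_SECURITY_INFO_OWNER    = 1
Const ADS_SECURITY_INFO_GROUP    = 2
Const ADS_SECURITY_INFO_DACL     = 4
Const ADS_SECURITY_INFO_SACL     = 8
' IADsAccessControlEntry.AceType values
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED  = 1
Const ADS_ACETYPE_SYSTEM_AUDIT   = 2

' Retrieve the security descriptor of a file or folder in the ADSI object model.
' No connection object is needed: ADsSecurityUtility runs in the caller's security context.
Function GetADSISecurityDescriptor(strPath, boolIncludeSACL)
    Dim objSecUtil
    Set objSecUtil = CreateObject("ADsSecurityUtility")
    ' Owner, group and DACL are readable by anyone with READ_CONTROL on the object;
    ' the SACL (audit entries) needs SeSecurityPrivilege, so only ask for it on request.
    objSecUtil.SecurityMask = ADS_SECURITY_INFO_OWNER Or _
                              ADS_SECURITY_INFO_GROUP Or _
                              ADS_SECURITY_INFO_DACL
    If boolIncludeSACL Then
        objSecUtil.SecurityMask = objSecUtil.SecurityMask Or ADS_SECURITY_INFO_SACL
    End If
    Set GetADSISecurityDescriptor = objSecUtil.GetSecurityDescriptor(strPath, _
                                                                     ADS_PATH_FILE, _
                                                                     ADS_SD_FORMAT_IID)
End Function

' Translate one IADsAccessControlEntry into a readable line.
Function DescribeADSIACE(objACE)
    Dim strType
    Select Case objACE.AceType
        Case ADS_ACETYPE_ACCESS_ALLOWED: strType = "Allow"
        Case ADS_ACETYPE_ACCESS_DENIED:  strType = "Deny "
        Case ADS_ACETYPE_SYSTEM_AUDIT:   strType = "Audit"
        Case Else:                       strType = "Type " & objACE.AceType
    End Select
    DescribeADSIACE = strType & "  " & objACE.Trustee & _
                      "  Mask=0x" & Hex(objACE.AccessMask) & _
                      "  Flags=0x" & Hex(objACE.AceFlags)
End Function

' Walk an IADsAccessControlList (DACL or SACL).
Sub ShowADSIACL(objACL, strLabel)
    Dim objACE
    WScript.Echo strLabel & " (" & objACL.AceCount & " entries)"
    For Each objACE In objACL
        WScript.Echo "  " & DescribeADSIACE(objACE)
    Next
End Sub

' Placeholder path: replace with the file or folder to examine.
Dim objSD
Set objSD = GetADSISecurityDescriptor("C:\MyDirectory", False)
WScript.Echo "Owner: " & objSD.Owner & "   Group: " & objSD.Group & _
             "   Control=0x" & Hex(objSD.Control)
ShowADSIACL objSD.DiscretionaryAcl, "DACL"
```

Run it with cscript so that the output goes to the console. The ACE type, access mask, and flags are printed as raw values here; the DecipherADSISecurityDescriptor() function of the book is what turns those numbers into the readable rights and inheritance settings.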

The following command lines will invoke the Sample 4.4 code portion:

 C:\>WMIManageSD.Wsf /FileSystem:C:\MyDirectory /ADSI+
 C:\>WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /ADSI+

4.6.2 Connecting to file system share security descriptors

4.6.2.1 Connecting to file system shares with WMI

The WMI logic used to access a share security descriptor is exactly the same as for files and folders (see Sample 4.3, "Connecting to files and folders with WMI [Part I]"). Once the WMI connection to the Root\CIMv2 namespace is established (lines 650 through 656 in Sample 4.5), the parameters passed to the subfunctions managing the security descriptor are the same. This similarity comes from two factors:

  • The security descriptor access method is based on WMI.

  • The security descriptor is represented by a Win32_SecurityDescriptor instance, which implies the use of the DecipherWMISecurityDescriptor() function to decipher the security descriptor (lines 714 through 717).
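The script below is an added example, not code from the book or from WMIManageSD.Wsf, covering both the file/folder case of Sample 4.3 and the share case of Sample 4.5 with one routine: it connects to Root\CIMv2, reads the security descriptor through Win32_LogicalFileSecuritySetting (keyed by Path) or Win32_LogicalShareSecuritySetting (keyed by Name), and deciphers the Win32_SecurityDescriptor, Win32_ACE, and Win32_Trustee instances it gets back. The path C:\MyDirectory, the share name MyShare, and the function names are placeholders of the example. As in Sample 4.3, SeSecurityPrivilege is added to the locator so that the SACL is readable; the DACL is returned without it.

```vbscript
' Added example (not part of WMIManageSD.Wsf): retrieve and decipher a file, folder
' or share security descriptor through WMI using the Root\CIMv2 security classes.
Option Explicit

Const wbemImpersonationLevelImpersonate = 3
Const wbemAuthenticationLevelDefault    = 0
Const cWMICIMv2NameSpace                = "root\cimv2"

' Win32_ACE.AceType values
Const ACCESS_ALLOWED_ACE_TYPE = 0
Const ACCESS_DENIED_ACE_TYPE  = 1
Const SYSTEM_AUDIT_ACE_TYPE   = 2

' Retrieve a Win32_SecurityDescriptor instance from a *SecuritySetting class.
'   strClass   : "Win32_LogicalFileSecuritySetting" or "Win32_LogicalShareSecuritySetting"
'   strKeyName : "Path" for files/folders, "Name" for shares
Function GetWMISecurityDescriptor(strComputer, strClass, strKeyName, strKeyValue)
    Dim objLocator, objServices, objSetting, objSD, intRC
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    objLocator.Security_.AuthenticationLevel = wbemAuthenticationLevelDefault
    objLocator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
    ' Needed only to read the SACL (audit entries); harmless for the DACL.
    objLocator.Security_.Privileges.AddAsString "SeSecurityPrivilege", True
    Set objServices = objLocator.ConnectServer(strComputer, cWMICIMv2NameSpace)
    ' Backslashes must be doubled inside a WMI object path.
    Set objSetting = objServices.Get(strClass & "." & strKeyName & "='" & _
                                     Replace(strKeyValue, "\", "\\") & "'")
    intRC = objSetting.GetSecurityDescriptor(objSD)   ' objSD is the [out] parameter
    If intRC <> 0 Then
        Err.Raise vbObjectError + intRC, "GetWMISecurityDescriptor", _
                  "GetSecurityDescriptor failed with return code " & intRC
    End If
    Set GetWMISecurityDescriptor = objSD
End Function

' Translate one Win32_ACE into a readable line (trustee resolved by WMI when possible).
Function DescribeWMIACE(objACE)
    Dim strType, strTrustee
    Select Case objACE.AceType
        Case ACCESS_ALLOWED_ACE_TYPE: strType = "Allow"
        Case ACCESS_DENIED_ACE_TYPE:  strType = "Deny "
        Case SYSTEM_AUDIT_ACE_TYPE:   strType = "Audit"
        Case Else:                    strType = "Type " & objACE.AceType
    End Select
    ' Domain and Name are Null when the SID could not be resolved; fall back to the SID string.
    strTrustee = "" & objACE.Trustee.Domain & "\" & objACE.Trustee.Name
    If Len("" & objACE.Trustee.Name) = 0 Then strTrustee = objACE.Trustee.SIDString
    DescribeWMIACE = strType & "  " & strTrustee & _
                     "  Mask=0x" & Hex(objACE.AccessMask) & _
                     "  Flags=0x" & Hex(objACE.AceFlags)
End Function

' Print owner, control flags and DACL of a Win32_SecurityDescriptor.
Sub ShowWMISecurityDescriptor(objSD, strLabel)
    Dim objACE
    WScript.Echo strLabel & " (ControlFlags=0x" & Hex(objSD.ControlFlags) & ")"
    ' Share security descriptors normally carry no owner, which is why the book's
    ' SetSDOwner()/SetSDGroup() calls are disabled for shares in Sample 4.5.
    If IsNull(objSD.Owner) Then
        WScript.Echo "  Owner: (none)"
    Else
        WScript.Echo "  Owner: " & objSD.Owner.Domain & "\" & objSD.Owner.Name
    End If
    If IsNull(objSD.DACL) Then
        WScript.Echo "  DACL : (no ACEs returned)"
    Else
        For Each objACE In objSD.DACL
            WScript.Echo "  DACL : " & DescribeWMIACE(objACE)
        Next
    End If
End Sub

' Placeholders: replace with a real path and share name ("." = local machine).
Dim objSD
Set objSD = GetWMISecurityDescriptor(".", "Win32_LogicalFileSecuritySetting", "Path", "C:\MyDirectory")
ShowWMISecurityDescriptor objSD, "File system object C:\MyDirectory"
Set objSD = GetWMISecurityDescriptor(".", "Win32_LogicalShareSecuritySetting", "Name", "MyShare")
ShowWMISecurityDescriptor objSD, "Share MyShare"
```

Because the descriptor comes back as a Win32_SecurityDescriptor instance, any routine that later modifies it (such as the AddACE() and ReOrderACE() subfunctions of the book) must create its Win32_ACE and Win32_Trustee objects through the same Root\CIMv2 connection; this is the reason objWMIServices is passed along to every subfunction in Samples 4.3 and 4.5.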

Sample 4.5: Connecting to shares with WMI (Part III)

start example

  ...:
  ...:
  ...:
  644:
  645:' +----------------------------------------------------------------------------------------+
  646:' | Share                                                                                  |
  647:' +----------------------------------------------------------------------------------------+
  648:         Case cShareViaWMI
  649:' WMI technique retrieval ------------------------------------------------------------------
  650:              objWMILocator.Security_.AuthenticationLevel = wbemAuthenticationLevelDefault
  651:              objWMILocator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
  652:
  653:              Set objWMIServices = objWMILocator.ConnectServer(strComputerName, _
  654:                                                               cWMICIMv2NameSpace, _
  655:                                                               strUserID, _
  656:                                                               strPassword)
  ...:
  659:              Set objSD = GetSecurityDescriptor (objWMIServices, _
  660:                                                 strShare, _
  661:                                                 intSDType)
  662:              If boolAddAce Then
  663:                 Set objSD = AddACE (objWMIServices, strSIDResolutionDC, _
  664:                                     strUserID, strPassword, _
  665:                                     objSD, _
  666:                                     strTrustee, _
  667:                                     intACEType, _
  668:                                     intACEMask, _
  669:                                     intACEFlags, _
  670:                                     intACLtype, _
  671:                                     vbNull, _
  672:                                     vbNull, _
  673:                                     intSDType)
  674:              End If
  675:
  676:              If boolDelAce Then
  677:                 Set objSD = DelACE (objWMIServices, strSIDResolutionDC, _
  678:                                     strUserID, strPassword, _
  679:                                     objSD, _
  680:                                     strTrustee, _
  681:                                     intACLtype, _
  682:                                     intSDType)
  683:              End If
  684:
  685:              ' Not supported for a share security descriptor.
  686:              '
  687:              ' If boolOwner Then
  688:              '    Set objSD = SetSDOwner(strSIDResolutionDC, strUserID, strPassword, _
  689:              '                           objSD, strOwner, intSDType)
  690:              ' End If
  691:              '
  692:              ' If boolGroup Then
  693:              '    Set objSD = SetSDGroup(strSIDResolutionDC, strUserID, strPassword, _
  694:              '                           objSD, strGroup, intSDType)
  695:              ' End If
  696:              '
  697:              ' If boolSDControlFlags Then
  698:              '    Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
  699:              ' End If
  700:
  701:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
  702:                 If boolAddAce Or boolDelAce Then
  703:                    Set objSD = ReOrderACE(objWMIServices, objSD, intSDType)
  704:                 End If
  705:
  706:                 SetSecurityDescriptor objWMIServices, _
  707:                                       objSD, _
  708:                                       strShare, _
  709:                                       intSDType
  710:              End If
  711:
  712:              If boolViewSD Then
  713:                 WScript.Echo
  714:                 DecipherWMISecurityDescriptor objSD, _
  715:                                               intSDType, _
  716:                                               "",  _
  717:                                               boolDecipher
  718:              End If
  ...:
  723:         Case cShareViaADSI
  ...:
  ...:
  ...:

end example

Of course, as we manage a share security descriptor, we must note some small differences as well:

  • The GetSecurityDescriptor() takes a share name instead of a file or folder path (line 663).

  • The modification of the security descriptor owner, group, or control flags is not applicable to a share security descriptor (lines 685 through 699).

  • The SACL is not supported on a share security descriptor.

Once these differences are taken into consideration (commented out lines 685 through 699), the code logic for a share is exactly the same as before. The following command line will invoke the Sample 4.5 code portion:

 C:\>WMIManageSD.Wsf /Share:MyDirectory 

4.6.2.2 Connecting to file system shares with ADSI

Connecting to a share security descriptor with ADSI is only possible under Windows XP or Windows Server 2003, because the ADSI ADsSecurityUtility object is only available for these platforms (see Sample 4.6). The ADsSecurity.DLL is not designed for this purpose. Since we use the ADSI ADsSecurityUtility object to retrieve the security descriptor, it is not necessary to establish a connection to the manageable entity. Basically, it follows the same logic as Sample 4.4 ("Connecting to files and folders with ADSI [Part II]") but with the same restrictions as the WMI techniques: Owner, group, control flags, and SACL updates are not applicable to a share. The retrieved security descriptor is represented in the ADSI object model, which implies the use of the DecipherADSISecurityDescriptor() function (lines 781 through 783). If you run under Windows Server 2003 or Windows XP, you can use the following command line to execute this portion of the script:

 C:\>WMIManageSD.Wsf /Share:MyDirectory /ADSI+ 
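The following PowerShell is an added example, not code from WMIManageSD.Wsf or from the book: it reads a share security descriptor through Win32_LogicalShareSecuritySetting, the WMI class behind the cShareViaWMI branch of Sample 4.5, and reports the DACL, which is the only part of a share security descriptor that carries meaning (the reason the owner, group, control-flag and SACL operations are left out of both the WMI and the ADSI share branches). It assumes the share named in $ShareName exists on $ComputerName and that the caller holds the rights WMI needs to read share security (local administrators, typically). The function names, the hardening check and the share name 'MyDirectory' are constructed for the example.

```powershell
# Added example; not part of WMIManageSD.Wsf. Reads a share security descriptor through
# Win32_LogicalShareSecuritySetting (the class behind the cShareViaWMI branch) and
# reports its DACL. Assumptions: $ShareName is a share on $ComputerName, and the caller
# holds the rights WMI needs to read share security (local administrators, typically).
function Get-ShareDacl {
    param(
        [Parameter(Mandatory = $true)][string]$ShareName,
        [string]$ComputerName = '.'
    )

    $setting = Get-WmiObject -Namespace 'root\cimv2' -ComputerName $ComputerName `
        -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if (-not $setting) { throw "Share '$ShareName' was not found on '$ComputerName'." }

    # Same call the script's GetSecurityDescriptor() makes for a share. The result is a
    # Win32_SecurityDescriptor in the WMI object model, so no ADSI conversion is needed.
    $result = $setting.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor() failed with return value $($result.ReturnValue)."
    }
    $sd = $result.Descriptor

    # Only the DACL is meaningful here: owner, group and SACL are not applicable to a
    # share, which is why the script keeps SetSDOwner/SetSDGroup/SetSDControlFlags
    # commented out in this branch.
    foreach ($ace in $sd.DACL) {
        if ($null -eq $ace) { continue }
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        $type = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Type $($ace.AceType)" } }
        # Share permission masks as they appear in ACE.AccessMask (Win32 access-mask values).
        $permission = switch ([uint32]$ace.AccessMask) {
            2032127 { 'Full Control' }   # 0x001F01FF
            1245631 { 'Change' }         # 0x001301BF
            1179817 { 'Read' }           # 0x001200A9
            default { '0x{0:X8}' -f $_ }
        }
        [PSCustomObject]@{
            Share      = $ShareName
            Trustee    = $trustee
            Sid        = $ace.Trustee.SIDString
            AceType    = $type
            Permission = $permission
        }
    }
}

# Hardening check: flags Allow ACEs that give broad, well-known groups write-level share access.
function Test-ShareDaclHardening {
    param([Parameter(Mandatory = $true)][string]$ShareName, [string]$ComputerName = '.')
    $broadGroups = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
    Get-ShareDacl -ShareName $ShareName -ComputerName $ComputerName | Where-Object {
        $_.AceType -eq 'Allow' -and $broadGroups.ContainsKey($_.Sid) -and ($_.Permission -in 'Full Control', 'Change')
    } | ForEach-Object {
        "Share '$($_.Share)': $($broadGroups[$_.Sid]) is granted $($_.Permission); review whether a narrower DACL is appropriate."
    }
}

# Usage, with the share name used in the book's command lines (constructed):
Get-ShareDacl -ShareName 'MyDirectory' | Format-Table -AutoSize
Test-ShareDaclHardening -ShareName 'MyDirectory'
```

On Windows XP and Windows Server 2003 the same descriptor can be obtained through the ADsSecurityUtility COM object, as Sample 4.6 does; the WMI route shown here has the advantage of working on Windows 2000 as well, and returns the descriptor directly in the WMI object model.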

Sample 4.6: Connecting to shares with ADSI (Part IV)

start example

 ...:
 ...:
 ...:
 723:         Case cShareViaADSI
 724:' ADSI technique retrieval -----------------------------------------------------------------
 725:              ' Security descriptor access not implemented via ADSI under Windows 2000.
 726:
 727:              ' Windows Server 2003 only ---------------------------------------------------
 728:              Set objSD = GetSecurityDescriptor (vbNull, _
 729:                                                 strShare, _
 730:                                                 intSDType)
 731:              If boolAddAce Then
 732:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
 733:                                     objSD, _
 734:                                     strTrustee, _
 735:                                     intACEType, _
 736:                                     intACEMask, _
 737:                                     intACEFlags, _
 738:                                     intACLtype, _
 739:                                     vbNull, _
 740:                                     vbNull, _
 741:                                     intSDType)
 742:              End If
 743:
 744:              If boolDelAce Then
 745:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
 746:                                     objSD, _
 747:                                     strTrustee, _
 748:                                     intACLtype, _
 749:                                     intSDType)
 750:              End If
 751:
 752:              ' Not supported for a share security descriptor.
 753:              '
 754:              ' If boolOwner Then
 755:              '    Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
 756:              '                           objSD, strOwner, intSDType)
 757:              ' End If
 758:              '
 759:              ' If boolGroup Then
 760:              '    Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
 761:              '                           objSD, strGroup, intSDType)
 762:              ' End If
 763:              '
 764:              ' If boolSDControlFlags Then
 765:              '    Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
 766:              ' End If
 767:
 768:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
 769:                 If boolAddAce Or boolDelAce Then
 770:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
 771:                 End If
 772:
 773:                 SetSecurityDescriptor vbNull, _
 774:                                       objSD, _
 775:                                       strShare, _
 776:                                       intSDType
 777:              End If
 778:
 779:              If boolViewSD Then
 780:                 WScript.Echo
 781:                 DecipherADSISecurityDescriptor objSD, _
 782:                                                intSDType, _
 783:                                                boolDecipher
 784:              End If
 ...:
 787:
 ...:
 ...:
 ...:

end example

4.6.3 Connecting to Active Directory object security descriptors

4.6.3.1 Connecting to Active Directory objects with WMI

Connecting to an Active Directory object with WMI follows the same rules as Sample 4.3 ("Connecting to files and folders with WMI [Part I]"). However, we must connect to the Root\Directory\LDAP CIM repository namespace, instead of the Root\CIMv2 namespace (lines 769 through 799), in order to get access to the WMI classes representing Active Directory object classes. As mentioned previously in section 4.4 ("Which access technique to use? Which security descriptor representation do we obtain?"), the WMI security descriptor access method of an Active Directory object retrieves the security descriptor in a binary format. The conversion of the security descriptor to an ADSI security descriptor representation is made in the GetSecurityDescriptor() function. This is why, even if the security descriptor access method is based on WMI, the subsequent subfunctions (i.e., AddAce() at line 806, DelAce() at line 819, and ReOrderAce() at line 842, to name a few) do not use the WMI connection settings. Instead, these functions manipulate the security descriptor in its ADSI representation. This implies that the security descriptor deciphering technique will be handled by the DecipherADSISecurityDescriptor() function (lines 853 through 855).

Another point to note is the format of the Active Directory distinguished name. Because the script can retrieve any object type from Active Directory, and because WMI requires the class of the object, it is mandatory to specify the object class on the command line. This must be done as follows:

 C:\>WMIManageSD.Wsf /ADObject:"user;CN=MyUser,CN=Users,DC=LissWare,DC=Net" 

The script will properly decode the class and the distinguishedName in the GetSecurityDescriptor() function.
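The following PowerShell is an added example, not the book's code, covering the two points the text makes about the WMI route: decoding the "class;distinguishedName" command-line argument, and converting the binary (self-relative) security descriptor that the WMI Active Directory provider returns into a structural representation with owner, group, control flags and ACEs. The conversion is done with the .NET RawSecurityDescriptor class rather than the book's GetSecurityDescriptor() function. The live lookup assumes the WMI Active Directory provider is installed (Root\Directory\LDAP namespace, ds_ class and DS_ attribute prefixes) and that it exposes DS_nTSecurityDescriptor as a byte array, as the "binary format" described in the text implies. The offline demonstration at the end builds its input from a constructed SDDL string so it runs without a directory; all function names are constructed for the example.

```powershell
# Added example; not the book's code. Step 1: split the 'class;DN' argument the way the
# script's GetSecurityDescriptor() must; step 2: turn a binary (self-relative) security
# descriptor into a structured view. Assumption: the WMI AD provider returns
# DS_nTSecurityDescriptor as a byte array (the text's "binary format").

function Split-ADObjectArgument {
    param([Parameter(Mandatory = $true)][string]$ADObject)   # e.g. 'user;CN=MyUser,CN=Users,DC=LissWare,DC=Net'
    $parts = $ADObject -split ';', 2
    if ($parts.Count -ne 2 -or -not $parts[1]) {
        throw "Expected '<class>;<distinguishedName>', got '$ADObject'."
    }
    [PSCustomObject]@{ Class = $parts[0].Trim(); DistinguishedName = $parts[1].Trim() }
}

function ConvertFrom-BinarySecurityDescriptor {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    # RawSecurityDescriptor parses the self-relative SECURITY_DESCRIPTOR layout into the same
    # structural parts the ADSI object model exposes: owner, group, control flags, DACL, SACL.
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0

    $dacl = foreach ($ace in $raw.DiscretionaryAcl) {
        $isQualified = $ace -is [System.Security.AccessControl.QualifiedAce]
        $isObjectAce = $ace -is [System.Security.AccessControl.ObjectAce]
        [PSCustomObject]@{
            AceType    = $ace.AceType
            Sid        = if ($isQualified) { $ace.SecurityIdentifier.Value } else { $null }
            AccessMask = if ($isQualified) { '0x{0:X8}' -f $ace.AccessMask } else { $null }
            AceFlags   = $ace.AceFlags
            # Object-specific ACEs (Active Directory only) carry the attribute / extended-right GUID
            # and the inherited-object-class GUID: the strObjectType / strInheritedObjectType
            # values passed to AddACE in Sample 4.7.
            ObjectType          = if ($isObjectAce) { $ace.ObjectAceType } else { $null }
            InheritedObjectType = if ($isObjectAce) { $ace.InheritedObjectAceType } else { $null }
        }
    }

    [PSCustomObject]@{
        Owner        = if ($raw.Owner) { $raw.Owner.Value } else { $null }
        Group        = if ($raw.Group) { $raw.Group.Value } else { $null }
        ControlFlags = $raw.ControlFlags
        Dacl         = @($dacl)
        SaclAceCount = if ($raw.SystemAcl) { $raw.SystemAcl.Count } else { 0 }
    }
}

# Live lookup through the WMI AD provider (assumed present); mirrors lines 793-804 of Sample 4.7.
function Get-ADObjectSecurityDescriptorViaWmi {
    param([Parameter(Mandatory = $true)][string]$ADObject, [string]$ComputerName = '.')
    $target = Split-ADObjectArgument -ADObject $ADObject
    $dn = $target.DistinguishedName -replace "'", "\'"   # escape single quotes for the WQL filter
    $obj = Get-WmiObject -Namespace 'root\directory\ldap' -ComputerName $ComputerName `
        -Class "ds_$($target.Class)" -Filter "DS_distinguishedName='$dn'"
    if (-not $obj) { throw "No '$($target.Class)' object with DN '$($target.DistinguishedName)' was found." }
    ConvertFrom-BinarySecurityDescriptor -Bytes ([byte[]]$obj.DS_nTSecurityDescriptor)
}

# Offline demonstration with a constructed descriptor: owner and group BUILTIN\Administrators,
# GenericAll for Administrators, GenericRead for Authenticated Users. The SDDL is turned into
# the binary form first, so the parsing path is the same one the live lookup takes.
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList 'O:BAG:BAD:(A;;GA;;;BA)(A;;GR;;;AU)'
$bytes = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)
ConvertFrom-BinarySecurityDescriptor -Bytes $bytes | Format-List
(Split-ADObjectArgument -ADObject 'user;CN=MyUser,CN=Users,DC=LissWare,DC=Net') | Format-List
```

Once the descriptor is in this structural form, the add, delete and reorder operations no longer need the WMI connection, which is exactly why the AddACE(), DelACE() and ReOrderACE() calls in Sample 4.7 receive vbNull in place of the WMI parameters.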

Sample 4.7: Connecting to Active Directory objects with WMI (Part V)

start example

 ...:
 ...:
 ...:
 787:
 788:' +----------------------------------------------------------------------------------------+
 789:' | Active Directory object                                                                |
 790:' +----------------------------------------------------------------------------------------+
 791:         Case cActiveDirectoryViaWMI
 792:' WMI technique retrieval ------------------------------------------------------------------
 793:              objWMILocator.Security_.AuthenticationLevel = wbemAuthenticationLevelDefault
 794:              objWMILocator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
 795:
 796:              Set objWMIServices = objWMILocator.ConnectServer(strComputerName, _
 797:                                                               cWMIADNameSpace, _
 798:                                                               strUserID, _
 799:                                                               strPassword)
 ...:
 802:              Set objSD = GetSecurityDescriptor (objWMIServices, _
 803:                                                 strADsObjectDN, _
 804:                                                 intSDType)
 805:              If boolAddAce Then
 806:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
 807:                                     objSD, _
 808:                                     strTrustee, _
 809:                                     intACEType, _
 810:                                     intACEMask, _
 811:                                     intACEFlags, _
 812:                                     intACLtype, _
 813:                                     strObjectType, _
 814:                                     strInheritedObjectType, _
 815:                                     intSDType)
 816:              End If
 817:
 818:              If boolDelAce Then
 819:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
 820:                                     objSD, _
 821:                                     strTrustee, _
 822:                                     intACLtype, _
 823:                                     intSDType)
 824:              End If
 825:
 826:              If boolOwner Then
 827:                 Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
 828:                                        objSD, strOwner, intSDType)
 829:              End If
 830:
 831:              If boolGroup Then
 832:                 Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
 833:                                        objSD, strGroup, intSDType)
 834:              End If
 835:
 836:              If boolSDControlFlags Then
 837:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
 838:              End If
 839:
 840:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
 841:                 If boolAddAce Or boolDelAce Then
 842:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
 843:                 End If
 844:
 845:                 SetSecurityDescriptor objWMIServices, _
 846:                                       objSD, _
 847:                                       strADsObjectDN, _
 848:                                       intSDType
 849:              End If
 850:
 851:              If boolViewSD Then
 852:                 WScript.Echo
 853:                 DecipherADSISecurityDescriptor objSD, _
 854:                                                intSDType, _
 855:                                                boolDecipher
 856:              End If
 ...:
 861:         Case cActiveDirectoryViaADSI
 ...:
 ...:
 ...:

end example

4.6.3.2 Connecting to Active Directory objects with ADSI

To retrieve the security descriptor of an Active Directory object with ADSI (see Sample 4.8), it is necessary to connect to the desired Active Directory object first. This can be done in the current user security context (lines 871 and 872) or with different credentials (lines 864 through 869). The connection security context is determined by the presence of the /UserID switch on the command line, which determines the content of the strUserID variable. Under Windows 2000, we do not use the ADsSecurity object method, even though it can retrieve the security descriptor from an Active Directory object. Coding the logic directly with the ADSI base objects, instead of using another COM object that encapsulates its own logic, gives us more control over the code. Moreover, this technique is applicable to any platform (Windows 2000, Windows Server 2003, Windows XP). This is why we must perform the connection to the Active Directory object ourselves; in the case of a file, a folder, or a share, this is done by the logic encapsulated in the ADsSecurityUtility or ADsSecurity objects.

Sample 4.8: Connecting to Active Directory objects with ADSI (Part VI)

start example

 ...:
 ...:
 ...:
 861:         Case cActiveDirectoryViaADSI
 862:' ADSI technique retrieval ------------------------------------------------------------------
 863:              If Len (strUserID) Then
 864:                 Set objNS = GetObject("LDAP:")
 865:                 Set objADsObject = objNS.OpenDSObject("LDAP://" & strComputerName & _
 866:                                       "/" & strADsObjectDN, _
 867:                                       strUserID, _
 868:                                       strPassword, _
 869:                                       ADS_SECURE_AUTHENTICATION)
 870:              Else
 871:                 Set objADsObject = GetObject("LDAP://" & strComputerName & "/" & _
 872:                                              strADsObjectDN)
 873:              End If
 874:
 875:              Set objSD = GetSecurityDescriptor (objADsObject, _
 876:                                                 strADsObjectDN, _
 877:                                                 intSDType)
 878:              If boolAddAce Then
 879:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
 880:                                     objSD, _
 881:                                     strTrustee, _
 882:                                     intACEType, _
 883:                                     intACEMask, _
 884:                                     intACEFlags, _
 885:                                     intACLtype, _
 886:                                     strObjectType, _
 887:                                     strInheritedObjectType, _
 888:                                     intSDType)
 889:              End If
 890:
 891:              If boolDelAce Then
 892:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
 893:                                     objSD, _
 894:                                     strTrustee, _
 895:                                     intACLtype, _
 896:                                     intSDType)
 897:              End If
 898:
 899:              If boolOwner Then
 900:                 Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
 901:                                        objSD, strOwner, intSDType)
 902:              End If
 903:
 904:              If boolGroup Then
 905:                 Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
 906:                                        objSD, strGroup, intSDType)
 907:              End If
 908:
 909:              If boolSDControlFlags Then
 910:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
 911:              End If
 912:
 913:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
 914:                 If boolAddAce Or boolDelAce Then
 915:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
 916:                 End If
 917:
 918:                 SetSecurityDescriptor objADsObject, _
 919:                                       objSD, _
 920:                                       strADsObjectDN, _
 921:                                       intSDType
 922:              End If
 923:
 924:              If boolViewSD Then
 925:                 WScript.Echo
 926:                 DecipherADSISecurityDescriptor objSD, _
 927:                                                intSDType, _
 928:                                                boolDecipher
 929:              End If
 ...:
 933:
 ...:
 ...:
 ...:

end example

Once the connection is established, the script invokes the GetSecurityDescriptor() function with the object referring to the Active Directory object connection (line 875). The distinguishedName of the object is also passed to the function (line 876). The following command line will execute this portion of the script:

 C:\>WMIManageSD.Wsf /ADObject:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /ADSI+ 

Note that with the ADSI access method, we do not provide the object class with the distinguishedName, as done with the WMI access method. ADSI is able to determine the object class by itself. Once the security descriptor is retrieved (line 875), since it is represented in the ADSI object model, the subsequent functions do not need the connection parameters, unlike the case with WMI. The security descriptor is deciphered with the DecipherADSISecurityDescriptor() function (lines 926 through 928).
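The following PowerShell is an added example, not the book's code: it performs the ADSI connection described above through the .NET DirectoryEntry class, which wraps the same LDAP bind the script does with GetObject() (caller's security context) or OpenDSObject() with ADS_SECURE_AUTHENTICATION (explicit credentials), and then reads the structural security descriptor (ActiveDirectorySecurity) that ADSI returns. As the text notes, no object class is given in the path; the example reads the class ADSI determined (SchemaClassName) to make that visible. It assumes $ComputerName is a domain controller reachable over LDAP and that $DistinguishedName exists; the optional -Credential parameter stands in for the script's /UserID and /Password switches. Function names and the review check are constructed for the example.

```powershell
# Added example; not the book's code. ADSI-style access through System.DirectoryServices.
# Assumptions: $ComputerName answers LDAP, $DistinguishedName exists, and -Credential
# (optional) plays the role of the script's /UserID and /Password switches.
function Get-ADObjectSecurityViaAdsi {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    # No object class in the path: ADSI works it out on bind (compare the WMI route's 'class;DN').
    $path = "LDAP://$ComputerName/$DistinguishedName"
    if ($Credential) {
        # Equivalent of OpenDSObject(path, user, password, ADS_SECURE_AUTHENTICATION)
        $ctorArgs = @(
            $path,
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure
        )
    } else {
        # Equivalent of GetObject(path): the caller's own security context
        $ctorArgs = @($path)
    }
    $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $ctorArgs

    # ObjectSecurity is the structural (ADSI-style) descriptor: owner, group, DACL, SACL.
    # Once retrieved, it is manipulated without the connection, as in the script's subfunctions.
    $security = $entry.psbase.ObjectSecurity
    $account  = [System.Security.Principal.NTAccount]
    $rules    = $security.GetAccessRules($true, $true, $account)

    [PSCustomObject]@{
        DistinguishedName = $DistinguishedName
        ObjectClass       = $entry.psbase.SchemaClassName      # class determined by ADSI, not by the caller
        Owner             = $security.GetOwner($account).Value
        Group             = $security.GetGroup($account).Value
        Dacl              = @($rules | ForEach-Object {
            [PSCustomObject]@{
                Trustee             = $_.IdentityReference.Value
                Type                = $_.AccessControlType
                Rights              = $_.ActiveDirectoryRights
                ObjectType          = $_.ObjectType            # attribute / extended-right GUID (cf. strObjectType)
                InheritedObjectType = $_.InheritedObjectType   # cf. strInheritedObjectType
                Inherited           = $_.IsInherited
            }
        })
    }
}

# Review helper: explicit (non-inherited) Allow entries granting rights that let the trustee
# rewrite the descriptor itself; these deserve a second look in any delegation review.
function Find-DescriptorControlAces {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $controlRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    $sd = Get-ADObjectSecurityViaAdsi -DistinguishedName $DistinguishedName -ComputerName $ComputerName -Credential $Credential
    $sd.Dacl | Where-Object {
        $_.Type -eq 'Allow' -and -not $_.Inherited -and (($_.Rights -band $controlRights) -ne 0)
    }
}

# Usage, with the constructed values from the book's command line:
# $cred = Get-Credential   # optional; omit -Credential to bind as the current user
# Get-ADObjectSecurityViaAdsi -DistinguishedName 'CN=MyUser,CN=Users,DC=LissWare,DC=Net' -ComputerName 'dc1' | Format-List
```

Writing the descriptor back corresponds to assigning ObjectSecurity and calling CommitChanges() on the same DirectoryEntry, which is the role SetSecurityDescriptor() plays at lines 918 through 921 of Sample 4.8.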

4.6.4 Connecting to Exchange 2000 mailbox security descriptors

To get access to the security descriptor set on an Exchange 2000 mailbox, it is possible to use three techniques: WMI, ADSI, or CDOEXM. Although all techniques can retrieve and view the security descriptor settings, only the CDOEXM technique can perform an update of the Exchange 2000 security descriptor correctly, because the CDOEXM technique is the only one updating the security descriptor located in the Exchange 2000 store. We will deal with this aspect when updating the Exchange 2000 security descriptor in section 4.14.4.3 ("Updating Exchange 2000 mailbox security descriptors with CDOEXM").

4.6.4.1 Connecting to Exchange 2000 mailbox security descriptor with WMI

Sample 4.9 illustrates the WMI technique. Basically, this is exactly the same as the technique used to retrieve the security descriptor from an Active Directory object, simply because the Exchange 2000 mailbox security descriptor is available from Active Directory. The only difference resides in the object class that is accessed, since only user objects can have an Exchange 2000 mailbox. This is why the distinguishedName given on the command line no longer needs to be prefixed with the object class. For instance, the following command line will retrieve the Exchange 2000 mailbox security descriptor with WMI:

 C:\>WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" 

Sample 4.9: Connecting to Exchange 2000 mailbox information with WMI (Part VII)

start example

 ...:
 ...:
 ...:
 933:
 934:' +----------------------------------------------------------------------------------------+
 935:' | Exchange 2000 mailbox                                                                  |
 936:' +----------------------------------------------------------------------------------------+
 937:         Case cExchange2000MailboxViaWMI
 938:' WMI technique retrieval ------------------------------------------------------------------
 939:              objWMILocator.Security_.AuthenticationLevel = wbemAuthenticationLevelDefault
 940:              objWMILocator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
 941:
 942:              Set objWMIServices = objWMILocator.ConnectServer(strComputerName, _
 943:                                                               cWMIADNameSpace, _
 944:                                                               strUserID, _
 945:                                                               strPassword)
 ...:
 948:              Set objSD = GetSecurityDescriptor (objWMIServices, _
 949:                                                 strADsUserDN, _
 950:                                                 intSDType)
 951:              If boolAddAce Then
 952:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
 953:                                     objSD, _
 954:                                     strTrustee, _
 955:                                     intACEType, _
 956:                                     intACEMask, _
 957:                                     intACEFlags, _
 958:                                     intACLtype, _
 959:                                     vbNull, _
 960:                                     vbNull, _
 961:                                     intSDType)
 962:              End If
 963:
 964:              If boolDelAce Then
 965:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
 966:                                     objSD, _
 967:                                     strTrustee, _
 968:                                     intACLtype, _
 969:                                     intSDType)
 970:              End If
 971:
 972:              If boolOwner Then
 973:                 Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
 974:                                        objSD, strOwner, intSDType)
 975:              End If
 976:
 977:              If boolGroup Then
 978:                 Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
 979:                                        objSD, strGroup, intSDType)
 980:              End If
 981:
 982:              If boolSDControlFlags Then
 983:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
 984:              End If
 985:
 986:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
 987:                 If boolAddAce Or boolDelAce Then
 988:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
 989:                 End If
 990:
 991:                 SetSecurityDescriptor objWMIServices, _
 992:                                       objSD, _
 993:                                       strADsUserDN, _
 994:                                       intSDType
 995:              End If
 996:
 997:              If boolViewSD Then
 998:                 WScript.Echo
 999:                 DecipherADSISecurityDescriptor objSD, _
1000:                                                intSDType, _
1001:                                                boolDecipher
1002:              End If
....:
1007:         Case cExchange2000MailboxViaADSI
....:
....:
....:

end example

However, the GetSecurityDescriptor() function will look for a specific attribute containing the Exchange 2000 mailbox security descriptor. We will see this in detail when examining the GetSecurityDescriptor() function as it accesses an Exchange 2000 mailbox security descriptor in section 4.7.4. Except for this difference encapsulated in the GetSecurityDescriptor() function, Sample 4.9 is the same as Sample 4.7 ("Connecting to Active Directory objects with WMI [Part V]").

4.6.4.2 Connecting to Exchange 2000 mailbox security descriptor with ADSI

As with Sample 4.8 ("Connecting to Active Directory objects with ADSI [Part VI]"), Sample 4.10 follows the exact same logic. The security descriptor specificities are treated in the subfunctions. The following command line executes the Sample 4.10 code portion:

 C:\>WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /ADSI+ 

Sample 4.10: Connecting to Exchange 2000 mailbox information with ADSI (Part VIII)

start example

....:
....:
....:
1007:         Case cExchange2000MailboxViaADSI
1008:' ADSI technique retrieval ------------------------------------------------------------------
1009:              If Len (strUserID) Then
1010:                 Set objNS = GetObject("LDAP:")
1011:                 Set objADsObject = objNS.OpenDSObject("LDAP://" & strComputerName & "/" & strADsUserDN, _
1012:                                                       strUserID, _
1013:                                                       strPassword, _
1014:                                                       ADS_SECURE_AUTHENTICATION)
1015:              Else
1016:                 Set objADsObject = GetObject("LDAP://" & strComputerName & "/" & strADsUserDN)
1017:              End If
1018:
1019:              Set objSD = GetSecurityDescriptor (objADsObject, _
1020:                                                 strADsUserDN, _
1021:                                                 intSDType)
1022:              If boolAddAce Then
1023:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
1024:                                     objSD, _
1025:                                     strTrustee, _
1026:                                     intACEType, _
1027:                                     intACEMask, _
1028:                                     intACEFlags, _
1029:                                     intACLtype, _
1030:                                     vbNull, _
1031:                                     vbNull, _
1032:                                     intSDType)
1033:              End If
1034:
1035:              If boolDelAce Then
1036:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
1037:                                     objSD, _
1038:                                     strTrustee, _
1039:                                     intACLtype, _
1040:                                     intSDType)
1041:              End If
1042:
1043:              If boolOwner Then
1044:                 Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
1045:                                        objSD, strOwner, intSDType)
1046:              End If
1047:
1048:              If boolGroup Then
1049:                 Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
1050:                                        objSD, strGroup, intSDType)
1051:              End If
1052:
1053:              If boolSDControlFlags Then
1054:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
1055:              End If
1056:
1057:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
1058:                 If boolAddAce Or boolDelAce Then
1059:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
1060:                 End If
1061:
1062:                 SetSecurityDescriptor objADsObject, _
1063:                                       objSD, _
1064:                                       strADsUserDN, _
1065:                                       intSDType
1066:              End If
1067:
1068:              If boolViewSD Then
1069:                 WScript.Echo
1070:                 DecipherADSISecurityDescriptor objSD, _
1071:                                                intSDType, _
1072:                                                boolDecipher
1073:              End If
....:
1078:         Case cExchange2000MailboxViaCDOEXM
....:
....:
....:

end example

4.6.4.3 Connecting to Exchange 2000 mailbox security descriptor with CDOEXM

CDOEXM provides objects and interfaces for the management of many Exchange 2000 components. For instance, with CDOEXM you can configure Exchange servers and stores, mount and dismount stores, and create and configure mailboxes. CDOEXM is more than an extension of ADSI; it is also an extension of Collaboration Data Objects for Exchange 2000 (CDOEX). At the server level, CDOEXM retrieves specific information about the server itself, as well as the Storage Groups present on the server and the stores created in those Storage Groups. From an Active Directory user object point of view, CDOEXM exposes properties and methods to manage the Exchange 2000 mailbox. CDOEXM is an important companion to ADSI and CDOEX when working with Exchange 2000. For the purposes of this script, our only interest in the CDOEXM technique is its ability to update the security descriptor in the Exchange store (see section 4.13.4.3, "Updating Exchange 2000 mailbox security descriptors with CDOEXM").

Sample 4.11 refers to the CDOEXM security descriptor access technique. Basically, this is the same technique as Sample 4.10, since CDOEXM acts as an extension for ADSI. Again, the security descriptor specificities are managed in the GetSecurityDescriptor() function. The following command line executes the Sample 4.11 code portion:

 C:\>WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /E2KStore+ 

Sample 4.11: Connecting to Exchange 2000 mailbox information with CDOEXM (Part IX)

start example

....:
....:
....:
1078:         Case cExchange2000MailboxViaCDOEXM
1079:' CDOEXM technique retrieval ------------------------------------------------------------------
1080:              If Len (strUserID) Then
1081:                 Set objNS = GetObject("LDAP:")
1082:                 Set objADsObject = objNS.OpenDSObject("LDAP://" & strADsUserDN, _
1083:                                                       strUserID, _
1084:                                                       strPassword, _
1085:                                                       ADS_SECURE_AUTHENTICATION)
1086:              Else
1087:                 Set objADsObject = GetObject("LDAP://" & strADsUserDN)
1088:              End If
1089:              Set objSD = GetSecurityDescriptor (objADsObject, _
1090:                                                 strADsUserDN, _
1091:                                                 intSDType)
1092:              If boolAddAce Then
1093:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
1094:                                     objSD, _
1095:                                     strTrustee, _
1096:                                     intACEType, _
1097:                                     intACEMask, _
1098:                                     intACEFlags, _
1099:                                     intACLtype, _
1100:                                     vbNull, _
1101:                                     vbNull, _
1102:                                     intSDType)
1103:              End If
1104:
1105:              If boolDelAce Then
1106:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
1107:                                     objSD, _
1108:                                     strTrustee, _
1109:                                     intACLtype, _
1110:                                     intSDType)
1111:              End If
1112:
1113:              If boolOwner Then
1114:                 Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
1115:                                        objSD, strOwner, intSDType)
1116:              End If
1117:
1118:              If boolGroup Then
1119:                 Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
1120:                                        objSD, strGroup, intSDType)
1121:              End If
1122:
1123:              If boolSDControlFlags Then
1124:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
1125:              End If
1126:
1127:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
1128:                 If boolAddAce Or boolDelAce Then
1129:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
1130:                 End If
1131:
1132:                 SetSecurityDescriptor objADsObject, _
1133:                                       objSD, _
1134:                                       strADsUserDN, _
1135:                                       intSDType
1136:              End If
1137:
1138:              If boolViewSD Then
1139:                 WScript.Echo
1140:                 DecipherADSISecurityDescriptor objSD, _
1141:                                                intSDType, _
1142:                                                boolDecipher
1143:              End If
....:
1147:
....:
....:
....:

end example

4.6.5 Connecting to registry key security descriptors

4.6.5.1 Connecting to registry keys with WMI

The connection to the registry with WMI is possible through the StdRegProv class in the Root\Default namespace. Although this class exposes the CheckAccess method to verify whether the user invoking the method holds a specified set of permissions on a key, it is not currently possible to retrieve a structural representation of a registry key security descriptor via WMI (neither in the WMI object model, nor in the ADSI object model, nor in binary form). The only way is to use the ADSI ADsSecurityUtility or ADsSecurity objects, which implement an ADSI security descriptor access technique.

4.6.5.2 Connecting to registry keys with ADSI

The logic developed for Sample 4.4 ("Connecting to files and folders with ADSI [Part II]") and Sample 4.6 ("Connecting to shares with ADSI [Part IV]") applies to Sample 4.12, since it makes use of the ADsSecurityUtility object (Windows Server 2003 or Windows XP only) or the ADsSecurity object (Windows 2000 or before). As already mentioned, keep in mind that the ADsSecurity object does not give access to the SACL component of the security descriptor. The following command line executes the Sample 4.12 code portion:

 C:\>WMIManageSD.Wsf /RegistryKey:HKLM\SOFTWARE\Microsoft /ADSI+ 

Sample 4.12: Connecting to registry keys with ADSI (Part X)

start example

....:
....:
....:
1147:
1148:' +----------------------------------------------------------------------------------------+
1149:' | Registry key                                                                           |
1150:' +----------------------------------------------------------------------------------------+
1151:         Case cRegistryViaWMI
1152:' WMI technique retrieval -------------------------------------------------------------------
1153:              ' Security descriptor access not implemented via WMI.
1154:
1155:         Case cRegistryViaADSI
1156:' ADSI technique retrieval ------------------------------------------------------------------
1157:              Set objSD = GetSecurityDescriptor (vbNull, _
1158:                                                 strRegistryKey, _
1159:                                                 intSDType)
1160:              If boolAddAce Then
1161:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
1162:                                     objSD, _
1163:                                     strTrustee, _
1164:                                     intACEType, _
1165:                                     intACEMask, _
1166:                                     intACEFlags, _
1167:                                     intACLtype, _
1168:                                     vbNull, _
1169:                                     vbNull, _
1170:                                     intSDType)
1171:              End If
1172:
1173:              If boolDelAce Then
1174:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
1175:                                     objSD, _
1176:                                     strTrustee, _
1177:                                     intACLtype, _
1178:                                     intSDType)
1179:              End If
1180:
1181:              If boolOwner Then
1182:                 Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
1183:                                        objSD, strOwner, intSDType)
1184:              End If
1185:
1186:              If boolGroup Then
1187:                 Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
1188:                                        objSD, strGroup, intSDType)
1189:              End If
1190:
1191:              If boolSDControlFlags Then
1192:                 Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
1193:              End If
1194:
1195:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
1196:                 If boolAddAce Or boolDelAce Then
1197:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
1198:                 End If
1199:                 SetSecurityDescriptor vbNull, _
1200:                                       objSD, _
1201:                                       strRegistryKey, _
1202:                                       intSDType
1203:              End If
1204:
1205:              If boolViewSD Then
1206:                 WScript.Echo
1207:                 DecipherADSISecurityDescriptor objSD, _
1208:                                                intSDType, _
1209:                                                boolDecipher
1210:              End If
....:
1213:
....:
....:
....:

end example

4.6.6 Connecting to CIM repository namespace security descriptors

4.6.6.1 Connecting to CIM repository namespaces with WMI

With WMI, it is possible to retrieve the security descriptor of a CIM repository namespace (see Sample 4.13). However, the retrieved security descriptor is in a binary form. The GetSecurityDescriptor() function converts this binary security descriptor to an ADSI security descriptor representation. With the WMI access method, to get access to the namespace security descriptor, the GetSecurityDescriptor() function requires the SWbemServices object created when connecting to the CIM repository namespace (lines 1222 through 1225). It is important to note that the script no longer connects to the Root\CIMv2 namespace, but to the namespace whose security descriptor must be retrieved. Since the security descriptor is represented in the ADSI object model after its conversion from the binary form, the subsequent subfunctions (AddACE() at lines 1232 through 1241, DelACE() at lines 1245 through 1249, or ReOrderACE() at line 1270, to name a few) do not require the connection object to the managed entity.

Sample 4.13: Connecting to CIM repository namespaces with WMI (Part XI)

start example

....:
....:
....:
1213:
1214:' +----------------------------------------------------------------------------------------+
1215:' | CIM repository namespace                                                               |
1216:' +----------------------------------------------------------------------------------------+
1217:         Case cWMINameSpaceViaWMI
1218:' WMI technique retrieval ------------------------------------------------------------------
1219:              objWMILocator.Security_.AuthenticationLevel = wbemAuthenticationLevelDefault
1220:              objWMILocator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
1221:
1222:              Set objWMIServices = objWMILocator.ConnectServer(strComputerName, _
1223:                                                               strWMINameSpace, _
1224:                                                               strUserID, _
1225:                                                               strPassword)
....:
1228:              Set objSD = GetSecurityDescriptor (objWMIServices, _
1229:                                                 strWMINameSpace, _
1230:                                                 intSDType)
1231:              If boolAddAce Then
1232:                 Set objSD = AddACE (vbNull, vbNull, vbNull, vbNull, _
1233:                                     objSD, _
1234:                                     strTrustee, _
1235:                                     intACEType, _
1236:                                     intACEMask, _
1237:                                     intACEFlags, _
1238:                                     intACLtype, _
1239:                                     vbNull, _
1240:                                     vbNull, _
1241:                                     intSDType)
1242:              End If
1243:
1244:              If boolDelAce Then
1245:                 Set objSD = DelACE (vbNull, vbNull, vbNull, vbNull, _
1246:                                     objSD, _
1247:                                     strTrustee, _
1248:                                     intACLtype, _
1249:                                     intSDType)
1250:              End If
1251:
1252:              ' Not supported for a CIM repository namespace security descriptor.
1253:              '
1254:              ' If boolOwner Then
1255:              '    Set objSD = SetSDOwner(vbNull, vbNull, vbNull, _
1256:              '                           objSD, strOwner, intSDType)
1257:              ' End If
1258:              '
1259:              ' If boolGroup Then
1260:              '    Set objSD = SetSDGroup(vbNull, vbNull, vbNull, _
1261:              '                           objSD, strGroup, intSDType)
1262:              ' End If
1263:              '
1264:              ' If boolSDControlFlags Then
1265:              '    Set objSD = SetSDControlFlags(objSD, intSDControlFlags, intSDType)
1266:              ' End If
1267:
1268:              If boolAddAce Or boolDelAce Or boolOwner Or boolGroup Or boolSDControlFlags Then
1269:                 If boolAddAce Or boolDelAce Then
1270:                    Set objSD = ReOrderACE(vbNull, objSD, intSDType)
1271:                 End If
1272:
1273:                 SetSecurityDescriptor objWMIServices, _
1274:                                       objSD, _
1275:                                       strWMINameSpace, _
1276:                                       intSDType
1277:              End If
1278:
1279:              If boolViewSD Then
1280:                 WScript.Echo
1281:                 DecipherADSISecurityDescriptor objSD, _
1282:                                                intSDType, _
1283:                                                boolDecipher
1284:              End If
....:
1289:         Case cWMINameSpaceViaADSI
1290:' ADSI technique retrieval -----------------------------------------------------------------
1291:              ' Security descriptor access not implemented via ADSI.
1292:    End Select
1293:
1294:    ]]>
1295:    </script>
1296:  </job>
1297:</package>

end example

Note that, as with a share, updating the owner, the group, and the security descriptor control flags is not supported for a CIM repository namespace (lines 1252 through 1266); only the ACEs of the DACL and SACL can be changed.
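To make the binary form concrete, the following is an added example (not code from the book or from WMIManageSD.Wsf) that lays out and then decodes the self-relative SECURITY_DESCRIPTOR structure that WMI returns for a namespace, producing the owner, group and ACE view that the script's conversion to the ADSI object model provides. The sample descriptor is constructed inline; the control bits, WMI namespace access-mask bits and well-known SIDs are assumed standard values, and the ACEs are illustrative, not taken from a real system.

```python
import struct

# Control bits of a security descriptor (assumed standard values; the book's SetSDControlFlags() edits these)
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPE_NAMES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}

def build_sid(authority, *subs):  # revision 1, sub-authority count, 6-byte big-endian authority, LE sub-authorities
    return struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_ace(ace_type, ace_flags, mask, sid):  # ACE_HEADER (type, flags, size) + access mask + trustee SID
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body
def build_acl(aces):  # ACL header: revision 2, Sbz1, AclSize, AceCount, Sbz2, then the ACEs in order
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

def build_self_relative_sd(owner, group, dacl):  # 20-byte header holding offsets, then owner, group, DACL
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(group)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT  # no SACL in this sample, so its offset stays 0
    return struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl) + owner + group + dacl

def sid_to_string(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_self_relative_sd(buf):  # decode into the owner/group/ACL view the book's decipher routine prints
    rev, _, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"revision": rev, "control": control, "dacl": [], "sacl": [],
          "owner": sid_to_string(buf, off_owner) if off_owner else None,
          "group": sid_to_string(buf, off_group) if off_group else None}
    for key, off, present in (("dacl", off_dacl, SE_DACL_PRESENT), ("sacl", off_sacl, SE_SACL_PRESENT)):
        if not (control & present) or not off:  # ACL absent or NULL: nothing to walk
            continue
        ace_count, pos = struct.unpack_from("<BBHHH", buf, off)[3], off + 8
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
            sd[key].append({"type": ACE_TYPE_NAMES.get(ace_type, ace_type), "flags": ace_flags,
                            "mask": struct.unpack_from("<I", buf, pos + 4)[0],
                            "trustee": sid_to_string(buf, pos + 8)})
            pos += ace_size  # AceSize lets us step over ACE types we do not decode
    return sd
# Constructed sample, not a real namespace SD. Masks use the WMI namespace rights bits:
# 0x13 = WBEM_ENABLE|WBEM_METHOD_EXECUTE|WBEM_WRITE_PROVIDER; 0x6003F = all six rights + READ_CONTROL + WRITE_DAC.
SAMPLE_SD = build_self_relative_sd(
    build_sid(5, 32, 544),  # owner S-1-5-32-544 (BUILTIN\Administrators)
    build_sid(5, 18),       # group S-1-5-18 (NT AUTHORITY\SYSTEM)
    build_acl([build_ace(0, 0x02, 0x13, build_sid(5, 11)),           # allow Authenticated Users, CONTAINER_INHERIT_ACE
               build_ace(0, 0x02, 0x6003F, build_sid(5, 32, 544))]))  # allow Administrators, CONTAINER_INHERIT_ACE
```

The same parser applies to the byte array returned by a namespace's __SystemSecurity.GetSD method, since that is the self-relative layout decoded here.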

4.6.6.2 Connecting to CIM repository namespaces with ADSI

Accessing a CIM repository namespace security descriptor is not possible with ADSI and therefore is not supported by the script. The only valid access method is implemented by WMI.


Leveraging WMI Scripting: Using Windows Management Instrumentation to Solve Windows Management Problems (HP Technologies)
ISBN: 1555582990
Year: 2003
Pages: 82
Authors: Alain Lissoir
