Changing permissions on files, folders, and registry keys/values

Roham (IS/IT--Management) (OP)
6 Mar 08 10:11
Hello out there,
I am constructing a script to fix least user access bugs that I encounter for a particular legacy piece of software.  I need to change security permissions on files and folders as well as registry keys and specific values.

I currently have a subroutine that calls cacls.exe to change the permissions on the files or folders, but I'd like to do it inherent to the script without having to call an executable.  I haven't found a way to do that up to this point.  Any ideas?

My main concern is to be able to change permissions on some registry keys and values as needed to add modify access so that limited Windows users can run the program.  I can't use cacls.exe for this.  I can do this manually, but am not sure how to get it done via a script.

Thanks for any ideas!

Mike

markdmac (MIS)
9 Mar 08 11:36
Here are some resources you can check out.  Subinacl is probably your best solution but note that it does not run against remote systems and does not support x64 platforms.

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

http://support.microsoft.com/Default.aspx?kbid=269159

http://support.microsoft.com/kb/245031

I hope you find this post helpful.  

Regards,

Mark

Check out my scripting solutions at http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER.  The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier!  Save time, get more work done, get the Admin Script Pack.

Roham (IS/IT--Management) (OP)
10 Mar 08 11:44
Hi Mark,
Thanks for your suggestion, I came across that program in my research.  I'm sure it works great, but I'm a minimalist when it comes to scripting.  I usually don't want to load extra stuff if I don't have to, since I work with isolated computer labs (public school district) and don't have a homogenous environment.  

After I posted my question, I did a lot more research and found many references.  Most were in VB and I had trouble translating them to VBScript.  I then came across another source where the author listed the constants needed to modify permissions.  They are part of my script below.

Apparently the ability to modify the registry permissions did not exist a while back, even in XP.  Most of the sources refer to using ADsSecurity.dll from the ADSI 2.5 Resource Kit, but it can no longer be downloaded.  After some digging, I found out that the functionality in the ADsSecurity.dll was replaced along the line (I'm guessing XP SP2) with activeds.dll.  There are multiple objects (examples in my code below) that can be called in order to modify ACLs in the registry.

So without further ado, here's the script that I wrote to change registry and file settings in order to make Cakewalk Music Creator 2003 run as a limited user.  It's one of those old programs that has limited user access bugs.

Option Explicit
    ' Define some constants:
    '
    ' Define ADS_RIGHTS_ENUM constants:
    '
        const ADS_RIGHT_DELETE                 = &h10000
        const ADS_RIGHT_READ_CONTROL           = &h20000
        const ADS_RIGHT_WRITE_DAC              = &h40000
        const ADS_RIGHT_WRITE_OWNER            = &h80000
        const ADS_RIGHT_SYNCHRONIZE            = &h100000
        const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &h1000000
        Const ADS_RIGHT_GENERIC_READ           = &h80000000
        const ADS_RIGHT_GENERIC_WRITE          = &h40000000
        const ADS_RIGHT_GENERIC_EXECUTE        = &h20000000
        const ADS_RIGHT_GENERIC_ALL            = &h10000000
        const ADS_RIGHT_DS_CREATE_CHILD        = &h1
        const ADS_RIGHT_DS_DELETE_CHILD        = &h2
        const ADS_RIGHT_ACTRL_DS_LIST          = &h4
        const ADS_RIGHT_DS_SELF                = &h8
        const ADS_RIGHT_DS_READ_PROP           = &h10
        const ADS_RIGHT_DS_WRITE_PROP          = &h20
        const ADS_RIGHT_DS_DELETE_TREE         = &h40
        const ADS_RIGHT_DS_LIST_OBJECT         = &h80
        const ADS_RIGHT_DS_CONTROL_ACCESS      = &h100
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' Ace Type definitions
    '
        const ADS_ACETYPE_ACCESS_ALLOWED           = 0
        const ADS_ACETYPE_ACCESS_DENIED            = &h1
        const ADS_ACETYPE_SYSTEM_AUDIT             = &h2
        const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT    = &h5
        Const ADS_ACETYPE_ACCESS_DENIED_OBJECT     = &h6
        const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT      = &h7
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    ' Ace Flag Constants
    '
        const ADS_ACEFLAG_UNKNOWN                  = &h1
        const ADS_ACEFLAG_INHERIT_ACE              = &h2
        const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &h4
        const ADS_ACEFLAG_INHERIT_ONLY_ACE         = &h8
        const ADS_ACEFLAG_INHERITED_ACE            = &h10
        const ADS_ACEFLAG_VALID_INHERIT_FLAGS      = &h1f
        Const ADS_ACEFLAG_SUCCESSFUL_ACCESS        = &h40
        const ADS_ACEFLAG_FAILED_ACCESS            = &h80
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ' Flags constants for AD objects
    '
        const ADS_FLAG_OBJECT_TYPE_PRESENT           = &h1
        Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &h2
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   
    ' File Specific Access Rights
    '
        Const  DELETE                           = &h00010000
        Const  READ_CONTROL                     = &h00020000
        Const  WRITE_DAC                        = &h00040000
        Const  WRITE_OWNER                      = &h00080000
        Const  SYNCHRONIZE                      = &h00100000
        Const  STANDARD_RIGHTS_REQUIRED         = &h000F0000
        Const  STANDARD_RIGHTS_ALL              = &h001F0000     
        Const  SPECIFIC_RIGHTS_ALL              = &h0000FFFF
    
    Dim  STANDARD_RIGHTS_READ   : STANDARD_RIGHTS_READ           = READ_CONTROL
    Dim  STANDARD_RIGHTS_WRITE  : STANDARD_RIGHTS_WRITE          = READ_CONTROL
    Dim  STANDARD_RIGHTS_EXECUTE: STANDARD_RIGHTS_EXECUTE        = READ_CONTROL
    '
    '  AccessSystemAcl access type
    '
        Const  ACCESS_SYSTEM_SECURITY           = &h01000000
    '
    '  MaximumAllowed access type
    '
        Const  MAXIMUM_ALLOWED                  = &h02000000
    '
    '   These are the generic rights.
    '
        Const  GENERIC_READ                     = &h80000000
        Const  GENERIC_WRITE                    = &h40000000
        Const  GENERIC_EXECUTE                  = &h20000000
        Const  GENERIC_ALL                      = &h10000000
    '
    ' AccessMask constants for FILE ACEs
    '
        Const FILE_READ_DATA            = &h0001    '  file & pipe
        Const FILE_LIST_DIRECTORY       = &h0001    '  directory
        Const FILE_WRITE_DATA           = &h0002    '  file & pipe
        Const FILE_ADD_FILE             = &h0002    '  directory
        
        Const FILE_APPEND_DATA          = &h0004    '  file
        Const FILE_ADD_SUBDIRECTORY     = &h0004    '  directory
        Const FILE_CREATE_PIPE_INSTANCE = &h0004    '  named pipe
        
        Const FILE_READ_EA              = &h0008    '  file & directory
        Const FILE_WRITE_EA             = &h0010    '  file & directory
        
        Const FILE_EXECUTE              = &h0020    '  file
        Const FILE_TRAVERSE             = &h0020    '  directory
        
        Const FILE_DELETE_CHILD         = &h0040    '  directory
        Const FILE_READ_ATTRIBUTES      = &h0080    '  all
        Const FILE_WRITE_ATTRIBUTES     = &h0100    '  all
        
        Dim FILE_ALL_ACCESS : FILE_ALL_ACCESS  = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &h1FF
            
        dim FILE_GENERIC_READ : FILE_GENERIC_READ =  STANDARD_RIGHTS_READ   Or _
                                   FILE_READ_DATA         Or _
                                   FILE_READ_ATTRIBUTES   Or _
                                   FILE_READ_EA           Or _
                                   SYNCHRONIZE
        
        
        dim FILE_GENERIC_WRITE : FILE_GENERIC_WRITE =  STANDARD_RIGHTS_WRITE  Or _
                                     FILE_WRITE_DATA        Or _
                                     FILE_WRITE_ATTRIBUTES  Or _
                                     FILE_WRITE_EA          Or _
                                     FILE_APPEND_DATA       Or _
                                     SYNCHRONIZE
        
        
        dim FILE_GENERIC_EXECUTE : FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or _
                                     FILE_READ_ATTRIBUTES    Or _
                                     FILE_EXECUTE            Or _
                                     SYNCHRONIZE
        
        
        Const FILE_SHARE_READ                = &h00000001   
        Const FILE_SHARE_WRITE               = &h00000002   
        Const FILE_SHARE_DELETE              = &h00000004
        '
        ' AceFlags values for files
        '
        Const OBJECT_INHERIT_ACE = &H1
        Const CONTAINER_INHERIT_ACE = &H2
        Const NO_PROPAGATE_INHERIT_ACE = &H4
        Const INHERIT_ONLY_ACE = &H8
        Const INHERITED_ACE = &H10
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '
    '<<<<<<<<<<<<<<<<<<<<<<<<< Begin IADsSecurityUtility Constants >>>>>>>>>>>>
    '
    ' Supported on XP
    '
    'typedef enum
    '
    ' ADS_PATHTYPE_ENUM
    '
        Const  ADS_PATH_FILE = 1
        Const  ADS_PATH_FILESHARE = 2
        Const  ADS_PATH_REGISTRY = 3
    '
    ' ADS_SD_FORMAT_ENUM
    '
        Const  ADS_SD_FORMAT_IID = 1
        Const  ADS_SD_FORMAT_RAW = 2
        Const  ADS_SD_FORMAT_HEXSTRING = 3
    '
    '<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
    '
'<<<<MAIN>>>>    
  funcFolderPerms
  funcRegPerms
'<<<<End MAIN>>>>

WScript.Echo "Cakewalk Permissions modified."

Function funcRegPerms
    '<<<<<<<<<<<<<<<< Registry Keys to be modified >>>>>>>>>>>>>>>>>>>>>>>>>>
    Dim arrRegKeys(25)
    arrRegKeys(0) = "HKCR\Cakewalk.Application"
    arrRegKeys(1) = "HKCR\Cakewalk.Application\CLSID"
    arrRegKeys(2) = "HKCR\CakewalkProjectFile\CLSID"
    arrRegKeys(3) = "HKCR\CakewalkProjectFile\Insertable"
    arrRegKeys(4) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\server"
    arrRegKeys(5) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\verb\0"
    arrRegKeys(6) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}"
    arrRegKeys(7) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\2"
    arrRegKeys(8) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\3"
    arrRegKeys(9) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\DefaultIcon"
    arrRegKeys(10) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\InprocHandler32"
    arrRegKeys(11) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Insertable"
    arrRegKeys(12) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\LocalServer32"
    arrRegKeys(13) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\MiscStatus"
    arrRegKeys(14) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\ProgID"
    arrRegKeys(15) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\0"
    arrRegKeys(16) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\1"
    arrRegKeys(17) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}"
    arrRegKeys(18) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\InprocHandler32"
    arrRegKeys(19) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\LocalServer32"
    arrRegKeys(20) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\ProgID"
    arrRegKeys(21) = "HKLM\System\CurrentControlSet\Control\MediaResources"
    arrRegKeys(22) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound"
    arrRegKeys(23) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound\Device Presence"
    arrRegKeys(24) = "HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF\DirectSound"
    arrRegKeys(25) = "HKLM\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF"
    '>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Dim dacl, sd, newAce, sdutil, strRegKey
    
    set dacl = createobject("AccessControlList")
    set sd = createobject("SecurityDescriptor")
    set newAce = CreateObject("AccessControlEntry")
    set sdutil = createobject("ADsSecurityUtility")
    
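    For Each strRegKey In arrRegKeys
        WScript.Echo strRegKey
        ' Read the key's current security descriptor and take its DACL
        Set sd = sdUtil.GetSecurityDescriptor (strRegKey, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        ' Allow ACE for Authenticated Users: generic read/write/execute plus
        ' DELETE, WRITE_DAC and WRITE_OWNER (the last two let the trustee
        ' change the key's ACL and owner)
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = ADS_RIGHT_GENERIC_READ Or _
            ADS_RIGHT_GENERIC_EXECUTE Or _
            ADS_RIGHT_GENERIC_WRITE Or _
            ADS_RIGHT_DELETE Or _
            ADS_RIGHT_WRITE_DAC Or _
            ADS_RIGHT_WRITE_OWNER
            
        newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        dacl.AddAce newAce
        
        ' Write the modified security descriptor back to the key
        sdutil.SetSecurityDescriptor strRegKey, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID
    Next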
    WScript.Echo "Set Registry permissions."
End Function


Function funcFolderPerms
    Dim objFSO, strSourceFile, strDestLoc
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strDestLoc = "C:\Program Files\Cakewalk\Cakewalk Music Creator 2003"
    
    'Check for and change folder permissions
    If objFSO.FolderExists(strDestLoc) Then
        'Set Full permissions on the folder
        subSetFolderPerms(strDestLoc)
        WScript.Echo "Set Cakewalk folder permissions."
    End If
End Function
Sub subSetFolderPerms(folderPath)
    Dim dacl, sd, newAce, sdutil, strFile
    Dim arrFiles(0)
    arrFiles(0)= folderPath    ' use the path passed in by the caller
    
    set dacl = createobject("AccessControlList")
    set sd = createobject("SecurityDescriptor")
    set newAce = CreateObject("AccessControlEntry")
    set sdutil = createobject("ADsSecurityUtility")
    
    For Each strFile In arrFiles
        Set sd = sdUtil.GetSecurityDescriptor (strFile, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = GENERIC_ALL
        
        newAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
        newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        dacl.AddAce newAce
        
        sdutil.SetSecurityDescriptor strFile, ADS_PATH_FILE, sd, ADS_SD_FORMAT_IID
    Next
End Sub
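
An added example, not part of the thread or of Roham's script: the same ADsSecurityUtility pattern with a narrower registry grant that omits WRITE_DAC and WRITE_OWNER, skips the write when an equivalent ACE already exists (the posted loop appends a new ACE on every run), and reports existing ACEs that give the trustee control over the ACL or owner. The sub name GrantOnce and the chosen mask (KEY_READ, KEY_SET_VALUE, KEY_CREATE_SUB_KEY) are assumptions about what the application needs, and the trustee comparison assumes the name is returned in the same form it was set.

```vbscript
Option Explicit
' Added example (not from the thread). GrantOnce and the access mask are
' assumptions; confirm which rights the application really needs first.
Const ADS_PATH_REGISTRY = 3
Const ADS_SD_FORMAT_IID = 1
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const INHERIT_ONLY_ACE   = &h8
Const KEY_READ           = &h20019   ' READ_CONTROL + query/enumerate/notify
Const KEY_SET_VALUE      = &h2
Const KEY_CREATE_SUB_KEY = &h4
Const WRITE_DAC          = &h40000
Const WRITE_OWNER        = &h80000
Const GENERIC_ALL        = &h10000000

Dim lngWanted
lngWanted = KEY_READ Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY   ' no WRITE_DAC/WRITE_OWNER

GrantOnce "HKCR\Cakewalk.Application", "NT AUTHORITY\Authenticated Users", lngWanted

Sub GrantOnce(strKey, strTrustee, lngMask)
    Dim sdutil, sd, dacl, ace, newAce, blnPresent
    Set sdutil = CreateObject("ADsSecurityUtility")
    Set sd = sdutil.GetSecurityDescriptor(strKey, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
    Set dacl = sd.DiscretionaryAcl
    blnPresent = False

    ' Walk the existing allow ACEs for this trustee.
    For Each ace In dacl
        If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
            If StrComp(ace.Trustee, strTrustee, vbTextCompare) = 0 Then
                ' Flag entries that let the trustee rewrite the ACL or take ownership.
                If (ace.AccessMask And (WRITE_DAC Or WRITE_OWNER Or GENERIC_ALL)) <> 0 Then
                    WScript.Echo "REVIEW " & strKey & " mask &h" & Hex(ace.AccessMask)
                End If
                ' Covered already: an effective ACE that holds every wanted bit.
                If (ace.AceFlags And INHERIT_ONLY_ACE) = 0 And _
                   (ace.AccessMask And lngMask) = lngMask Then blnPresent = True
            End If
        End If
    Next
    If blnPresent Then Exit Sub   ' idempotent: no duplicate ACE on re-run

    Set newAce = CreateObject("AccessControlEntry")
    newAce.Trustee = strTrustee
    newAce.AccessMask = lngMask
    newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    dacl.AddAce newAce
    sdutil.SetSecurityDescriptor strKey, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID
    WScript.Echo "Granted &h" & Hex(lngMask) & " on " & strKey
End Sub
```

Run it with cscript.exe from an elevated prompt; a key that prints a REVIEW line still carries an ACE that lets the trustee change its permissions or owner.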
