Roham (IS/IT--Management)
10 Mar 08 11:44
Hi Mark, Thanks for your suggestion, I came across that program in my research. I'm sure it works great, but I'm a minimalist when it comes to scripting. I usually don't want to load extra stuff if I don't have to, since I work with isolated computer labs (public school district) and don't have a homogenous environment.
After I posted my question, I did a lot more research and found many references. Most were in VB and I had trouble translating them to VBScript. I then came across another source where the author listed the constants needed to modify permissions. They are part of my script below.
Apparently the ability to modify the registry permissions did not exist a while back, even in XP. Most of the sources refer to using ADsSecurity.dll from the ADSI 2.5 Resource Kit, but it can no longer be downloaded. After some digging, I found out that the functionality in the ADsSecurity.dll was replaced along the line (I'm guessing XP SP2) with activeds.dll. There are multiple objects (examples in my code below) that can be called in order to modify ACLs in the registry.
So without further ado, here's the script that I wrote to change registry and file settings in order to make Cakewalk Music Creator 2003 run as a limited user. It's one of those old programs that has limited user access bugs.
Option Explicit
' Define some constants:
'
' Define a ADS_RIGHTS_ENUM constants:
'
Const ADS_RIGHT_DELETE = &h10000
Const ADS_RIGHT_READ_CONTROL = &h20000
Const ADS_RIGHT_WRITE_DAC = &h40000
Const ADS_RIGHT_WRITE_OWNER = &h80000
Const ADS_RIGHT_SYNCHRONIZE = &h100000
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &h1000000
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_GENERIC_WRITE = &h40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &h20000000
Const ADS_RIGHT_GENERIC_ALL = &h10000000
Const ADS_RIGHT_DS_CREATE_CHILD = &h1
Const ADS_RIGHT_DS_DELETE_CHILD = &h2
Const ADS_RIGHT_ACTRL_DS_LIST = &h4
Const ADS_RIGHT_DS_SELF = &h8
Const ADS_RIGHT_DS_READ_PROP = &h10
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_DELETE_TREE = &h40
Const ADS_RIGHT_DS_LIST_OBJECT = &h80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Type definitions
'
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = &h1
Const ADS_ACETYPE_SYSTEM_AUDIT = &h2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &h6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &h7
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Flag Constants
'
Const ADS_ACEFLAG_UNKNOWN = &h1
Const ADS_ACEFLAG_INHERIT_ACE = &h2
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &h4
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &h8
Const ADS_ACEFLAG_INHERITED_ACE = &h10
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &h1f
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &h40
Const ADS_ACEFLAG_FAILED_ACCESS = &h80
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
' Flags constants for AD objects
'
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &h2
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
' File Specific Access Rights
'
Const DELETE = &h00010000
Const READ_CONTROL = &h00020000
Const WRITE_DAC = &h00040000
Const WRITE_OWNER = &h00080000
Const SYNCHRONIZE = &h00100000
Const STANDARD_RIGHTS_REQUIRED = &h000F0000
Const STANDARD_RIGHTS_ALL = &h001F0000
Const SPECIFIC_RIGHTS_ALL = &h0000FFFF
Dim STANDARD_RIGHTS_READ : STANDARD_RIGHTS_READ = READ_CONTROL
Dim STANDARD_RIGHTS_WRITE : STANDARD_RIGHTS_WRITE = READ_CONTROL
Dim STANDARD_RIGHTS_EXECUTE: STANDARD_RIGHTS_EXECUTE = READ_CONTROL
'
' AccessSystemAcl access type
'
Const ACCESS_SYSTEM_SECURITY = &h01000000
'
' MaximumAllowed access type
'
Const MAXIMUM_ALLOWED = &h02000000
'
' These are the generic rights.
'
Const GENERIC_READ = &h80000000
Const GENERIC_WRITE = &h40000000
Const GENERIC_EXECUTE = &h20000000
Const GENERIC_ALL = &h10000000
'
' AccessMask constants for FILE ACEs
'
Const FILE_READ_DATA = &h0001 ' file & pipe
Const FILE_LIST_DIRECTORY = &h0001 ' directory
Const FILE_WRITE_DATA = &h0002 ' file & pipe
Const FILE_ADD_FILE = &h0002 ' directory
Const FILE_APPEND_DATA = &h0004 ' file
Const FILE_ADD_SUBDIRECTORY = &h0004 ' directory
Const FILE_CREATE_PIPE_INSTANCE = &h0004 ' named pipe
Const FILE_READ_EA = &h0008 ' file & directory
Const FILE_WRITE_EA = &h0010 ' file & directory
Const FILE_EXECUTE = &h0020 ' file
Const FILE_TRAVERSE = &h0020 ' directory
Const FILE_DELETE_CHILD = &h0040 ' directory
Const FILE_READ_ATTRIBUTES = &h0080 ' all
Const FILE_WRITE_ATTRIBUTES = &h0100 ' all
Dim FILE_ALL_ACCESS : FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &h1FF
Dim FILE_GENERIC_READ : FILE_GENERIC_READ = STANDARD_RIGHTS_READ Or _
    FILE_READ_DATA Or _
    FILE_READ_ATTRIBUTES Or _
    FILE_READ_EA Or _
    SYNCHRONIZE
Dim FILE_GENERIC_WRITE : FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE Or _
    FILE_WRITE_DATA Or _
    FILE_WRITE_ATTRIBUTES Or _
    FILE_WRITE_EA Or _
    FILE_APPEND_DATA Or _
    SYNCHRONIZE
Dim FILE_GENERIC_EXECUTE : FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or _
    FILE_READ_ATTRIBUTES Or _
    FILE_EXECUTE Or _
    SYNCHRONIZE
Const FILE_SHARE_READ = &h00000001
Const FILE_SHARE_WRITE = &h00000002
Const FILE_SHARE_DELETE = &h00000004
'
' AceFlags values for files
'
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const NO_PROPAGATE_INHERIT_ACE = &H4
Const INHERIT_ONLY_ACE = &H8
Const INHERITED_ACE = &H10
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
'<<<<<<<<<<<<<<<<<<<<<<<<< Begin IADsSecurityUtility Constants >>>>>>>>>>>>
'
' Supported on XP
'
'typedef enum
'
' ADS_PATHTYPE_ENUM
'
Const ADS_PATH_FILE = 1
Const ADS_PATH_FILESHARE = 2
Const ADS_PATH_REGISTRY = 3
'
' ADS_SD_FORMAT_ENUM
'
Const ADS_SD_FORMAT_IID = 1
Const ADS_SD_FORMAT_RAW = 2
Const ADS_SD_FORMAT_HEXSTRING = 3
'
'<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
'
'<<<<MAIN>>>>
funcFolderPerms
funcRegPerms
'<<<<End MAIN>>>>
WScript.Echo "Cakewalk Permissions modified."
Function funcRegPerms
    '<<<<<<<<<<<<<<<< Registry Keys to be modified >>>>>>>>>>>>>>>>>>>>>>>>>>
    Dim arrRegKeys(25)
    arrRegKeys(0) = "HKCR\Cakewalk.Application"
    arrRegKeys(1) = "HKCR\Cakewalk.Application\CLSID"
    arrRegKeys(2) = "HKCR\CakewalkProjectFile\CLSID"
    arrRegKeys(3) = "HKCR\CakewalkProjectFile\Insertable"
    arrRegKeys(4) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\server"
    arrRegKeys(5) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\verb\0"
    arrRegKeys(6) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}"
    arrRegKeys(7) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\2"
    arrRegKeys(8) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\3"
    arrRegKeys(9) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\DefaultIcon"
    arrRegKeys(10) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\InprocHandler32"
    arrRegKeys(11) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Insertable"
    arrRegKeys(12) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\LocalServer32"
    arrRegKeys(13) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\MiscStatus"
    arrRegKeys(14) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\ProgID"
    arrRegKeys(15) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\0"
    arrRegKeys(16) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\1"
    arrRegKeys(17) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}"
    arrRegKeys(18) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\InprocHandler32"
    arrRegKeys(19) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\LocalServer32"
    arrRegKeys(20) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\ProgID"
    arrRegKeys(21) = "HKLM\System\CurrentControlSet\Control\MediaResources"
    arrRegKeys(22) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound"
    arrRegKeys(23) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound\Device Presence"
    arrRegKeys(24) = "HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF\DirectSound"
    arrRegKeys(25) = "HKLM\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF"
    '>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Dim dacl, sd, newAce, sdUtil, strRegKey
    Set dacl = CreateObject("AccessControlList")
    Set sd = CreateObject("SecurityDescriptor")
    Set newAce = CreateObject("AccessControlEntry")
    Set sdUtil = CreateObject("ADsSecurityUtility")
    For Each strRegKey In arrRegKeys
        WScript.Echo strRegKey
        ' Read the key's current security descriptor and its DACL
        Set sd = sdUtil.GetSecurityDescriptor (strRegKey, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        ' Allow ACE for Authenticated Users: generic read/write/execute, delete,
        ' plus WRITE_DAC and WRITE_OWNER
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = ADS_RIGHT_GENERIC_READ Or _
            ADS_RIGHT_GENERIC_EXECUTE Or _
            ADS_RIGHT_GENERIC_WRITE Or _
            ADS_RIGHT_DELETE Or _
            ADS_RIGHT_WRITE_DAC Or _
            ADS_RIGHT_WRITE_OWNER
        newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        dacl.AddAce newAce
        ' Write the modified descriptor back to the key
        sdUtil.SetSecurityDescriptor strRegKey, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID
    Next
    WScript.Echo "Set Registry permissions."
End Function
Function funcFolderPerms
    Dim objFSO, strSourceFile, strDestLoc
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strDestLoc = "C:\Program Files\Cakewalk\Cakewalk Music Creator 2003"
    'Check for and change folder permissions
    If objFSO.FolderExists(strDestLoc) Then
        'Set Full permissions on the folder
        subSetFolderPerms strDestLoc
        WScript.Echo "Set Cakewalk folder permissions."
    End If
End Function

Sub subSetFolderPerms(folderPath)
    Dim dacl, sd, newAce, sdUtil, strFile
    Dim arrFiles(0)
    ' Use the path passed in by the caller (the Cakewalk program folder)
    arrFiles(0) = folderPath
    Set dacl = CreateObject("AccessControlList")
    Set sd = CreateObject("SecurityDescriptor")
    Set newAce = CreateObject("AccessControlEntry")
    Set sdUtil = CreateObject("ADsSecurityUtility")
    For Each strFile In arrFiles
        Set sd = sdUtil.GetSecurityDescriptor (strFile, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        ' Allow ACE: GENERIC_ALL for Authenticated Users, inherited by subfolders
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = GENERIC_ALL
        newAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
        newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        dacl.AddAce newAce
        sdUtil.SetSecurityDescriptor strFile, ADS_PATH_FILE, sd, ADS_SD_FORMAT_IID
    Next
End Sub
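To review what a script like the one above leaves behind, this read-only check lists allow ACEs that give a broad trustee WRITE_DAC, WRITE_OWNER or GENERIC_ALL, using the same ADsSecurityUtility object. It is an added example, not part of the original post; the "broad" trustee list, the function names and the choice of the two paths checked are assumptions to adjust.

```vbscript
Option Explicit
' Added audit example (read-only); not part of the original post.
Const ADS_PATH_FILE = 1
Const ADS_PATH_REGISTRY = 3
Const ADS_SD_FORMAT_IID = 1
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const WRITE_DAC = &h40000
Const WRITE_OWNER = &h80000
Const GENERIC_ALL = &h10000000

' Rights that let a trustee rewrite the DACL or take ownership of the object.
Dim CONTROL_RIGHTS : CONTROL_RIGHTS = WRITE_DAC Or WRITE_OWNER Or GENERIC_ALL
' Assumption: trustees considered "broad"; adjust to local policy.
Dim arrBroad : arrBroad = Array("NT AUTHORITY\Authenticated Users", "Everyone", _
                                "BUILTIN\Users", "NT AUTHORITY\INTERACTIVE")

Function IsBroadTrustee(strTrustee)
    Dim strName
    IsBroadTrustee = False
    For Each strName In arrBroad
        If StrComp(strName, strTrustee, vbTextCompare) = 0 Then IsBroadTrustee = True
    Next
End Function

' Returns the number of risky allow ACEs on strPath, or -1 if it cannot be read.
Function CountRiskyAces(sdUtil, strPath, lngPathType)
    Dim sd, ace
    CountRiskyAces = 0
    On Error Resume Next
    Set sd = sdUtil.GetSecurityDescriptor(strPath, lngPathType, ADS_SD_FORMAT_IID)
    If Err.Number <> 0 Then
        ' Missing key/folder or access denied: report it and move on
        WScript.Echo "SKIP  " & strPath & " (error &h" & Hex(Err.Number) & ")"
        CountRiskyAces = -1
        Exit Function
    End If
    On Error GoTo 0
    For Each ace In sd.DiscretionaryAcl
        If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED And IsBroadTrustee(ace.Trustee) Then
            If (ace.AccessMask And CONTROL_RIGHTS) <> 0 Then
                CountRiskyAces = CountRiskyAces + 1
                WScript.Echo "RISKY " & strPath & " | " & ace.Trustee & " | mask=&h" & Hex(ace.AccessMask)
            End If
        End If
    Next
End Function

Dim sdUtil : Set sdUtil = CreateObject("ADsSecurityUtility")
' Two of the paths the post's script modifies.
CountRiskyAces sdUtil, "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\LocalServer32", ADS_PATH_REGISTRY
CountRiskyAces sdUtil, "C:\Program Files\Cakewalk\Cakewalk Music Creator 2003", ADS_PATH_FILE
```

Run it with cscript so the output goes to the console rather than message boxes.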