Need to clear a value 2

Status
Not open for further replies.

Jerz

MIS
Sep 10, 2004
102
US
How hard can it be, right? The more I learn, the more I learn I need to learn.

I wrote this script to parse all shares in AD and report the 'Everyone' group's ACL (if present) at each NTFS share root folder. It actually works pretty well, but I'm unhappy with one thing. The IPC$ share has no NTFS ACL, and I expect it to return nothing. And it does at 'Point A' the first loop through: echo shows "intcontrolflags:", and strPerms = "No DACL present.....". Somehow, by the time I get to 'Point B', echo shows "intcontrolflags:0". On the next loop, and every successive loop (i.e. the IPC$ share on the next server), it is holding the last value to come out of the previous loop, and strPerms also holds incorrect info held over from the last share enumerated IF A NEW VALUE is not present. If the next enumerated share is not an IPC$, it correctly reports the 'Everyone' group's ACL (or the lack thereof).

OK, I just read that back, and it's confusing. Let me put it another way: Normal share - works every time. IPC$ 'share' - works the first time, does not work again. Incorrectly reports data from the previous normal share.

The checking code is straight from MS, and oddly, "SE_DACL_PRESENT" seems to always equal 4, and it's the value (or lack thereof) of "intcontrolflags" that sends you to the "No DACL present...." message.


Code:
On Error Resume Next
Const ForReading = 1
Const ForWriting = 2
'****************************************************************
'*    Loop through all Computer accounts in AD                  *
'****************************************************************
'Set objFSO4 = CreateObject("Scripting.FileSystemObject")
'Set objTextFile = objFSO4.CreateTextFile(path & "reports\report.csv", True)
on error resume next
Set objRootDSE = GetObject("LDAP://RootDSE") 
strDNSDomain = objRootDSE.Get("defaultNamingContext") 
Set objCommand = CreateObject("ADODB.Command") 
Set objConnection = CreateObject("ADODB.Connection") 
objConnection.Provider = "ADsDSOObject" 
objConnection.Open "Active Directory Provider" 
objCommand.ActiveConnection = objConnection
strDNSDomain = objRootDSE.Get("DefaultNamingContext") 
strBase = "<LDAP://" & strDNSDomain & ">" 
strFilter = "(&(objectCategory=computer)(objectClass=computer))" 
strAttributes = "name,distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree" 
objCommand.CommandText = strQuery 
objCommand.Properties("Page Size") = 100 
objCommand.Properties("Timeout") = 30 
objCommand.Properties("Cache Results") = False 
Set RecordSet0 = objCommand.Execute 
Do Until RecordSet0.EOF 
'  strComputer = RecordSet0.Fields("name")
'  dn = RecordSet0.Fields("distinguishedName")
 strcomputer = "OTM"
 dn="CN=Corp-DC1,OU=Servers,OU=corp,DC=Thadmin,DC=com"
  Set objComputer = GetObject("LDAP://" & dn )
'****************************************************************
'*    Check AD to see if it's a server                          *
'****************************************************************
  strOSName = objComputer.Get("OperatingSystem")
  If instr(strOSName,"Server") <> 0 or instr(strOSName,"NT") <> 0 then
    objTextFile.WriteLine strComputer & ",Connecting and scanning shares NTFS permission settings"
    err.clear
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    If err.number = 0 then
'****************************************************************
'*    Enumerate shares with WMI                                 *
'****************************************************************
      Set colShares = objWMIService.ExecQuery("Select * from Win32_Share")
      For each objShare in colShares
'****************************************************************
'*    Check permission for 'everyone' group with WMI            *
'****************************************************************
        strFolderName = objShare.Path
        strShareName = objShare.name
wscript.echo "Path: " & strFolderName & vbcrlf & "Name: " & strShareName
        If instr(strFolderName,",") = 0 then
          strcsvname = strFolderName
        Else
          half=Split(strFolderName,",")
          strcsvname=half(0) & "_" & half(1)
        end if
        SE_DACL_PRESENT = &h4
        ACCESS_ALLOWED_ACE_TYPE = &h0
        ACCESS_DENIED_ACE_TYPE  = &h1
        FILE_ALL_ACCESS         = &h1f01ff
        FOLDER_ADD_SUBDIRECTORY = &h000004
        FILE_DELETE             = &h010000
        FILE_DELETE_CHILD       = &h000040
        FOLDER_TRAVERSE         = &h000020
        FILE_READ_ATTRIBUTES    = &h000080
        FILE_READ_CONTROL       = &h020000
        FOLDER_LIST_DIRECTORY   = &h000001
        FILE_READ_EA            = &h000008
        FILE_SYNCHRONIZE        = &h100000
        FILE_WRITE_ATTRIBUTES   = &h000100
        FILE_WRITE_DAC          = &h040000
        FOLDER_ADD_FILE         = &h000002
        FILE_WRITE_EA           = &h000010
        FILE_WRITE_OWNER        = &h080000
        Set objFolderSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
        intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)
        intControlFlags = objSD.ControlFlags
wscript.echo "ICF: " & intcontrolflags & vbcrlf & "DACL Present: " & SE_DACL_PRESENT
Point A
Code:
        If intControlFlags AND SE_DACL_PRESENT Then
          strPerms = strComputer & "," & strcsvname & ",Everyone group has no rights here"
          arrACEs = objSD.DACL
          For Each objACE in arrACEs
            If objACE.Trustee.Name = "Everyone" then
              strPerms =  strComputer & "," & strcsvname & "," & objACE.Trustee.Name
              If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
                strPerms = strPerms & " Allowed:"
              ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
                strPerms = strPerms & " Denied:" & vbcrlf
              End If
              If objACE.AccessMask AND FILE_ALL_ACCESS Then
                strPerms = strPerms & ",FILE_ALL_ACCESS "
              End If
              If objACE.AccessMask AND FOLDER_ADD_SUBDIRECTORY Then
                strPerms = strPerms & ",FOLDER_ADD_SUBDIRECTORY "
              End If
              If objACE.AccessMask AND FILE_DELETE Then
                strPerms = strPerms & ",FILE_DELETE "
              End If
              If objACE.AccessMask AND FILE_DELETE_CHILD Then
                strPerms = strPerms  & ",FILE_DELETE_CHILD "
              End If
              If objACE.AccessMask AND FOLDER_TRAVERSE Then
                strPerms = strPerms  & ",FOLDER_TRAVERSE "
              End If
              If objACE.AccessMask AND FILE_READ_ATTRIBUTES Then
                strPerms = strPerms  & ",FILE_READ_ATTRIBUTES "
              End If
              If objACE.AccessMask AND FILE_READ_CONTROL Then
                strPerms = strPerms  & ",FILE_READ_CONTROL "
              End If
              If objACE.AccessMask AND FOLDER_LIST_DIRECTORY Then
                strPerms = strPerms  & ",FOLDER_LIST_DIRECTORY "
              End If
              If objACE.AccessMask AND FILE_READ_EA Then
                strPerms = strPerms  & ",FILE_READ_EA "
              End If
              If objACE.AccessMask AND FILE_SYNCHRONIZE Then
                strPerms = strPerms  & ",FILE_SYNCHRONIZE "
              End If
              If objACE.AccessMask AND FILE_WRITE_ATTRIBUTES Then
                strPerms = strPerms  & ",FILE_WRITE_ATTRIBUTES "
              End If
              If objACE.AccessMask AND FILE_WRITE_DAC Then
                strPerms = strPerms  & ",FILE_WRITE_DAC "
              End If
              If objACE.AccessMask AND FOLDER_ADD_FILE Then
                strPerms = strPerms  & ",FOLDER_ADD_FILE "
              End If
              If objACE.AccessMask AND FILE_WRITE_EA Then
                strPerms = strPerms  & ",FILE_WRITE_EA "
              End If
              If objACE.AccessMask AND FILE_WRITE_OWNER Then
                strPerms = strPerms  & ",FILE_WRITE_OWNER "
              End If
            End If
          Next
        Else
          strPerms = strPerms & "No DACL present in security descriptor"
        End If
'****************************************************************
'*    Write report in CSV file format                           *
'****************************************************************
wscript.echo strperms
'        objTextFile.WriteLine strperms
Point B
Code:
wscript.echo "ICF: " & intcontrolflags & vbcrlf & "DACL Present: " & SE_DACL_PRESENT
        set intControlFlags = null
'        set objFolderSecuritySettings = nothing
      Next
    Else
      objTextFile.WriteLine strComputer & ",is inaccessible - IP/WMI connectivity problem" 
    End if
  End If
  RecordSet0.MoveNext
Loop

I've tried setting the following:

set objFolderSecuritySettings = nothing
set intControlFlags = nothing
set objFolderSecuritySettings = null
set intControlFlags = null
set objFolderSecuritySettings = ""
set intControlFlags = ""
set objFolderSecuritySettings = empty
set intControlFlags = empty

All to no avail. I've also noticed this script uses more and more memory as it runs, and does not seem to ever give any back. Can anyone suggest something to try to clean the slate at the end of each loop?

Thanks,
Jersey


 
And what about this?
Set objSD = Nothing

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
 
I've tried it here:
Code:
wscript.echo strperms
'        objTextFile.WriteLine strperms
wscript.echo "ICF: " & intcontrolflags & vbcrlf & "DACL Present: " & SE_DACL_PRESENT
      Set objSD = Nothing
      Next
    Else
      objTextFile.WriteLine strComputer & ",is inaccessible - IP/WMI connectivity problem" 
    End if
  End If
here:
Code:
              If objACE.AccessMask AND FILE_WRITE_OWNER Then
                strPerms = strPerms  & ",FILE_WRITE_OWNER "
              End If
            End If
          Next
          Set objSD = Nothing
        Else
          strPerms = strPerms & "No DACL present in security descriptor"
        End If
and here:
Code:
        FOLDER_ADD_FILE         = &h000002
        FILE_WRITE_EA           = &h000010
        FILE_WRITE_OWNER        = &h080000
        Set objSD = Nothing
        Set objFolderSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
        intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)
        intControlFlags = objSD.ControlFlags

Same results as before: it works correctly only the first time through. But thanks for the response. Any other ideas?
 
You do realize that the code you posted is only checking one machine, right?

' strComputer = RecordSet0.Fields("name")
' dn = RecordSet0.Fields("distinguishedName")
strcomputer = "OTM"
dn="CN=Corp-DC1,OU=Servers,OU=corp,DC=Thadmin,DC=com"
Set objComputer = GetObject("LDAP://" & dn )

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
Yes, I do. I remarked out the loop to focus on one machine that happens to list IPC$ first coming out of WMI. The shares seem to come out of WMI in no particular order, and this one I picked I can see work the first time. Servers that report something other than IPC$ first never work; by the time IPC$ comes around, the DACL seems to be already tainted.
 
Take out the on error resume next, would you?
 
To clarify, even though I'm processing the same exact machine each time through the loop, the first time through I get "No DACL present in security descriptor" on IPC$, and the second and subsequent times through, I get ",Everyone group has no rights here" on IPC$. Same machine every time.

Something (many things, probably :)) is not getting cleared out for the next iteration. When a server has a folder on which 'everyone' does have rights of some sort immediately preceding IPC$, the script mis-reports those rights as applying to IPC$.
 
Took out 'on error resume next'.

Left:
Code:
        Set objSD = Nothing
        Set objFolderSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")

Same result.
 
With On Error Resume Next in there and no error trapping at all, practically every erratic behaviour you observe is just like looking at a mirage.
 
Tsuji & Dm4Ever,

You are on to something. I had 'on error resume next' in there twice (embarrassed). So the end result is that when the IPC$ share comes around first, there is no folder associated with it, thus strFolderName is null, and consequently
Code:
Set objFolderSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
raises error 'not found', code 80041002; but when the script blazes forward after having looped at least once, intControlFlags, strPerms, & objSD are still hanging around from the last time through the loop, and so it reports bad data.

Clearing these out at the end, and putting back the WMI connection error trap, has resolved my issue.

Stars to you both ;)

Jerz
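As an added example (not code from the thread), here is the per-share check rewritten as a function, so that objSD, intControlFlags and strPerms are local and cannot survive into the next share; it also narrows On Error Resume Next to the one WMI call that can legitimately fail and tests Err right after it. It assumes objWMIService is already bound to the server's root\cimv2 namespace and objShare is one Win32_Share instance from the For Each loop.

```vbscript
' Added example, not code from the thread: one share iteration as a function,
' so objSD / strPerms are local and cannot leak into the next share.
' Assumes objWMIService is bound to \\<server>\root\cimv2 (placeholder name).
Const SE_DACL_PRESENT = &h4
Const ACCESS_DENIED_ACE_TYPE = &h1
Function EveryoneAclReport(objWMIService, strComputer, objShare)
    Dim objFSS, objSD, objACE, intRetVal, strPerms, strFolderName, strType, blnFound
    strFolderName = objShare.Path
    strPerms = strComputer & "," & objShare.Name
    ' IPC$ has no NTFS folder behind it (empty Path): report that and stop,
    ' rather than asking WMI for a security setting that does not exist.
    If IsNull(strFolderName) Or Len(strFolderName) = 0 Then
        EveryoneAclReport = strPerms & ",no NTFS path for this share"
        Exit Function
    End If
    ' Suppress errors only around the one call that can legitimately fail
    ' (the 0x80041002 "not found" from the thread) and test Err at once.
    On Error Resume Next
    Set objFSS = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
    If Err.Number <> 0 Then
        EveryoneAclReport = strPerms & ",WMI error 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    intRetVal = objFSS.GetSecurityDescriptor(objSD)   ' 0 means success
    If intRetVal <> 0 Then
        EveryoneAclReport = strPerms & ",GetSecurityDescriptor returned " & intRetVal
        Exit Function
    End If
    If (objSD.ControlFlags And SE_DACL_PRESENT) = 0 Then
        EveryoneAclReport = strPerms & ",No DACL present in security descriptor"
        Exit Function
    End If
    blnFound = False
    If Not IsNull(objSD.DACL) Then   ' DACL is Null when it holds no ACEs
        For Each objACE In objSD.DACL
            If objACE.Trustee.Name = "Everyone" Then
                blnFound = True
                If objACE.AceType = ACCESS_DENIED_ACE_TYPE Then strType = "Denied" Else strType = "Allowed"
                strPerms = strPerms & ",Everyone " & strType & " mask 0x" & Hex(objACE.AccessMask)
            End If
        Next
    End If
    If Not blnFound Then strPerms = strPerms & ",Everyone group has no rights here"
    EveryoneAclReport = strPerms
    Set objSD = Nothing   ' explicit release, as suggested in the thread
End Function
```

Inside the existing For Each objShare loop, replace the inline check with `WScript.Echo EveryoneAclReport(objWMIService, strComputer, objShare)`; because every intermediate value is a function local, a failed lookup on one share can no longer be reported as that share's ACL.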





 
Whoops. PHV got the star for 'Set objSD = Nothing'. Though appreciated, dm4ever pointing out I wasn't changing computers wasn't terribly helpful, sorry.
 