Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here


Changing permissions on files, folders, and registry keys/values

Changing permissions on files, folders, and registry keys/values

Changing permissions on files, folders, and registry keys/values

Hello out there,
I am constructing a script to fix least user access bugs that I encounter for a particular legacy piece of software.  I need to change security permissions on files and folders as well as registry keys and specific values.

I currently have a subroutine that calls cacls.exe to change the permissions on the files or folders, but I'd like to do it inherent to the script without having to call an executable.  I haven't found a way to do that up to this point.  Any ideas?

My main concern is to be able to change permissions on some registry keys and values as needed to add modify access so that limited Windows users can run the program.  I can't use cacls.exe for this.  I can do this manually, but am not sure how to get it done via a script.

Thanks for any ideas!


RE: Changing permissions on files, folders, and registry keys/values

Here are some resources you can check out.  Subinacl is probably your best solution but note that it does not run against remove systems and does not support x64 platforms.




I hope you find this post helpful.  



Check out my scripting solutions at http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER.  The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier!  Save time, get more work done, get the Admin Script Pack.

RE: Changing permissions on files, folders, and registry keys/values

Hi Mark,
Thanks for your suggestion, I came across that program in my research.  I'm sure it works great, but I'm a minimalist when it comes to scripting.  I usually don't want to load extra stuff if I don't have to, since I work with isolated computer labs (public school district) and don't have a homogenous environment.  

After I posted my question, I did a lot more research and found many references.  Most were in VB and I had trouble translating them to VBScript.  I then came across another source where the author listed the constants needed to modify permissions.  They are part of my script below.

Apparently the ability to modify the registry permissions did not exist a while back, even in XP.  Most of the sources refer to using ADsSecurity.dll from the ADSI 2.5 Resource Kit, but it can no longer be downloaded.  After some digging, I found out that the functionality in the ADsSecurity.dll was replaced along the line (I'm guessing XP SP2) with activeds.dll.  There are multiple objects (examples in my code below) that can be called in order to modify ACL's in the registry.

So without further ado, here's the script that I wrote to change registry and file settings in order to make Cakewalk Music Creator 2003 run as a limited user.  It's one of those old programs that has limited user access bugs.

Option Explicit
    ' Define some constants:
    ' Define a ADS_RIGHTS_ENUM constants:
        const ADS_RIGHT_DELETE                 = &h10000
        const ADS_RIGHT_READ_CONTROL           = &h20000
        const ADS_RIGHT_WRITE_DAC              = &h40000
        const ADS_RIGHT_WRITE_OWNER            = &h80000
        const ADS_RIGHT_SYNCHRONIZE            = &h100000
        const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &h1000000
        Const ADS_RIGHT_GENERIC_READ           = &h80000000
        const ADS_RIGHT_GENERIC_WRITE          = &h40000000
        const ADS_RIGHT_GENERIC_EXECUTE        = &h20000000
        const ADS_RIGHT_GENERIC_ALL            = &h10000000
        const ADS_RIGHT_DS_CREATE_CHILD        = &h1
        const ADS_RIGHT_DS_DELETE_CHILD        = &h2
        const ADS_RIGHT_ACTRL_DS_LIST          = &h4
        const ADS_RIGHT_DS_SELF                = &h8
        const ADS_RIGHT_DS_READ_PROP           = &h10
        const ADS_RIGHT_DS_WRITE_PROP          = &h20
        const ADS_RIGHT_DS_DELETE_TREE         = &h40
        const ADS_RIGHT_DS_LIST_OBJECT         = &h80
        const ADS_RIGHT_DS_CONTROL_ACCESS      = &h100
    ' Ace Type definitions
        const ADS_ACETYPE_ACCESS_ALLOWED           = 0
        const ADS_ACETYPE_ACCESS_DENIED            = &h1
        const ADS_ACETYPE_SYSTEM_AUDIT             = &h2
        const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT      = &h7
    ' Ace Flag Constants
        const ADS_ACEFLAG_UNKNOWN                  = &h1
        const ADS_ACEFLAG_INHERIT_ACE              = &h2
        const ADS_ACEFLAG_INHERIT_ONLY_ACE         = &h8
        const ADS_ACEFLAG_INHERITED_ACE            = &h10
        const ADS_ACEFLAG_VALID_INHERIT_FLAGS      = &h1f
        Const ADS_ACEFLAG_SUCCESSFUL_ACCESS        = &h40
        const ADS_ACEFLAG_FAILED_ACCESS            = &h80
    ' Flags constants for AD objects
        const ADS_FLAG_OBJECT_TYPE_PRESENT           = &h1
    ' File Specific Access Rights
        Const  DELETE                           = &h00010000
        Const  READ_CONTROL                     = &h00020000
        Const  WRITE_DAC                        = &h00040000
        Const  WRITE_OWNER                      = &h00080000
        Const  SYNCHRONIZE                      = &h00100000
        Const  STANDARD_RIGHTS_REQUIRED         = &h000F0000
        Const  STANDARD_RIGHTS_ALL              = &h001F0000     
        Const  SPECIFIC_RIGHTS_ALL              = &h0000FFFF
    '  AccessSystemAcl access type
        Const  ACCESS_SYSTEM_SECURITY           = &h01000000
    '  MaximumAllowed access type
        Const  MAXIMUM_ALLOWED                  = &h02000000
    '   These are the generic rights.
        Const  GENERIC_READ                     = &h80000000
        Const  GENERIC_WRITE                    = &h40000000
        Const  GENERIC_EXECUTE                  = &h20000000
        Const  GENERIC_ALL                      = &h10000000
    ' AccessMask constants for FILE ACEs
        Const FILE_READ_DATA            = &h0001    '  file & pipe
        Const FILE_LIST_DIRECTORY       = &h0001    '  directory
        Const FILE_WRITE_DATA           = &h0002    '  file & pipe
        Const FILE_ADD_FILE             = &h0002    '  directory
        Const FILE_APPEND_DATA          = &h0004    '  file
        Const FILE_ADD_SUBDIRECTORY     = &h0004    '  directory
        Const FILE_CREATE_PIPE_INSTANCE = &h0004    '  named pipe
        Const FILE_READ_EA              = &h0008    '  file & directory
        Const FILE_WRITE_EA             = &h0010    '  file & directory
        Const FILE_EXECUTE              = &h0020    '  file
        Const FILE_TRAVERSE             = &h0020    '  directory
        Const FILE_DELETE_CHILD         = &h0040    '  directory
        Const FILE_READ_ATTRIBUTES      = &h0080    '  all
        Const FILE_WRITE_ATTRIBUTES     = &h0100    '  all
                                   FILE_READ_DATA         Or _
                                   FILE_READ_ATTRIBUTES   Or _
                                   FILE_READ_EA           Or _
                                     FILE_WRITE_DATA        Or _
                                     FILE_WRITE_ATTRIBUTES  Or _
                                     FILE_WRITE_EA          Or _
                                     FILE_APPEND_DATA       Or _
                                     FILE_READ_ATTRIBUTES    Or _
                                     FILE_EXECUTE            Or _
        Const FILE_SHARE_READ                = &h00000001   
        Const FILE_SHARE_WRITE               = &h00000002   
        Const FILE_SHARE_DELETE              = &h00000004
        ' AceFlags values for files
        Const OBJECT_INHERIT_ACE = &H1
        Const INHERIT_ONLY_ACE = &H8
        Const INHERITED_ACE = &H10
    '<<<<<<<<<<<<<<<<<<<<<<<<< Begin IADsSecurityUtility Constants >>>>>>>>>>>>
    ' Supported on XP
    'typedef enum
        Const  ADS_PATH_FILE = 1
        Const  ADS_PATH_FILESHARE = 2
        Const  ADS_PATH_REGISTRY = 3
        Const  ADS_SD_FORMAT_IID = 1
        Const  ADS_SD_FORMAT_RAW = 2
        Const  ADS_SD_FORMAT_HEXSTRING = 3
    '<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
'<<<<End MAIN>>>>

WScript.Echo "Cakewalk Permissions modified."

Function funcRegPerms
    '<<<<<<<<<<<<<<<< Registry Keys to be modified >>>>>>>>>>>>>>>>>>>>>>>>>>
    Dim arrRegKeys(25)
    arrRegKeys(0) = "HKCR\Cakewalk.Application"
    arrRegKeys(1) = "HKCR\Cakewalk.Application\CLSID"
    arrRegKeys(2) = "HKCR\CakewalkProjectFile\CLSID"
    arrRegKeys(3) = "HKCR\CakewalkProjectFile\Insertable"
    arrRegKeys(4) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\server"
    arrRegKeys(5) = "HKCR\CakewalkProjectFile\protocol\StdFileEditing\verb\0"
    arrRegKeys(6) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}"
    arrRegKeys(7) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\2"
    arrRegKeys(8) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\AuxUserType\3"
    arrRegKeys(9) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\DefaultIcon"
    arrRegKeys(10) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\InprocHandler32"
    arrRegKeys(11) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Insertable"
    arrRegKeys(12) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\LocalServer32"
    arrRegKeys(13) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\MiscStatus"
    arrRegKeys(14) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\ProgID"
    arrRegKeys(15) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\0"
    arrRegKeys(16) = "HKCR\CLSID\{0FC60C25-FF6D-11D0-9A6E-00A0C90DA1EF}\Verb\1"
    arrRegKeys(17) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}"
    arrRegKeys(18) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\InprocHandler32"
    arrRegKeys(19) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\LocalServer32"
    arrRegKeys(20) = "HKCR\CLSID\{6AB48C63-2461-11D1-A04E-444553540000}\ProgID"
    arrRegKeys(21) = "HKLM\System\CurrentControlSet\Control\MediaResources"
    arrRegKeys(22) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound"
    arrRegKeys(23) = "HKLM\System\CurrentControlSet\Control\MediaResources\DirectSound\Device Presence"
    arrRegKeys(24) = "HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF\DirectSound"
    arrRegKeys(25) = "HKLM\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ISAPNP\TBA03B0\FFFFFFFF"
    Dim dacl, sd, newAce, sdutil, strRegKey
    set dacl = createobject("AccessControlList")
    set sd = createobject("SecurityDescriptor")
    set newAce = CreateObject("AccessControlEntry")
    set sdutil = createobject("ADsSecurityUtility")
    For Each strRegKey In arrRegKeys
        WScript.Echo strRegKey
        Set sd = sdUtil.GetSecurityDescriptor (strRegKey, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = ADS_RIGHT_GENERIC_READ Or _
            ADS_RIGHT_DELETE Or _
            ADS_RIGHT_WRITE_DAC Or _
        dacl.AddAce newAce
        sdutil.SetSecurityDescriptor strRegKey, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID
    WScript.Echo "Set Registry permissions."
End Function

Function funcFolderPerms
    Dim objFSO, strSourceFile, strDestLoc
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strDestLoc = "C:\Program Files\Cakewalk\Cakewalk Music Creator 2003"
    'Check for and change folder permissions
    If objFSO.FolderExists(strDestLoc) Then
        'Set Full permissions on the folder
        WScript.Echo "Set Cakewalk folder permissions."
    End If
End Function
Sub subSetFolderPerms(folderPath)
    Dim dacl, sd, newAce, sdutil, strFile
    Dim arrFiles(0)
    arrFiles(0)= "C:\Program Files\Cakewalk\Cakewalk Music Creator 2003"
    set dacl = createobject("AccessControlList")
    set sd = createobject("SecurityDescriptor")
    set newAce = CreateObject("AccessControlEntry")
    set sdutil = createobject("ADsSecurityUtility")
    For Each strFile In arrFiles
        Set sd = sdUtil.GetSecurityDescriptor (strFile, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
        Set dacl = sd.DiscretionaryAcl
        newAce.Trustee = "NT AUTHORITY\Authenticated Users"
        newAce.AccessMask = GENERIC_ALL
        newAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
        dacl.AddAce newAce
        sdutil.SetSecurityDescriptor strFile, ADS_PATH_FILE, sd, ADS_SD_FORMAT_IID
End Sub

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close