Changing file/folder permissions

TheMSsForum.com: The Microsoft Software Forum

Hi All

I understand I can call the cacls command from a VB script to alter
permissions on files/folders.

I was just wondering if there is a pure VB way of doing this?

Changing permissions of a folder on a PC which is a member of a domain (if
that makes a diff?)

Thanks
gerryR
Top

RE: Changing file/folder permissions by Jon

Jon
Tue Mar 18 11:31:07 CDT 2008

There is a way but it is much easier to use cacls or xcacls from the resource
kit

The script below is an example of how to set share and ntfs permissions

'================
'ShareSetup.vbs
'Author: Jonathan Warnken - jon.warnken@gmail.com
'Credits: parts of various other posted scripts used
'Requirements: Admin Rights

'Some Addition Lev Shumskii aka WildCat
'Now You may set SecurityDescriptor for NTFS
'and this script work properly under Win2k & Win2k3
'================
Option Explicit

Const FILE_SHARE = 0
Const MAXIMUM_CONNECTIONS = 15
Const strDomain = "Your Domain"
Const PERM_READ = 1179817
Const PERM_MODIFY = 1245631
Const PERM_FULL = 2032127


Dim strComputer
Dim objWMIService
Dim objNewShare

strComputer = "."

Set objWMIService = GetObject("winmgmts:" &
"{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objNewShare = objWMIService.Get("Win32_Share")

'Worked Example
Call sharesec ("C:\Robot", "Robot", "Only Security Department", "Security
Department", Perm_Read, Perm_Modify)

Sub sharesec(Fname, shr, info, account, Share_Perm, NTFS_Perm)
Dim FSO
Dim Services
Dim SecDescClass
Dim SecDesc
Dim Trustee
Dim ACE
Dim Share
Dim InParam
Dim Network
Dim FolderName
Dim AdminServer
Dim ShareName
Dim FolderSecurity
Dim RetVal
Dim SecurityDescriptor
Dim User

FolderName = Fname
AdminServer = "\\" & strComputer
ShareName = shr
**********************START NTFS SECTION ****************
'Write New security descriptor for the FolderName

Set Services =
GetObject("WINMGMTS:{impersonationLevel=impersonate,(Security)}!" &
AdminServer & "\ROOT\CIMV2")
Set SecurityDescriptor = Services.Get("Win32_SecurityDescriptor")

Set FolderSecurity =
GetObject("winmgmts:Win32_LogicalFileSecuritySetting.Path='" & FolderName &
"'")
RetVal = FolderSecurity.GetSecurityDescriptor(SecurityDescriptor)

Set Trustee = SetGroupTrustee(strDomain, account) 'Use SetGroupTrustee for
groups and SetAccountTrustee for users
Set ACE = Services.Get("Win32_Ace").SpawnInstance_
ACE.Properties_.Item("AccessMask") = NTFS_Perm
ACE.Properties_.Item("AceFlags") = 3
ACE.Properties_.Item("AceType") = 0
ACE.Properties_.Item("Trustee") = Trustee
SecurityDescriptor.Properties_.Item("DACL") = Array(ACE)

RetVal = FolderSecurity.SetSecurityDescriptor(SecurityDescriptor)
***************** END NTFS SECTION **********************
'Create new Share

Set Services =
GetObject("WINMGMTS:{impersonationLevel=impersonate,(Security)}!" &
AdminServer & "\ROOT\CIMV2")
Set SecDescClass = Services.Get("Win32_SecurityDescriptor")
Set SecDesc = SecDescClass.SpawnInstance_()

Set Trustee = SetGroupTrustee(strDomain, account) 'Use SetGroupTrustee for
groups and SetAccountTrustee for users
Set ACE = Services.Get("Win32_Ace").SpawnInstance_
ACE.Properties_.Item("AccessMask") = Share_Perm
ACE.Properties_.Item("AceFlags") = 3
ACE.Properties_.Item("AceType") = 0
ACE.Properties_.Item("Trustee") = Trustee
SecDesc.Properties_.Item("DACL") = Array(ACE)
Set Share = Services.Get("Win32_Share")
Set InParam = Share.Methods_("Create").InParameters.SpawnInstance_()
InParam.Properties_.Item("Access") = SecDesc
InParam.Properties_.Item("Description") = Info
InParam.Properties_.Item("Name") = ShareName
InParam.Properties_.Item("Path") = FolderName
InParam.Properties_.Item("MaximumAllowed") = MAXIMUM_CONNECTIONS
InParam.Properties_.Item("Type") = 0
Share.ExecMethod_ "Create", InParam
End Sub


Function SetAccountTrustee(strDomain, strName)
Dim objTrustee
Dim account
Dim accountSID
set objTrustee =
getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
set account =
getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Account.Name='" & strName & "',Domain='" & strDomain &"'")
set accountSID =
getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SID.SID='" & account.SID &"'")
objTrustee.Domain = strDomain
objTrustee.Name = strName
objTrustee.Properties_.item("SID") = accountSID.BinaryRepresentation
set accountSID = nothing
set account = nothing
set SetAccountTrustee = objTrustee
End Function


Function SetGroupTrustee(strDomain, strName)
Dim objTrustee
Dim account
Dim accountSID
set objTrustee =
getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
set account =
getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Group.Name='" & strName & "',Domain='" & strDomain &"'")
set accountSID =
getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SID.SID='" & account.SID &"'")
objTrustee.Domain = strDomain
objTrustee.Name = strName
objTrustee.Properties_.item("SID") = accountSID.BinaryRepresentation
set accountSID = nothing
set account = nothing
set SetGroupTrustee = objTrustee
End Function

Top

Re: Changing file/folder permissions by gerryR

gerryR
Wed Mar 19 04:19:48 CDT 2008

Thanks for the reply John,

Just had anotehr look at cacls and it will probably do what I need without
using VB at all ......

Ahh well, maybe the next thing will force me to use/ learn VB!!


"Jon" <Jon@discussions.microsoft.com> wrote in message
news:EC0E53CE-C1DE-4D1A-98E9-22E0DB33AE87@microsoft.com...
> There is a way but it is much easier to use cacls or xcacls from the
> resource
> kit
>
> The script below is an example of how to set share and ntfs permissions
>
> '================
> 'ShareSetup.vbs
> 'Author: Jonathan Warnken - jon.warnken@gmail.com
> 'Credits: parts of various other posted scripts used
> 'Requirements: Admin Rights
>
> 'Some Addition Lev Shumskii aka WildCat
> 'Now You may set SecurityDescriptor for NTFS
> 'and this script work properly under Win2k & Win2k3
> '================
> Option Explicit
>
> Const FILE_SHARE = 0
> Const MAXIMUM_CONNECTIONS = 15
> Const strDomain = "Your Domain"
> Const PERM_READ = 1179817
> Const PERM_MODIFY = 1245631
> Const PERM_FULL = 2032127
>
>
> Dim strComputer
> Dim objWMIService
> Dim objNewShare
>
> strComputer = "."
>
> Set objWMIService = GetObject("winmgmts:" &
> "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
> Set objNewShare = objWMIService.Get("Win32_Share")
>
> 'Worked Example
> Call sharesec ("C:\Robot", "Robot", "Only Security Department", "Security
> Department", Perm_Read, Perm_Modify)
>
> Sub sharesec(Fname, shr, info, account, Share_Perm, NTFS_Perm)
> Dim FSO
> Dim Services
> Dim SecDescClass
> Dim SecDesc
> Dim Trustee
> Dim ACE
> Dim Share
> Dim InParam
> Dim Network
> Dim FolderName
> Dim AdminServer
> Dim ShareName
> Dim FolderSecurity
> Dim RetVal
> Dim SecurityDescriptor
> Dim User
>
> FolderName = Fname
> AdminServer = "\\" & strComputer
> ShareName = shr
> **********************START NTFS SECTION ****************
> 'Write New security descriptor for the FolderName
>
> Set Services =
> GetObject("WINMGMTS:{impersonationLevel=impersonate,(Security)}!" &
> AdminServer & "\ROOT\CIMV2")
> Set SecurityDescriptor = Services.Get("Win32_SecurityDescriptor")
>
> Set FolderSecurity =
> GetObject("winmgmts:Win32_LogicalFileSecuritySetting.Path='" & FolderName
> &
> "'")
> RetVal = FolderSecurity.GetSecurityDescriptor(SecurityDescriptor)
>
> Set Trustee = SetGroupTrustee(strDomain, account) 'Use SetGroupTrustee for
> groups and SetAccountTrustee for users
> Set ACE = Services.Get("Win32_Ace").SpawnInstance_
> ACE.Properties_.Item("AccessMask") = NTFS_Perm
> ACE.Properties_.Item("AceFlags") = 3
> ACE.Properties_.Item("AceType") = 0
> ACE.Properties_.Item("Trustee") = Trustee
> SecurityDescriptor.Properties_.Item("DACL") = Array(ACE)
>
> RetVal = FolderSecurity.SetSecurityDescriptor(SecurityDescriptor)
> ***************** END NTFS SECTION **********************
> 'Create new Share
>
> Set Services =
> GetObject("WINMGMTS:{impersonationLevel=impersonate,(Security)}!" &
> AdminServer & "\ROOT\CIMV2")
> Set SecDescClass = Services.Get("Win32_SecurityDescriptor")
> Set SecDesc = SecDescClass.SpawnInstance_()
>
> Set Trustee = SetGroupTrustee(strDomain, account) 'Use SetGroupTrustee for
> groups and SetAccountTrustee for users
> Set ACE = Services.Get("Win32_Ace").SpawnInstance_
> ACE.Properties_.Item("AccessMask") = Share_Perm
> ACE.Properties_.Item("AceFlags") = 3
> ACE.Properties_.Item("AceType") = 0
> ACE.Properties_.Item("Trustee") = Trustee
> SecDesc.Properties_.Item("DACL") = Array(ACE)
> Set Share = Services.Get("Win32_Share")
> Set InParam = Share.Methods_("Create").InParameters.SpawnInstance_()
> InParam.Properties_.Item("Access") = SecDesc
> InParam.Properties_.Item("Description") = Info
> InParam.Properties_.Item("Name") = ShareName
> InParam.Properties_.Item("Path") = FolderName
> InParam.Properties_.Item("MaximumAllowed") = MAXIMUM_CONNECTIONS
> InParam.Properties_.Item("Type") = 0
> Share.ExecMethod_ "Create", InParam
> End Sub
>
>
> Function SetAccountTrustee(strDomain, strName)
> Dim objTrustee
> Dim account
> Dim accountSID
> set objTrustee =
> getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
> set account =
> getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Account.Name='"
> & strName & "',Domain='" & strDomain &"'")
> set accountSID =
> getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SID.SID='"
> & account.SID &"'")
> objTrustee.Domain = strDomain
> objTrustee.Name = strName
> objTrustee.Properties_.item("SID") = accountSID.BinaryRepresentation
> set accountSID = nothing
> set account = nothing
> set SetAccountTrustee = objTrustee
> End Function
>
>
> Function SetGroupTrustee(strDomain, strName)
> Dim objTrustee
> Dim account
> Dim accountSID
> set objTrustee =
> getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_
> set account =
> getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Group.Name='"
> & strName & "',Domain='" & strDomain &"'")
> set accountSID =
> getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SID.SID='"
> & account.SID &"'")
> objTrustee.Domain = strDomain
> objTrustee.Name = strName
> objTrustee.Properties_.item("SID") = accountSID.BinaryRepresentation
> set accountSID = nothing
> set account = nothing
> set SetGroupTrustee = objTrustee
> End Function
>

Top

Re: Changing file/folder permissions by mayayana

mayayana
Wed Mar 19 08:48:06 CDT 2008

> Just had anotehr look at cacls and it will probably do what I need without
> using VB at all ......
>
> Ahh well, maybe the next thing will force me to use/ learn VB!!
>

Are you sure you mean VB? VBScript is not
the same as VB, and what Jon posted was not
"pure" of either. It was VBScript using WMI.

VB would use the Windows API, like this:
http://support.microsoft.com/kb/295004/

Then there's also VB.Net, which Microsoft is now
calling just "VB". VBScript, VB and VB.Net are all
entirely different things that would usually use
entirely different methods.

WMI is a scriptable set of methods that runs as a
service on NT systems and provides a number of
functions (mainly related to network administration
chores) that VBScript would otherwise not have
access to.



Top

Re: Changing file/folder permissions by gerryR

gerryR
Wed Mar 19 09:40:34 CDT 2008

Hi Mayayana

Yeah I meant VBScript, forgot that abbreviating it changed it to an entirely
different language ;)


"mayayana" <mayaXXyana1a@mindXXspring.com> wrote in message
news:uw6BjfciIHA.2268@TK2MSFTNGP02.phx.gbl...
>> Just had anotehr look at cacls and it will probably do what I need
>> without
>> using VB at all ......
>>
>> Ahh well, maybe the next thing will force me to use/ learn VB!!
>>
>
> Are you sure you mean VB? VBScript is not
> the same as VB, and what Jon posted was not
> "pure" of either. It was VBScript using WMI.
>
> VB would use the Windows API, like this:
> http://support.microsoft.com/kb/295004/
>
> Then there's also VB.Net, which Microsoft is now
> calling just "VB". VBScript, VB and VB.Net are all
> entirely different things that would usually use
> entirely different methods.
>
> WMI is a scriptable set of methods that runs as a
> service on NT systems and provides a number of
> functions (mainly related to network administration
> chores) that VBScript would otherwise not have
> access to.
>
>
>

Top