Richard
Wed Feb 11 21:34:45 CST 2004
"me" <me@msn.com> wrote in message
news:erJ$OiK8DHA.2168@TK2MSFTNGP12.phx.gbl...
> I'm getting the error "The permissions on XXXX are incorrectly ordered..."
> on several directories/files on one of my Win2K servers. Is there a way
to
> fix this with vbscript (something that will scan all files/directories on
a
> drive and order the permissions correctly)? I found a reference to this
> (
http://support.microsoft.com/default.aspx?scid=kb;[LN];269159) on google,
> but can't figure out what it's talking about to see if it would help.
>
> Any help is appreciated.
>
Hi,
Based on info in the KB article (or a similar one), I have used the function
below to reorder the ACE's in a DACL. I have used this on objects in Active
Directory, but not file system objects. Still, I believe it would work. See
KB 279682 for code to retrieve the DACL for a folder using AdsSecurity. I
leave it to you to scan your file system. That sounds like a big job.
' Define constants.
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
' Bind to Active Directory object.
Set objComputer = GetObject("LDAP://cn=Idaho,ou=Sales,dc=MyDomain,dc=com")
' Bind to security descriptor.
Set objSecDescriptor = objComputer.Get("ntSecurityDescriptor")
' Retrieve DACL.
Set objDACL = objSecDescriptor.descretionaryACL
' Reorder ACE's in DACL.
objSecDescriptor.discretionaryACL = Reorder(objDACL)
' Update the Computer object.
objComputer.Put "ntSecurityDescriptor", objSecDescriptor
objComputer.SetInfo
Function Reorder(objDACL)
' Reorder ACE's in DACL.
Dim objNewDACL, objInheritedDACL, objAllowDACL, objDenyDACL
Dim objAllowObjectDACL, objDenyObjectDACL, objACE
Set objNewDACL = CreateObject("AccessControlList")
Set objInheritedDACL = CreateObject("AccessControlList")
Set objAllowDACL = CreateObject("AccessControlList")
Set objDenyDACL = CreateObject("AccessControlList")
Set objAllowObjectDACL = CreateObject("AccessControlList")
Set objDenyObjectDACL = CreateObject("AccessControlList")
For Each objACE In objDACL
If ((objACE.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = _
ADS_ACEFLAG_INHERITED_ACE) Then
objInheritedDACL.AddAce objACE
Else
Select Case objACE.AceType
Case ADS_ACETYPE_ACCESS_ALLOWED
objAllowDACL.AddAce objACE
Case ADS_ACETYPE_ACCESS_DENIED
objDenyDACL.AddAce objACE
Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAllowObjectDACL.AddAce objACE
Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
objDenyObjectDACL.AddAce objACE
End Select
End If
Next
For Each objACE In objDenyDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objDenyObjectDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objAllowDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objAllowObjectDACL
objNewDACL.AddAce objACE
Next
For Each objACE In objInheritedDACL
objNewDACL.AddAce objACE
Next
objNewDACL.ACLRevision = objDACL.ACLRevision
Set Reorder = objNewDACL
Set objNewDACL = Nothing
Set objInheritedDACL = Nothing
Set objAllowDACL = Nothing
Set objDenyDACL = Nothing
Set objAllowObjectDACL = Nothing
Set objDenyObjectDACL = Nothing
Set objACE = Nothing
End Function
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site -
http://www.rlmueller.net
--