Managing remote DACLs on fileshares: Win32_ACE to Win32_Share - vbscript

Goal: Add a local user account share-level Read/Write permissions to an existing file share.
I'm hitting a roadblock in developing this. Apparently Microsoft wants you to add your user's ACE to the DACL and then back into the security descriptor of the share. (1). (No, NET SHARE /ADD is not available for existing shares, I was surprised.)
In theory that should be simple enough, but my main fear is doing it wrong and losing the existing share permissions (lots of network users, specific groups). This solution needs to scale to a few thousand shares. I'm developing the solution to output data about the existing DACL in case I need to back out. I should write code to interpret that log and be prepared to add them back en-masse should anything go wrong.
At the moment I'm using VBscript-- I feel PowerShell might be a bit stronger of an approach but VBscript/WMI is a known quantity.
Research:
(1) http://blogs.msdn.com/b/helloworld/archive/2008/07/22/editing-share-permission.aspx

Copy the existing ACEs to an array:
rc = shareSec.GetSecurityDescriptor(sd)
ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACL we're going to add
For i = 0 To UBound(sd.DACL)
Set acl(i) = sd.DACL(i)
Next
Add the new ACE to that array:
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), 2032127)
The functions NewTrustee() and NewACE() encapsulate the instructions for creating the trustee and the ACE. The number is the access mask for Full Control.
Create a new security descriptor and assign it to the share:
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl
rc = shareSec.SetSecurityDescriptor(sd)
Check this page for a lot more detail information about security descriptors, trustees, ACLs and ACEs.
Full script:
Const FullControl = 2032127
' modify these variables according to your requirements:
computer = "."
share = "..."
username = "..."
domain = CreateObject("WScript.Network").UserDomain
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" _
& computer & "/root/cimv2")
Set shareSec = GetObject("winmgmts:Win32_LogicalShareSecuritySetting.Name='" _
& share & "'")
Function NewTrustee(name, domain)
Dim trustee, account
Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
trustee.Name = name
trustee.Domain = domain
Set account = wmi.Get("Win32_UserAccount.Domain='" & domain & "',Name='" _
& name & "'")
trustee.Properties_.Item("SID") = wmi.Get("Win32_SID.SID='" & account.SID _
& "'").BinaryRepresentation
Set NewTrustee = trustee
End Function
Function NewACE(trustee, permissions)
Dim ace : Set ace = wmi.Get("Win32_Ace").SpawnInstance_
ace.Properties_.Item("AccessMask") = permissions
ace.Properties_.Item("AceFlags") = 3
ace.Properties_.Item("AceType") = 0
ace.Properties_.Item("Trustee") = trustee
Set NewACE = ace
End Function
' copy existing ACEs
rc = shareSec.GetSecurityDescriptor(sd)
flags = sd.ControlFlags
ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACL we're going to add
For i = 0 To UBound(sd.DACL)
Set acl(i) = sd.DACL(i)
Next
Set sd = Nothing
' add new ACE
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), FullControl)
' prepare new security descriptor
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl
' assign new security descriptor
rc = shareSec.SetSecurityDescriptor(sd)

Related

How to get MST properties from vbscript

So, I am creating a vbscript that will read an MSI and MST file. The idea is that if the user that will run the script is testing an MSI with an MST file involved, the script should create a "report" of the new properties that this MST have.
I am able to get the properties from a regular MSI, the problem is when I am trying to get into the MST section. While doing research I found out about the _TransformView Table and this should help me to obtain this information but I think I am not sure I know how to handle that table.
Const msiTransformErrorViewTransform = 256
Const msiOpenDB = 2
Dim FS, TS, WI, DB, View, Rec
Set WI = CreateObject("WindowsInstaller.Installer")
Set DB = WI.OpenDatabase(msiPath,msiOpenDB)
DB.ApplyTransform mstPath, msiTransformErrorViewTransform
If Err.number Then
Exit Function
End If
For i = 0 To 24 'Number of properties on the arrPropertyList
Set View = DB.OpenView("Select `Value` From Property WHERE `Property` = " & "'" & arrPropertyList(i) & "'")
View.Execute
Set Rec = View.Fetch
If Not Rec Is Nothing Then
objLog.WriteLine arrPropertyList(i) & " = " & Rec.StringData(1)
End If
Next
That code will display the msi properties that I have added on the arrPropertyList. The thing is that I am looking for the MST properties and I am only getting the MSI ones. I know that I should change the Query to access the _TransformView Table when calling the DB.OpenView but not sure how can I get to this information! Any knowledge you can share would be welcome.
It works slightly differently to what you think. Run the following to see what I mean (maybe force the VBS to run with Cscript.exe from a command prompt if you're expecting a lot of output):
'create 2 constants - one for when we want to just query the MSI (read) and one for when we want to make changes (write)
Const msiOpenDatabaseModeReadOnly = 0
Const msiOpenDatabaseModeTransact = 1
Const msiTransformErrorViewTransform = 256
'create WindowsInstaller.Installer object
Dim oInstaller : Set oInstaller = CreateObject("WindowsInstaller.Installer")
'open the MSI (the first argument supplied to the vbscript)
Dim oDatabase : Set oDatabase = oInstaller.OpenDatabase("C:\Temp\Temp.msi",msiOpenDatabaseModeReadOnly)
oDatabase.ApplyTransform "C:\Temp\Temp.mst", msiTransformErrorViewTransform
'create a view of the registry we want to see
Dim sql : sql = "SELECT * FROM `_TransformView`"
Dim regView : Set regView = oDatabase.OpenView(sql)
'execute the query
regView.Execute
'fetch the first row of data (if there is one!)
Dim regRecord : Set regRecord = regView.Fetch
'whilst we've returned a row and therefore regRecord is not Nothing
While Not regRecord Is Nothing
'print out the registry key
wscript.echo "Table: " & regRecord.StringData(1)
wscript.echo "Column: " & regRecord.StringData(2)
wscript.echo "Row: " & regRecord.StringData(3)
wscript.echo "Data: " & regRecord.StringData(4)
wscript.echo "Current: " & regRecord.StringData(5)
wscript.echo "***"
'go and fetch the next row of data
Set regRecord = regView.Fetch
Wend
regView.Close
Set regView = Nothing
Set regRecord = Nothing
Set oDatabase = Nothing
Set oInstaller = Nothing
So if you only wanted to see changes in the Property table, you would change the SQL query to:
Dim sql : sql = "SELECT * FROM `_TransformView` WHERE `Table` = 'Property'"
As well as storing the column names of the changed entries, the 'Column' column in the '_TransformView' table also stores whether the value was inserted, removed etc by using the values:
INSERT, DELETE, CREATE, or DROP.
You can find lots of VBScript Windows Installer tutorials for reference - don't forget to set your objects to Nothing otherwise you'll leave handles open. And of course use the link you provided for further reference.
WiLstXfm.vbs: Are you familiar with the MSI SDK sample: wilstxfm.vbs (View a Transform)? It can be used to view transform files. Usage is as follows:
cscript.exe WiLstXfm.vbs MySetup.msi MySetup.mst
Mock-up output:
Property Value [INSTALLLEVEL] {100}->{102}
File DELETE [Help.chm]
I think all you need is in there? Maybe give it a quick look. There is a whole bunch of such MSI API Samples - for all kinds of MSI purposes.
Github.com / Windows SDK: These VBScripts are installed with the Windows SDK, so you can find them on your local disk if you have Visual Studio installed, but you can also find them on Github.com:
Github: WiLstXfm.vbs - Microsoft repository on github.com.
Disk: On your local disk, search under Program Files (x86) if you have Visual Studio installed. Current Example: %ProgramFiles(x86)%\Windows Kits\10\bin\10.0.17763.0\x86.

VB Script - Mailbox permissions finder

I've come across the following setting and trying to figure out what an AceFlag value of 18 means, context is below:
dn = "LDAP://" & replace(rs.Fields("distinguishedName").Value,"/","\/")
set objuser = getobject(dn)
Set oSecurityDescriptor = objuser.Get("msExchMailboxSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
For Each ace In dacl
if ace.AceFlags <> 18 then
end if
Anyone got any ideas?
It means that the ACE an inherited container ACE (0x10 + 0x02). See here.

ADS user details - subdomain - from vbs file

I managed to get ADS users without specifying authentication details from my ADS domain(ex,mydomain.com). I used ADODB.Connection and ADODB.Command.
I also have sub-domains like test.mydomain.com. How to get user details from sub-domain, by specifying authentication details of a user belonging to test.mydomain.com .
You can query records from trusted domains by using their LDAP name as the search base. However, since the DC of the parent domain doesn't contain the information about objects in the child domain it will generate a referral. The ADODB.Command object won't automatically chase that referral, because the respective named property "Chase referrals" defaults to 0x00 (ADS_CHASE_REFERRALS_NEVER). You have to set the property to one of the following two values
ADS_CHASE_REFERRALS_SUBORDINATE (0x20)
ADS_CHASE_REFERRALS_ALWAYS (0x60)
to make your query follow the referral. Example:
base = "<LDAP://dc=test,dc=example,dc=org>"
filter = "(&(objectCategory=computer)(name=foo*))"
attr = "name,description"
scope = "subtree"
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = base & ";" & filter & ";" & attr & ";" & scope
cmd.Properties("Chase referrals") = &h60 ' <-- here
Set rs = cmd.Execute
I wrote a wrapper class (ADQuery) to encapsulate the boilerplate code for Active Directory queries (because I got fed up with writing it over and over again). With that you could simplify the above to something like this:
Set qry = New ADQuery
qry.SearchBase = "dc=test,dc=example,dc=org"
qry.Filter = "(&(objectCategory=computer)(name=foo*))"
qry.Attributes = Array("name", "description")
Set rs = qry.Execute
Either way you may still need to run the script on a DC, though.

How to automate Public folder calender to show in Favorite Folder of mail

How to automate the process to show my public folder calender in Mail Favorite folder?
I wanted to do it either by login script or by group policy.
I am using Microsoft Exchange server 2007 with Windows Server 2008 R2 and Domain controller running Windows Server 2003 R2.
All workstation system have either Outlook 2010 or Outlook 2007.
While searching on this I found the script below, but by this script (already modified the path) I am just able to make public folder calender to show in public folder favorite but not in mail favorite folder.
Const olPublicFoldersAllPublicFolders = 18
Dim olkApp, olkSes, olkFolder
Set olkApp = CreateObject("Outlook.Application")
Set olkSes = olkApp.GetNameSpace("MAPI")
'Change the profile name on the next line'
olkSes.Logon "Outlook"
'Change the folder name on the next line. Repeat the next two lines for each folder
you want to add.'
Set olkFolder =
olkSes.GetDefaultFolder(olPublicFoldersAllPublicFolders).Folders("Public
calender").Folders("p cal")
olkFolder.AddToPFFavorites
'Change the folder name on the next line. Repeat the next two lines for each folder
you want to add.'
Set olkFolder = OpenOutlookFolder("Public Folders\Favorites\P cal")
AddFavoriteFolder olkFolder
olkSes.Logoff
Set olkApp = Nothing
Set olkSes = Nothing
Set olkFolder = Nothing
WScript.Quit
Sub AddFavoriteFolder(olkFolder)
' Purpose: Add a folder to Favorite Folders.'
' Written: 5/2/2009'
' Author: BlueDevilFan'
' Outlook: 2007'
Const olModuleMail = 0
Const olFavoriteFoldersGroup = 4
Dim olkPane, olkModule, olkGroup
Set olkPane = olkApp.ActiveExplorer.NavigationPane
Set olkModule = olkPane.Modules.GetNavigationModule(olModuleMail)
Set olkGroup =
olkModule.NavigationGroups.GetDefaultNavigationGroup(olFavoriteFoldersGroup)
olkGroup.NavigationFolders.Add olkFolder
Set olkPane = Nothing
Set olkModule = Nothing
Set olkGroup = Nothing
End Sub
Function OpenOutlookFolder(strFolderPath)
' Purpose: Opens an Outlook folder from a folder path.'
' Written: 4/24/2009'
' Author: BlueDevilFan'
' Outlook: All versions'
Dim arrFolders, varFolder, bolBeyondRoot
On Error Resume Next
If strFolderPath = "" Then
Set OpenOutlookFolder = Nothing
Else
Do While Left(strFolderPath, 1) = "\"
strFolderPath = Right(strFolderPath, Len(strFolderPath) - 1)
Loop
arrFolders = Split(strFolderPath, "\")
For Each varFolder In arrFolders
Select Case bolBeyondRoot
Case False
Set OpenOutlookFolder = olkSes.Folders(varFolder)
bolBeyondRoot = True
Case True
Set OpenOutlookFolder = OpenOutlookFolder.Folders(varFolder)
End Select
If Err.Number <> 0 Then
Set OpenOutlookFolder = Nothing
Exit For
End If
Next
End If
On Error GoTo 0
End Function
You can't do this. You can only add mail folders or search folders to the Mail Favorites view. Quoting Outlook's help, Favorites contain "shortcuts to folders such as your Inbox, Sent Items, and Search Folders. You can add, remove, and arrange folders [...] access your mail folders more easily" (my emphasis).
From MSFT's point of view, this is logically consistent.
Adding a public object to your public folder favorites is the type of activity that a user is expected to do infrequently. So it's not appropriate to handle that in a login script. It's like adding resources to your personal library of information, eg a folder with project status or manuals.
Adding a mail folder to your Mail Favorites is a quick and dirty trick for frequently used items. This is more like adding a bookmark.
You could argue that if you have to set up a large number of users that all need access to a public folder, that it makes sense to handle that in a login script, and that is fine, but again, it would be adding it to the public folder favotires, not the mail one....and you've have to have code to not create the favorite if it already existed.

Secure LDAP object manipulation with VBscript using alternate credentials

I'm aware of using ADsDSOobject with explicit credentials to connect to an AD object to read attributes, list members, etc. And the GetObject("LDAP//...") method for manipulating those objects (adding group members, changing properties, etc.), but is there a way to manipulate attributes and memberships with explicit credentials?
The first method I'm referring to is something like...
Set conn = Server.CreateObject("ADODB.Connection")
Set cmd = Server.CreateObject("ADODB.Command")
conn.Provider = "ADsDSOobject"
conn.Properties("User ID") = AD_Username
conn.Properties("Password") = AD_Password
conn.Properties("Encrypt Password") = True
conn.Open "Active Directory Provider"
Set cmd.ActiveConnection = conn
But none of the script examples that perform tasks like adding a user to a domain group can use this approach as far as I know. Is there a way to do that somehow?
In VBScript, very often, you are using ADSI to add user to group. Here is a sample code to add a user to a domain group
Set objUser = GetObject("LDAP://CN=jeffsmith,DC=fabrikam,DC=com")
Set objGroup = GetObject("LDAP://CN=group1,DC=fabrikam,DC=com")
objGroup.add(objUser.ADsPath)
It works fine but it's always using your current user credentails. It's because GetObject doesn't allow you to specify alternate credentials.
To specify another credentails, you need to replace GetObject by OpenDSObject
Const ADS_SECURE_AUTHENTICATION = 1
Set openDS = GetObject("LDAP:")
Set objUser = openDS.OpenDSObject("LDAP://CN=jeffsmith,DC=fabrikam,DC=com",
"username",
"password",
ADS_SECURE_AUTHENTICATION)
Set objGroup = openDS.OpenDSObject("LDAP://CN=group1,DC=fabrikam,DC=com",
"username",
"password",
ADS_SECURE_AUTHENTICATION)
objGroup.add(objUser.ADsPath)

Resources