Managing remote DACLs on fileshares: Win32_ACE to Win32_Share


Question

Goal: Add a local user account share-level Read/Write permissions to an existing file share.

I'm hitting a roadblock in developing this. Apparently Microsoft wants you to add your user's ACE to the DACL and then back into the security descriptor of the share. (1). (No, NET SHARE /ADD is not available for existing shares, I was surprised.)

In theory that should be simple enough, but my main fear is doing it wrong and losing the existing share permissions (lots of network users, specific groups). This solution needs to scale to a few thousand shares. I'm developing the solution to output data about the existing DACL in case I need to back out. I should write code to interpret that log and be prepared to add them back en-masse should anything go wrong.

At the moment I'm using VBScript; I feel PowerShell might be a bit stronger of an approach, but VBScript/WMI is a known quantity.

Research: (1) http://blogs.msdn.com/b/helloworld/archive/2008/07/22/editing-share-permission.aspx

Accepted answer

Copy the existing ACEs to an array:

rc = shareSec.GetSecurityDescriptor(sd)
ReDim acl(UBound(sd.DACL)+1)  '+1 for the new ACE we're going to add
For i = 0 To UBound(sd.DACL)
  Set acl(i) = sd.DACL(i)
Next

Add the new ACE to that array:

Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), 2032127)

The functions NewTrustee() and NewACE() encapsulate the instructions for creating the trustee and the ACE. The number is the access mask for Full Control.

Create a new security descriptor and assign it to the share:

Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl
rc = shareSec.SetSecurityDescriptor(sd)

Check this page for a lot more detailed information about security descriptors, trustees, ACLs and ACEs.

Full script:

Const FullControl  = 2032127   ' 0x1F01FF: share-level Full Control
Const ChangeAccess = 1245631   ' 0x1301BF: share-level Change (read/write)
Const ReadAccess   = 1179817   ' 0x1200A9: share-level Read

' modify these variables according to your requirements:
computer = "."
share    = "..."
username = "..."
domain   = CreateObject("WScript.Network").UserDomain

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" _
  & computer & "/root/cimv2")
' fetch the share's security setting through the same (possibly remote)
' connection, otherwise the share is always looked up on the local machine
Set shareSec = wmi.Get("Win32_LogicalShareSecuritySetting.Name='" _
  & share & "'")

Function NewTrustee(name, domain)
  Dim trustee, account

  Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
  trustee.Name   = name
  trustee.Domain = domain
  ' resolve the account on the target machine so accounts local to it work too
  Set account = wmi.Get("Win32_UserAccount.Domain='" & domain & "',Name='" _
    & name & "'")
  trustee.Properties_.Item("SID") = wmi.Get("Win32_SID.SID='" & account.SID _
    & "'").BinaryRepresentation

  Set NewTrustee = trustee
End Function

Function NewACE(trustee, permissions)
  Dim ace : Set ace = wmi.Get("Win32_Ace").SpawnInstance_
  ace.Properties_.Item("AccessMask") = permissions
  ace.Properties_.Item("AceFlags") = 3  ' OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
  ace.Properties_.Item("AceType") = 0   ' ACCESS_ALLOWED_ACE_TYPE (1 = deny)
  ace.Properties_.Item("Trustee") = trustee
  Set NewACE = ace
End Function

' copy existing ACEs
rc = shareSec.GetSecurityDescriptor(sd)
If rc <> 0 Then
  WScript.Echo "GetSecurityDescriptor failed with return code " & rc
  WScript.Quit 1
End If
flags = sd.ControlFlags
If IsNull(sd.DACL) Then
  ' nothing to copy: abort rather than replace the DACL with a single ACE
  WScript.Echo "Share has no DACL to extend; aborting"
  WScript.Quit 1
End If
ReDim acl(UBound(sd.DACL)+1)  '+1 for the new ACE we're going to add
For i = 0 To UBound(sd.DACL)
  Set acl(i) = sd.DACL(i)
Next
Set sd = Nothing

' add new ACE (appended last, so any existing deny ACEs stay in front of it)
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), FullControl)

' prepare new security descriptor
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl

' assign new security descriptor
rc = shareSec.SetSecurityDescriptor(sd)
If rc <> 0 Then WScript.Echo "SetSecurityDescriptor failed with return code " & rc
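The same WMI procedure in PowerShell, as an added example that is not part of the original question or answer. It addresses the back-out concern raised in the question: before touching a share it writes the current DACL out as an SDDL string (via Win32_SecurityDescriptorHelper on the target host), skips the change if an identical allow ACE already exists so re-runs are idempotent, and provides a restore function that feeds the saved SDDL back into SetSecurityDescriptor. It resolves the trustee with Win32_Account rather than Win32_UserAccount so local groups work as well as local users. Computer, share, account and backup-directory names in the usage lines are placeholders; the script assumes it runs as an administrator of the target host with DCOM/WMI reachable.

```powershell
# Added example (not from the original post): WMI share DACL edit with SDDL backup/restore.
# Share-level access masks; FullControl is the value the VBScript answer uses.
$ShareAccess = @{
    Read        = 1179817   # 0x1200A9
    Change      = 1245631   # 0x1301BF
    FullControl = 2032127   # 0x1F01FF
}

function ConvertTo-WqlLiteral([string]$Value) {
    # Escape for use inside single quotes in a WQL -Filter (share names come from inventory data)
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

function Get-ShareSecuritySetting([string]$Computer, [string]$Share) {
    $s = Get-WmiObject -ComputerName $Computer -Namespace root\cimv2 `
         -Class Win32_LogicalShareSecuritySetting -Filter "Name='$(ConvertTo-WqlLiteral $Share)'"
    if (-not $s) { throw "Share '$Share' not found on $Computer" }
    return $s
}

function Export-ShareDaclSddl([string]$Computer, [string]$Share) {
    # Back-out record: the current descriptor as SDDL, converted on the target host
    $r = (Get-ShareSecuritySetting $Computer $Share).GetSecurityDescriptor()
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($r.ReturnValue)" }
    $helper = [wmiclass]"\\$Computer\root\cimv2:Win32_SecurityDescriptorHelper"
    $c = $helper.Win32SDToSDDL($r.Descriptor)
    if ($c.ReturnValue -ne 0) { throw "Win32SDToSDDL failed: $($c.ReturnValue)" }
    return $c.SDDL
}

function New-ShareTrustee([string]$Computer, [string]$Domain, [string]$Name) {
    # Win32_Account covers users and groups; resolve on the target so accounts local to it work
    $acct = Get-WmiObject -ComputerName $Computer -Class Win32_Account `
            -Filter "Domain='$(ConvertTo-WqlLiteral $Domain)' AND Name='$(ConvertTo-WqlLiteral $Name)'"
    if (-not $acct) { throw "Account $Domain\$Name not found on $Computer" }
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($acct.SID)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    $t = ([wmiclass]"\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
    $t.Domain    = $Domain
    $t.Name      = $Name
    $t.SID       = $bytes
    $t.SIDString = $acct.SID
    return $t
}

function New-ShareAce([string]$Computer, $Trustee, [int]$AccessMask, [int]$AceType = 0) {
    # AceType 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED; AceFlags 3 = OBJECT_INHERIT | CONTAINER_INHERIT
    $ace = ([wmiclass]"\\$Computer\root\cimv2:Win32_Ace").CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = 3
    $ace.AceType    = $AceType
    $ace.Trustee    = $Trustee
    return $ace
}

function Add-ShareAce([string]$Computer, [string]$Share, [string]$Domain, [string]$Name,
                      [int]$AccessMask, [string]$BackupDir) {
    # 1. Save the back-out record before changing anything
    $file = Join-Path $BackupDir ("{0}_{1}.sddl" -f $Computer, $Share)
    Set-Content -Path $file -Value (Export-ShareDaclSddl $Computer $Share) -Encoding ASCII

    $shareSec = Get-ShareSecuritySetting $Computer $Share
    $sd = $shareSec.GetSecurityDescriptor().Descriptor
    $trustee = New-ShareTrustee $Computer $Domain $Name
    $dacl = @($sd.DACL | Where-Object { $_ -ne $null })

    # 2. Idempotence: an identical allow ACE for this SID means nothing to do
    $dup = $dacl | Where-Object { $_.Trustee.SIDString -eq $trustee.SIDString -and
                                  $_.AceType -eq 0 -and $_.AccessMask -eq $AccessMask }
    if ($dup) { return 0 }

    # 3. Append the allow ACE; existing deny ACEs keep their place in front (canonical order)
    $ace = New-ShareAce $Computer $trustee $AccessMask
    $sd.DACL = [System.Management.ManagementBaseObject[]]($dacl + $ace)
    $rc = $shareSec.SetSecurityDescriptor($sd).ReturnValue
    if ($rc -ne 0) { throw "SetSecurityDescriptor on \\$Computer\$Share failed: $rc (backup in $file)" }
    return $rc
}

function Restore-ShareDacl([string]$Computer, [string]$Share, [string]$Sddl) {
    # Rebuild a Win32_SecurityDescriptor from the saved SDDL and write it back
    $helper = [wmiclass]"\\$Computer\root\cimv2:Win32_SecurityDescriptorHelper"
    $c = $helper.SDDLToWin32SD($Sddl)
    if ($c.ReturnValue -ne 0) { throw "SDDLToWin32SD failed: $($c.ReturnValue)" }
    return (Get-ShareSecuritySetting $Computer $Share).SetSecurityDescriptor($c.Descriptor).ReturnValue
}

# Usage with placeholder names: grant a local account Change on one share, then roll it back
# Add-ShareAce -Computer 'FILESRV01' -Share 'Data' -Domain 'FILESRV01' -Name 'svc_backup' `
#              -AccessMask $ShareAccess.Change -BackupDir 'C:\sharebackup'
# Restore-ShareDacl -Computer 'FILESRV01' -Share 'Data' -Sddl (Get-Content 'C:\sharebackup\FILESRV01_Data.sddl' -Raw)
```

Run Add-ShareAce once against a single test share, then diff the .sddl file against a fresh Export-ShareDaclSddl to confirm only one ACE was appended before pointing it at the full share list. On Windows Server 2012 / Windows 8 and later the SmbShare module does the same in one call (`Grant-SmbShareAccess -Name Data -AccountName 'FILESRV01\svc_backup' -AccessRight Change -CimSession FILESRV01 -Force`), with `Get-SmbShareAccess` as the backup source; the WMI route above is what works on older hosts.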
