目标:将本地用户帐户共享级别的读/写入权限到现有文件共享。
我正在开发这一障碍时遇到了障碍。显然,微软希望您将用户的ACE添加到DACL中,然后回到共享的安全描述符中。(1)。(否,净共享/加上现有股票不可用,我感到惊讶。)
理论上应该足够简单,但是我的主要恐惧是做错了并丢失了现有的份额权限(很多网络用户,特定组)。该解决方案需要扩展到几千股。我正在开发解决现有DACL数据的解决方案,以防我需要退出。我应该编写代码来解释该日志,并准备在任何问题上都添加回去。
目前我正在使用vbscript-我觉得PowerShell可能会更强大,但是VBScript/WMI是已知数量。
研究:(1)http://blogs.msdn.com/b/helledorld/archive/2008/07/22/editing-share-permission.aspx
将现有aces复制到数组:
rc = shareSec.GetSecurityDescriptor(sd)
ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACL we're going to add
For i = 0 To UBound(sd.DACL)
Set acl(i) = sd.DACL(i)
Next
将新王牌添加到该数组:
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), 2032127)
功能NewTrustee()和NewACE()封装了创建受托人和ACE的指令。该数字是完全控制的访问掩码。
创建一个新的安全描述符并将其分配给共享:
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl
rc = shareSec.SetSecurityDescriptor(sd)
检查此页面以获取有关安全描述符,受托人,ACL和ACE的更多详细信息。
完整脚本:
Const FullControl = 2032127
' modify these variables according to your requirements:
computer = "."
share = "..."
username = "..."
domain = CreateObject("WScript.Network").UserDomain
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" _
& computer & "/root/cimv2")
Set shareSec = GetObject("winmgmts:Win32_LogicalShareSecuritySetting.Name='" _
& share & "'")
Function NewTrustee(name, domain)
Dim trustee, account
Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
trustee.Name = name
trustee.Domain = domain
Set account = wmi.Get("Win32_UserAccount.Domain='" & domain & "',Name='" _
& name & "'")
trustee.Properties_.Item("SID") = wmi.Get("Win32_SID.SID='" & account.SID _
& "'").BinaryRepresentation
Set NewTrustee = trustee
End Function
Function NewACE(trustee, permissions)
Dim ace : Set ace = wmi.Get("Win32_Ace").SpawnInstance_
ace.Properties_.Item("AccessMask") = permissions
ace.Properties_.Item("AceFlags") = 3
ace.Properties_.Item("AceType") = 0
ace.Properties_.Item("Trustee") = trustee
Set NewACE = ace
End Function
' copy existing ACEs
rc = shareSec.GetSecurityDescriptor(sd)
flags = sd.ControlFlags
ReDim acl(UBound(sd.DACL)+1) '+1 for the new ACL we're going to add
For i = 0 To UBound(sd.DACL)
Set acl(i) = sd.DACL(i)
Next
Set sd = Nothing
' add new ACE
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), FullControl)
' prepare new security descriptor
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl
' assign new security descriptor
rc = shareSec.SetSecurityDescriptor(sd)