Windows Vista Forums

Set security DACL issues

  1. #1


    Jason Ferguson Guest

    Set security DACL issues

    Hi,

    I'm trying to debug a script that imports share info to recreate backup
    shares, however I've run into a problem with a line of code:

    PS H:\> $sd = new-object system.management.managementclass Win32_SecurityDescriptor
    PS H:\> $sd

    NameSpace: ROOT\cimv2

    Name                      Methods  Properties
    ----                      -------  ----------
    Win32_SecurityDescriptor  {}       {ControlFlags, DACL, Group, Owner...}

    PS H:\> $sd.DACL = @()

    Gives the error:

    Property 'DACL' cannot be found on this object; make sure it exists and is
    settable.
    At line:1 char:5
    + $sd. <<<< DACL = @()
    + CategoryInfo : InvalidOperation: ( [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException

    Any ideas and pointers to why this is happening? I'm only two weeks into
    working with powershell and am getting to grips with the basics.


  2. #2


    Chris Dent Guest

    Re: Set security DACL issues


    It's part of the Properties set:

    $sd.Properties.DACL

    HTH

    Chris

    Jason Ferguson wrote:

    > Hi,
    >
    > I'm trying to debug a script that imports share info to recreate backup
    > shares, however I've run into a problem with a line of code:
    >
    > PS H:\> $sd = new-object system.management.managementclass Win32_SecurityDescriptor
    > PS H:\> $sd
    >
    > NameSpace: ROOT\cimv2
    >
    > Name                      Methods  Properties
    > ----                      -------  ----------
    > Win32_SecurityDescriptor  {}       {ControlFlags, DACL, Group, Owner...}
    >
    > PS H:\> $sd.DACL = @()
    >
    > Gives the error:
    >
    > Property 'DACL' cannot be found on this object; make sure it exists and is
    > settable.
    > At line:1 char:5
    > + $sd. <<<< DACL = @()
    > + CategoryInfo : InvalidOperation: ( [], RuntimeException
    > + FullyQualifiedErrorId : PropertyAssignmentException
    >
    > Any ideas and pointers to why this is happening? I'm only two weeks into
    > working with powershell and am getting to grips with the basics.


  3. #3


    Jason Ferguson Guest

    Re: Set security DACL issues

    Thanks Chris that makes a bit more sense but I'm still having issues working
    with it.

    PS H:\> $sd.properties.DACL = @()

    Property 'DACL' cannot be found on this object; make sure it exists and is
    settable.
    At line:1 char:16
    + $sd.properties. <<<< DACL = @()
    + CategoryInfo : InvalidOperation: ( [], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException

    I suspect it's something to do with the way the original script was written.


    "Chris Dent" wrote:

    >
    > It's part of the Properties set:
    >
    > $sd.Properties.DACL
    >
    > HTH
    >
    > Chris
    >
    > Jason Ferguson wrote:

    > > Hi,
    > >
    > > I'm trying to debug a script that imports share info to recreate backup
    > > shares, however I've run into a problem with a line of code:
    > >
    > > PS H:\> $sd = new-object system.management.managementclass Win32_SecurityDescriptor
    > > PS H:\> $sd
    > >
    > > NameSpace: ROOT\cimv2
    > >
    > > Name                      Methods  Properties
    > > ----                      -------  ----------
    > > Win32_SecurityDescriptor  {}       {ControlFlags, DACL, Group, Owner...}
    > >
    > > PS H:\> $sd.DACL = @()
    > >
    > > Gives the error:
    > >
    > > Property 'DACL' cannot be found on this object; make sure it exists and is
    > > settable.
    > > At line:1 char:5
    > > + $sd. <<<< DACL = @()
    > > + CategoryInfo : InvalidOperation: ( [], RuntimeException
    > > + FullyQualifiedErrorId : PropertyAssignmentException
    > >
    > > Any ideas and pointers to why this is happening? I'm only two weeks into
    > > working with powershell and am getting to grips with the basics.
    > .
    >


  4. #4


    Chris Dent Guest

    Re: Set security DACL issues


    Hi Jason,

    Apologies, it should have been $SD.Properties["DACL"]. However, if
    you're creating a security descriptor you need the ManagementObject not
    the ManagementClass.

    Extending that with a bit of an example we end up with:

    # A shortcut to create the management class
    $SDClass = [WMIClass]"Win32_SecurityDescriptor"
    # Create a new instance of the management object from the class.
    $SD = $SDClass.CreateInstance()

    # Create an Access Control Entry - shorter version of creation
    $ACE = ([WMIClass]"Win32_ACE").CreateInstance()
    # Create a Trustee
    $Trustee = ([WMIClass]"Win32_Trustee").CreateInstance()
    # Assign a username and domain. Setting a SID is an alternative here.
    $Trustee.Name = "someone"
    $Trustee.Domain = "domain"

    # Assign the trustee to the ACE
    $ACE.Trustee = $Trustee

    # These need values according to the rights you wish to grant
    # An Allow ACE:
    $ACE.AceType = [Security.AccessControl.AceType]::AccessAllowed
    # Full Control:
    $ACE.AccessMask = [Security.AccessControl.FileSystemRights]::FullControl

    # Add the new ACE to the (currently blank) DACL
    $SD.DACL = $ACE

    # etc...

    You're trying to create a Security Descriptor for use with the Create
    method under Win32_Share?

    AccessMask values are here:

    http://msdn.microsoft.com/en-us/libr...temrights.aspx

    AceTypes here:

    http://msdn.microsoft.com/en-us/libr...l.acetype.aspx

    AceFlags aren't really relevant for shares, they tend to be nothing.

    HTH

    Chris
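
The following is an added example, not code from the thread or from either poster. It carries the approach in post #4 through to creating a share: it builds a DACL with more than one ACE, passes the descriptor to Win32_Share.Create, and reads the share ACL back to check it. DOMAIN, the group names, the path, the share name and the helper function New-ShareAce are hypothetical placeholders.

```powershell
# Added example. DOMAIN, the group names, the path and the share name are placeholders.
function New-ShareAce {
    param([string]$Domain, [string]$Name,
          [Security.AccessControl.FileSystemRights]$Rights)
    # CreateInstance() returns a ManagementObject, whose properties are settable;
    # the ManagementClass from the first post only describes the class.
    $trustee = ([WMIClass]'Win32_Trustee').CreateInstance()
    $trustee.Domain = $Domain
    $trustee.Name   = $Name
    $ace = ([WMIClass]'Win32_ACE').CreateInstance()
    $ace.Trustee    = $trustee
    $ace.AceType    = [uint32][Security.AccessControl.AceType]::AccessAllowed
    $ace.AceFlags   = [uint32]0
    $ace.AccessMask = [uint32]$Rights
    $ace
}

# DACL is an array of Win32_ACE; type the array so the wrapped objects convert cleanly.
[System.Management.ManagementBaseObject[]]$dacl = @(
    (New-ShareAce -Domain 'DOMAIN' -Name 'Backup Admins'  -Rights 'FullControl'),
    (New-ShareAce -Domain 'DOMAIN' -Name 'Backup Readers' -Rights 'ReadAndExecute, Synchronize')
)
$sd = ([WMIClass]'Win32_SecurityDescriptor').CreateInstance()
$sd.ControlFlags = [uint32]4      # SE_DACL_PRESENT
$sd.DACL = $dacl

# Fill the Create parameters by name so argument order cannot be mixed up.
$shareClass = [WMIClass]'Win32_Share'
$in = $shareClass.GetMethodParameters('Create')
$in.Path        = 'D:\Backups'
$in.Name        = 'Backups'
$in.Type        = [uint32]0       # 0 = disk drive share
$in.Description = 'Recreated backup share'
$in.Access      = $sd
$out = $shareClass.InvokeMethod('Create', $in, $null)
if ($out.ReturnValue -ne 0) { throw "Win32_Share.Create failed: $($out.ReturnValue)" }

# Read the share ACL back and confirm it holds only the intended entries.
$setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='Backups'"
$setting.GetSecurityDescriptor().Descriptor.DACL | ForEach-Object {
    '{0}\{1} type={2} mask=0x{3:X}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AceType, $_.AccessMask
}
```

Granting each group only the rights it needs, and checking the read-back DACL after an import, avoids recreated shares ending up with broader access than the originals.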
