• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

ACL and deleted groups

T

Thijs

#1
Hi, I'm writing a script which writes the ACL of folders to a file.
This work fine however there are folders that show deleted groups in the ACL.
In the file you only see blanc's where domain and groups should have been
displayed.

Is there a way to "show" the deleted folder (it shows on ACL as S-1)

see the script below.

kind regards,

Thijs

Dim Tekst
On Error Resume Next

'versie 4 voor MS001

Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set filesys = CreateObject("Scripting.FileSystemObject")

Set FileTXT=FileSYS.GetFile("MS001-folder-ACL.txt")
Datum = FileTXT.DateLastModified
Jaar = DatePart("yyyy", Datum)
Maand = DatePart("m", Datum)
Dag = DatePart("d", Datum)
FileSYS.MoveFile "MS001-folder-ACL.txt", Jaar & "-" & Maand & "-" & Dag &
"-" & "MS001-folder-ACL.txt"

Set filetxt = filesys.OpenTextFile("1st_level.txt", ForAppending, True)

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colSubfolders = objWMIService.ExecQuery _
("Associators of {Win32_Directory.Name='E:\project'} " _
& "Where AssocClass = Win32_Subdirectory " _
& "ResultRole = PartComponent")

For Each objFolder In colSubfolders
filetxt.WriteLine(objFolder.Name)
Next

filetxt.close

Set filetxt = filesys.OpenTextFile("1st_level.txt", ForReading, True)

' -----------
Set filetxt = filesys.OpenTextFile("1st_level.txt", ForReading, True)
Set filetxt3 = filesys.OpenTextFile("MS001-folder-ACL.txt", ForAppending,
True)

SE_DACL_PRESENT = &h4
ACCESS_ALLOWED_ACE_TYPE = &h0
ACCESS_DENIED_ACE_TYPE = &h1

FILE_ALL_ACCESS = &h1f01ff
FOLDER_ADD_SUBDIRECTORY = &h000004
FILE_DELETE = &h010000
FILE_DELETE_CHILD = &h000040
FOLDER_TRAVERSE = &h000020
FILE_READ_ATTRIBUTES = &h000080
FILE_READ_CONTROL = &h020000
FOLDER_LIST_DIRECTORY = &h000001
FILE_READ_EA = &h000008
FILE_SYNCHRONIZE = &h100000
FILE_WRITE_ATTRIBUTES = &h000100
FILE_WRITE_DAC = &h040000
FOLDER_ADD_FILE = &h000002
FILE_WRITE_EA = &h000010
FILE_WRITE_OWNER = &h080000

FileTxt3.WriteLine("Foldername" & vbtab & "Domain" & vbtab & "Security
Group" & vbtab & "Permissions" & vbtab & "Cumulatief")

While Not filetxt.AtEndOfStream
strFolderName = filetxt.readline

Set objWMIService = GetObject("winmgmts:")
Set objFolderSecuritySettings = _
objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)

intControlFlags = objSD.ControlFlags
If intControlFlags AND SE_DACL_PRESENT Then
arrACEs = objSD.DACL
For Each objACE in arrACEs
'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
objACE.Trustee.Name)
If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
objACE.Trustee.Name & ";Allowed:")
ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
objACE.Trustee.Name & ";Denied:")
End If
If objACE.AccessMask AND FILE_ALL_ACCESS Then
Result=Result + FILE_ALL_ACCESS
End If
If objACE.AccessMask AND FOLDER_ADD_SUBDIRECTORY Then
Result=Result + FOLDER_ADD_SUBDIRECTORY
End If
If objACE.AccessMask AND FILE_DELETE Then
Result=Result + FILE_DELETE
End If
If objACE.AccessMask AND FILE_DELETE_CHILD Then
Result=Result + FILE_DELETE_CHILD
End If
If objACE.AccessMask AND FOLDER_TRAVERSE Then
Result=Result + FOLDER_TRAVERSE
End If
If objACE.AccessMask AND FILE_READ_ATTRIBUTES Then
Result=Result + FILE_READ_ATTRIBUTES
End If
If objACE.AccessMask AND FILE_READ_CONTROL Then
Result=Result + FILE_READ_CONTROL
End If
If objACE.AccessMask AND FOLDER_LIST_DIRECTORY Then
Result=Result + FOLDER_LIST_DIRECTORY
End If
If objACE.AccessMask AND FILE_READ_EA Then
Result=Result + FILE_READ_EA
End If
If objACE.AccessMask AND FILE_SYNCHRONIZE Then
Result=Result + FILE_SYNCHRONIZE
End If
If objACE.AccessMask AND FILE_WRITE_ATTRIBUTES Then
Result=Result + FILE_WRITE_ATTRIBUTES
End If
If objACE.AccessMask AND FILE_WRITE_DAC Then
Result=Result + FILE_WRITE_DAC
End If
If objACE.AccessMask AND FOLDER_ADD_FILE Then
Result=Result + FOLDER_ADD_FILE
End If
If objACE.AccessMask AND FILE_WRITE_EA Then
Result=Result + FILE_WRITE_EA
End If
If objACE.AccessMask AND FILE_WRITE_OWNER Then
Result=Result + FILE_WRITE_OWNER
End If
strcheckname=objAce.Trustee.sid
WScript.Echo strcheckName &vbTab& objace.trustee.sid
If strcheckname = "" Then
strname= "Deleted"
Else
strname=objAce.Trustee.name
End If

Select Case Result
Case 3211944
filetxt3.WriteLine (strFolderName & vbTab & objACE.Trustee.Domain
& vbTab & objACE.Trustee.Name & vbTab & "Read&Execute" & vbTab & Result)
Case 3277758
filetxt3.WriteLine (strFolderName & vbTab & objACE.Trustee.Domain
& vbTab & objACE.Trustee.Name & vbTab & "Modify" & vbTab & Result)
Case 4064254
filetxt3.WriteLine (strFolderName & vbTab & objACE.Trustee.Domain
& vbTab & objACE.Trustee.Name & vbTab & "Full Control" & vbTab & Result)
Case Else
filetxt3.WriteLine (strFolderName & vbTab & objACE.Trustee.Domain
& vbTab & objACE.Trustee.Name & vbTab & "Special Permissions" & vbTab &
Result)
End Select
Next
Else
WScript.Echo "No DACL present in security descriptor"
End If
Wend
filetxt.Close
filetxt2.Close
filetxt3.Close
WScript.Echo "Done"
filesys.DeleteFile("1st_level.txt")
 

My Computer

A

Allan

#2
I find using fileacl works better than a script that complicated.

Try this:
http://www.microsoft.com/downloads/...EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en

Thanks,
Allan

"Thijs" <Thijs@xxxxxx> wrote in message
news:491135F3-C5EA-48BD-9BB8-748E9C83E756@xxxxxx

> Hi, I'm writing a script which writes the ACL of folders to a file.
> This work fine however there are folders that show deleted groups in the
> ACL.
> In the file you only see blanc's where domain and groups should have been
> displayed.
>
> Is there a way to "show" the deleted folder (it shows on ACL as S-1)
>
> see the script below.
>
> kind regards,
>
> Thijs
>
> Dim Tekst
> On Error Resume Next
>
> 'versie 4 voor MS001
>
> Const ForReading = 1, ForWriting = 2, ForAppending = 8
> Set filesys = CreateObject("Scripting.FileSystemObject")
>
> Set FileTXT=FileSYS.GetFile("MS001-folder-ACL.txt")
> Datum = FileTXT.DateLastModified
> Jaar = DatePart("yyyy", Datum)
> Maand = DatePart("m", Datum)
> Dag = DatePart("d", Datum)
> FileSYS.MoveFile "MS001-folder-ACL.txt", Jaar & "-" & Maand & "-" & Dag &
> "-" & "MS001-folder-ACL.txt"
>
> Set filetxt = filesys.OpenTextFile("1st_level.txt", ForAppending, True)
>
> strComputer = "."
>
> Set objWMIService = GetObject("winmgmts:" _
> & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
>
> Set colSubfolders = objWMIService.ExecQuery _
> ("Associators of {Win32_Directory.Name='E:\project'} " _
> & "Where AssocClass = Win32_Subdirectory " _
> & "ResultRole = PartComponent")
>
> For Each objFolder In colSubfolders
> filetxt.WriteLine(objFolder.Name)
> Next
>
> filetxt.close
>
> Set filetxt = filesys.OpenTextFile("1st_level.txt", ForReading, True)
>
> ' -----------
> Set filetxt = filesys.OpenTextFile("1st_level.txt", ForReading, True)
> Set filetxt3 = filesys.OpenTextFile("MS001-folder-ACL.txt", ForAppending,
> True)
>
> SE_DACL_PRESENT = &h4
> ACCESS_ALLOWED_ACE_TYPE = &h0
> ACCESS_DENIED_ACE_TYPE = &h1
>
> FILE_ALL_ACCESS = &h1f01ff
> FOLDER_ADD_SUBDIRECTORY = &h000004
> FILE_DELETE = &h010000
> FILE_DELETE_CHILD = &h000040
> FOLDER_TRAVERSE = &h000020
> FILE_READ_ATTRIBUTES = &h000080
> FILE_READ_CONTROL = &h020000
> FOLDER_LIST_DIRECTORY = &h000001
> FILE_READ_EA = &h000008
> FILE_SYNCHRONIZE = &h100000
> FILE_WRITE_ATTRIBUTES = &h000100
> FILE_WRITE_DAC = &h040000
> FOLDER_ADD_FILE = &h000002
> FILE_WRITE_EA = &h000010
> FILE_WRITE_OWNER = &h080000
>
> FileTxt3.WriteLine("Foldername" & vbtab & "Domain" & vbtab & "Security
> Group" & vbtab & "Permissions" & vbtab & "Cumulatief")
>
> While Not filetxt.AtEndOfStream
> strFolderName = filetxt.readline
>
> Set objWMIService = GetObject("winmgmts:")
> Set objFolderSecuritySettings = _
> objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName &
> "'")
> intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)
>
> intControlFlags = objSD.ControlFlags
> If intControlFlags AND SE_DACL_PRESENT Then
> arrACEs = objSD.DACL
> For Each objACE in arrACEs
> 'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
> objACE.Trustee.Name)
> If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
> 'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
> objACE.Trustee.Name & ";Allowed:")
> ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
> 'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
> objACE.Trustee.Name & ";Denied:")
> End If
> If objACE.AccessMask AND FILE_ALL_ACCESS Then
> Result=Result + FILE_ALL_ACCESS
> End If
> If objACE.AccessMask AND FOLDER_ADD_SUBDIRECTORY Then
> Result=Result + FOLDER_ADD_SUBDIRECTORY
> End If
> If objACE.AccessMask AND FILE_DELETE Then
> Result=Result + FILE_DELETE
> End If
> If objACE.AccessMask AND FILE_DELETE_CHILD Then
> Result=Result + FILE_DELETE_CHILD
> End If
> If objACE.AccessMask AND FOLDER_TRAVERSE Then
> Result=Result + FOLDER_TRAVERSE
> End If
> If objACE.AccessMask AND FILE_READ_ATTRIBUTES Then
> Result=Result + FILE_READ_ATTRIBUTES
> End If
> If objACE.AccessMask AND FILE_READ_CONTROL Then
> Result=Result + FILE_READ_CONTROL
> End If
> If objACE.AccessMask AND FOLDER_LIST_DIRECTORY Then
> Result=Result + FOLDER_LIST_DIRECTORY
> End If
> If objACE.AccessMask AND FILE_READ_EA Then
> Result=Result + FILE_READ_EA
> End If
> If objACE.AccessMask AND FILE_SYNCHRONIZE Then
> Result=Result + FILE_SYNCHRONIZE
> End If
> If objACE.AccessMask AND FILE_WRITE_ATTRIBUTES Then
> Result=Result + FILE_WRITE_ATTRIBUTES
> End If
> If objACE.AccessMask AND FILE_WRITE_DAC Then
> Result=Result + FILE_WRITE_DAC
> End If
> If objACE.AccessMask AND FOLDER_ADD_FILE Then
> Result=Result + FOLDER_ADD_FILE
> End If
> If objACE.AccessMask AND FILE_WRITE_EA Then
> Result=Result + FILE_WRITE_EA
> End If
> If objACE.AccessMask AND FILE_WRITE_OWNER Then
> Result=Result + FILE_WRITE_OWNER
> End If
> strcheckname=objAce.Trustee.sid
> WScript.Echo strcheckName &vbTab& objace.trustee.sid
> If strcheckname = "" Then
> strname= "Deleted"
> Else
> strname=objAce.Trustee.name
> End If
>
> Select Case Result
> Case 3211944
> filetxt3.WriteLine (strFolderName & vbTab & objACE.Trustee.Domain
> & vbTab & objACE.Trustee.Name & vbTab & "Read&Execute" & vbTab & Result)
> Case 3277758
> filetxt3.WriteLine (strFolderName & vbTab &
> objACE.Trustee.Domain
> & vbTab & objACE.Trustee.Name & vbTab & "Modify" & vbTab & Result)
> Case 4064254
> filetxt3.WriteLine (strFolderName & vbTab &
> objACE.Trustee.Domain
> & vbTab & objACE.Trustee.Name & vbTab & "Full Control" & vbTab & Result)
> Case Else
> filetxt3.WriteLine (strFolderName & vbTab &
> objACE.Trustee.Domain
> & vbTab & objACE.Trustee.Name & vbTab & "Special Permissions" & vbTab &
> Result)
> End Select
> Next
> Else
> WScript.Echo "No DACL present in security descriptor"
> End If
> Wend
> filetxt.Close
> filetxt2.Close
> filetxt3.Close
> WScript.Echo "Done"
> filesys.DeleteFile("1st_level.txt")
>
 

My Computer

T

Thijs

#3
Hello Alan,

Thanks for your reply. I'll try fileACL. But on the other hand, I still
would like to know if it is possible.

Regads,

Thijs

"Allan" wrote:

> I find using fileacl works better than a script that complicated.
>
> Try this:
> http://www.microsoft.com/downloads/...EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en
>
> Thanks,
> Allan
>
> "Thijs" <Thijs@xxxxxx> wrote in message
> news:491135F3-C5EA-48BD-9BB8-748E9C83E756@xxxxxx

> > Hi, I'm writing a script which writes the ACL of folders to a file.
> > This work fine however there are folders that show deleted groups in the
> > ACL.
> > In the file you only see blanc's where domain and groups should have been
> > displayed.
> >
> > Is there a way to "show" the deleted folder (it shows on ACL as S-1)
> >
> > see the script below.
> >
> > kind regards,
> >
> > Thijs
> >
> > Dim Tekst
> > On Error Resume Next
> >
> > 'versie 4 voor MS001
> >
> > Const ForReading = 1, ForWriting = 2, ForAppending = 8
> > Set filesys = CreateObject("Scripting.FileSystemObject")
> >
> > Set FileTXT=FileSYS.GetFile("MS001-folder-ACL.txt")
> > Datum = FileTXT.DateLastModified
> > Jaar = DatePart("yyyy", Datum)
> > Maand = DatePart("m", Datum)
> > Dag = DatePart("d", Datum)
> > FileSYS.MoveFile "MS001-folder-ACL.txt", Jaar & "-" & Maand & "-" & Dag &
> > "-" & "MS001-folder-ACL.txt"
> >
> > Set filetxt = filesys.OpenTextFile("1st_level.txt", ForAppending, True)
> >
> > strComputer = "."
> >
> > Set objWMIService = GetObject("winmgmts:" _
> > & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
> >
> > Set colSubfolders = objWMIService.ExecQuery _
> > ("Associators of {Win32_Directory.Name='E:\project'} " _
> > & "Where AssocClass = Win32_Subdirectory " _
> > & "ResultRole = PartComponent")
> >
> > For Each objFolder In colSubfolders
> > filetxt.WriteLine(objFolder.Name)
> > Next
> >
> > filetxt.close
> >
> > Set filetxt = filesys.OpenTextFile("1st_level.txt", ForReading, True)
> >
> > ' -----------
> > Set filetxt = filesys.OpenTextFile("1st_level.txt", ForReading, True)
> > Set filetxt3 = filesys.OpenTextFile("MS001-folder-ACL.txt", ForAppending,
> > True)
> >
> > SE_DACL_PRESENT = &h4
> > ACCESS_ALLOWED_ACE_TYPE = &h0
> > ACCESS_DENIED_ACE_TYPE = &h1
> >
> > FILE_ALL_ACCESS = &h1f01ff
> > FOLDER_ADD_SUBDIRECTORY = &h000004
> > FILE_DELETE = &h010000
> > FILE_DELETE_CHILD = &h000040
> > FOLDER_TRAVERSE = &h000020
> > FILE_READ_ATTRIBUTES = &h000080
> > FILE_READ_CONTROL = &h020000
> > FOLDER_LIST_DIRECTORY = &h000001
> > FILE_READ_EA = &h000008
> > FILE_SYNCHRONIZE = &h100000
> > FILE_WRITE_ATTRIBUTES = &h000100
> > FILE_WRITE_DAC = &h040000
> > FOLDER_ADD_FILE = &h000002
> > FILE_WRITE_EA = &h000010
> > FILE_WRITE_OWNER = &h080000
> >
> > FileTxt3.WriteLine("Foldername" & vbtab & "Domain" & vbtab & "Security
> > Group" & vbtab & "Permissions" & vbtab & "Cumulatief")
> >
> > While Not filetxt.AtEndOfStream
> > strFolderName = filetxt.readline
> >
> > Set objWMIService = GetObject("winmgmts:")
> > Set objFolderSecuritySettings = _
> > objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName &
> > "'")
> > intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)
> >
> > intControlFlags = objSD.ControlFlags
> > If intControlFlags AND SE_DACL_PRESENT Then
> > arrACEs = objSD.DACL
> > For Each objACE in arrACEs
> > 'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
> > objACE.Trustee.Name)
> > If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
> > 'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
> > objACE.Trustee.Name & ";Allowed:")
> > ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
> > 'filetxt3.WriteLine(strFolderName & ";" & objACE.Trustee.Domain & "\" &
> > objACE.Trustee.Name & ";Denied:")
> > End If
> > If objACE.AccessMask AND FILE_ALL_ACCESS Then
> > Result=Result + FILE_ALL_ACCESS
> > End If
> > If objACE.AccessMask AND FOLDER_ADD_SUBDIRECTORY Then
> > Result=Result + FOLDER_ADD_SUBDIRECTORY
> > End If
> > If objACE.AccessMask AND FILE_DELETE Then
> > Result=Result + FILE_DELETE
> > End If
> > If objACE.AccessMask AND FILE_DELETE_CHILD Then
> > Result=Result + FILE_DELETE_CHILD
> > End If
> > If objACE.AccessMask AND FOLDER_TRAVERSE Then
> > Result=Result + FOLDER_TRAVERSE
> > End If
> > If objACE.AccessMask AND FILE_READ_ATTRIBUTES Then
> > Result=Result + FILE_READ_ATTRIBUTES
> > End If
> > If objACE.AccessMask AND FILE_READ_CONTROL Then
> > Result=Result + FILE_READ_CONTROL
> > End If
> > If objACE.AccessMask AND FOLDER_LIST_DIRECTORY Then
> > Result=Result + FOLDER_LIST_DIRECTORY
> > End If
> > If objACE.AccessMask AND FILE_READ_EA Then
> > Result=Result + FILE_READ_EA
> > End If
> > If objACE.AccessMask AND FILE_SYNCHRONIZE Then
> > Result=Result + FILE_SYNCHRONIZE
> > End If
> > If objACE.AccessMask AND FILE_WRITE_ATTRIBUTES Then
> > Result=Result + FILE_WRITE_ATTRIBUTES
> > End If
> > If objACE.AccessMask AND FILE_WRITE_DAC Then
> > Result=Result + FILE_WRITE_DAC
> > End If
> > If objACE.AccessMask AND FOLDER_ADD_FILE Then
> > Result=Result + FOLDER_ADD_FILE
> > End If
> > If objACE.AccessMask AND FILE_WRITE_EA Then
> > Result=Result + FILE_WRITE_EA
> > End If
> > If objACE.AccessMask AND FILE_WRITE_OWNER Then
> > Result=Result + FILE_WRITE_OWNER
> > End If
> > strcheckname=objAce.Trustee.sid
> > WScript.Echo strcheckName &vbTab& objace.trustee.sid
> > If strcheckname = "" Then
> > strname= "Deleted"
> > Else
> > strname=objAce.Trustee.name
> > End If
> >
> > Select Case Result
> > Case 3211944
> > filetxt3.WriteLine (strFolderName & vbTab & objACE.Trustee.Domain
> > & vbTab & objACE.Trustee.Name & vbTab & "Read&Execute" & vbTab & Result)
> > Case 3277758
> > filetxt3.WriteLine (strFolderName & vbTab &
> > objACE.Trustee.Domain
> > & vbTab & objACE.Trustee.Name & vbTab & "Modify" & vbTab & Result)
> > Case 4064254
> > filetxt3.WriteLine (strFolderName & vbTab &
> > objACE.Trustee.Domain
> > & vbTab & objACE.Trustee.Name & vbTab & "Full Control" & vbTab & Result)
> > Case Else
> > filetxt3.WriteLine (strFolderName & vbTab &
> > objACE.Trustee.Domain
> > & vbTab & objACE.Trustee.Name & vbTab & "Special Permissions" & vbTab &
> > Result)
> > End Select
> > Next
> > Else
> > WScript.Echo "No DACL present in security descriptor"
> > End If
> > Wend
> > filetxt.Close
> > filetxt2.Close
> > filetxt3.Close
> > WScript.Echo "Done"
> > filesys.DeleteFile("1st_level.txt")
> >
 

My Computer

Users Who Are Viewing This Thread (Users: 1, Guests: 0)