List: perl-win32-admin
Subject: RE: Grant a right to User in NT
From: rothd () roth ! net
Date: 2002-01-26 4:32:02
I am attaching a script from my second book
(http://www.roth.net/books/handbook/). It can set privileges, remove them,
enumerate them for a user, enumerate the users that hold a given privilege, and
if you pass in -p it will display all of the available privileges.
dave
-----Original Message-----
From: Veeraraju_Mareddi [mailto:rajuveera@satyam.com]
Sent: Friday, January 25, 2002 3:13 AM
To: beginners@perl.org
Cc: perl-win32-admin@listserv.ActiveState.com
Subject: Grant a right to User in NT
Dear All,
Is there any way to grant an NT right to a user from a script? Is there any
module for this purpose?
Thanks and Regards
Raju M.V
**************************************************************************
This email (including any attachments) is intended for the sole use of the
intended recipient/s and may contain material that is CONFIDENTIAL AND
PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or
distribution or forwarding of any or all of the contents in this message is
STRICTLY PROHIBITED. If you are not the intended recipient, please contact
the sender by email and delete all copies; your cooperation in this regard
is appreciated.
**************************************************************************
["PRIV.PL" (application/octet-stream)]
# priv.pl
# Example :
# ----------------------------------------
# From "Win32 Perl Programming: Administrators Handbook" by Dave Roth
# Published by Macmillan Technical Publishing.
# ISBN # 1-57870-215-1
#
use Win32::API;
use Win32::Lanman;
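# Canonical privilege constant names (the SE_*_NAME constants exported by
# Win32::Lanman). This fixed list is what the script knows about; rights
# added to Windows later are not in the table.
@PRIVILEGES = qw(
SE_CREATE_TOKEN_NAME
SE_ASSIGNPRIMARYTOKEN_NAME
SE_LOCK_MEMORY_NAME
SE_INCREASE_QUOTA_NAME
SE_UNSOLICITED_INPUT_NAME
SE_MACHINE_ACCOUNT_NAME
SE_TCB_NAME
SE_SECURITY_NAME
SE_TAKE_OWNERSHIP_NAME
SE_LOAD_DRIVER_NAME
SE_SYSTEM_PROFILE_NAME
SE_SYSTEMTIME_NAME
SE_PROF_SINGLE_PROCESS_NAME
SE_INC_BASE_PRIORITY_NAME
SE_CREATE_PAGEFILE_NAME
SE_CREATE_PERMANENT_NAME
SE_BACKUP_NAME
SE_RESTORE_NAME
SE_SHUTDOWN_NAME
SE_DEBUG_NAME
SE_AUDIT_NAME
SE_SYSTEM_ENVIRONMENT_NAME
SE_CHANGE_NOTIFY_NAME
SE_REMOTE_SHUTDOWN_NAME
SE_INTERACTIVE_LOGON_NAME
SE_NETWORK_LOGON_NAME
SE_BATCH_LOGON_NAME
SE_SERVICE_LOGON_NAME
);

# LookupPrivilegeDisplayName( lpSystemName, lpName, lpDisplayName,
#                             lpcchDisplayName, lpLanguageId ) -> BOOL
$LPDN = Win32::API->new( 'advapi32.dll', 'LookupPrivilegeDisplayName',
                         [ 'P', 'P', 'P', 'P', 'P' ], 'I' )
    || die "Unable to locate the LookupPrivilegeDisplayName().\n";

# Build the two lookup tables the rest of the script keys on:
#   %PRIVILEGES        SE_*_NAME constant -> { name, display, comment }
#   %PRIVILEGE_VALUES  uc(display name)   -> SE_*_NAME constant
# NOTE: %Config is still empty at this point (Configure runs further down),
# so the display-name lookup always goes to the local machine, whatever
# -m / -d say.
foreach my $Privilege ( @PRIVILEGES )
{
    # Resolve the constant by name without a string eval: call the constant
    # sub if Win32::Lanman exported it; otherwise fall back to the bare name,
    # which is what the unstrict bareword eval produced before.
    my $Const = __PACKAGE__->can( $Privilege );
    my $PrivString = $Const ? $Const->() : $Privilege;

    my $Size = 256;
    my $szDisplayName = "\x00" x $Size;        # output buffer, NUL-filled
    my $dwSize = pack( "L", $Size );           # in/out buffer length (DWORD)
    my $dwLangId = pack( "L", 0 );             # receives the language id
    # The return value is deliberately ignored: on failure the buffer stays
    # all NUL and the privilege simply gets an empty comment.
    $LPDN->Call( $Config{machine}, $PrivString, $szDisplayName, $dwSize, $dwLangId );
    $szDisplayName =~ s/\x00//g;               # drop the terminator and padding

    $PRIVILEGES{$Privilege} = {
        comment => $szDisplayName,
        display => $PrivString,
        name    => $Privilege,
    };
    $PRIVILEGE_VALUES{uc $PrivString} = $Privilege;
}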
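Configure( \%Config, @ARGV );
if( $Config{help} )
{
    Syntax();
    exit( 0 );
}

# Pick the machine whose LSA the remaining calls talk to, as the usage text
# describes: an explicit -d Domain is resolved to that domain's DC; otherwise
# an explicit -m Machine is used as given; failing both, the DC of the
# current domain. Bailing out on a failed DC lookup matters: with
# $Config{machine} left empty every later call would silently act on the
# local machine instead.
if( defined $Config{domain} && "" ne $Config{domain} )
{
    Win32::Lanman::NetGetDCName( '', $Config{domain}, \$Config{machine} )
        || die "Unable to locate a domain controller for $Config{domain}.\n";
}
elsif( ! defined $Config{machine} || "" eq $Config{machine} )
{
    Win32::Lanman::NetGetDCName( '', Win32::DomainName(), \$Config{machine} )
        || die "Unable to locate a domain controller for the current domain.\n";
}

my @Items = @{ $Config{items} || [] };

if( $Config{display_privileges} )
{
    # -p: describe every privilege in the table, or only those named on the
    # command line (unrecognised names are skipped).
    my @PrivList = @Items
        ? grep { defined $_ } map { MatchPrivilege( $_ ) } @Items
        : sort keys %PRIVILEGES;
    foreach my $Key ( @PrivList )
    {
        my $Info = $PRIVILEGES{$Key};
        print "$Key:\n";
        print "\tDisplay name: $Info->{display}\n";
        print "\tComment: $Info->{comment}\n" if( "" ne $Info->{comment} );
        print "\n";
    }
}
elsif( $Config{user_rights} )
{
    # -s: list the accounts holding each named privilege. Only direct
    # assignments are returned; rights held through group membership are
    # not expanded (the usage text says so as well).
    foreach my $Privilege ( @Items )
    {
        my $PrivKey = MatchPrivilege( $Privilege ) || next;
        my $Display = $PRIVILEGES{$PrivKey}->{display};
        print "$PrivKey ($Display):\n";
        my @SidList;
        if( Win32::Lanman::LsaEnumerateAccountsWithUserRight( $Config{machine}, $Display, \@SidList ) )
        {
            my @SidData;
            Win32::Lanman::LsaLookupSids( $Config{machine}, \@SidList, \@SidData );
            foreach my $Data ( @SidData )
            {
                my $Domain = ( "" ne $Data->{domain} ) ? "$Data->{domain}\\" : "";
                print "\t$Domain$Data->{name}\n";
            }
        }
        print "\n";
    }
}
else
{
    # Account mode: apply any +Priv / -Priv changes first, then report the
    # resulting privilege set of every account named.
    my %AccountByKey;
    foreach my $Account ( @Items )
    {
        if( $Account =~ /\*$/ )
        {
            # Trailing "*": expand to all accounts starting with the prefix.
            # ("use" happens at compile time, so the module is loaded even if
            # this branch never runs.)
            use Win32::AdminMisc;
            my( $Prefix ) = ( $Account =~ /^(.*)\*$/ );
            my @Accounts;
            Win32::AdminMisc::GetUsers( $Config{machine}, $Prefix, \@Accounts );
            $AccountByKey{lc $_} = $_ foreach @Accounts;
        }
        else
        {
            $AccountByKey{lc $Account} = $Account;
        }
    }
    # One case-folded key per account, so a name given twice (or once
    # explicitly and once through a wildcard) is processed only once.
    my @AccountList = map { $AccountByKey{$_} } sort keys %AccountByKey;

    my @Add    = @{ $Config{add_privileges}    || [] };
    my @Remove = @{ $Config{remove_privileges} || [] };
    if( @Add || @Remove )
    {
        my @SidList;
        Win32::Lanman::LsaLookupNames( $Config{machine}, \@AccountList, \@SidList );
        # LsaLookupNames answers positionally: $SidList[$i] belongs to
        # $AccountList[$i].
        foreach my $Index ( 0 .. $#SidList )
        {
            my $Sid  = $SidList[$Index];
            my $Name = $AccountList[$Index];
            # Same existence test as ReportAccountPrivileges: a SID_NAME_USE
            # of 8 or more means the name did not resolve, so skip it rather
            # than hand an unresolved SID to the LSA.
            if( 8 <= $Sid->{use} )
            {
                warn "$Name ... account does not exist, no privileges changed.\n";
                next;
            }
            # Grants run before revocations, so "-* +Priv" ends with no
            # privileges at all.
            if( @Add )
            {
                Win32::Lanman::LsaAddAccountRights( $Config{machine}, $Sid->{sid}, \@Add )
                    || warn "Unable to add privileges to $Name.\n";
            }
            if( @Remove )
            {
                Win32::Lanman::LsaRemoveAccountRights( $Config{machine}, $Sid->{sid}, \@Remove, $Config{remove_all} )
                    || warn "Unable to remove privileges from $Name.\n";
            }
        }
    }
    ReportAccountPrivileges( @AccountList );
}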
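sub ReportAccountPrivileges
{
    # Print, for each account name given, the privileges directly assigned
    # to it on $Config{machine}. Each right is emitted through the
    # PrivilegeDump format, which reads the package-global %Priv, so that
    # hash is filled per right before write() is called. Returns nothing.
    my( @AccountList ) = @_;
    # local: restore the caller's format when we are done.
    local $~ = 'PrivilegeDump';

    my @AccountInfo;
    Win32::Lanman::LsaLookupNames( $Config{machine}, \@AccountList, \@AccountInfo );
    # LsaLookupNames answers positionally: the i-th record belongs to the
    # i-th name, which the record itself does not carry.
    foreach my $Index ( 0 .. $#AccountInfo )
    {
        my $Account = $AccountInfo[$Index];
        $Account->{name} = $AccountList[$Index];
        print "$Account->{domain}\\" if( "" ne $Account->{domain} );
        print $Account->{name};
        # SID_NAME_USE values of 8 (SidTypeUnknown) and above mean the name
        # did not resolve. NOTE(review): this also rejects 9 (SidTypeComputer),
        # so machine accounts are reported as non-existent.
        if( 8 > $Account->{use} )
        {
            print ":\n";
            my @Rights;
            if( Win32::Lanman::LsaEnumerateAccountRights( $Config{machine}, $Account->{sid}, \@Rights ) )
            {
                foreach my $Right ( @Rights )
                {
                    # Rights that postdate @PRIVILEGES are not in the table;
                    # show their raw name rather than a blank column, and use
                    # exists so the miss does not autovivify %PRIVILEGES.
                    my $Name = $PRIVILEGE_VALUES{uc $Right};
                    %Priv = (
                        name    => defined $Name ? $Name : $Right,
                        display => $Right,
                        comment => ( defined $Name && exists $PRIVILEGES{$Name} )
                                       ? $PRIVILEGES{$Name}->{comment}
                                       : "",
                    );
                    write;
                }
            }
        }
        else
        {
            print " ... account does not exist.\n";
        }
        print "\n";
    }
    return;
}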
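sub MatchPrivilege
{
    # Map whatever the user typed to the canonical SE_*_NAME key of
    # %PRIVILEGES. Accepted spellings (case-insensitive), tried in this order:
    #   display name           SeBackupPrivilege
    #   constant name          SE_BACKUP_NAME
    #   constant base name     BACKUP            -> SE_BACKUP_NAME
    #   display base name      Backup            -> SeBackupPrivilege
    #   logon-right base name  InteractiveLogon  -> SeInteractiveLogonRight
    # Returns the key, or undef when nothing matches. Every probe goes through
    # exists so that an unknown name never autovivifies an empty record in
    # %PRIVILEGES (which would then appear in the -p listing).
    my( $PrivRoot ) = uc shift @_;
    my $PrivKey;

    # 1. display name
    if( exists $PRIVILEGE_VALUES{$PrivRoot} )
    {
        $PrivKey = $PRIVILEGE_VALUES{$PrivRoot};
    }
    # 2. constant name, 3. base of the constant name
    foreach my $Candidate ( $PrivRoot, "SE_" . $PrivRoot . "_NAME" )
    {
        last if defined $PrivKey;
        $PrivKey = $PRIVILEGES{$Candidate}->{name} if exists $PRIVILEGES{$Candidate};
    }
    # 4. base of the display name, 5. base of a logon-right display name
    # ($PrivRoot is already upper-cased, so these are the uc'd forms of
    # "Se<root>Privilege" and "SE<root>Right").
    foreach my $Candidate ( "SE" . $PrivRoot . "PRIVILEGE", "SE" . $PrivRoot . "RIGHT" )
    {
        last if defined $PrivKey;
        $PrivKey = $PRIVILEGE_VALUES{$Candidate} if exists $PRIVILEGE_VALUES{$Candidate};
    }
    return( $PrivKey );
}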
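sub Configure
{
    # Parse the command line into %$Config (a hash ref, filled in place):
    #   items               bare words: accounts, or privilege names for -p/-s
    #   add_privileges      display names of privileges given as +Priv
    #   remove_privileges   display names given as -Priv ("*" when -* is used)
    #   remove_all          set by -*
    #   display_privileges  -p        user_rights  -s
    #   domain              -d Domain machine      -m Machine (one leading \\)
    #   help                -h / -? / an unknown /switch / an unusable line
    # Returns nothing.
    my( $Config, @Args ) = @_;

    # defined(): an account or value spelled "0" must not end the loop early.
    while( defined( my $Arg = shift @Args ) )
    {
        # Only +, - and / introduce a switch. Hyphen goes first in the class:
        # [+-/] is a range that would also swallow "," and "." prefixes such
        # as ".\user".
        my( $Prefix ) = ( $Arg =~ /^([-+\/])/ );
        if( ! defined $Prefix )
        {
            push( @{$Config->{items}}, $Arg );
            next;
        }
        $Arg =~ s/^[-+\/]//;

        if( "+" eq $Prefix )
        {
            # +Priv: grant. Unknown names are silently skipped.
            my $Priv = MatchPrivilege( $Arg ) || next;
            push( @{$Config->{add_privileges}}, $PRIVILEGES{$Priv}->{display} );
        }
        elsif( $Arg =~ /^p$/i )
        {
            # Request to display all rights
            $Config->{display_privileges} = 1;
        }
        elsif( $Arg =~ /^s$/i )
        {
            # Show which accounts hold the named privileges
            $Config->{user_rights} = 1;
        }
        elsif( $Arg =~ /^d$/i )
        {
            # -d Domain: the accounts live in this domain (its DC is looked
            # up later). A missing value is a usage error.
            $Config->{domain} = shift @Args;
            $Config->{help} = 1 unless defined $Config->{domain};
        }
        elsif( $Arg =~ /^m$/i )
        {
            # -m Machine: the accounts live on this machine; normalise to a
            # single leading \\ whether or not the user typed one.
            my $Machine = shift @Args;
            if( defined $Machine )
            {
                $Config->{machine} = "\\\\" . $Machine;
                $Config->{machine} =~ s/^(\\\\)+/\\\\/;
            }
            else
            {
                $Config->{help} = 1;
            }
        }
        elsif( $Arg =~ /^(\?|h|help)/i )
        {
            # Request help
            $Config->{help} = 1;
        }
        elsif( "/" eq $Prefix )
        {
            # An unknown /switch
            $Config->{help} = 1;
        }
        elsif( "*" eq $Arg )
        {
            # -*: remove every privilege. "*" is pushed only so the remove
            # list is non-empty and the removal path runs; remove_all is
            # what actually drives the call.
            $Config->{remove_all} = 1;
            push( @{$Config->{remove_privileges}}, $Arg );
        }
        else
        {
            # -Priv: revoke. An unknown name is a usage error and must not
            # push an undef display name onto the remove list.
            my $Priv = MatchPrivilege( $Arg );
            if( ! defined $Priv )
            {
                $Config->{help} = 1;
                next;
            }
            push( @{$Config->{remove_privileges}}, $PRIVILEGES{$Priv}->{display} );
        }
    }

    # Nothing to act on and no -p listing requested: show the usage instead.
    if( ! @{ $Config->{items} || [] } && ! $Config->{display_privileges} )
    {
        $Config->{help} = 1;
    }
    return;
}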
sub Syntax
{
    # Print the usage text to the selected output handle. The script name is
    # $0 with any leading path stripped (either slash style); the underline
    # is sized to match it.
    my( $Script ) = ( $0 =~ m{([^\\/]*?)$} );
    my $Line = "-" x length $Script;
    print <<"EOT";
$Script
$Line
Manages account privileges
Syntax:
perl $Script [-m Machine | -d Domain] -p
perl $Script [-m Machine | -d Domain] -s Priv [Priv2 ...]
perl $Script [-m Machine | -d Domain] [-|+Priv] Account [Account2 ...]
-m Machine..All accounts and privileges are resident on the specifed
machine.
-d Domain...All accounts and privileges are resident in the specified
domain.
-s Priv.....Show all accounts that have been granted the specified
privilege. Some accounts may not show if they are granted
the privilege through a group membership.
-Priv.......Removes the privilege from the specified accounts.
Specify as many of these switches as necessary.
Specify * to remove ALL privileges.
+Priv.......Adds the privilege to the specified accounts.
Specify as many of these switches as necessary.
Account.....Show all privileges granted to this specified account.
If used in conjunction with the -Priv or +Priv then the
privileges are assigned or removed first. The resulting
privilege set is then displayed.
This account can end with a * char to indicate
all accounts that begin with the specified string.
If no domain or machine is specified then the current domain
is used.
EOT
}
# Report layout used by ReportAccountPrivileges (selected through $~).
# Left column: the privilege constant name; right column: its display
# comment, filled in chunks by ^ fields. One continuation line is allowed
# for a long comment (the ~ suppresses it when nothing is left to print).
format PrivilegeDump =
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$Priv{name}, $Priv{comment}
~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$Priv{comment}
.