List: perl-win32-admin
Subject: RE: Setting Permissions on a user/computer/AD object...
From: "Stum, Matt" <MSTUM () bsu ! edu>
Date: 2002-12-21 17:45:40
I just ran across a message posted back in October of 2001 that began with:
"I am trying to convert the following vbscript to perl. I am having trouble setting the copied ace to the new user and idea on the line $sd->{DiscretionaryAcl} = $CopyDacl;"
I recently had the same problem... you cannot apparently assign back to the DiscretionaryACL parameter of the SecurityDescriptor object. The error indicates that the attribute interface doesn't exist, even though we just used it to retrieve data.
However, I later realized that any manipulations to the $acl object (my $acl = $sd->{'DiscretionaryACL'}) resulted in changes to the $sd object itself. The $acl object must be an interface that "references" the ACL in the SD object. This isn't how the interface is documented, so I'm wondering if it's a kludge in the Perl implementation? Makes me wonder what other differences exist out there?
So, the algorithm for adding an ACE to an object is something like:
my $sd = $obj->{'ntSecurityDescriptor'};
my $acl = $sd->{'DiscretionaryACL'};
$acl->AddAce($previously_created_ace_object);
$obj->Put('ntSecurityDescriptor',$sd);
$obj->SetInfo();
If you want to add an ACE to the top of the ACL, it gets a bit trickier. Normally you would create a brand new ACL, add your ACE to the top, copy all of the ACEs from the actual object to the new ACL, and then assign the DiscretionaryACL attribute the value of your new ACL. But since it seems you're stuck with referencing the actual ACL only, the only way I could think to do it was delete all of the ACEs and re-apply them in the order I wanted (since the only methods available are RemoveAce and AddAce). Here's the general algorithm I used:
use Win32::OLE::Enum;                           # needed for Win32::OLE::Enum->new
my $sd = $obj->{'ntSecurityDescriptor'};        # get the security descriptor
my $acl = $sd->{'DiscretionaryACL'};            # get the acl interface to the sd
my $old_acl = $acl->CopyAccessList();           # make a copy of the ACEs
my $enum = Win32::OLE::Enum->new($acl);         # enumerate through the real acl
while (my $ace = $enum->Next()) {
    $acl->RemoveAce($ace);                      # delete all of the ACEs
}
$acl->AddAce($my_ace);                          # add the ACE I want at the top of the list
$enum = Win32::OLE::Enum->new($old_acl);        # enumerate through the saved acl (reuse $enum)
while (my $ace = $enum->Next()) {
    $acl->AddAce($ace);                         # restore the ACEs we saved
}
$obj->Put('ntSecurityDescriptor',$sd);          # store the new sd (with updated acl)
$obj->SetInfo();                                # make changes permanent
The code that I used this for was a routine that would create a Computer object and allow a specified third-party user to join it to the domain. If anyone would like a copy of the routine once I get it polished up, let me know.
Matt
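
The remove-and-re-add approach from the message above, as an added example that is not part of the original message or the poster's routine: it snapshots the ACEs into a Perl list before removing any, and compares ACE counts before calling SetInfo() so that a partly rebuilt DACL is never written back. The sub names prepend_ace and ace_list are hypothetical; $obj and $new_ace are assumed to be an ADSI object and an ACE prepared by the caller, as in the message.

```perl
use strict;
use warnings;
use Win32::OLE;
use Win32::OLE::Enum;

# Return the ACEs currently in an ACL as a plain Perl list.
sub ace_list {
    my ($acl) = @_;
    return Win32::OLE::Enum->new($acl)->All();
}

# Rebuild the DACL of $obj with $new_ace first (hypothetical helper).
# Nothing reaches the directory until SetInfo(), so a failed check dies
# before the commit and the stored DACL stays as it was.
sub prepend_ace {
    my ($obj, $new_ace) = @_;

    my $sd = $obj->{'ntSecurityDescriptor'}
        or die "cannot read ntSecurityDescriptor: " . Win32::OLE->LastError() . "\n";
    my $acl = $sd->{'DiscretionaryACL'};   # refers to the ACL inside $sd

    # Snapshot first, so the removal loop does not walk a collection
    # that it is modifying at the same time.
    my @saved  = ace_list($acl);
    my $before = scalar @saved;

    $acl->RemoveAce($_) for @saved;
    my @left = ace_list($acl);
    die "DACL still holds " . scalar(@left) . " ACE(s) after removal\n" if @left;

    $acl->AddAce($new_ace);                # new ACE goes in first
    $acl->AddAce($_) for @saved;           # then the originals, in order

    # A short count means an ACE was lost during the rebuild; stop here
    # so the truncated list is not committed.
    my $after = scalar(() = ace_list($acl));
    die "expected " . ($before + 1) . " ACEs, found $after; not committing\n"
        unless $after == $before + 1;

    $obj->Put('ntSecurityDescriptor', $sd);
    $obj->SetInfo();
    die "SetInfo failed: " . Win32::OLE->LastError() . "\n"
        if Win32::OLE->LastError() != 0;
    return $after;                         # number of ACEs now in the DACL
}
```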