List: perl-win32-users
Subject: [PMX:#] Re: [OLE] - Setting value into DiscretionaryAcl
From: "Joe Richards" <jricha34 () hotmail ! com>
Date: 2002-06-26 2:42:17
Cool, thanks a lot for the tip Steve. That totally helped. I have generally
tried to stay away from the COM stuff, preferring to write C++ command line
tools and scripting around them, but it seems it is the only realistic way to
dork with the AD ACLs.

I found a couple of other little bugs in how I was setting values but I was
able to chase those down by re-enumerating what I had set in the ACL and seeing
that everything was zeros, which wasn't what I was trying to set.

Thanks again.

For anyone that is interested, here is the adjusted code (note this is just a
snippet):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$adsnewcomputer=Win32::OLE->GetObject("LDAP://$dc/cn=$computername,$computerou");
if (!$adsnewcomputer)
 {
  print "Couldn't open computer $computername...\a\n";
  return $FALSE;
 }

print "Setting security...\n";

$sd = $adsnewcomputer->ntSecurityDescriptor;
$dACL = $sd->DiscretionaryAcl;

#
# Everyone - Validated Write Service Principle Name
#
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}="everyone";
$ace->{ObjectType}="{F3A64788-5306-11D1-A9C5-0000F80367C1}";
$ace->{AccessMask}=8;
$ace->{Flags}=$ADS_FLAG_OBJECT_TYPE_PRESENT;
$ace->{AceType}=$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
$ace->{aceflags}=0;
$dACL->AddAce($ace);

$sd->LetProperty('DiscretionaryAcl',$dACL);
$lasterror=Win32::OLE->LastError();
if ($lasterror)
 {
  print "Adding security 1 Error: $lasterror\n";
  exit;
 }

$adsnewcomputer->Put("ntSecurityDescriptor", [$sd]);
$lasterror=Win32::OLE->LastError();
if ($lasterror)
 {
  print "Adding security 2 Error: $lasterror\n";
  exit;
 }

$adsnewcomputer->SetInfo();
$lasterror=Win32::OLE->LastError();
if ($lasterror)
 {
  print "Adding security 3 Error: $lasterror\n";
  exit;
 }

---
Joe Richards
www.joeware.net
---
----- Original Message -----
From: Steven Manross
To: 'Joe Richards' ; perl-win32-users@listserv.ActiveState.com
Sent: Tuesday, June 25, 2002 7:34 PM
Subject: RE: [OLE] - Setting value into DiscretionaryAcl

Check out LetProperty instead of:

$sd->{DiscretionaryAcl}=$dACL;

If you look up 0x80020003 in ActiveState's archives, a number of people have
found problems with this type of assignment in various M$ objects.

LetProperty seems to work around this problem by assigning by reference instead
of by value (someone correct me here, because I can't fully tell the difference
between the two assignments, except that one seems to work).

Namely:

$sd->LetProperty("DiscretionaryAcl",$dACL);

P.S. This works for Exchange 5.5 Mailbox creation (in particular).

Steven
-----Original Message-----
From: Joe Richards [mailto:jricha34@hotmail.com]
Sent: Tuesday, June 25, 2002 4:23 PM
To: perl-win32-users@listserv.ActiveState.com
Subject: [OLE] - Setting value into DiscretionaryAcl

I saw several old posts asking for info on this but no responses where
someone knew what was going on. I am going to post and hope someone now
knows what is going on.

When trying to set an ACL on an AD object by basically converting a simple
VBScript example, the command to set DiscretionaryAcl to the new ACE chain
fails with:

Adding security 1 Error: Win32::OLE(0.1502) error 0x80020003: "Member not found"
    in PROPERTYPUTREF "DiscretionaryAcl"

I am able to read the ACLs fine when using the GET side of
DiscretionaryACL; it is when I use the PUT side that it fails.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Here is a short code example:

$adsnewcomputer=Win32::OLE->GetObject("LDAP://$dc/cn=$computername,$computerou");
if (!$adsnewcomputer)
 {
  print "Couldn't open computer $computername...\a\n";
  return $FALSE;
 }

print "Setting security...\n";

$sd = $adsnewcomputer->ntSecurityDescriptor;
$dACL = $sd->DiscretionaryAcl;

#
# Everyone - Validated Write Service Principle Name
#
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->Trustee("everyone");
$ace->ObjectType("{F3A64788-5306-11D1-A9C5-0000F80367C1}");
$ace->AcessMask(8);
$ace->Flags($ADS_FLAG_OBJECT_TYPE_PRESENT);
$ace->AceType($ADS_ACETYPE_ACCESS_ALLOWED_OBJECT);
$ace->aceflags(0);
$dACL->AddAce($ace);

#******************************************************
# Fails here with member not found in PROPERTYPUTREF
#******************************************************
$sd->{DiscretionaryAcl}=$dACL;
$lasterror=Win32::OLE->LastError();
if ($lasterror)
 {
  print "Adding security 1 Error: $lasterror\n";
  exit;
 }

$adsnewcomputer->Put("ntSecurityDescriptor", [$sd]);
$lasterror=Win32::OLE->LastError();
if ($lasterror)
 {
  print "Adding security 2 Error: $lasterror\n";
  exit;
 }

$adsnewcomputer->SetInfo();
$lasterror=Win32::OLE->LastError();
if ($lasterror)
 {
  print "Adding security 3 Error: $lasterror\n";
  exit;
 }

_______________________________________________
Perl-Win32-Users mailing list Perl-Win32-Users@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
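
The read-back check mentioned in the thread (re-enumerating the ACL and finding zeros), sketched as an added example that is not part of the original messages or of Win32::OLE. It validates ACE fields that have already been copied into plain hashes; the helper name check_validated_spn_ace and the two sample records are hypothetical, and the numeric constants are the ADSI enum values for the names used in the snippet.

```perl
use strict;
use warnings;

# ADSI enum values: ADS_ACETYPE_ENUM, ADS_FLAGTYPE_ENUM, ADS_RIGHTS_ENUM.
my %ACETYPE = (0 => 'ACCESS_ALLOWED', 1 => 'ACCESS_DENIED',
               5 => 'ACCESS_ALLOWED_OBJECT', 6 => 'ACCESS_DENIED_OBJECT');
my $ACETYPE_ALLOWED_OBJECT   = 0x5;
my $FLAG_OBJECT_TYPE_PRESENT = 0x1;
my $RIGHT_DS_SELF            = 0x8;    # validated write
# Validated-SPN, the ObjectType GUID used in the post.
my $VALIDATED_SPN = '{F3A64788-5306-11D1-A9C5-0000F80367C1}';

# Hypothetical helper: list what is wrong with one ACE read back as a hash.
sub check_validated_spn_ace {
    my ($ace) = @_;
    my ($type, $mask, $flags) = map { $ace->{$_} // 0 } qw(AceType AccessMask Flags);
    my $guid = uc($ace->{ObjectType} // '');
    my @problems;
    push @problems, 'Trustee is empty' unless length($ace->{Trustee} // '');
    push @problems, sprintf('AceType %d (%s) is not ACCESS_ALLOWED_OBJECT',
        $type, $ACETYPE{$type} // 'unknown') unless $type == $ACETYPE_ALLOWED_OBJECT;
    push @problems, sprintf('AccessMask 0x%X lacks ADS_RIGHT_DS_SELF', $mask)
        unless $mask & $RIGHT_DS_SELF;
    # Least privilege: an ACE for Everyone should carry only the validated write.
    push @problems, sprintf('AccessMask 0x%X grants more than ADS_RIGHT_DS_SELF', $mask)
        if $mask & ~$RIGHT_DS_SELF;
    push @problems, 'ObjectType set but ADS_FLAG_OBJECT_TYPE_PRESENT is clear'
        if $guid ne '' && !($flags & $FLAG_OBJECT_TYPE_PRESENT);
    push @problems, 'ObjectType is not the Validated-SPN GUID'
        unless $guid eq $VALIDATED_SPN;
    return @problems;
}

# Constructed sample data, not output from a real directory:
# the ACE as intended, then one whose numeric fields all came back as zero.
my @read_back = (
    { Trustee => 'Everyone', ObjectType => $VALIDATED_SPN,
      AccessMask => 8, Flags => 1, AceType => 5, AceFlags => 0 },
    { Trustee => 'Everyone', ObjectType => '',
      AccessMask => 0, Flags => 0, AceType => 0, AceFlags => 0 },
);

for my $i (0 .. $#read_back) {
    my @problems = check_validated_spn_ace($read_back[$i]);
    print "ACE $i: ", (@problems ? 'BAD' : 'ok'), "\n";
    print "  - $_\n" for @problems;
}
```

In a real script the hashes would be filled from the properties of each ACE enumerated from the DACL after SetInfo, so a write that silently stored zeros is caught before the object is relied on.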