wntAccessAdd and Inherited Rights
Keywords: wntAccessAdd and Inherited Rights error 545 wntAccessAdd wntAccessGet
Question:
After a checkdisk, I lost all ACEs in the DACL and wound up with Administrators and System with full control. We had complex ACEs ;^)
Anyway, I thought I'd write a script to capture all ACEs for all files and directories. I know, it's not pretty, but here it is anyway:

AddExtender("WWWNT34I.DLL")
server1="khzits31"
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Enumerate Shares on Server1
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
shares=wntsharelist(server1,16,0)
sharescount=itemcount(shares, @tab)
for a=1 to sharescount
   share = itemextract(a,shares, @tab)
   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
   ;Check if Share is a Drive (less than 3 characters, i.e. C$, D$, etc.)
   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
   driveshare=strlen(share)
   if driveshare<3   ; if share=="H$"
      uncshare=strcat("\\",server1,"\",share)
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      ;List users with privileges for Share root i.e. C:, D:, etc.
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      Users=wntAccesslist("",uncshare,300,1)
      userscount=itemcount(users, @tab)
      for ab=1 to userscount
         user = itemextract(ab,users, @tab)
         records=wntAccessGet("",uncshare,user,300,0)
         owner=wntownerget("", 0, uncshare, 300, 1)
         iniwritepvt(server1,"%uncshare%=%user%","%records%=%owner%","C:\TEMP\%server1%.txt")
      next
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      ;List users with privileges for all files and directories
      ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
      AddExtender("wsrch34i.dll")
      objectcount=0
      handle=srchInit(uncshare,"*.*","","",8+16+32)
      while 1
         object=srchNext(handle)
         if object=="" then break
         objectcount=objectcount+1
         errormode(@off)
         Users=wntAccesslist("",object,300,1)
         error1 = lasterror()   ; read the error code after the call, not before it
         ErrorMode(@CANCEL)
         If error1 != 0 then iniwritepvt("ERRORS",object,error1,"C:\TEMP\%server1%.txt")
         userscount=itemcount(users, @tab)
         for b=1 to userscount
            user = itemextract(b,users, @tab)
            errormode(@off)
            records=wntAccessGet("",object,user,300,0)
            owner=wntownerget("", 0, object, 300, 1)
            error2 = lasterror()   ; same here: capture the error raised by the two calls above
            ErrorMode(@CANCEL)
            If error2 != 0 then iniwritepvt("ERRORS",object,error2,"C:\TEMP\%server1%.txt")
            fullpath=strcat(object,"=",user)
            iniwritepvt(server1,fullpath,"%records%=%owner%","C:\TEMP\%server1%.txt")
         next
      endwhile
      srchFree(handle)
   endif
next
exit

It works, but the other script which (I thought) would read the file and reset the ACEs doesn't work. I get an error 545. Here it comes:

AddExtender("WWWNT34I.DLL")
server1="khzits31"
netname=wntGetUser(@default)
ret=wntPrivGet("\\%server1%",netname,"SeRestorePrivilege", 0)
if ret==0
   string1="You need SeRestorePrivilege on %server1% in order to rewrite Ownership Information on files.%@crlf%"
   string2="DO NOT forget to log off and on again for the changes to take effect!%@crlf%%@crlf%"
   string3="If you wish to make the changes yourself, press NO. If I should make the changes for you press YES."
   addpriv=askyesno (netname, strcat(string1,string2,string3))
   if addpriv==@YES
      wntPrivAdd("\\%server1%",netname,"SeRestorePrivilege", 0)
      message (netname, "Please log off and on again. After that you may run this program again!")
      exit
   else
      Message(netname, "Grant yourself the SeRestorePrivilege on %server1%, log off and on again. After that you may run this program again!")
      exit
   endif
endif
allerrors=iniitemizepvt ("Errors", "C:\TEMP\%server1%.txt")
allfiles=iniitemizepvt (server1, "C:\TEMP\%server1%.txt")
filescount=itemcount(allfiles, @tab)
for a=1 to filescount
   file = itemextract(a,allfiles, @tab)
   file_a=inireadpvt(server1, file, "", "C:\TEMP\%server1%.txt")
   file=strcat(file, "=", file_a)
   ; turn "object=user=perms=owner" into tab-separated fields for ParseData
   file=strreplace(file,"=", @TAB)
   file=strreplace(file," ", "BLANKSPACEINFILENAME")
   ParseData(file)
   object=strreplace(param1,"BLANKSPACEINFILENAME"," ")
   if param0 >1 then user=param2
   if param0 >2 then perms=param3
   if param0 >3 then owner=param4
   if param0 <4 then owner="VORDEFINIERT\Administratoren"
   errormode(@off)
   wntAccessadd("",object,user,300,perms,0)
   wntownerset("", 0, object, 300,owner, 0)   ; restore the recorded owner, not the ACE's user
   error1 = lasterror()   ; read the error code after the calls
   ErrorMode(@CANCEL)
   If error1 != 0 then iniwritepvt("ERRORS",object,error1,"C:\TEMP\setperm%server1%error.txt")
next
Exit

I seem to have problems with the output from wntAccessGet (0:16:2032127 or 0:16:1245631 and others). How can it be interpreted in the second program?
Answer:
Read the docs for wntAccessAdd()/wntAccessDel() again. You will note that the access string is formatted as "x:y:z", where "x" represents the type of ACE, "y" represents the ACE flags and "z" represents the access-mask. The important part here for dealing with your problem is that the INHERITED_ACE flag bit is turned on [flags & 16 = TRUE]. You cannot directly manipulate inherited ACEs. Instead, you need to find the explicitly assigned ACE which is *inheritable* and delete it; this will cause inherited copies of it to be removed from all child objects [e.g. subfolders, files] that may have inherited it. It is OK to report the existence of an inherited ACE for purposes of knowing what actual permissions apply to a securable object like a folder or a file, but you must not try to manipulate an inherited ACE when adding/removing permissions.
Modify your script to check for an inherited ACE and to skip all processing for inherited ACEs.
Something like:
MyACE = '0:16:1245631'
; the flags are the second colon-separated field ("x:y:z" -> type, flags, mask)
Flags = Int(ItemExtract(2,MyACE,':'))
if (Flags & 16)
   ; Skip this ACE
else
   ; Process this ACE
endif
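As an added example (not from the article or the WinBatch extender), the following Python shows the same check in a form that can be run over the records the capture script writes: it splits the "x:y:z" string, marks inherited copies (flag bit 16) so a restore pass skips them, and names the two masks quoted in the question. It assumes the three fields carry the raw Windows ACE type, ACE flag and access-mask values, as the "flags & 16" test implies.

```python
# Added example (not from the original article or the WinBatch extender):
# parse the "type:flags:mask" strings returned by wntAccessGet() and keep
# only the ACEs a restore pass may replay with wntAccessAdd().
# Assumption: the fields are the raw Windows ACE type, flags and mask.

INHERITED_ACE = 0x10           # flag bit 16: copy inherited from a parent
OBJECT_INHERIT_ACE = 0x01      # ACE flows down to files
CONTAINER_INHERIT_ACE = 0x02   # ACE flows down to subfolders

# Well-known file access masks (Windows constants, shown as Explorer names).
NAMED_MASKS = {
    0x1F01FF: "Full Control",    # FILE_ALL_ACCESS (= 2032127 in the question)
    0x1301BF: "Modify",          # GENERIC R/W/X + DELETE (= 1245631)
    0x1200A9: "Read & Execute",  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
}

def parse_ace(ace):
    """Split 'x:y:z' into (ace_type, flags, mask) integers."""
    ace_type, flags, mask = (int(part) for part in ace.split(":"))
    return ace_type, flags, mask

def is_inherited(ace):
    return bool(parse_ace(ace)[1] & INHERITED_ACE)

def is_inheritable(ace):
    return bool(parse_ace(ace)[1] & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE))

def describe_mask(mask):
    return NAMED_MASKS.get(mask, "0x%X" % mask)

def plan_restore(records):
    """records: (path, user, ace) tuples as logged by the capture script.
    Returns (replay, skipped): explicit entries to re-add, and inherited
    ones to leave alone, since the parent's inheritable ACE recreates them."""
    replay, skipped = [], []
    for path, user, ace in records:
        (skipped if is_inherited(ace) else replay).append((path, user, ace))
    return replay, skipped

# Constructed sample: one explicit inheritable ACE on the share root and
# the copies it produced on a subfolder and a file (flags 19 = 16 + 2 + 1).
SAMPLE = [
    (r"\\server1\D$", "DOMAIN\\Staff", "0:3:1245631"),
    (r"\\server1\D$\Projects", "DOMAIN\\Staff", "0:19:1245631"),
    (r"\\server1\D$\Projects\plan.doc", "DOMAIN\\Staff", "0:16:1245631"),
    (r"\\server1\D$\Projects\plan.doc", "BUILTIN\\Administrators", "0:16:2032127"),
]
```

Calling `plan_restore(SAMPLE)` yields one entry to replay (the root's explicit "0:3:1245631") and three inherited entries to skip; `describe_mask(parse_ace(ace)[2])` labels them Modify or Full Control.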
Article ID: W15203