Database Search
If you can't find the information using the categories below, post a question over in our WinBatch Tech Support Forum.
TechHome
wNT
 |
- 1219 Error with AddDrive
- Account Expires after wntUserAddDat
- Add Domain Group to Local Administrator Remotely
- Add Everyone to Administrators Group
- Add Global Groups in Domain
- Adding Domain to Workstation
- Adding Users and Setting Flags
- Adds User Account to Local Administrator Group
- Allow Inheritable Permissions from Parent
- Builtin Group SID convert to Name
- Bypass NT Ctrl Alt Del to Logon
- Changing Computer Name and Machine Account
- Changing Domain Passwords Sample Code
- Check For Disabled Computer Account
- Check if You Have Local Admin Rights
- Checking an Accounts Password
- Checking for Old Users
- Convert SID to User ID
- Converting SID to Domain - Account Name
- Create Directories and Set NT Access Permissions
- Dealling With Inheritiable Permissions
- Decode Logon Hours
- Determine if Computer is in a Workgroup or Domain
- Determine if PC is Member of Domain
- Determine Inheritance
- Determining if Current User is Authenticated
- Disable Allow Inheritable Permissions
- Domain Trusts Explained
- Error 673 WntPrivAdd
- Error 684 using wntAccess functions
- Find Domain for a Computer
- Foreign Language support of the Win32 Network Extender
- Get a Users Primary Group
- Get Domain User Info
- Get Machine Administrator Userid
- Get SID from Username
- Get the Currently Logged on User in NT
- Get the SID of a Workstation
- Get User Name and wntUserProps
- How to determine if a file is in use on LAN
- How to disable Allow inheritable permissions
- How to Get the Local Adminstrator Account
- How WntServerList Determines a Server
- Inherit NTFS Persmissions
- Interpreting Access Rights
- Is Domain User a Local Admin
- Is User Logged into Domain or Local Account
- Is wntChgPswd Encrypted
- Issue with AccessMod on Remote Machine
- Keeping Track of Last User Login
- List only Windows 2000 Systems
- List Open Connections
- List Terminal Servers
- Listing Directory Shares with Permissions
- Losing Mapped Drive Connections in XP
- Matching SID to ProfileList folder
- NT Auditing
- NT Extender and NT4 No Service Packs
- NT Network Extender and UPN Account Names
- Obtain Share Permissions
- Obtain user sid
- Port Required for WntUserGetDat
- Problems caused by ADMT
- Pull Trusted Domain List
- Reboot user with no shutdown privileges
- Remotely Reboot and wntShutDown
- Remove Everyone Access from D
- Rename User in an AD Domain
- Reset Passwords in Active Directory
- Reset Permissions when Inheritable is Enabled
- Rights to use wntFileUsers
- Runwithlogon and Bad Username
- RunWithLogon Parameter Size
- RunWithLogon versus RunAsUser
- Searching NT Users and Find by Last Name
- Server Description Field
- Setting File Permissions with wntAccessAdd
- Setting NT Policies
- Setting Service Permissions
- Shutdown All NT Servers
- SID values - AD - round tripping and ADMT
- Synchronize password from NT Domain to Novell
- The NT extender functions in Active Directories
- Trouble determining admin rights
- Trusting Domain List
- Unlock Account with wntUserSetDat
- User Login and Log out Information
- User Profile Last Logon
- Win 2000 AutoAdminLogon
- wntAccess... and Specifying Remote Drives
- WntAccessAdd and Change Modify Registry
- wntAccessAdd and Inherited Rights
- WntAccessAdd and Inheritence
- wntAccessAdd and Invalid User - Group
- wntAccessAdd and NTFS
- WntAccessAdd error 546 Invalid file directory name
- wntAccessAdd Inheritable Permissions
- wntAccessAdd Problem on NT 4
- wntAccessAdd Share Problem on Windows 7
- wntAccessAdd versus w95AccessAdd Tips
- wntAccessDel Error 599 Invalid Level
- wntAccessGet and Username Parameter
- WntAccessList DFS share
- wntAccessList Problem
- wntAccessMod Registry Issue
- wntAcctList Returns Incorrect Flag Values
- wntAcctPolSet Error
- wntAddDrive and Unicode
- WntAddDrive launches an Explorer window
- wntAddPrinter after WntRunAsUser
- wntauditadd and inheritance
- wntAuditAdd and MS Patch
- WntCancelCon Error 511 Device in Use
- wntChgPswd 562 Invalid User Name
- wntChgPswd and Error 586
- wntChgPswd and Error 589 Error Changing Password
- wntChgPswd and Error 677
- wntChgPswd behavior different between W2K and NT4
- wntCurrUsers Behavior
- wntDomainSync Error 695
- wntEventLog Problem
- wntGetCon Error 509 Network component is Not Started or Invalid
- wntMemberDel- error 571
- wntMemberGrps returns 0 on DC running AD
- wntMemberGrps wntMemberSet - 562 invalid user name
- wntMemberList Behavior
- wntMemberList Error 522
- wntMemberList Problems
- wntOwnerGet - wntOwnerSet Tips
- wntOwnerSet Error 547
- wntRemoteTime and 530 Access Denied Error
- wntRemoteTime and Daylight Savings Time
- wntRunAsUser -- Security Side Effects
- wntRunAsUser 713 Unable to Set Window Station Access
- wntRunAsUser and Act as Part of OS Clarification
- wntRunAsUser and Called Scripts
- wntRunAsUser and Debugging Problem
- wntRunAsUser and No Permission on Local Machine
- wntRunAsUser Discussion in French
- wntRunAsUser Error 637
- wntRunAsUser Error 638
- wntRunAsUser Function - 1
- wntRunAsUser Function - 2
- wntRunAsUser Function - 3
- wntRunAsUser Function Used Twice in Script
- wntRunAsUser RunWithLogon Security Context
- wntRunAsUser to AutoAdminLogon after Reboot
- wntRunAsUser Windowstation and Desktop Permissions on WinXP
- wntServerList and wntServiceAt
- wntServerType
- wntShutDown Error 694
- wntUser... and Update User Accounts
- wntUserAdd Adding a Domain User
- wntUserAdd Bug
- WntUserAddDat and Max_storage
- wntUserGetDat 524 Unable to Access Specified Server
- wntUserGetDat and Logon_hours Flag
- wntUserSetDat and Logon Hours
- wNTUserXXXDat Function and Flags
- wxxUserGetDat and Last Logon Date
Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.
wntAccessAdd and Inherited Rights
Keywords: wntAccessAdd and Inherited Rights error 545 wntAccessAdd wntAccessGet
Question:
After a checkdisk, I lost all ACEs in the DACL and wound up with Administrators and System with full control.We had complex ACEs ;^)
Any way I thought I'd write a script to capture all ACEs for all files and directories. I know, it's not pretty, but here it is anyway:
AddExtender("WWWNT34I.DLL")
server1="khzits31"
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Enumerate Shares on Server1
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
shares=wntsharelist(server1,16,0)
sharescount=itemcount(shares, @tab)
for a=1 to sharescount
share = itemextract(a,shares, @tab)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Check if Share is a Drive (less then 3 Characters i.e. C$, D$, etc.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
driveshare=strlen(share)
if driveshare<3
; if share=="H$"
uncshare=strcat("\\",server1,"\",share)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;List users with privileges for Share root i.e C:, D:, etc.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Users=wntAccesslist("",uncshare,300,1)
userscount=itemcount(users, @tab)
for ab=1 to userscount
user = itemextract(ab,users, @tab)
records=wntAccessGet("",uncshare,user,300,0)
owner=wntownerget("", 0, uncshare, 300, 1)
iniwritepvt(server1,"%uncshare%=%user%","%records%=%owner%","C:\TEMP\%server1%.txt")
next
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;List users with privileges for all files and directories
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
AddExtender("wsrch34i.dll")
objectcount=0
handle=srchInit(uncshare,"*.*","","",8+16+32)
while 1
object=srchNext(handle)
if object=="" then break
objectcount=objectcount+1
errormode(@off)
error1 = lasterror()
Users=wntAccesslist("",object,300,1)
ErrorMode(@CANCEL)
If error1 != 0 then iniwritepvt("ERRORS",object,error1,"C:\TEMP\%server1%.txt")
userscount=itemcount(users, @tab)
for b=1 to userscount
user = itemextract(b,users, @tab)
errormode(@off)
error2 = lasterror()
records=wntAccessGet("",object,user,300,0)
owner=wntownerget("", 0, object, 300, 1)
ErrorMode(@CANCEL)
If error2 != 0 then iniwritepvt("ERRORS",object,error1,"C:\TEMP\%server1%.txt")
fullpath=strcat(object,"=",user)
iniwritepvt(server1,fullpath,"%records%=%owner%","C:\TEMP\%server1%.txt")
next
endwhile
srchFree(handle)
endif
next
exit
It works, but the other script which (I thought) would read the file and reset the ACEs doesn't work. I get an error 545. Here it
comes:
AddExtender("WWWNT34I.DLL")
server1="khzits31"
netname=wntGetUser(@default)
ret=wntPrivGet("\\%server1%",netname,"SeRestorePrivilege", 0)
if ret==0
string1="You need SeRestorePrivilege on %server1% in order to rewrite Ownership Information on files.%@crlf%"
string2="DO NOT forget to log off and on again for the changes to take affect!%@crlf%%@crlf%"
string3="If you wish to make the changes yourself, press NO. If I should make the changes for you press YES."
addpriv=askyesno (netname, strcat(string1,string2,string3))
if addpriv==@YES
wntPrivAdd("\\%server1%",netname,"SeRestorePrivilege", 0)
message (netname, "Please log off and on again. After that you may run this program again!")
exit
else
Message(netname, "Grant yourself the SeRestorePrivilege on %server1%, log off and on again. After that you may run this program
again!")
exit
endif
endif
allerrors=iniitemizepvt ("Errors", "C:\TEMP\%server1%.txt")
allfiles=iniitemizepvt (server1, "C:\TEMP\%server1%.txt")
filescount=itemcount(allfiles, @tab)
for a=1 to filescount
file = itemextract(a,allfiles, @tab)
file_a=inireadpvt(server1, file, "", "C:\TEMP\%server1%.txt")
file=strcat(file, "=", file_a)
file=strreplace(file,"=", @TAB)
file=strreplace(file," ", "BLANKSPACEINFILENAME")
ParseData(file)
object=strreplace(param1,"BLANKSPACEINFILENAME"," ")
if param0 >1 then user=param2
if param0 >2 then perms=param3
if param0 >3 then owner=param4
if param0 <4 then owner="VORDEFINIERT\Administratoren"
errormode(@off)
error1 = lasterror()
wntAccessadd("",object,user,300,perms,0)
wntownerset("", 0, object, 300,user, 0)
ErrorMode(@CANCEL)
If error1 != 0 then iniwritepvt("ERRORS",object,error1,"C:\TEMP\setperm%server1%error.txt")
next
Exit
I seem to have problems with the output from wntAccessGet. (0:16:2032127 or 0:16:1245631 and Others)
How can it be interpreted in the second program.
Answer:
Read the docs for wntAccessAdd()/wntAccessDel() again. You will note that the access string is formatted as "x:y:z", where "x" represents the type of ACE, "y" represents the ACE flags and "Z" represents the access-mask. The important part here for dealing with your problem is that the INHERITED_ACE flag bit is turned on [flags & 16 = TRUE]. You cannot directly manipulate inherited ACEs. Instead, you need to find the explicitly assigned ACE which is *inheritable* and delete it; this will cause inherited copies of it to be removed from all child objects [e.g. subfolders, files] that may have inherited it.It is OK to report the existence of an inherited ACE for purposes of knowing what actual permissions apply to a securable object like a folder or a file, but you must not try to manipulate an inherited ACE when adding/removing permissions.
Modify your script to check for an inherited ACE and to skip all processing for inherited ACEs.
Something like:
MyACE = '0:16:1245631' Flags = Int(ItemExtract(1,MyACE,':')) if (Flags & 16) ; Skip this ACE else ; Process this ACE endif
Article ID: W15203
File Created: 2002:09:05:13:50:34
Last Updated: 2002:09:05:13:50:34