Rem - 15 Jun 2000

The Win32 Scripting Journal answers your questions.

Bob Wells

June 15, 2000



Do you have a scripting-related question or problem? You can send your question or problem to [email protected].

I have to change the audit settings on hundreds of files on dozens of servers. I couldn't find any command-line tool that changes auditing information, so I was happy to read about ADsSecurity.dll in your February 2000 column. According to the Microsoft Active Directory Service Interfaces (ADSI) software development kit (SDK), I should be able to use this DLL to change audit information. However, when I ran the code in Listing 1 on both a Windows 2000 system and a Windows NT system, the script stopped and displayed the error message C:\script.vbs(8, 1) Microsoft VBScript runtime error: Object required: 'sacl'. What's the problem?

ADsSecurity.dll doesn't currently support the System Access Control List (SACL). Nor is it likely to in the future for two reasons:

  • ADsSecurity.dll is part of the ADSI SDK Resource Kit. As such, it's not part of the OS and not officially supported.

  • Windows Management Instrumentation (WMI) already has the Security Provider, which lets you get and set security descriptors (including SACL) for file and directory objects. This Security Provider appears to be Microsoft's recommended solution for tasks of this nature.

WmiSec.vbs in Listing 2 shows how you can use the Security Provider to read a file's discretionary access control list (DACL) and SACL. This script uses the Win32_LogicalFileSecuritySetting class and GetSecurityDescriptor method to retrieve and echo the contents of a file's DACL and SACL. By default, the target file is the script. Simply change the value of strFile to retrieve and echo the contents of a different file's DACL and SACL. When you run WmiSec.vbs, the script echoes the Trustee, AccessMask, and AceFlags for each access control entry (ACE) in the DACL and SACL to the console screen, as Figure 1 shows.

WmiSec.vbs doesn't include any error-handling code. As a result, if the DACL or SACL doesn't contain any permission or auditing ACEs, the script fails with a runtime error. To quickly remedy the situation for learning and testing purposes, you can use the file's Properties dialog box to modify the file's Access Control Settings. Right-click the target file, and select Properties. In the Properties dialog box, select the Security tab, then click Advanced. Select the Auditing tab, and add some test auditing ACEs under Auditing Entries.
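As an added example (not the column's WmiSec.vbs, which isn't reproduced here), the following script reads a file's DACL and SACL through Win32_LogicalFileSecuritySetting and GetSecurityDescriptor and reports an absent or empty ACL instead of failing, which is the case the column says WmiSec.vbs doesn't handle. It assumes the account running it holds SeSecurityPrivilege, which the (Security) privilege in the moniker enables and which is required to read a SACL.

```vbscript
' Added example: dump a file's DACL and SACL with the WMI Security Provider,
' tolerating ACLs that are absent or empty (where WmiSec.vbs raises a runtime error).
Option Explicit

' Bits of Win32_SecurityDescriptor.ControlFlags
Const SE_DACL_PRESENT = &H4
Const SE_SACL_PRESENT = &H10

Dim strFile, objWMI, objFileSec, objSD, intRC
strFile = WScript.ScriptFullName           ' default target: this script, as in the column

' (Security) enables SeSecurityPrivilege, which is needed to read the SACL
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
' Backslashes in a WMI object path must be doubled
Set objFileSec = objWMI.Get("Win32_LogicalFileSecuritySetting.Path='" & Replace(strFile, "\", "\\") & "'")

intRC = objFileSec.GetSecurityDescriptor(objSD)
If intRC <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed, return code " & intRC
    WScript.Quit intRC
End If

WScript.Echo "File:  " & strFile
WScript.Echo "Owner: " & objSD.Owner.Domain & "\" & objSD.Owner.Name
DumpAcl "DACL", objSD.DACL, (objSD.ControlFlags And SE_DACL_PRESENT) <> 0
DumpAcl "SACL", objSD.SACL, (objSD.ControlFlags And SE_SACL_PRESENT) <> 0

' Echo Trustee, AccessMask and AceFlags for each ACE. An ACL whose present bit is
' clear, or whose array is Null (no entries), is reported rather than dereferenced.
Sub DumpAcl(strName, arrAces, blnPresent)
    Dim objAce
    WScript.Echo vbCrLf & strName & ":"
    If (Not blnPresent) Or IsNull(arrAces) Then
        WScript.Echo "  (no entries)"
        Exit Sub
    End If
    For Each objAce In arrAces
        WScript.Echo "  Trustee: " & objAce.Trustee.Domain & "\" & objAce.Trustee.Name
        WScript.Echo "    AceType: " & objAce.AceType & "  AccessMask: &H" & Hex(objAce.AccessMask) & _
                     "  AceFlags: " & objAce.AceFlags
    Next
End Sub
```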

To programmatically modify DACL or SACL contents in the file system, you use WMI's Win32_LogicalFileSecuritySetting class and the SetSecurityDescriptor method. You can learn about these and other classes and methods in the Security Provider in the WMI SDK documentation. To access the documentation online, go to the Microsoft Developer Network (MSDN) Online Library (http://msdn.microsoft.com/library/default.asp) and navigate to Platform SDK, Management Services, Windows Management Instrumentation, WMI Provider Programming, WMI Providers, Security Provider, Using the Security Provider.
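The following is an added example (not code from the column) of the SetSecurityDescriptor side: it appends an audit ACE to a file's SACL so that successful and failed writes and deletes by a group are logged. The path C:\Temp\audited.txt is a placeholder and the trustee BUILTIN\Users is an assumption; as with reading the SACL, the (Security) privilege in the moniker is required.

```vbscript
' Added example: add a SYSTEM_AUDIT ACE to a file's SACL via
' Win32_LogicalFileSecuritySetting.SetSecurityDescriptor.
Option Explicit

Const SE_SACL_PRESENT            = &H10     ' Win32_SecurityDescriptor.ControlFlags bit
Const SYSTEM_AUDIT_ACE_TYPE      = 2        ' Win32_ACE.AceType for an audit entry
Const SUCCESSFUL_ACCESS_ACE_FLAG = &H40     ' Win32_ACE.AceFlags: audit successful access
Const FAILED_ACCESS_ACE_FLAG     = &H80     ' Win32_ACE.AceFlags: audit failed access
Const FILE_GENERIC_WRITE         = &H120116 ' write-type file rights
Const DELETE_RIGHT               = &H10000  ' standard DELETE right

Dim strFile, objWMI, objFileSec, objSD, objTrustee, objAce, arrOld, arrSacl, i, intRC
strFile = "C:\Temp\audited.txt"             ' placeholder target file

' (Security) turns on SeSecurityPrivilege, without which the SACL can't be read or written
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
Set objFileSec = objWMI.Get("Win32_LogicalFileSecuritySetting.Path='" & Replace(strFile, "\", "\\") & "'")
intRC = objFileSec.GetSecurityDescriptor(objSD)
If intRC <> 0 Then WScript.Quit intRC

' Build the trustee (assumed: BUILTIN\Users) and the audit ACE
Set objTrustee = objWMI.Get("Win32_Trustee").SpawnInstance_
objTrustee.Domain = "BUILTIN"
objTrustee.Name   = "Users"

Set objAce = objWMI.Get("Win32_ACE").SpawnInstance_
objAce.Trustee    = objTrustee
objAce.AceType    = SYSTEM_AUDIT_ACE_TYPE
objAce.AceFlags   = SUCCESSFUL_ACCESS_ACE_FLAG Or FAILED_ACCESS_ACE_FLAG
objAce.AccessMask = FILE_GENERIC_WRITE Or DELETE_RIGHT

' Copy the existing SACL (Null when it has no entries) into a new array and append the ACE
If IsNull(objSD.SACL) Then
    arrSacl = Array(objAce)
Else
    arrOld = objSD.SACL
    ReDim arrSacl(UBound(arrOld) + 1)
    For i = 0 To UBound(arrOld)
        Set arrSacl(i) = arrOld(i)
    Next
    Set arrSacl(UBound(arrSacl)) = objAce
End If

objSD.SACL         = arrSacl
objSD.ControlFlags = objSD.ControlFlags Or SE_SACL_PRESENT   ' mark the SACL as present
intRC = objFileSec.SetSecurityDescriptor(objSD)
WScript.Echo "SetSecurityDescriptor returned " & intRC & " (0 = success)"
```

The new entries only generate events once "Audit object access" is enabled in the system's audit policy.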

To programmatically modify DACL or SACL contents in the Active Directory (AD), you use ADSI's standard security interfaces: IADsSecurityDescriptor, IADsAccessControlList, and IADsAccessControlEntry. (For information about these security interfaces, see Alistair Lowe-Norris, "An ADSI Primer, Part 10: Permissions and Auditing Basics," October 1999, and "An ADSI Primer, Part 11: More on Scripting Permissions and Auditing," November 1999.) When you work with AD objects' SACL, ADSI doesn't retrieve the SACL by default. To retrieve and modify the SACL, you must first use the IADsObjectOptions interface to set the ADS_SECURITY_INFO_SACL flag. For information about how to perform this operation, go to the MSDN Online Library and navigate to Platform SDK; Networking and Directory Services; Active Directory, ADSI, and Directory Services; Active Directory Service Interfaces (ADSI); ADSI Reference; ADSI Enumerations; ADS_SECURITY_INFO_ENUM.

I need to write a REG_MULTI_SZ value to the Registry. According to the Windows Script Host (WSH) 2.0 documentation, the WshShell object's RegWrite method doesn't support the REG_MULTI_SZ data type. How can I write this value?

You can write REG_MULTI_SZ values to the Registry in a couple of ways. You can use the reg.exe utility in the Microsoft Windows NT Server 4.0 Resource Kit or WMI's Standard Registry Provider to perform this task. In the Code Library on the Win32 Scripting Journal Web site (http://www.win32scripting.com), you'll find two scripts—WshReg.vbs and WmiReg.vbs—that demonstrate these solutions. WshReg.vbs uses reg.exe; WmiReg.vbs uses the Standard Registry Provider. Both scripts create a new key named tmp in the HKEY_CURRENT_USER hive, then create and initialize the REG_MULTI_SZ value.
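As an added example (not the column's WmiReg.vbs), this script uses the Standard Registry Provider's CreateKey and SetMultiStringValue methods to create the tmp key under HKEY_CURRENT_USER and write a REG_MULTI_SZ value there, then reads it back with GetMultiStringValue. The value name Servers and the three strings are constructed sample data.

```vbscript
' Added example: write and read back a REG_MULTI_SZ value with StdRegProv,
' which WshShell.RegWrite cannot do.
Option Explicit

Const HKEY_CURRENT_USER = &H80000001

Dim objReg, strKeyPath, strValueName, arrValues, arrReadBack, intRC, strItem
strKeyPath   = "tmp"                                     ' key under HKCU, as in the column's scripts
strValueName = "Servers"                                 ' constructed value name
arrValues    = Array("server1", "server2", "server3")    ' constructed sample strings

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

intRC = objReg.CreateKey(HKEY_CURRENT_USER, strKeyPath)
If intRC <> 0 Then
    WScript.Echo "CreateKey failed: " & intRC
    WScript.Quit intRC
End If

intRC = objReg.SetMultiStringValue(HKEY_CURRENT_USER, strKeyPath, strValueName, arrValues)
If intRC <> 0 Then
    WScript.Echo "SetMultiStringValue failed: " & intRC
    WScript.Quit intRC
End If

' Read the value back to confirm the strings round-trip intact
intRC = objReg.GetMultiStringValue(HKEY_CURRENT_USER, strKeyPath, strValueName, arrReadBack)
If intRC = 0 Then
    WScript.Echo "HKCU\" & strKeyPath & "\" & strValueName & " (REG_MULTI_SZ):"
    For Each strItem In arrReadBack
        WScript.Echo "  " & strItem
    Next
Else
    WScript.Echo "GetMultiStringValue failed: " & intRC
End If
```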
