0

我是 Python 新手。我正在尝试为此代码中的所有用户设置访问权限。脚本运行,但未反映或设置访问权限。我正在尝试为这些用户的所有打印机设置以下权限:

  • 每个人 - 打印
  • CREATOR OWNER - 管理文档
  • 任何管理员 - 打印、管理打印机、管理文档
  • 管理员 - 打印、管理打印机、管理文档
  • 所有其他用户 - 打印

这是代码:

import win32com.client
import win32security
from win32security import DACL_SECURITY_INFORMATION, TRUSTEE_IS_NAME, TRUSTEE_IS_USER
import win32net
import win32security
import win32netcon
import win32file

ManagePrinters = 983052
ManageDocuments = 983088
Print = 131080
ReadPermissions = 131072
GenericAll = 268435456
GenericExecute =  536870912

administrators = []

compliant = True

for x in win32net.NetLocalGroupGetMembers("localhost","Administrators", 2)[0]:
username =  x["domainandname"]
usersid = str(win32security.LookupAccountName("",username)[0])[6:]
administrators.append(usersid)

info=win32security.DACL_SECURITY_INFORMATION

strComputer = "."
objWMIService = win32com.client.Dispatch("WbemScripting.SWbemLocator")
objSWbemServices = objWMIService.ConnectServer(strComputer,"root\cimv2")
colItems = objSWbemServices.ExecQuery("SELECT * FROM Win32_Printer")
for objItem in colItems:
secDes = win32security.GetNamedSecurityInfo(objItem.DeviceID, win32security.SE_PRINTER, win32security.DACL_SECURITY_INFORMATION)
dacl = secDes.GetSecurityDescriptorDacl()
for count in range(dacl.GetAceCount()):
    ace = dacl.GetAce(count)
    accessMask = ace[1]
    sidArr = str(ace[2]).split(":",1)
    sid = sidArr[1]
    newAcl = win32security.ACL(128)


    if "S-1-3-0" in sid:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
        newAcl.AddAccessAllowedAce(GenericAll, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
    elif "S-1-1-0" in sid:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
    elif "S-1-5-32-544" in sid:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
        newAcl.AddAccessAllowedAce(GenericAll, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
        newAcl.AddAccessAllowedAce(ManagePrinters, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
    elif sid in administrators:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(ManageDocuments, ace[2])
        newAcl.AddAccessAllowedAce(GenericAll, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
        newAcl.AddAccessAllowedAce(ManagePrinters, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])
    else:
        newAcl.AddAccessAllowedAce(Print, ace[2])
        newAcl.AddAccessAllowedAce(GenericExecute, ace[2])
        newAcl.AddAccessAllowedAce(ReadPermissions, ace[2])

    secDes.SetSecurityDescriptorDacl(1, newAcl, 0)

print "done"
4

1 回答 1

1

看起来您实际上并未将修改后的 DACL 应用于打印机。尝试使用 win32security.SetNamedSecurityInfo。

于 2012-07-27T01:28:57.723 回答