2

Goal: add share-level read/write permissions for a local user account to an existing file share.

I've hit a wall developing this. Apparently Microsoft wants you to add the user's ACE to the DACL, then put that back into the share's security descriptor (1). (No, NET SHARE /ADD does not work on an existing share; I was surprised.)

In theory this should be simple, but my main concern is doing it wrong and losing the existing share permissions (lots of network users, specific groups). The solution needs to scale to a few thousand shares. I'm working on having the solution output data about the existing DACLs in case I need to back out. I should write code to interpret that log and be ready to add them all back if anything goes wrong.

Currently I'm using VBScript. I feel PowerShell may be a more robust approach, but VBScript/WMI is a known quantity.

Research: (1) http://blogs.msdn.com/b/helloworld/archive/2008/07/22/editing-share-permission.aspx

4

1 Answer

1

Copy the existing ACEs into an array:

rc = shareSec.GetSecurityDescriptor(sd)
ReDim acl(UBound(sd.DACL)+1)  '+1 for the new ACE we're going to add
For i = 0 To UBound(sd.DACL)
  Set acl(i) = sd.DACL(i)
Next

Add the new ACE to that array:

Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), 2032127)

The functions NewTrustee() and NewACE() wrap the instructions for creating the trustee and the ACE. The number is the access mask for Full Control.

Create a new security descriptor and assign it to the share:

Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl
rc = shareSec.SetSecurityDescriptor(sd)

See this page for more details on security descriptors, trustees, ACLs and ACEs.


Complete script:

Const FullControl = 2032127   ' 0x1F01FF, the FILE_ALL_ACCESS mask

' modify these variables according to your requirements:
computer = "."
share    = "..."
username = "..."
domain   = CreateObject("WScript.Network").UserDomain

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" _
  & computer & "/root/cimv2")
' fetch the share's security setting through the same connection, so the
' script also works when "computer" is a remote host
Set shareSec = wmi.Get("Win32_LogicalShareSecuritySetting.Name='" _
  & share & "'")

Function NewTrustee(name, domain)
  Dim trustee, account

  Set trustee = wmi.Get("Win32_Trustee").SpawnInstance_
  trustee.Name   = name
  trustee.Domain = domain
  ' resolve the account to its SID and store the SID's binary form
  Set account = wmi.Get("Win32_UserAccount.Domain='" & domain & "',Name='" _
    & name & "'")
  trustee.Properties_.Item("SID") = wmi.Get("Win32_SID.SID='" & account.SID _
    & "'").BinaryRepresentation

  Set NewTrustee = trustee
End Function

Function NewACE(trustee, permissions)
  Dim ace : Set ace = wmi.Get("Win32_Ace").SpawnInstance_
  ace.Properties_.Item("AccessMask") = permissions
  ace.Properties_.Item("AceFlags") = 3   ' OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
  ace.Properties_.Item("AceType") = 0    ' ACCESS_ALLOWED_ACE_TYPE
  ace.Properties_.Item("Trustee") = trustee
  Set NewACE = ace
End Function

' copy existing ACEs
rc = shareSec.GetSecurityDescriptor(sd)
If rc <> 0 Then
  WScript.Echo "GetSecurityDescriptor failed with return code " & rc
  WScript.Quit rc
End If
flags = sd.ControlFlags
ReDim acl(UBound(sd.DACL)+1)  '+1 for the new ACE we're going to add
For i = 0 To UBound(sd.DACL)
  Set acl(i) = sd.DACL(i)
Next
Set sd = Nothing

' add new ACE
Set acl(UBound(acl)) = NewACE(NewTrustee(username, domain), FullControl)

' prepare new security descriptor
Set sd = wmi.Get("Win32_SecurityDescriptor").SpawnInstance_
sd.ControlFlags = flags
sd.DACL = acl

' assign new security descriptor
rc = shareSec.SetSecurityDescriptor(sd)
If rc <> 0 Then WScript.Echo "SetSecurityDescriptor failed with return code " & rc
answered 2012-11-12T09:50:44.777
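The question mentions wanting a PowerShell variant and a log of the existing DACLs that can be replayed if something goes wrong. The following is an added example, not code from the question or the answer above. It does the same WMI work as the VBScript (read the Win32_LogicalShareSecuritySetting descriptor, append a Win32_Ace, write the descriptor back) and adds a backup of the current DACL plus a restore function built from that backup. It assumes PowerShell 2.0 or later, rights to change share permissions on the target host, and that the share and account named in the parameters (placeholders here) exist. Unlike the Win32_UserAccount lookup in the VBScript, the SID is resolved with NTAccount.Translate, which works for groups as well as users.

```powershell
# Added example (not from the original post): add a share-level ACE with WMI
# from PowerShell, after saving the existing DACL so it can be restored.
# Assumptions: PowerShell 2.0+, rights to modify share permissions on
# $ComputerName, and that the placeholder share/account below exist.
param(
    [string]$ComputerName = '.',
    [string]$ShareName    = 'Data',         # placeholder share name
    [string]$Account      = 'CORP\jdoe',    # placeholder DOMAIN\user or DOMAIN\group
    [string]$BackupDir    = 'C:\ShareAclBackup'
)

# Same numeric values the VBScript uses
$FullControl  = 2032127   # 0x1F01FF
$ChangeAccess = 1245631   # 0x1301BF
$ReadAccess   = 1179817   # 0x1200A9
$AceTypeAllow = 0         # ACCESS_ALLOWED_ACE_TYPE
$AceInherit   = 3         # OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE

function Get-ShareSecuritySetting([string]$Computer, [string]$Name) {
    $s = Get-WmiObject -ComputerName $Computer -Class Win32_LogicalShareSecuritySetting `
                       -Filter "Name='$Name'"
    if (-not $s) { throw "Share '$Name' not found on '$Computer'" }
    return $s
}

# Build a Win32_Ace from plain values; $Sid is the string form (S-1-5-21-...)
function New-ShareAce([string]$Computer, [string]$Domain, [string]$Name,
                      [string]$Sid, [int]$AccessMask, [int]$AceFlags, [int]$AceType) {
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $bytes  = New-Object byte[] $sidObj.BinaryLength
    $sidObj.GetBinaryForm($bytes, 0)

    $trustee = ([wmiclass]"\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
    if ($Domain) { $trustee.Domain = $Domain }    # well-known SIDs such as Everyone have none
    $trustee.Name = $Name
    $trustee.SID  = $bytes

    $ace = ([wmiclass]"\\$Computer\root\cimv2:Win32_Ace").CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = $AceFlags
    $ace.AceType    = $AceType
    $ace.Trustee    = $trustee
    return $ace
}

# Save the current DACL as plain data (CLIXML) so it can be rebuilt later
function Backup-ShareDacl($Setting, [string]$Path) {
    $sd = $Setting.GetSecurityDescriptor().Descriptor
    $entries = @()
    foreach ($ace in $sd.DACL) {               # a null DACL simply yields no entries
        $sid = New-Object System.Security.Principal.SecurityIdentifier($ace.Trustee.SID, 0)
        $entries += New-Object PSObject -Property @{
            Domain = $ace.Trustee.Domain; Name = $ace.Trustee.Name; Sid = $sid.Value
            AccessMask = $ace.AccessMask; AceFlags = $ace.AceFlags; AceType = $ace.AceType
        }
    }
    Export-Clixml -InputObject $entries -Path $Path
    return $entries.Count
}

# Replace the share's DACL with $Aces; the fetched descriptor is reused, so its
# ControlFlags, owner and group stay as they were
function Set-ShareDacl($Setting, $Aces) {
    $sd = $Setting.GetSecurityDescriptor().Descriptor
    $dacl = @()
    foreach ($a in $Aces) { $dacl += $a.PSObject.BaseObject }
    $sd.DACL = $dacl
    $rc = $Setting.SetSecurityDescriptor($sd).ReturnValue
    if ($rc -ne 0) { throw "SetSecurityDescriptor failed with return code $rc" }
}

# Append one allow ACE for $AccountName to the ACEs already on the share
function Add-ShareAccess($Setting, [string]$Computer, [string]$AccountName, [int]$Mask) {
    $sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $domain, $name = $AccountName -split '\\', 2
    if (-not $name) { $name = $domain; $domain = $null }   # no DOMAIN\ prefix given
    $new = New-ShareAce $Computer $domain $name $sid $Mask $AceInherit $AceTypeAllow
    $existing = @()
    foreach ($a in $Setting.GetSecurityDescriptor().Descriptor.DACL) { $existing += $a }
    Set-ShareDacl $Setting ($existing + $new)
}

# Rebuild the DACL from a file written by Backup-ShareDacl (the rollback path)
function Restore-ShareDacl($Setting, [string]$Computer, [string]$Path) {
    $aces = @()
    foreach ($e in (Import-Clixml -Path $Path)) {
        $aces += New-ShareAce $Computer $e.Domain $e.Name $e.Sid $e.AccessMask $e.AceFlags $e.AceType
    }
    Set-ShareDacl $Setting $aces
}

$setting = Get-ShareSecuritySetting $ComputerName $ShareName
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
$backup = Join-Path $BackupDir ('{0}_{1}.xml' -f $ShareName, (Get-Date -Format 'yyyyMMddHHmmss'))
$count  = Backup-ShareDacl $setting $backup
Write-Host "Saved $count existing ACE(s) for \\$ComputerName\$ShareName to $backup"

Add-ShareAccess $setting $ComputerName $Account $FullControl

# Verify: exactly one ACE was added; otherwise put the saved DACL back
$dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
if (@($dacl).Count -ne $count + 1) {
    Restore-ShareDacl $setting $ComputerName $backup
    throw "Unexpected DACL size after change; restored from $backup"
}
$dacl | ForEach-Object { '{0}\{1}: 0x{2:X}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AccessMask }
```

For a rollout across thousands of shares, run the backup step for every share first and keep the XML files; `Restore-ShareDacl` rebuilds a share's DACL from its file without depending on what is currently set. Two caveats: share permissions are combined with NTFS permissions, so a Full Control share ACE grants nothing beyond what the NTFS ACL on the folder allows; and on Windows Server 2012 / Windows 8 and later the SmbShare module's `Grant-SmbShareAccess` cmdlet adds a share ACE without any of this WMI plumbing, though it does not give you the backup file.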