cs_Angus59 (posts: 12; registered: Thursday 8 April 2004; status: Member; last activity: 8 April 2005) - 8 April 2005 at 16:02
Hello everyone,
A few days ago I posted a message about an NTFS permissions problem, but I did not get any replies.
Now I have found an API that works well, BUT it does not change the subdirectories; it only changes the permissions of the parent directory. Can you help me? Do you have an idea of how to modify the code so that the permissions are also changed in the subdirectories? Thanks.
---------------------------------------------------------------------------------------------
'Example from MSDN (Q240176)
'The following code changes permissions on a folder to Add & Read or Change.
'The folder needs to be created on an NTFS partition.
'You need to be an Administrator on the machine in question and have read/write
'(READ_CONTROL and WRITE_DAC) access to the file or directory.
'1. Create a Standard EXE project in Visual Basic. Form1 is created by default.
'2. Add two Textboxes (Text1 and Text2) and two CommandButtons (Command1 and Command2) to Form1.
'3. Add the following code to the form and the module
'4. Run the application.
'5. In the Text1 TextBox, enter the name of the folder you want to change permissions on. (D:\test is entered by default.)
' In the Text2 TextBox, enter the name of the user you want to give these permissions to.
'6. Click the Add & Read permissions button to give Add & Read permissions to the folder, or click the Change Permissions
' button to give Change permissions to the folder.
'7. To check the permissions on the folder, right-click Explorer. Select the Properties menu item, and click the Security
' Tab of the Properties dialog box. On the Security tab, click the Permissions button. The specific account should say
' Add & Read or Change depending on which button you clicked in the preceding sample.
'Add this code to the form
Private Sub Command1_Click()
Dim sUserName As String
Dim sFolderName As String
sUserName = Trim$(CStr(Text2.Text))
sFolderName = Trim$(CStr(Text1.Text))
SetAccess sUserName, sFolderName, GENERIC_READ Or GENERIC_EXECUTE Or DELETE Or GENERIC_WRITE
End Sub
Private Sub Command2_Click()
Dim sUserName As String
Dim sFolderName As String
sUserName = Trim$(Text2.Text)
sFolderName = Trim$(Text1.Text)
SetAccess sUserName, sFolderName, GENERIC_EXECUTE Or GENERIC_READ
End Sub
Private Sub Form_Load()
Text1.Text = "enter folder name"
Text2.Text = "enter username"
Command1.Caption = "Change"
Command2.Caption = "Read && Add"
End Sub
'Add this code to a module
' Constants used within our API calls. Refer to the MSDN for more
' information on how/what these constants are used for.
' The file/security API call constants.
' Refer to the MSDN for more information on how/what these constants
' are used for.
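Public Const DACL_SECURITY_INFORMATION = &H4
Public Const SECURITY_DESCRIPTOR_REVISION = 1
Public Const SECURITY_DESCRIPTOR_MIN_LENGTH = 20
Public Const SD_SIZE = (65536 + SECURITY_DESCRIPTOR_MIN_LENGTH)
Public Const ACL_REVISION2 = 2
Public Const ACL_REVISION = 2
Public Const MAXDWORD = &HFFFFFFFF
Public Const SidTypeUser = 1
Public Const AclSizeInformation = 2
' Generic and standard access rights used in the masks passed to SetAccess.
Public Const GENERIC_READ = &H80000000
Public Const GENERIC_WRITE = &H40000000
Public Const GENERIC_EXECUTE = &H20000000
Public Const DELETE = &H10000
' The following are the inherit flags that go into the AceFlags field
' of an Ace header.
Public Const OBJECT_INHERIT_ACE = &H1
Public Const CONTAINER_INHERIT_ACE = &H2
Public Const INHERIT_ONLY_ACE = &H8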
' Structures used by our API calls.
' Refer to the MSDN for more information on how/what these
' structures are used for.
Type ACE_HEADER
AceType As Byte
AceFlags As Byte
AceSize As Integer
End Type
Public Type ACCESS_DENIED_ACE
Header As ACE_HEADER
Mask As Long
SidStart As Long
End Type
Type ACCESS_ALLOWED_ACE
Header As ACE_HEADER
Mask As Long
SidStart As Long
End Type
Type ACL
AclRevision As Byte
Sbz1 As Byte
AclSize As Integer
AceCount As Integer
Sbz2 As Integer
End Type
Type ACL_SIZE_INFORMATION
AceCount As Long
AclBytesInUse As Long
AclBytesFree As Long
End Type
Type SECURITY_DESCRIPTOR
Revision As Byte
Sbz1 As Byte
Control As Long
Owner As Long
Group As Long
sACL As ACL
Dacl As ACL
End Type
' API calls used within this sample. Refer to the MSDN for more
' information on how/what these APIs do.
Declare Function GetComputerName Lib "kernel32" Alias "GetComputerNameA" (ByVal lpBuffer As String, nSize As Long) As Long
Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
Declare Function LookupAccountName Lib "advapi32.dll" Alias "LookupAccountNameA" (lpSystemName As String, ByVal lpAccountName As String, sid As Any, cbSid As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Long) As Long
Declare Function InitializeSecurityDescriptor Lib "advapi32.dll" (pSecurityDescriptor As SECURITY_DESCRIPTOR, ByVal dwRevision As Long) As Long
Declare Function GetSecurityDescriptorDacl Lib "advapi32.dll" (pSecurityDescriptor As Byte, lpbDaclPresent As Long, pDacl As Long, lpbDaclDefaulted As Long) As Long
Declare Function GetFileSecurityN Lib "advapi32.dll" Alias "GetFileSecurityA" (ByVal lpFileName As String, ByVal RequestedInformation As Long, ByVal pSecurityDescriptor As Long, ByVal nLength As Long, lpnLengthNeeded As Long) As Long
Declare Function GetFileSecurity Lib "advapi32.dll" Alias "GetFileSecurityA" (ByVal lpFileName As String, ByVal RequestedInformation As Long, pSecurityDescriptor As Byte, ByVal nLength As Long, lpnLengthNeeded As Long) As Long
Declare Function GetAclInformation Lib "advapi32.dll" (ByVal pAcl As Long, pAclInformation As Any, ByVal nAclInformationLength As Long, ByVal dwAclInformationClass As Long) As Long
Public Declare Function EqualSid Lib "advapi32.dll" (pSid1 As Byte, ByVal pSid2 As Long) As Long
Declare Function GetLengthSid Lib "advapi32.dll" (pSid As Any) As Long
Declare Function InitializeAcl Lib "advapi32.dll" (pAcl As Byte, ByVal nAclLength As Long, ByVal dwAclRevision As Long) As Long
Declare Function GetAce Lib "advapi32.dll" (ByVal pAcl As Long, ByVal dwAceIndex As Long, pace As Any) As Long
Declare Function AddAce Lib "advapi32.dll" (ByVal pAcl As Long, ByVal dwAceRevision As Long, ByVal dwStartingAceIndex As Long, ByVal pAceList As Long, ByVal nAceListLength As Long) As Long
Declare Function AddAccessAllowedAce Lib "advapi32.dll" (pAcl As Byte, ByVal dwAceRevision As Long, ByVal AccessMask As Long, pSid As Byte) As Long
Public Declare Function AddAccessDeniedAce Lib "advapi32.dll" (pAcl As Byte, ByVal dwAceRevision As Long, ByVal AccessMask As Long, pSid As Byte) As Long
Declare Function SetSecurityDescriptorDacl Lib "advapi32.dll" (pSecurityDescriptor As SECURITY_DESCRIPTOR, ByVal bDaclPresent As Long, pDacl As Byte, ByVal bDaclDefaulted As Long) As Long
Declare Function SetFileSecurity Lib "advapi32.dll" Alias "SetFileSecurityA" (ByVal lpFileName As String, ByVal SecurityInformation As Long, pSecurityDescriptor As SECURITY_DESCRIPTOR) As Long
Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, ByVal hpvSource As Long, ByVal cbCopy As Long)
Public Sub SetAccess(sUserName As String, sFileName As String, lMask As Long)
Dim lResult As Long ' Result of various API calls.
Dim I As Integer ' Used in looping.
Dim bUserSid(255) As Byte ' This will contain your SID.
Dim bTempSid(255) As Byte ' This will contain the SID of each ACE in the ACL.
Dim sSystemName As String ' Name of this computer system.
Dim lSystemNameLength As Long ' Length of string that contains
' the name of this system.
Dim lLengthUserName As Long ' Max length of user name.
'Dim sUserName As String * 255 ' String to hold the current user
' name.
Dim lUserSID As Long ' Used to hold the SID of the
' current user.
Dim lTempSid As Long ' Used to hold the SID of each ACE in the ACL
Dim lUserSIDSize As Long ' Size of the SID.
Dim sDomainName As String * 255 ' Domain the user belongs to.
Dim lDomainNameLength As Long ' Length of domain name needed.
Dim lSIDType As Long ' The type of SID info we are
' getting back.
Dim sFileSD As SECURITY_DESCRIPTOR ' SD of the file we want.
Dim bSDBuf() As Byte ' Buffer that holds the security
' descriptor for this file.
Dim lFileSDSize As Long ' Size of the File SD.
Dim lSizeNeeded As Long ' Size needed for SD for file.
Dim sNewSD As SECURITY_DESCRIPTOR ' New security descriptor.
Dim sACL As ACL ' Used in grabbing the DACL from
' the File SD.
Dim lDaclPresent As Long ' Used in grabbing the DACL from
' the File SD.
Dim lDaclDefaulted As Long ' Used in grabbing the DACL from
' the File SD.
Dim sACLInfo As ACL_SIZE_INFORMATION ' Used in grabbing the ACL
' from the File SD.
Dim lACLSize As Long ' Size of the ACL structure used
' to get the ACL from the File SD.
Dim pAcl As Long ' Current ACL for this file.
Dim lNewACLSize As Long ' Size of new ACL to create.
Dim bNewACL() As Byte ' Buffer to hold new ACL.
Dim sCurrentACE As ACCESS_ALLOWED_ACE ' Current ACE.
Dim pCurrentAce As Long ' Our current ACE.
Dim nRecordNumber As Long
' Get the SID of the user. (Refer to the MSDN for more information on SIDs
' and their function/purpose in the operating system.) Get the SID of this
' user by using the LookupAccountName API. In order to use the SID
' of the current user account, call the LookupAccountName API
' twice. The first time is to get the required sizes of the SID
' and the DomainName string. The second call is to actually get
' the desired information.
lResult = LookupAccountName(vbNullString, sUserName, _
bUserSid(0), 255, sDomainName, lDomainNameLength, _
lSIDType)
' Now set the sDomainName string buffer to its proper size before
' calling the API again.
sDomainName = Space(lDomainNameLength)
' Call the LookupAccountName again to get the actual SID for user.
lResult = LookupAccountName(vbNullString, sUserName, _
bUserSid(0), 255, sDomainName, lDomainNameLength, _
lSIDType)
' Return value of zero means the call to LookupAccountName failed;
' test for this before you continue.
If (lResult = 0) Then
MsgBox "Error: Unable to Lookup the Current User Account: " _
& sUserName
Exit Sub
End If
' You now have the SID for the user who is logged on.
' The SID is of interest since it will get the security descriptor
' for the file that the user is interested in.
' The GetFileSecurity API will retrieve the Security Descriptor
' for the file. However, you must call this API twice: once to get
' the proper size for the Security Descriptor and once to get the
' actual Security Descriptor information.
lResult = GetFileSecurityN(sFileName, DACL_SECURITY_INFORMATION, _
0, 0, lSizeNeeded)
' Redimension the Security Descriptor buffer to the proper size.
ReDim bSDBuf(lSizeNeeded)
' Now get the actual Security Descriptor for the file.
lResult = GetFileSecurity(sFileName, DACL_SECURITY_INFORMATION, _
bSDBuf(0), lSizeNeeded, lSizeNeeded)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Get the File Security Descriptor"
Exit Sub
End If
' Call InitializeSecurityDescriptor to build a new SD for the
' file.
lResult = InitializeSecurityDescriptor(sNewSD, _
SECURITY_DESCRIPTOR_REVISION)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Initialize New Security Descriptor"
Exit Sub
End If
' You now have the file's SD and a new Security Descriptor
' that will replace the current one. Next, pull the DACL from
' the SD. To do so, call the GetSecurityDescriptorDacl API
' function.
lResult = GetSecurityDescriptorDacl(bSDBuf(0), lDaclPresent, _
pAcl, lDaclDefaulted)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Get DACL from File Security " _
& "Descriptor"
Exit Sub
End If
' You have the file's SD, and want to now pull the ACL from the
' SD. To do so, call the GetACLInformation API function.
' See if ACL exists for this file before getting the ACL
' information.
If (lDaclPresent = False ) Then
MsgBox "Error: No ACL Information Available for this File"
Exit Sub
End If
' Attempt to get the ACL from the file's Security Descriptor.
lResult = GetAclInformation(pAcl, sACLInfo, Len(sACLInfo), 2&)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Get ACL from File Security Descriptor"
Exit Sub
End If
' Now that you have the ACL information, compute the new ACL size
' requirements.
lNewACLSize = sACLInfo.AclBytesInUse + (Len(sCurrentACE) + _
GetLengthSid(bUserSid(0))) * 2 - 4
' Resize our new ACL buffer to its proper size.
ReDim bNewACL(lNewACLSize)
' Use the InitializeAcl API function call to initialize the new
' ACL.
lResult = InitializeAcl(bNewACL(0), lNewACLSize, ACL_REVISION)
' A return code of zero means the call failed; test for this
' before continuing.
If (lResult = 0) Then
MsgBox "Error: Unable to Initialize New ACL"
Exit Sub
End If
' If a DACL is present, copy it to a new DACL.
If (lDaclPresent) Then
' Copy the ACEs from the file to the new ACL.
If (sACLInfo.AceCount > 0) Then
' Grab each ACE and stuff them into the new ACL.
nRecordNumber = 0
For I = 0 To (sACLInfo.AceCount - 1)
' Attempt to grab the next ACE.
lResult = GetAce(pAcl, I, pCurrentAce)
' Make sure you have the current ACE under question.
If (lResult = 0) Then
MsgBox "Error: Unable to Obtain ACE (" & I & ")"
Exit Sub
End If
' You have a pointer to the ACE. Place it
' into a structure, so you can get at its size.
CopyMemory sCurrentACE, pCurrentAce, LenB(sCurrentACE)
'Skip adding the ACE to the ACL if this is same usersid
lTempSid = pCurrentAce + 8
If EqualSid(bUserSid(0), lTempSid) = 0 Then
' Now that you have the ACE, add it to the new ACL.
lResult = AddAce(VarPtr(bNewACL(0)), ACL_REVISION, _
MAXDWORD, pCurrentAce, _
sCurrentACE.Header.AceSize)
' Make sure you have the current ACE under question.
If (lResult = 0) Then
MsgBox "Error: Unable to Add ACE to New ACL"
Exit Sub
End If
nRecordNumber = nRecordNumber + 1
End If
Next I
' You have now rebuilt a new ACL and want to add it to
' the newly created DACL.
lResult = AddAccessAllowedAce(bNewACL(0), ACL_REVISION, _
lMask, bUserSid(0))
' Make sure added the ACL to the DACL.
If (lResult = 0) Then
MsgBox "Error: Unable to Add ACL to DACL"
Exit Sub
End If
'If it's a directory, we need to add the inheritance flags.
If GetAttr(sFileName) And vbDirectory Then
' Attempt to grab the next ACE which is what we just added.
lResult = GetAce(VarPtr(bNewACL(0)), nRecordNumber, pCurrentAce)
' Make sure you have the current ACE under question.
If (lResult = 0) Then
MsgBox "Error: Unable to Obtain ACE (" & I & ")"
Exit Sub
End If
' You have a pointer to the ACE. Place it
' into a structure, so you can get at its size.
CopyMemory sCurrentACE, pCurrentAce, LenB(sCurrentACE)
sCurrentACE.Header.AceFlags = OBJECT_INHERIT_ACE + INHERIT_ONLY_ACE
CopyMemory ByVal pCurrentAce, VarPtr(sCurrentACE), LenB(sCurrentACE)
'add another ACE for files
lResult = AddAccessAllowedAce(bNewACL(0), ACL_REVISION, _
lMask, bUserSid(0))
' Make sure added the ACL to the DACL.
If (lResult = 0) Then
MsgBox "Error: Unable to Add ACL to DACL"
Exit Sub
End If
' Attempt to grab the next ACE.
lResult = GetAce(VarPtr(bNewACL(0)), nRecordNumber + 1, pCurrentAce)
' Make sure you have the current ACE under question.
If (lResult = 0) Then
MsgBox "Error: Unable to Obtain ACE (" & I & ")"
Exit Sub
End If
CopyMemory sCurrentACE, pCurrentAce, LenB(sCurrentACE)
sCurrentACE.Header.AceFlags = CONTAINER_INHERIT_ACE
CopyMemory ByVal pCurrentAce, VarPtr(sCurrentACE), LenB(sCurrentACE)
End If
' Set the file's Security Descriptor to the new DACL.
lResult = SetSecurityDescriptorDacl(sNewSD, 1, _
bNewACL(0), 0)
' Make sure you set the SD to the new DACL.
If (lResult = 0) Then
MsgBox "Error: " & _
"Unable to Set New DACL to Security Descriptor"
Exit Sub
End If
' The final step is to add the Security Descriptor back to
' the file!
lResult = SetFileSecurity(sFileName, _
DACL_SECURITY_INFORMATION, sNewSD)
' Make sure you added the Security Descriptor to the file!
If (lResult = 0) Then
MsgBox "Error: Unable to Set New Security Descriptor " _
& " to File : " & sFileName
MsgBox Err.LastDllError
Else
MsgBox "Updated Security Descriptor on File: " _
& sFileName
End If
End If
End If
End Sub
crenaud76 (posts: 4172; registered: Wednesday 30 July 2003; status: Member; last activity: 9 June 2006) - 8 April 2005 at 17:11
Write a loop that lists the subdirectories and call the SetAccess() function from the body of that loop. There are plenty of examples on this source-code site for searching subfolders... I will leave you the pleasure of looking.
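The loop suggested in the reply above, as an added example that is not part of the original thread: a recursive walk that calls the thread's SetAccess on a folder, then on its subfolders and files. SetAccessRecursive and the decision to skip reparse points are assumptions added here; GetFileAttributes is the standard kernel32 call.

```vb
' Added example (not from the thread): place in the same module as SetAccess.
Private Declare Function GetFileAttributes Lib "kernel32" Alias "GetFileAttributesA" _
    (ByVal lpFileName As String) As Long

Private Const FILE_ATTRIBUTE_DIRECTORY As Long = &H10
Private Const FILE_ATTRIBUTE_REPARSE_POINT As Long = &H400
Private Const INVALID_FILE_ATTRIBUTES As Long = -1

' Hypothetical helper: applies lMask for sUserName to sFolder and everything below it.
Public Sub SetAccessRecursive(sUserName As String, ByVal sFolder As String, lMask As Long)
    Dim colEntries As New Collection
    Dim vEntry As Variant
    Dim sName As String
    Dim sPath As String
    Dim lAttr As Long

    ' Normalise "D:\data\" to "D:\data", but leave a drive root such as "D:\" alone.
    If Len(sFolder) > 3 And Right$(sFolder, 1) = "\" Then
        sFolder = Left$(sFolder, Len(sFolder) - 1)
    End If

    ' Parent first: once the new ACE is on the folder, its children can be listed.
    SetAccess sUserName, sFolder, lMask

    ' Dir$ keeps one global search state, so collect every name before recursing.
    sName = Dir$(sFolder & "\*", vbDirectory Or vbHidden Or vbSystem Or vbReadOnly)
    Do While Len(sName) > 0
        If sName <> "." And sName <> ".." Then colEntries.Add sFolder & "\" & sName
        sName = Dir$()
    Loop

    For Each vEntry In colEntries
        sPath = vEntry
        lAttr = GetFileAttributes(sPath)
        If lAttr = INVALID_FILE_ATTRIBUTES Then
            Debug.Print "Skipped (attributes unreadable): " & sPath
        ElseIf (lAttr And FILE_ATTRIBUTE_REPARSE_POINT) <> 0 Then
            ' Junctions and symbolic links are not followed, so the ACL change
            ' cannot leave the tree that was passed in or loop back on itself.
            Debug.Print "Skipped (reparse point): " & sPath
        ElseIf (lAttr And FILE_ATTRIBUTE_DIRECTORY) <> 0 Then
            SetAccessRecursive sUserName, sPath, lMask
        Else
            SetAccess sUserName, sPath, lMask
        End If
    Next vEntry
End Sub
```

SetAccess as posted shows a MsgBox on every call, so replace those calls with logging before running this over a large tree.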
cs_Angus59 - 8 April 2005 at 20:09
Hello,
Indeed, that could work,
but the problem is that you have to know that the folder, subfolders and files have the user permissions set to Full Control, so listing the subfolders and files will not be possible, I think.
To summarize, and I should point out that I have an admin logon:
Example with the tree of a user directory
Permissions assigned on the user directory, subdirectories and files:
- "the user's NT account" with Full Control
- "Auditeurs" with List
What I want:
To add, or to replace the initial permissions with, "Administrateurs" with Full Control on the user directory, subdirectories and files.
The problem:
I do not want to use the Windows Take Ownership function.
I have already tried with a shell using XCACLS, but it is not powerful enough in this case because, to repeat myself, the exclusive permissions are "the user's NT account" with Full Control and Auditeurs with List.
Otherwise we have another tool: FSA. It is fast, but it is on a workstation used exclusively for FSA, so you have to move to another office, and my goal is to bring everything together in a VB application that I am currently building.
It is an application that will be used when a user is transferred to a new server:
Step 1: take ownership of the entire user directory
Step 2: copy to the new server
Step 3: modify the user's NT account (change of rights, new server, etc.)
Step 4: reassign the new permissions on the entire user directory on the destination server
Step 5: delete the old user directory on the source server.
There, that roughly sums up my application: the only problem is with assigning and reassigning the rights; otherwise all the other steps are operational.
crenaud76 - 9 April 2005 at 21:38
A really dumb, very brute-force solution, but one that works. Back up your data, then restore it without restoring the NTFS permissions!!! That way you will have Full Control over the restored data (you will in fact be its creator), and then you run your routine to set all the permissions correctly again.
I know, it is very brute force, but it works. I have already done this.