[2000.01.07] After working all week on getting ADSI to work to create Users automatically in Win NT and to add them to pre-existing groups, I've now got some VFP code that uses the ADSI COM interface. This is translated from code in http://www.15seconds.com/issue/pv980316.htm -- Peter Somers
Parameter pUser, pPassword, pGroup
set step off
#DEFINE thiscomputer "YourDomain"
on Error do ErrHand
for each usr in dom
for each usrx in gpx
? usr.name+" ("+usrgrp+")"
for each usr in dom
for each Member in grp.Members
if !isnull(Member) and Member.Class="User"
? usr.name+" ("+uMemb+")"
? "Error Num:",error()," Message:",Message()
[11/08/99], Refactored from topic Windows Scripting Host
Ed: Do any ActiveX objects allow access to Access Control Lists? I really would like some script-based components that would allow checking, assigning and removing user and group names from folder and directory ACLs. -- Randy Pearson
Randy - what you're looking for are Microsoft's ADSI ActiveX controls, which can be scripted or used directly from a VFP app. Rick Strahl has a good whitepaper on ADSI and VFP on his West Wind Web site, and I've recently run into a really good book on ADSI (ISBN 186100169X; from an ASP standpoint, but easy enough to translate to VFP, and if you use HTML to manage your network, it's right on topic.) The book is ADSI ASP Programmer's Reference from WROX Press, and it deals in detail with all of the ADSI automation models (and there are a lot of them.) If you're planning to administer a Win2K network, this is a definite must.
Ed: Thanks. I do already have the Wrox book. But there is still a piece missing. I can use ADSI to add/modify users and groups. And I can use the FileSystemObject to do various file stuff. But neither of these, as far as I can tell, gives me ACL access (i.e., lets me set permissions). What I need to be able to do is create a directory or file (which I can do now), and then assign read/write permissions to specific users or groups under program control. If there is an object that does that, I've missed it so far. -- Randy P
Randy, you haven't missed it - take a look at p. 214 of ADSI ASP for why ADSI doesn't do ACLs under NT 4, but does in Win2K environments. You might want to take a run out to The WSH FAQ Site and see if there are any sample scripts that might help. Another site would be devhead script library site - again, I don't know of anything that addresses your needs exactly, but these are two of the best scripting sites available.
Rick has removed the supporting file for this from the Web Connect install. He said on wwThreads:
This method is no longer supported. Well, officially it never was. It never worked quite correctly unfortunately so I had to pull it. It would set the rights properly sometimes but not always. Couldn't ever figure out how to get it to work as this is a heinous piece of Win32 code snatched from MSDN...
-- Andrew Coates
Take a look at the NTSecurity object in the WebServer.VCX in your TOOLS directory of Web Connection. It can set ACLs on files, but unfortunately it doesn't work for directories. I couldn't figure out how to get it to work on directories. -- Rick Strahl
Unfortunately directories are the main items I need to control. I did notice that each directory has 2 ACL entries. One appears to be for the directory itself, and the other is for defaults on files placed in that directory. Maybe that has something to do with why you could not get it working? -- Randy P
What about just invoking CACLS to do this? You should be able to find some details on using it at The NT FAQ Web Site, under the topic How can I change access permissions from the command line?
CACLS is pretty easy to use, and can be invoked from a script using the Wscript.Shell Run method.
Good on'ya Ed! Here's an excerpt from a user management class I use. This assumes that the user's folder is set up under the main cRootFolder folder. In this case, it grants them read-only access to the folder (it's in an app where they need to be able to FTP in and download stuff only). I've not tested this against anything but the local machine either, so caveat downloader.
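this.AddStatusLine([Setting ACL entry])
local lcUser, lcFolder, lnRights
lcUser = alltrim(this.cComputerName) + [\] + alltrim(tcUserName)
lcFolder = addbs(this.cRootFolder) + alltrim(tcUserName)
local loWSH, lcCommand
loWSH = CreateObject("WScript.Shell")
* /T = recurse into subdirectories, /E = edit the existing ACL instead of
* replacing it, /C = continue on access denied errors, /G user:R = grant read
lcCommand = [cacls "] + lcFolder + [" /T /E /C /G ] + lcUser + [:R]
* Run returns the exit code only when it waits for the command (third
* argument .T.); without it Run returns 0 immediately. 0 means success.
if loWSH.Run(lcCommand, 1, .T.) <> 0
   this.AddStatusLine([Error Setting ACL])
   this.nError = ERROR_COULDNOTSETACL
endif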
-- Andrew Coates
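The excerpt above concatenates tcUserName into both the folder path and the cacls command line, so the name has to be restricted before it gets there. One way to do that from a WSH script, as an added example that is not code from the original thread: the function names, the allow-list pattern and the set of rights are assumptions.

```javascript
// Added example, not code from the original thread. Plain ES3, so the same
// file runs under cscript.exe (JScript) and under other JavaScript engines.

// Assumption: names are letters, digits, '.', '_' or '-', at most 20
// characters, starting with a letter or digit. Anything else is rejected
// rather than escaped, so no quote, space, backslash or shell metacharacter
// reaches the command line or the folder path.
var SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$/;
var RIGHTS = { R: true, C: true, F: true };   // cacls: Read, Change, Full control

function checkName(kind, value) {
  if (typeof value !== "string" || !SAFE_NAME.test(value) ||
      value.indexOf("..") !== -1 || value.charAt(value.length - 1) === ".") {
    throw new Error("rejected " + kind);
  }
  return value;
}

// Builds the same command line as the excerpt above:
//   cacls "<root>\<user>" /T /E /C /G <computer>\<user>:<right>
// rootFolder is trusted configuration (the class's cRootFolder), but it still
// must not contain a double quote, which would end the quoted path early.
function buildCaclsCommand(rootFolder, computerName, userName, right) {
  if (typeof rootFolder !== "string" || rootFolder === "" ||
      rootFolder.indexOf('"') !== -1) {
    throw new Error("rejected root folder");
  }
  if (!RIGHTS.hasOwnProperty(right)) {
    throw new Error("rejected right");
  }
  var user = checkName("user name", userName);
  var computer = checkName("computer name", computerName);
  var last = rootFolder.charAt(rootFolder.length - 1);
  var root = last === "\\" ? rootFolder : rootFolder + "\\";
  return 'cacls "' + root + user + '" /T /E /C /G ' +
         computer + "\\" + user + ":" + right;
}

// WSH only: runs the command hidden and waits for it, so Run returns the
// exit code of cacls instead of returning 0 immediately.
function runCacls(command) {
  var shell = new ActiveXObject("WScript.Shell");
  return shell.Run(command, 0, true);
}
```

Under cscript, pass the result of buildCaclsCommand to runCacls and treat a non-zero return as a failure.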
Category ActiveX Category Code Samples
( Topic last updated: 2003.02.24 07:53:58 PM )