Access Control Lists


Namespace: VB
[2000.01.07] After working all week on getting ADSI to work to create Users automatically in Win NT and to add them to pre-existing groups, I've now got some VFP code that uses the ADSI COM interface. This is translated from code in http://www.15seconds.com/issue/pv980316.htm Peter Somers

Code follows:
* Usage: DO thisprg WITH "username", "password", "groupname" creates the user
*        (or reuses an existing one), sets its password and adds it to the group.
*        DO thisprg with no parameters lists every user and group instead.
Parameter pUser, pPassword, pGroup
set step off
clear
#DEFINE thiscomputer "YourDomain"      && domain or machine name for the WinNT: provider
dom=GetObject("WinNT://"+thiscomputer)
on Error do ErrHand
lErr=0                                 && while 0, the first error is swallowed (see ErrHand)

if parameters()=3
   usr=dom.Create("user",pUser)        && errors (and ErrHand sets lErr=1) if the user exists
   if lErr=0
      usr.SetInfo()                    && commit the new account
   else
      usr=dom.GetObject("User",pUser)  && account already exists: bind to it instead
   endi
   usr.SetPassword(pPassword)
   usr.SetInfo()
   grp=dom.GetObject("Group",pGroup)
   grp.Add("WinNT://"+thiscomputer+"/"+pUser)
   cancel
else
   lErr=1                              && nothing to swallow here: report every error
   ? "USERS"
   ? "-----"
   for each usr in dom
      if usr.class="User"
         gpx=usr.Groups                && groups this user belongs to
         usrgrp=''
         for each usrx in gpx
            usrgrp=usrgrp+usrx.name+","
         endfor
         ? usr.name+" ("+usrgrp+")"
      endi
   endfor
   ?
   ? "GROUPS"
   ? "------"
   for each usr in dom
      uMemb=''
      if usr.class="Group"
         grp=dom.GetObject("Group",usr.Name)
         for each Member in grp.Members  && list only the user accounts in the group
            if !isnull(Member) and Member.Class="User"
               uMemb=uMemb+Member.name+","
            endi
         endfor
         ? usr.name+" ("+uMemb+")"
      endi
   endfor
   cancel
endi

* Error handler: the first error while lErr=0 (the expected "user already
* exists" from dom.Create) is recorded silently; any later error is printed.
Procedure ErrHand
   if lErr=0
      lErr=1
      return
   endi
   ? "Error Num:",error()," Message:",Message()
return


---
[11/08/99], Refactored from topic Windows Scripting Host
Ed: Do any ActiveX objects allow access to Access Control Lists? I really would like some script-based components that would allow checking, assigning and removing user and group names from folder and directory ACLs. -- Randy Pearson
Randy - what you're looking for are Microsoft's ADSI ActiveX controls, which can be scripted or used directly from a VFP app. Rick Strahl has a good whitepaper on ADSI and VFP on his West Wind Web site, and I've recently run into a really good book on ADSI ISBN 186100169X from an ASP standpoint, but easy enough to translate to VFP, and if you use HTML to manage your network, it's right on topic. The book is ADSI ASP Programmer's Reference from WROX Press, and it deals in detail with all of the ADSI automation models (and there are a lot of them.) If you're planning to administer a Win2K network, this is a definite must.

Ed Rauh
Ed: Thanks. I do already have the Wrox book. But there is still a piece missing. I can use ADSI to add/modify users and groups. And I can use the FileSystemObject to do various file stuff. But neither of these, as far as I can tell, give me ACL access (ie, let me set permissions). What I need to be able to do is create a directory or file (which I can do now), and then assign read/write permissions to specific users or groups under program control. If there is an object that does that, I've missed it so far. -- Randy P
Randy, you haven't missed it - take a look at p. 214 of ADSI ASP for why ADSI doesn't do ACLs under NT 4, but does in Win2K environments. You might want to take a run out to The WSH FAQ Site and see if there are any sample scripts that might help. Another site would be devhead script library site - again, I don't know of anything that addresses your needs exactly, but these are two of the best scripting sites available.

Ed Rauh
Rick has removed the supporting file for this from the Web Connect install. He said on wwThreads:
This method is no longer supported. Well, officially it never was. It never worked quite correctly unfortunately so I had to pull it. It would set the rights properly sometimes but not always. Couldn't ever figure out how to get it to work as this is a heinous piece of Win32 code snatched from MSDN...
-- Andrew Coates

Take a look at the NTSecurity object in the WebServer.VCX in your TOOLS directory of Web Connection. It can set ACLs on files, but unfortunately it doesn't work for directories. I couldn't figure out how to get it to work on directories. -- Rick Strahl
Unfortunately directories are the main items I need to control. I did notice that each directory has 2 ACL entries. One appears to be for the directory itself, and the other is for defaults on files placed in that directory. Maybe that has something to do with why you could not get it working? -- Randy P
What about just invoking CACLS to do this. You should be able to find some details on using it at The NT FAQ Web Site, under the topic How can I change access permissions from the command line? CACLS is pretty easy to use, and can be invoked from a script using the Wscript.Shell Run method.

Ed Rauh

Good on'ya Ed! Here's an excerpt from a user management class I use. This assumes that the user's folder is set up under the main cRootFolder folder. In this case, it grants them read-only access to the folder (it's in an app where they need to be able to FTP in and download stuff only). I've not tested this against anything but the local machine either, so caveat downloader.

lParameters tcUserName

this.AddStatusLine([Setting ACL entry])

local lcUser, lcFolder
lcUser = alltrim(this.cComputerName) + [\] + alltrim(tcUserName)
lcFolder = addbs(this.cRootFolder) + alltrim(tcUserName)

local loWsh, lcCommand
loWsh = CreateObject("WScript.Shell")
* /T recurses, /E edits the existing ACL instead of replacing it,
* /C keeps going on access-denied errors, /G grants the user Read (R) only
lcCommand = [cacls "] + lcFolder + [" /T /E /C /G ] + lcUser + [:R]
this.AddStatusLine(lcCommand)
* Run must be told to wait (third argument .T.); otherwise it returns 0 at once,
* before CACLS has run, and the exit code test below always reports OK
if loWsh.Run(lcCommand, 0, .T.) = 0
	this.AddStatusLine([OK])
else
	this.AddStatusLine([Error Setting ACL])
	this.nError = ERROR_COULDNOTSETACL   && constant defined elsewhere in the class's include file
endif

-- Andrew Coates
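Pulling Randy's observation and Andrew's snippet together, here is an added example (not code from any of the posts above) that grants a user read-only access with CACLS the same way, but waits for CACLS to finish so the exit code means something, refuses input that would break the command's quoting, and then reads the resulting ACL back through WScript.Shell.Exec to confirm the entry landed as (OI)(CI)R. Those two inheritance flags are the two entries per directory Randy noticed: (CI) carries the entry to subfolders, (OI) to the files created in the folder. It assumes a Windows machine with CACLS on the path and WSH 5.6 or later for Exec, that the folder already exists and is passed without a trailing backslash, and the program, function and parameter names are made up for the example.

```foxpro
* Added example, not from the wiki posts: grant read-only access with CACLS,
* wait for the exit code, then read the ACL back and check the entry.
* tcFolder is passed without a trailing backslash: a \ right before the
* closing quote would be read as an escaped quote by the command-line parser.
lparameters tcFolder, tcUser
local lnExit, lcAclText

lnExit = GrantReadOnly(tcFolder, tcUser)
if lnExit <> 0
   ? "cacls failed, exit code", lnExit
   return .F.
endif

lcAclText = ReadAcl(tcFolder)
? lcAclText
return AclHasReadOnly(lcAclText, tcUser)

function GrantReadOnly(tcFolder, tcUser)
   local loWsh, lcCommand
   * A double quote in either value would end the quoted argument early and
   * let the rest of the value be parsed as switches, so refuse it outright.
   if ["] $ tcFolder or ["] $ tcUser
      return -1
   endif
   * /E edits the existing ACL instead of replacing it, /T applies the change
   * to existing subfolders and files, /C continues past access-denied errors,
   * /G adds a grant. The trustee is quoted so a name with a space survives.
   lcCommand = [cacls "] + tcFolder + [" /T /E /C /G "] + tcUser + [":R]
   loWsh = createobject("WScript.Shell")
   * Third argument .T. makes Run wait and return the CACLS exit code;
   * without it Run returns 0 immediately, before CACLS has done anything.
   return loWsh.Run(lcCommand, 0, .T.)
endfunc

function ReadAcl(tcFolder)
   local loWsh, loExec, lcOut
   loWsh = createobject("WScript.Shell")
   * CACLS with no switches just lists the ACL; Exec (WSH 5.6+) exposes
   * the child's stdout, and reading to the end blocks until it exits.
   loExec = loWsh.Exec([cacls "] + tcFolder + ["])
   lcOut = ""
   do while not loExec.StdOut.AtEndOfStream
      lcOut = lcOut + loExec.StdOut.ReadLine() + chr(13) + chr(10)
   enddo
   return lcOut
endfunc

function AclHasReadOnly(tcAclText, tcUser)
   * CACLS prints one trustee per line as DOMAIN\user:(OI)(CI)R. (CI) means
   * the entry is inherited by subfolders and (OI) by files created in the
   * folder, the pair of entries the NT 4 permissions dialog showed.
   return upper(tcUser) + ":(OI)(CI)R" $ upper(tcAclText)
endfunc
```

Run it as DO thisprg WITH "C:\Users\bob", "MACHINE\bob" and it returns .T. only when CACLS exited with 0 and the read-back ACL carries the expected inheriting read entry; reporting success from the exit code alone, as Andrew's snippet did, is not enough, because Run without the wait flag never sees that code.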
Category ActiveX Category Code Samples
( Topic last updated: 2003.02.24 07:53:58 PM )