in reply to Directory level access

I would be remiss in my monk duties if I did not begin with these cautions:

  1. You have a long, large Perl program in which you neither:
    1. use strict, nor
    2. use warnings (-w).
    In Perl programming, this is the equivalent of keeping a loaded gun pointed at your anesthetized foot. You *will* shoot yourself in the foot one day, and you may not even know it at the time it happens. *Please* take the time to adopt the strict and warnings habits, and to retrofit your code to work cleanly under their yoke. Most monks would be very happy to help teach you this.
  2. You posted large sample code, much of which was not relevant to your problem. To better understand why this is not in your own best interest, please read the "Post Only Relevant Code" section of How (Not) To Ask A Question.

Here is the first piece of the puzzle: From the Win32::AdminMisc FAQ, in the section on GetGroups:

If the 3rd parameter is an array reference then upon success the user names populate the array. If it is a hash reference then it is populated with the group name, comment, type (local or global) and if it is a global group then the group's flags.

I wrote and ran this test code:
```perl
#!/usr/bin/perl -w
use strict;
use warnings 'all';
use Win32::AdminMisc;

my $server = '';    # Use local machine.
my %groups;
Win32::AdminMisc::GetGroups($server, GROUP_TYPE_ALL, \%groups)
    or warn "Failed: $!, $^E";

foreach my $group (keys %groups) {
    printf "%s\t%s\n", $groups{$group}{type}, $group;
}

# Uncomment next two lines to see all data from %groups hash.
#use Data::Dumper;
#print Dumper \%groups;
```
I received this output:
global  None
local   Replicator
local   Users
local   Backup Operators
local   Administrators
local   Guests
local   Power Users

What do you get when you run this code on a server that you "right-clicked and selected" on? How does it differ from what you expected?

I can add this code:
```perl
use Win32::FileSecurity;

my $filename = 'C:/WINNT/twain_32';
my %hash;
Win32::FileSecurity::Get($filename, \%hash)
    or warn "Get failed: $!";

while ( my ( $ACL_owner, $mask ) = each %hash ) {
    $ACL_owner =~ s{.+\\}{};
    my @perms;
    Win32::FileSecurity::EnumerateRights($mask, \@perms)
        or warn "Enumerate failed: $!";
    my $ACL_owner_type = $groups{$ACL_owner}{type} || 'User';
    print "$ACL_owner ($ACL_owner_type):\n";
    @perms = $perms[0];    # only print one permission while testing.
    print "\t\t\t$_\n" foreach @perms;
}
```
and receive this output:
Administrators (local):
                        DELETE
CREATOR OWNER (User):
                        GENERIC_ALL
Power Users (local):
                        DELETE
SYSTEM (User):
                        DELETE
Users (local):
                        READ_CONTROL

I think that solves part 2 of your question. Let me know if any of my code needs further explanation.

If you will answer the question I posed above (right after the first block of output), then perhaps the answer to part 1 will be clearer to myself or another monk.

Re: Win32 ACLs: Local vs Global groups
by blackadder (Hermit) on Jun 12, 2002 at 10:58 UTC
    Brother Kudra and all monks who are helping me: I JUST CANNOT THANK YOU ENOUGH, your reply to me is like a ray of sunshine... I will get on with your recommendations in a moment, thank you indeed (and I hope to be a Monk as well). I will get back to you all with my findings as soon as. GodBlessYou Bros
Re: Win32 ACLs: Local vs Global groups
by blackadder (Hermit) on Jun 13, 2002 at 11:23 UTC
    All worked nicely, however I couldn’t use strict with the recursive routine that accesses directories and sub directories (but this is the least of my worries at the moment. I can use File::Find module I suppose but I will continue with the recursive access for the time being).
    Finally and most importantly is: if I wanted to remove the 'everyone' account from accessing certain directories or sub directories without having to remove the account from the PDC? Is this possible?
    I tried using Win32::NetAdmin::UserDelete, but this did not work.
    Can someone help me please?
    I have marked the bit that doesn't in my code below:
    ```perl
    use Win32;
    use warnings 'all';
    use Win32::FileSecurity;
    use Win32::NetAdmin;
    use Win32::AdminMisc;

    my $unc_path = shift @ARGV;
    my $accnt    = pop @ARGV;
    $unc_path = "\\\\" . $unc_path;
    print "\n\nPath to scan=>\t'$unc_path'\t\t Account to remove=>\t'$accnt'\n\n";

    my %groups;
    Win32::AdminMisc::GetGroups($unc_path, GROUP_TYPE_ALL, \%groups)
        || warn "\nFailed : $!, $^E\n";
    foreach my $group (keys %groups) {
        printf "%s\t%s\n", $groups{$group}{type}, $group;
    }

    print "\n\nUser permissioned\n";
    my %hash;
    Win32::FileSecurity::Get("$unc_path", \%hash) || warn "Get failed : $!\n";
    while (my ($acl_owner, $mask) = each %hash) {
        $acl_owner =~ s{.+\\}{};
        my @perms;
        Win32::FileSecurity::EnumerateRights($mask, \@perms)
            || warn "EnumerateRights failed : $!\n";
        my $acl_owner_type = $groups{$acl_owner}{type} || 'user';
        print "$acl_owner ($acl_owner_type): ";
        if ( $acl_owner =~ /everyone/i ) {
            print "This account is about to be deleted\n";
            #THIS BIT DOES NOT WORK
            Win32::NetAdmin::UserDelete($unc_path, $acl_owner);
        }
        @perms = $perms[0];
        foreach (@perms) { print "\t\t\t$_\n" }
    }
    ```
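
An added example, not code from this thread or from any of its posters: Win32::NetAdmin::UserDelete acts on the account database, while access to a directory is decided by the entries in that directory's ACL, so one way to drop the Everyone entry is to read the ACL with Win32::FileSecurity::Get, delete that key and write the remainder back with Win32::FileSecurity::Set. The path below is a hypothetical placeholder, and the script assumes the entry's key ends in "Everyone", with or without a prefix.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Win32::FileSecurity;

# Hypothetical placeholder path; pass the real directory as the first argument.
my $dir       = shift(@ARGV) || '\\\\SERVER\\share\\dir';
my $principal = 'Everyone';

# Keys may carry a DOMAIN\ or BUILTIN\ prefix, so match on the last component.
my $is_target = qr/(?:^|\\)\Q$principal\E$/i;

my %acl;
Win32::FileSecurity::Get($dir, \%acl)
    or die "Get failed on $dir: $^E\n";

my @doomed = grep { $_ =~ $is_target } keys %acl;
unless (@doomed) {
    print "No $principal entry on $dir; nothing to change.\n";
    exit 0;
}

# Log the rights being removed so the change can be reviewed or restored.
for my $name (@doomed) {
    my @rights;
    Win32::FileSecurity::EnumerateRights($acl{$name}, \@rights);
    print "Removing '$name' from $dir: @rights\n";
    delete $acl{$name};
}

# An empty DACL denies all access, so never write one by accident.
die "Refusing to write an empty ACL to $dir\n" unless %acl;

# Write the remaining entries back; trap a croak instead of trusting a return value.
eval { Win32::FileSecurity::Set($dir, \%acl); 1 }
    or die "Set failed on $dir: $@\n";

# Read the ACL back and confirm the entry is really gone.
my %after;
Win32::FileSecurity::Get($dir, \%after)
    or die "Verification Get failed on $dir: $^E\n";
my @left = grep { $_ =~ $is_target } keys %after;
die "Entry still present on $dir: @left\n" if @left;

print "$principal removed from $dir; remaining entries:\n";
print "\t$_\n" for sort keys %after;
```

Each directory carries its own ACL, so covering a tree means running this per directory, for example from a File::Find callback.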