in reply to User Manager for Groups

I think you need to clarify, for yourself mostly, what it is you are trying to do here.

...i need to give access to some users in some groups....
  1. First what kind of access?

    Read, Write, Execute, Delete, Change permissions, Ownership.

  2. If your concerned with giving permissions to users, you should either:
    1. deal with the users as individuals and ignore the group(s) they belong to and give each individual explicit rights on a per file/directory basis.

      This allows very fine grain control, but rapidly becomes a nightmare to administer.

      When you add a new file or directory, you then need to track down all the users that need to have access by backtracking from some other file or directory set of ACLs/DACLs to find the users and groups that have access to that and then add the new file to each.

      And when you add a new user, you then need to track down every file and directory and give this new user permissions to access every one individually.

      This is what I think your asking for code to do in this post. It is the 'Wrong Way'. That way lies madness of a particularly insideous and nasty kind:)

    2. Or, the better, simpler method is to ignore the individuals and only deal with a group (or groups). You make the files/directories belong to a group that you set up for this specific purpose.

      You then make new Users members of this group and they gain all the right accesses to all the appropriate files in one simple step.

      And when you add new files or directories, you just set it/them to be owned by the special group, and everyone who is a member of the group instantly has the right permissions.

  3. Of course, if you've started out using the former method, and are now trying to automate the process, then you probably need code to do the backtracking.

    As particle mentions above, Win32::FileSecurity will allow you to find out what permissions are set on individual files.

    Specifically, the Get( $file_or_path, \%permission ); will get you a list of users and/or groups that have DACLs set for the given file.

    You can then translate the masks returned for each user and group in the hash to the corresponding set of specific permission using the EnumerateRights( $mask, \@rights );

    Win32::NetAdmin GroupGetMembers( ... ); will allow you to find the all the members for each group that has specific permissions, but you should really just apply any new permissions to the group rather than to the individual members of it.

Overall, if your currently using the former method, I strongly recommend you move to the latter method as soon as possible. From experience, I can assure you that the pain of the transition is more than compensated for by the ease of management once it is completed.

Examine what is said, not who speaks.
"Efficiency is intelligent laziness." -David Dunham
"When I'm working on a problem, I never think about beauty. I think only how to solve the problem. But when I have finished, if the solution is not beautiful, I know it is wrong." -Richard Buckminster Fuller

Replies are listed 'Best First'.
Re: Re: User Manager for Groups
by rupesh (Hermit) on Jul 22, 2003 at 06:36 UTC
    Hey BrowserUK!,
    Thanks for your reply. It was really informative.
    The features in the perl script that i was trying to code would only list the groups, the users in those groups and apparently genrerate a report with the data, provided a folder path was given as input.
    I strongly believe in your latter suggestion of managing groups and not individual users, which i would like to automate in the near future. And I haven't been following your former method either since i'm not an admin. All i wanted to do was automate the report.

    we're born with our eyes closed and our mouths wide open, and we spend our entire life trying to rectify that mistake of nature. - anonymous.
[reply]

In Section Seekers of Perl Wisdom