Discussion:
Win32_LogicalShareSecuritySetting fails on Win2003
Gerry Hickman
2009-05-20 14:36:21 UTC
Hi,

If I create a new Win32_Share on Win2003 Server SP2, using only required
parameters, the Share is created, but the Security is set to EVERYONE:F
(null DACL). This is NOT expected and causes calls to
Win32_LogicalShareSecuritySetting to fail.

This KB article explains the problem (but on Windows 2000)

http://support.microsoft.com/kb/321201

The article says the resolution is to apply security permissions to the
share, BUT this will only work from the GUI. I don't think there's a way to
set security on these shares using WMI because you can't obtain the
Win32_LogicalShareSecuritySetting. I don't think this should be happening on
Windows Server 2003.

If I run the same test on Vista, everything works correctly and the security
will be EVERYONE:R.
--
Gerry Hickman
London (UK)
Hongye Sun [MSFT]
2009-05-22 08:02:01 UTC
Hi Gerry,

I can reproduce the issue on my box. I am not sure if there is any way that
you can work around it by WMI coding.

I have reported this issue to the product group and am asking for more
information about it. I will get back to you soon after I get the answer.

Thanks for waiting.

Regards,
Hongye Sun (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
***@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business days is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Gerry Hickman
2009-05-22 10:52:36 UTC
Hello Hongye,
Post by Hongye Sun [MSFT]
> I can reproduce the issue on my box.

Thank you for confirmation.

Post by Hongye Sun [MSFT]
> I am not sure if there is any way that
> you can workaround it by WMI coding.

Please let me know if you find a workaround. I have run some audits on our
servers, we have many shares with NULL security DACL. We can't use WMI to
fix them.

Post by Hongye Sun [MSFT]
> I have reported this issue to product group and asking for more information
> about it. I will get back to you soon after I get the answer.

Thank you. I would be very pleased for new information.
--
Gerry Hickman
London (UK)
Hongye Sun [MSFT]
2009-05-26 09:35:57 UTC
Hi Gerry,

I am still consulting with the product group to confirm if it is an issue in
Windows 2003.

As a workaround, can you use the parameter "Win32_SecurityDescriptor
Access" of the Win32_Share.Create method to set the security descriptor when
you are creating the share?

As I will be taking leave, whenever we get any message from the product
group, my colleague will post it here. Thanks.

Regards,
Hongye Sun (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Jialiang Ge [MSFT]
2009-06-01 04:06:08 UTC
Hello Gerry

How are you?

The product group has confirmed this product issue.

The following sample code is provided for your reference to work around it:

'CODE USING THE CREATE METHOD

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

'*************************************************************************
nAccessMask = 2032127   ' 0x1F01FF: Full Control
nAceFlags = 3           ' OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
nAceType = 0            ' ACCESS_ALLOWED_ACE_TYPE

Dim objTrustee
Set objTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
objTrustee.Domain = ""
objTrustee.Name = "Everyone"
' Binary form of the well-known SID S-1-1-0 (Everyone).
objTrustee.Properties_.Item("SID") = Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

Dim objAce
Set objAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
objAce.Properties_.Item("AccessMask") = nAccessMask
objAce.Properties_.Item("AceFlags") = nAceFlags
objAce.Properties_.Item("AceType") = nAceType
objAce.Properties_.Item("Trustee") = objTrustee

Dim objSecDescriptor
Dim arrDACL
Set objSecDescriptor = _
    objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
' SE_DACL_PRESENT | SE_DACL_AUTO_INHERITED
objSecDescriptor.Properties_.Item("ControlFlags") = 4 + 1024
arrDACL = Array()
AddToArray arrDACL, objAce
objSecDescriptor.Properties_.Item("DACL") = arrDACL

' Append a value or an object reference to a dynamic array.
Sub AddToArray(ByRef Arr, ByVal Val)
    ReDim Preserve Arr (UBound(Arr)+1)
    If (IsObject(Val)) Then
        Set Arr(UBound(Arr)) = Val
    Else
        Arr(UBound(Arr)) = Val
    End If
End Sub ' AddToArray

'*************************************************************************
' Obtain the definition of the class.
Set objShare = objWMIService.Get("Win32_Share")

' Obtain an InParameters object specific to the method.
Set objInParam = objShare.Methods_("Create").inParameters.SpawnInstance_()

' Add the input parameters.
objInParam.Properties_.Item("Description") = "testing"
' Pass the security descriptor built above; without the Access parameter
' the share is created with a null DACL.
objInParam.Properties_.Item("Access") = objSecDescriptor
objInParam.Properties_.Item("Name") = "\\jialiang\share1"
objInParam.Properties_.Item("Path") = "d:\test"
objInParam.Properties_.Item("Type") = 0

' Execute the method and obtain the return status.
' The OutParameters object in objOutParams is created by the provider.
Set objOutParams = _
    objWMIService.ExecMethod("Win32_Share", "Create", objInParam)

' List OutParams
Wscript.Echo "Out Parameters: "
Wscript.echo "ReturnValue: " & objOutParams.ReturnValue



'CODE USING THE SetShareInfo Method
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

nAccessMask = 2032127   ' 0x1F01FF: Full Control
nAceFlags = 3           ' OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
nAceType = 0            ' ACCESS_ALLOWED_ACE_TYPE

Dim objTrustee
Set objTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
objTrustee.Domain = ""
objTrustee.Name = "Everyone"
' Binary form of the well-known SID S-1-1-0 (Everyone).
objTrustee.Properties_.Item("SID") = Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

Dim objAce
Set objAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
objAce.Properties_.Item("AccessMask") = nAccessMask
objAce.Properties_.Item("AceFlags") = nAceFlags
objAce.Properties_.Item("AceType") = nAceType
objAce.Properties_.Item("Trustee") = objTrustee

Dim objSecDescriptor
Dim arrDACL
Set objSecDescriptor = _
    objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
' SE_DACL_PRESENT | SE_DACL_AUTO_INHERITED
objSecDescriptor.Properties_.Item("ControlFlags") = 4 + 1024
arrDACL = Array()
AddToArray arrDACL, objAce
objSecDescriptor.Properties_.Item("DACL") = arrDACL

' Append a value or an object reference to a dynamic array.
Sub AddToArray(ByRef Arr, ByVal Val)
    ReDim Preserve Arr (UBound(Arr)+1)
    If (IsObject(Val)) Then
        Set Arr(UBound(Arr)) = Val
    Else
        Arr(UBound(Arr)) = Val
    End If
End Sub ' AddToArray

' Obtain an instance of the class using a key property value.
Set objShare = objWMIService.Get("Win32_Share.Name='\\jialge\Share2'")
' Obtain an InParameters object specific to the method.
Set objInParam = _
    objShare.Methods_("SetShareInfo").inParameters.SpawnInstance_()

' Add the input parameters.
objInParam.Properties_.Item("Access") = objSecDescriptor

' Execute the method and obtain the return status.
' The OutParameters object in objOutParams is created by the provider.
Set objOutParams = _
    objWMIService.ExecMethod("Win32_Share.Name='\\jialge\Share2'", _
    "SetShareInfo", objInParam)

' List OutParams
Wscript.Echo "Out Parameters: "
Wscript.echo "ReturnValue: " & objOutParams.ReturnValue

Thanks for reporting this issue to us. If you have any other questions or
concerns, please feel free to tell us.

Regards,
Jialiang Ge (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support
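
Added example, not part of the original thread: a Python decoder for the numeric values in the scripts above (SID byte array, AccessMask, AceFlags, AceType, ControlFlags). It shows that the descriptor as posted grants Everyone (S-1-1-0) Full Control; 1179817 is the Read mask that corresponds to the EVERYONE:R result described for Vista. Function and table names are assumptions of this example; the constants are the standard Windows SDK values.

```python
import struct

# Standard share access masks and winnt.h flag values.
SHARE_MASKS = {0x001200A9: "Read", 0x001301BF: "Change", 0x001F01FF: "Full Control"}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
ACE_FLAGS = {0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
             0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE",
             0x10: "INHERITED_ACE"}
SD_CONTROL = {0x0004: "SE_DACL_PRESENT", 0x0008: "SE_DACL_DEFAULTED",
              0x0400: "SE_DACL_AUTO_INHERITED", 0x1000: "SE_DACL_PROTECTED",
              0x8000: "SE_SELF_RELATIVE"}


def sid_to_string(raw):
    """Convert a binary SID (as in Win32_Trustee.SID) to S-R-A-S... form."""
    data = bytes(raw)
    if len(data) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(data[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, data[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def flag_names(value, table):
    """Name every known bit set in value; report leftover bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names


def describe_ace(sid_bytes, access_mask, ace_flags, ace_type, control_flags):
    return {
        "trustee": sid_to_string(sid_bytes),
        "type": ACE_TYPES.get(ace_type, str(ace_type)),
        "rights": SHARE_MASKS.get(access_mask, hex(access_mask)),
        "inheritance": flag_names(ace_flags, ACE_FLAGS),
        "control": flag_names(control_flags, SD_CONTROL),
    }


# Values copied from the posted scripts.
POSTED = describe_ace([1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0], 2032127, 3, 0, 4 + 1024)

if __name__ == "__main__":
    for key, val in POSTED.items():
        print(key, "=", val)
```
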

Gerry Hickman
2009-06-01 14:11:23 UTC
Hello Jialiang,

Thank you for feedback from product group and for testing this.

Of course, using the Win32_Share.Create() method is only useful for new
shares, it can't fix shares that already exist, but have null DACL.

BUT, the Win32_Share.SetShareInfo() does work, even for existing shares. You
can quickly fix null DACL on these shares using this method, so it's very
helpful. I think this is a very easy workaround, thank you for finding it.
--
Gerry Hickman
London (UK)
Jialiang Ge [MSFT]
2009-06-02 08:08:32 UTC
You are welcome, Gerry!

Regards,
Jialiang Ge
Microsoft Online Community Support
