Are you an NT administrator? Have you tried to set up users' rights from a script?
If so, please read on!
We have implemented a tool to create user accounts for an NT domain. This tool also creates the user's home, group, and profile directories. Of course, these directories must be properly protected from unauthorized access. To this end, we are using Microsoft's ADsSecurity package (found in the ADSI25SDK resource kit).
With the graphical tools for setting permissions on a remote file or directory we can modify ACLs on the filer. However, using ADSI doesn't work on the filer. (The filer is running 5.3.7R2; ADSI is version 2.5.)
We have found that the following (trivial) example program taken from the Microsoft documentation works perfectly well from an NT4 domain controller to another NT4 domain controller, an NT 4 member server, a Windows 2000 member server (of course, all belonging to the same domain), BUT: Setting the new DACL with an NTFS share on the filer does not work (the existing rights are correctly displayed, but setting just doesn't work - without returning an error code!).

    Const ADS_RIGHT_GENERIC_READ = &H80000000
    Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0

    '--- Read the security descriptor of the file (UNC path, hence the double backslash)
    Set sec = CreateObject("ADsSecurity")
    Set sd = sec.GetSecurityDescriptor("FILE://\\SERVER\DIR\FILE.TST")
    Set dacl = sd.DiscretionaryAcl

    '-- Show the ACEs in the DACL ----
    For Each ace In dacl
        wscript.echo ace.Trustee
        wscript.echo ace.AccessMask
        wscript.echo ace.AceType
    Next

    '--- Add a new ACE so that the user can read/execute this file
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee = "DOMAIN\user"
    ace.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_EXECUTE
    ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    dacl.AddAce ace

    '--- Write the modified DACL back to the file
    sd.DiscretionaryAcl = dacl
    sec.SetSecurityDescriptor sd

BTW: Using the Win32::Perms Perl module shows the same behaviour!
Thanks, Michael Kärcher
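
Because the set call described in the post above fails without an error code, a provisioning script can re-read the DACL from the server and fail loudly if the new ACE is missing. The following is an added example, not part of the original post or of Microsoft's documentation; it uses only the ADsSecurity calls shown in the post, the path and account are the post's placeholders, and it assumes the trustee is read back in DOMAIN\user form.

```vbscript
Option Explicit

Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_ACETYPE_ACCESS_ALLOWED = 0

' Placeholders from the post; replace with a real path and account.
Const TARGET_PATH = "FILE://\\SERVER\DIR\FILE.TST"
Const NEW_TRUSTEE = "DOMAIN\user"

' Count ACEs of one type for one trustee in a freshly read DACL.
' Assumption: the trustee comes back as DOMAIN\user (compared case-insensitively).
Function CountAces(secObj, path, trusteeName, aceType)
    Dim sdRead, daclRead, entry, n
    Set sdRead = secObj.GetSecurityDescriptor(path)
    Set daclRead = sdRead.DiscretionaryAcl
    n = 0
    For Each entry In daclRead
        If StrComp(entry.Trustee, trusteeName, vbTextCompare) = 0 _
           And entry.AceType = aceType Then n = n + 1
    Next
    CountAces = n
End Function

Dim sec, sd, dacl, ace, countBefore, countAfter
Set sec = CreateObject("ADsSecurity")
countBefore = CountAces(sec, TARGET_PATH, NEW_TRUSTEE, ADS_ACETYPE_ACCESS_ALLOWED)

' Same modification as in the post.
Set sd = sec.GetSecurityDescriptor(TARGET_PATH)
Set dacl = sd.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = NEW_TRUSTEE
ace.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_EXECUTE
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
sd.DiscretionaryAcl = dacl
sec.SetSecurityDescriptor sd

' Re-read from the server; the access mask is not compared, only trustee and ACE type.
countAfter = CountAces(sec, TARGET_PATH, NEW_TRUSTEE, ADS_ACETYPE_ACCESS_ALLOWED)
If countAfter <= countBefore Then
    WScript.Echo "DACL unchanged on " & TARGET_PATH & ": ACE for " & NEW_TRUSTEE & " was not stored"
    WScript.Quit 1
End If
WScript.Echo "ACE for " & NEW_TRUSTEE & " stored (" & countAfter & " matching entries)"
```

Run it with cscript so the exit code is available to the calling account-creation script, which can then refuse to hand out a directory whose protection was never applied.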