wntAccessAdd

Adds or updates Discretionary Access Control List [DACL, a.k.a. permission] records for a resource.

Syntax:

wntAccessAdd( server-name, resource/share-name, account-name, object-type, access-string [, flags])

Parameters:

(s) server-name Name of a network file server or empty string ("") to indicate the current machine.

(s) resource/share-name Identifies the object to be modified.

(s) account-name Name of a user or a group to whom access is being granted. If necessary, it can be fully qualified as 'server\user'.

(i) object-type Identifies the object type of the 'resource/share-name' object. See below.

(s) access-string The type of access that is being granted. Either a predefined access type, or a delimited list. See below.

(i) flags [optional] Controls behavior of the function. See below.

Returns:

(i) 1 [@TRUE] or 0 [@FALSE]. See below.

 

Server-Name

All attempts to work with permissions or auditing settings on remote computers will require that those remote computers have the "Server" service running.

 

Object-Type

Object-type   Resource/share-name description

100   Share (e.g., a directory share or a printer share). This is just the name of the share; no server information should be included with the share name [e.g. "MyShare", not "MyServer\MyShare"].

200   Printer object. The syntax for the resource name must be "\\server-name\printer-object-name". If the printer is on a remote NT/2K system, then the server name must be passed as the first parameter [e.g. "\\server-name"] in addition to the resource name [which also contains the server name]. Whenever the permissions or audit settings on a printer object are changed, the permissions on any print shares associated with that printer object are also modified: printer object security and printer share security are linked at a very low level in WinNT/Win2K. Adding various types of permissions to a printer object automatically adds corresponding permissions to all printer shares associated with the printer object. These "linked" permissions are not identical; granting one type of permission on the printer object for a user/group sets a more generic set of permissions on any associated printer shares. Security for printer objects can be managed. Security on printer shares should never be modified directly, since the modifications will most likely be undone if the share's printer object security is ever modified directly.

300   Directory or file in an NTFS partition. This can be either a UNC folder/file specification [e.g. "\\server-name\share-name\some-folder\some-file"] or a reference to a folder/file on a drive letter. If the referenced folder/file is on a drive letter that is mapped to a remote server, or it is a UNC specification for a folder/file on a remote server, then the "server-name" parameter must specify the name of the remote server [with a pair of leading backslash "\\" characters].

301   Directory in an NTFS partition, and all its subdirectories (*)

302   Directory in an NTFS partition, and all files in the directory (*)

303   Directory in an NTFS partition, all its subdirectories, and all files in the directory and its subdirectories (*)

400   Registry key. This should be the handle of an open registry key (opened with the RegOpenKey() function), or a predefined registry handle. (Registration functions are listed in the WIL help file under "Registration Database Operations".)

401   Registry key, and all its subkeys (*). See object type 400.

500   Window station (see the caution below)

501   Desktop (see the caution below)

600   Service Display Name. Manipulates the security settings on NT services.

601   Service Key Name. Manipulates the security settings on NT services.

Caution for object types 500 and 501: use extreme caution when altering the security of a window station or desktop object. Improperly manipulating the security of a window station or desktop object may make your system unusable and may require a hard reset of the system in order to regain access to the system console [e.g. the keyboard, mouse and monitor].

* Note: the object types 301, 302, 303 and 401 cannot be used to manipulate ACLs on resources that are located on a Win2K system. Whenever one of these object types is specified for a resource on a Win2K system, the object type is automatically converted to "300" or "400" as appropriate. This restriction exists because Win2K has inheritable ACEs that are automatically propagated to all child objects under a folder or registry key; allowing a script to explicitly add or remove an ACE [which is itself inheritable] to or from an entire hierarchy of folders & files or registry keys could create unexpected access or auditing ACLs.

Access-string:

'Access-string' specifies the type of access that is being granted. It can be either (A) a pre-defined access type, or (B) a delimited list of one or more specific 'access-records'.

It is also possible to combine pre-defined access-strings with specific 'access-records', and to combine multiple pre-defined access-strings. This is done by separating the pre-defined access-string values and the specific 'access-record' values with the vertical bar "|" character. For example, you can have an access-string value of "Dir:Read|Dir:Add" or "Dir:Read|0:2:1179817".

Both types of access-string values are described below:

(A) Pre-defined access types:

These get translated into specific access records, as shown. The appropriate values may vary depending on your system configuration, or among different versions of the WinNT/Win2K family of operating systems.


Access-string                         Meaning             Specific equivalent

NTFS Folders on WinNT (object-type = 300, 301, 302 & 303)

"DirNT:Add"                           Add                 "0:2:1180086"
"DirNT:AddRead"                       Add & Read          "0:9:-1610612736|0:2:1180095"
"DirNT:Change" or "DirNT:Modify"      Change              "0:9:-536805376|0:2:1245631"
"DirNT:Full"                          Full Control        "0:9:268435456|0:2:2032127"
"DirNT:List"                          List                "0:2:1179817"
"DirNT:None"                          No Access           "1:9:268435456|1:2:2032127"
"DirNT:Read"                          Read                "0:9:-1610612736|0:2:1179817"

NTFS Folders on Win2K (object-type = 300)

"Dir2K:Full"                          Full Control        "0:3:2032127"
"Dir2K:List"                          List                "0:2:1179817"
"Dir2K:Modify" or "Dir2K:Change"      Modify              "0:3:1245631"
"Dir2K:None"                          No Access           "1:3:983551"
"Dir2K:Read"                          Read                "0:3:1179785"
"Dir2K:ReadExecute"                   Read & Execute      "0:3:1179817"
"Dir2K:Write"                         Write               "0:3:1048854"

 

NTFS Folders on either WinNT (object-type = 300, 302 & 303) or Win2K (object-type = 300)

"Dir:Add"                             Add                 Translates to "DirNT:Add" or "Dir2K:Write" based on the system that the folder is located on.
"Dir:AddRead"                         Add & Read          Translates to "DirNT:AddRead" or "Dir2K:Write" based on the system that the folder is located on.
"Dir:Change" or "Dir:Modify"          Change or Modify    Translates to "DirNT:Change"/"DirNT:Modify" or "Dir2K:Modify"/"Dir2K:Change" based on the system that the folder is located on.
"Dir:Full"                            Full Control        Translates to "DirNT:Full" or "Dir2K:Full" based on the system that the folder is located on.
"Dir:List"                            List                Translates to "DirNT:List" or "Dir2K:List" based on the system that the folder is located on.
"Dir:None"                            No Access           Translates to "DirNT:None" or "Dir2K:None" based on the system that the folder is located on.
"Dir:Read"                            Read                Translates to "DirNT:Read" or "Dir2K:Read" based on the system that the folder is located on.
"Dir:ReadExecute"                     Read & Execute      Translates to "DirNT:Read" or "Dir2K:ReadExecute" based on the system that the folder is located on.
"Dir:Write"                           Write               Translates to "DirNT:Add" or "Dir2K:Write" based on the system that the folder is located on.

Directory Share (object-type = 100)

"DirShare:Read"                       Read                "0:0:1179817"
"DirShare:Change"                     Change              "0:0:1245631"
"DirShare:Full"                       Full Control        "0:0:2032127"
"DirShare:None"                       No Access           "1:0:2032127"

 

NTFS Files (not folders) on WinNT (object-type = 300, 302 & 303)

"FileNT:Read"                         Read                "0:0:1179817"
"FileNT:Change" or "FileNT:Modify"    Change or Modify    "0:0:1245631"
"FileNT:Full"                         Full Control        "0:0:2032127"
"FileNT:None"                         No Access           "1:0:2032127"

 

NTFS Files (not folders) on Win2K (object-type = 300)

"File2K:Read"                         Read                "0:3:1179785"
"File2K:Modify" or "File2K:Change"    Modify or Change    "0:3:1245631"
"File2K:ReadExecute"                  Read & Execute      "0:3:1179817"
"File2K:Write"                        Write               "0:3:1048854"
"File2K:Full"                         Full Control        "0:3:2032127"
"File2K:None"                         No Access           "1:3:983551"

 

NTFS Files (not folders) on either WinNT (object-type = 300, 302 & 303) or Win2K (object-type = 300)

"File:Read"                           Read                Translates to "FileNT:Read" or "File2K:Read" based on the system that the file is located on.
"File:Change" or "File:Modify"        Change or Modify    Translates to "FileNT:Change"/"FileNT:Modify" or "File2K:Modify"/"File2K:Change" based on the system that the file is located on.
"File:ReadExecute"                    Read & Execute      Translates to "FileNT:Read" or "File2K:ReadExecute" based on the system that the file is located on.
"File:Write"                          Write               Translates to "File2K:Write" or to an empty string ["" on WinNT] based on the system that the file is located on.
"File:Full"                           Full Control        Translates to "FileNT:Full" or "File2K:Full" based on the system that the file is located on.
"File:None"                           No Access           Translates to "FileNT:None" or "File2K:None" based on the system that the file is located on.

 

Printer on WinNT (object-type = 200)

"PrintNT:Print"                       Print               "0:2:131080"
"PrintNT:Manage"                      Manage Documents    "0:9:268435456|0:2:131072"
"PrintNT:Full"                        Full Control        "0:9:268435456|0:2:983052"
"PrintNT:None"                        No Access           "1:9:268435456|1:2:983052"

 

Printer on Win2K (object-type = 200)

"Print2K:Print"                       Print               "0:0:131080"
"Print2K:Manage"                      Manage Documents    "0:10:131072|0:9:983056"
"Print2K:Full"                        Full Control        "0:9:983056|0:0:983052"
"Print2K:None"                        No Access           "1:0:983052|1:9:983056"

 

Printer on either WinNT or Win2K (object-type = 200)

"Print:Print"                         Print               Translates to "PrintNT:Print" or "Print2K:Print" based on the system that the printer is located on.
"Print:Manage"                        Manage Documents    Translates to "PrintNT:Manage" or "Print2K:Manage" based on the system that the printer is located on.
"Print:Full"                          Full Control        Translates to "PrintNT:Full" or "Print2K:Full" based on the system that the printer is located on.
"Print:None"                          No Access           Translates to "PrintNT:None" or "Print2K:None" based on the system that the printer is located on.

 

Registry Key (object-type = 400)

"Reg:Read"                            Read                "0:2:131097"
"Reg:Full"                            Full Control        "0:2:983103"
"Reg:Change" or "Reg:Modify"          Change / Modify     "0:2:196639"
"Reg:None"                            No Access           "1:2:983103"

 

Print Share (object-type = 100)

Although print share permissions should not generally be managed directly, here are some predefined permissions for print shares. Print share permissions differ between WinNT and Win2K even if semantically "identical" permissions were set on the corresponding printer objects via Windows Explorer. Also, if the pre-defined values "PrintShare:Print", "PrintShare:Manage", "PrintShare:Full" or "PrintShare:None" are specified, then the appropriate "PrintShareNT:*" or "PrintShare2K:*" pre-defined permissions will be substituted.

"PrintShareNT:Print"                                      "0:2:2032127"
"PrintShareNT:Manage"                                     "0:2:0"
"PrintShareNT:Full"                                       "0:2:2032127"
"PrintShareNT:None"                                       "1:2:2032127"
"PrintShare2K:Print"                                      "0:0:2032127"
"PrintShare2K:Manage"                                     "" [empty string, ignored, not applicable on Win2K]
"PrintShare2K:Full"                                       "0:0:2032127"
"PrintShare2K:None"                                       "1:0:2032127"

 

Window station (object-type = 500)
Desktop (object-type = 501)

There are no predefined access-string values for window station and desktop objects.


Service Display Name (object-type = 600)
Service Key Name (object-type = 601)

Services, by default, lack any explicit permission assignments. However, unlike other securable parts of the operating system, this lack of assigned permissions results in only Administrators having the ability to control a service.

"Service:Control"                     Grants permissions for start, stop, query and interrogate access on the service to which it is applied.   "0:0:131581"
"Service:Full"                        Assigns full administrative permissions.   "0:0:2032127"
"Service:None"                        Explicitly denies any access to a service.   "1:0:2032127"

 

(B) Specific 'access-records':

This can be a single record, or a list of records (maximum of 100) delimited with vertical bars (|). Each record is in the format:

record-type:access-flags:access-rights

where 'record-type', 'access-flags', and 'access-rights' are each a decimal number, separated with colons ( : ).

It is not expected that most users will want to manually create or edit 'access-records' strings. Instead, you can use the wntAccessGet() function to return an 'access-records' string in the proper format for use with this function. This is useful for transferring access rights from one user to another, or for transferring users' permissions when moving files between servers. Be cautious when using this method where the 'access-records' strings are read on one platform [e.g. WinNT] and applied to resources on another platform [e.g. Win2K], since the actual 'access-records' used on one platform may not have the same meaning on a different platform.

A brief description of the fields in the 'access-records' string follows. Please note that any detailed explanation is beyond the scope of this document, but might be obtained from the WIN32 SDK programmers' documentation available from Microsoft and other publishers.

'record-type' (a.k.a. ACE Type) (one of the following):

Record-type   Meaning

0   Access Allowed ACE type
1   Access Denied ACE type
2   Audit ACE type
3   Alarm ACE type
4   Access Allowed Compound ACE type
5   Access Allowed Object ACE type
6   Access Denied Object ACE type
7   Audit Object ACE type
8   Alarm Object ACE type

 

The ACE types 0 - 2 are commonly used. The NT extender can report on ACE types 0 - 8, but it can only manage ACE types 0 - 2 with respect to wnt[Access|Audit][Add|Del]().

Note: For access/permissions ACEs, only ACEs of type "Access Allowed ACE type" [type 0 ACEs] or "Access Denied ACE type" [type 1 ACEs] are valid.

 

'access-flags' (0, or one or more of the following flags, combined with the bitwise OR ('|') operator):

Flag value   Flag name                    Meaning

1            OBJECT_INHERIT_ACE           Non-container child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE flag bit is also set.

2            CONTAINER_INHERIT_ACE        Child objects that are containers, such as directories or registry keys, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.

4            NO_PROPAGATE_INHERIT_ACE     If the ACE is inherited by either a child object or a child container, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of child objects & containers.

8            INHERIT_ONLY_ACE             The ACE can be inherited by an object's children, but the ACE does not affect the object to which it has been applied. This makes the ACE a non-effective ACE.

16           INHERITED_ACE                Windows 2000: This flag bit cannot be set in an ACE via the wntAccessAdd() and wntAuditAdd() functions. ACEs with this flag bit enabled cannot be removed with the wntAccessDel() or wntAuditDel() functions. However, ACEs retrieved with the wntAccessGet() and wntAuditGet() functions can have this bit enabled. To manipulate an ACE that is inherited by an object from its parent requires directly manipulating the inheritable ACE on the parent object.

64           SUCCESSFUL_ACCESS_ACE_TYPE   [Only valid with audit ACEs] Used with system-audit ACEs in a SACL to generate audit messages for successful access attempts.

128          FAILED_ACCESS_ACE_TYPE       [Only valid with audit ACEs] Used with system-audit ACEs in a SACL to generate audit messages for failed access attempts.
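The inheritance rules in the flags table above are easiest to follow when worked through on a small tree. The following Python is an added example, not code from the extender or this help file: it applies the OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, NO_PROPAGATE_INHERIT_ACE, INHERIT_ONLY_ACE and INHERITED_ACE rules as the table states them to a constructed folder tree and reports which objects end up holding the ACE as effective and which only carry it for their children. The tree, the function names and the "<root>" label are the example's own; the one rule the table does not state explicitly, that a file keeps no inheritance bits because it has no children, is an assumption of the model.

```python
"""Model how the access-flags bits on one ACE propagate through a folder tree.

Added example, not extender code.  The rules are those of the access-flags table
(OBJECT_INHERIT, CONTAINER_INHERIT, NO_PROPAGATE, INHERIT_ONLY, INHERITED)."""

OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
NO_PROPAGATE_INHERIT_ACE = 0x04
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10          # Win2K tags inherited ACEs with this bit; WinNT does not
INHERITANCE_BITS = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE


def is_effective(flags):
    """An ACE with INHERIT_ONLY_ACE does not affect the object it sits on."""
    return not flags & INHERIT_ONLY_ACE


def inherited_flags(parent_flags, child_is_container, win2k=True):
    """Flags the child receives from its parent's ACE, or None if it does not inherit it."""
    oi = parent_flags & OBJECT_INHERIT_ACE
    ci = parent_flags & CONTAINER_INHERIT_ACE
    np_ = parent_flags & NO_PROPAGATE_INHERIT_ACE
    if child_is_container:
        if ci:
            child = parent_flags & ~INHERIT_ONLY_ACE       # effective on the sub-container
        elif oi and not np_:
            child = parent_flags | INHERIT_ONLY_ACE        # carried only to reach grandchild files
        else:
            return None
        if np_:                                            # the inherited copy is not inheritable
            child &= ~INHERITANCE_BITS
    else:
        if not oi:
            return None
        # assumption: a file has no children, so no inheritance bit survives on it
        child = parent_flags & ~(INHERITANCE_BITS | INHERIT_ONLY_ACE)
    return child | INHERITED_ACE if win2k else child


# constructed sample tree: a dict is a folder, None is a file
TREE = {"docs": {"a.txt": None, "sub": {"b.txt": None}}, "c.txt": None}


def propagate(tree, ace_flags, win2k=True):
    """Apply an ACE with `ace_flags` to the root of `tree` and report who ends up holding it."""
    holders = {"<root>": "effective" if is_effective(ace_flags) else "inherit-only"}

    def walk(children, parent_flags, prefix):
        for name, sub in children.items():
            is_container = sub is not None
            child_flags = inherited_flags(parent_flags, is_container, win2k)
            if child_flags is None:
                continue
            path = prefix + name + ("/" if is_container else "")
            holders[path] = "effective" if is_effective(child_flags) else "inherit-only"
            if is_container:
                walk(sub, child_flags, path)

    walk(tree, ace_flags, "")
    return holders


if __name__ == "__main__":
    # 9 = OBJECT_INHERIT | INHERIT_ONLY, the flags of the generic record in "DirNT:Read"
    for path, how in propagate(TREE, 9).items():
        print("%-16s %s" % (path, how))
```

Running it with flags 9 (the "0:9:..." generic record of the pre-defined "DirNT:Read") shows why that record pairs with a "0:2:..." record: the inherit-only generic ACE never applies to the folder it was added to, only to the files beneath it, while the CONTAINER_INHERIT record covers the folders. Flags 7 (OBJECT_INHERIT | CONTAINER_INHERIT | NO_PROPAGATE) reach the immediate children only.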

 

 

'access-rights' (one or more of the following, usually several, depending on the object type):

Multiple access-rights values may be bit-wise OR'd together to combine them into a single access mask value.

Note: For all practical purposes, this is a complete list of the individual access rights mask bits and their corresponding values. Some of the bits have different constant names associated with them if the bits are applicable to more than one object type.

Value (decimal)   Value (hex)   Name / Meaning

1                 1             FILE_LIST_DIRECTORY (Dir); FILE_READ_DATA (File/Pipe); KEY_QUERY_VALUE (RegKey); WINSTA_ENUMDESKTOPS; DESKTOP_READOBJECTS; SERVICE_QUERY_CONFIG
2                 2             FILE_ADD_FILE (Dir); FILE_WRITE_DATA (File/Pipe); KEY_SET_VALUE (RegKey); WINSTA_READATTRIBUTES; DESKTOP_CREATEWINDOW; SERVICE_CHANGE_CONFIG
4                 4             FILE_ADD_SUBDIRECTORY (Dir); FILE_APPEND_DATA (File); FILE_CREATE_PIPE_INSTANCE (Pipe); PRINTER_ACCESS_ADMINISTER (Printer); KEY_CREATE_SUB_KEY (RegKey); WINSTA_ACCESSCLIPBOARD; DESKTOP_CREATEMENU; SERVICE_QUERY_STATUS
8                 8             FILE_READ_EA (File/Dir); PRINTER_ACCESS_USE (Printer); KEY_ENUMERATE_SUB_KEYS (RegKey); WINSTA_CREATEDESKTOP; DESKTOP_HOOKCONTROL; SERVICE_ENUMERATE_DEPENDENTS
16                10            FILE_WRITE_EA (File/Dir); JOB_ACCESS_ADMINISTER (Print Job); KEY_NOTIFY (RegKey); WINSTA_WRITEATTRIBUTES; DESKTOP_JOURNALRECORD; SERVICE_START
32                20            FILE_TRAVERSE (Dir); FILE_EXECUTE (File); KEY_CREATE_LINK (RegKey); WINSTA_ACCESSGLOBALATOMS; DESKTOP_JOURNALPLAYBACK; SERVICE_STOP
64                40            FILE_DELETE_CHILD (Dir); WINSTA_EXIT_WINDOWS; DESKTOP_ENUMERATE; SERVICE_PAUSE_CONTINUE
128               80            FILE_READ_ATTRIBUTES (File/Dir); DESKTOP_WRITEOBJECTS; SERVICE_INTERROGATE
256               100           FILE_WRITE_ATTRIBUTES (File/Dir); WINSTA_ENUMERATE; DESKTOP_SWITCHDESKTOP; SERVICE_USER_DEFINED_CONTROL
512               200           WINSTA_READSCREEN
65536             10000         DELETE
131072            20000         READ_CONTROL
262144            40000         WRITE_DAC
524288            80000         WRITE_OWNER
1048576           100000        SYNCHRONIZE
16777216          1000000       ACCESS_SYSTEM_SECURITY
268435456         10000000      GENERIC_ALL
536870912         20000000      GENERIC_EXECUTE
1073741824        40000000      GENERIC_WRITE
-2147483648       80000000      GENERIC_READ

 

The following table lists combinations of access rights mask bits that are used to grant specific types of access on different types of objects. There are specific combinations of access mask bits that are commonly used; these combinations are given specific names so that they can be referred to easily. Another important thing to note here is that generic access mask values such as "read", "write", "execute" and "all" get mapped to different specific rights values based on the particular object type that the access mask applies to. This means that adding an ACE with one or more generic access mask bits enabled may result in the creation of an ACE with different specific access mask bits on different types of objects. It should also be noted that WinNT and Win2K handle generic rights differently in that WinNT tends to leave generic access bits enabled in an ACE while Win2K tends to convert generic access mask values to object-type specific access mask values when it creates an ACE. These access mask values will look familiar since they are the basis for the pre-defined ACEs that are presented elsewhere in this help text.

 

Value (decimal)   Value (hex)   Name / Meaning

983040            F0000         STANDARD_RIGHTS_REQUIRED = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
131072            20000         STANDARD_RIGHTS_READ = READ_CONTROL
131072            20000         STANDARD_RIGHTS_WRITE = READ_CONTROL
131072            20000         STANDARD_RIGHTS_EXECUTE = READ_CONTROL
2031616           1F0000        STANDARD_RIGHTS_ALL = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE
65535             FFFF          SPECIFIC_RIGHTS_ALL
2032127           1F01FF        FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF
1179785           120089        FILE_GENERIC_READ = STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
1179926           120116        FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE
1179808           1200A0        FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
983052            F000C         PRINTER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE
131080            20008         PRINTER_READ = STANDARD_RIGHTS_READ | PRINTER_ACCESS_USE
131080            20008         PRINTER_WRITE = STANDARD_RIGHTS_WRITE | PRINTER_ACCESS_USE
131080            20008         PRINTER_EXECUTE = STANDARD_RIGHTS_EXECUTE | PRINTER_ACCESS_USE
983056            F0010         JOB_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | JOB_ACCESS_ADMINISTER
131088            20010         JOB_READ = STANDARD_RIGHTS_READ | JOB_ACCESS_ADMINISTER
131088            20010         JOB_WRITE = STANDARD_RIGHTS_WRITE | JOB_ACCESS_ADMINISTER
131088            20010         JOB_EXECUTE = STANDARD_RIGHTS_EXECUTE | JOB_ACCESS_ADMINISTER
131097            20019         KEY_READ = (STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & (~SYNCHRONIZE)
131078            20006         KEY_WRITE = (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY) & (~SYNCHRONIZE)
131097            20019         KEY_EXECUTE = (KEY_READ) & (~SYNCHRONIZE)
983103            F003F         KEY_ALL_ACCESS = (STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK) & (~SYNCHRONIZE)

 

 

If any access records already exist in the DACL for 'resource/share-name' for the specified 'account-name', they will be removed before adding the records specified by 'access-string'.
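Reading a record such as "0:9:-1610612736|0:2:1179817" by hand means looking up three tables at once, so here is a decoder for the access-record notation of section (B), written as an added example in Python (it is not part of the extender or of this help file). It splits an access-string on "|", expands a handful of the pre-defined names from section (A) to their specific equivalents, names the record-type, the access-flags bits and the access-rights bits using the tables above, and rebuilds the named mask combinations (FILE_GENERIC_READ, KEY_READ, FILE_ALL_ACCESS) from their parts. The object-kind labels "file", "dir" and "regkey", the PREDEFINED subset and the function names are the example's own; the bit values are the ones listed on this page, with the two audit bits named as the Win32 SDK names them.

```python
"""Decode wntAccessAdd() access-strings ("record-type:access-flags:access-rights"
records joined with "|", optionally mixed with pre-defined names such as
"DirNT:Read") into ACE type, flag and access-right names, and rebuild the named
access-mask combinations from their parts.  Added example, not extender code."""

# record-type values that wntAccessAdd()/wntAccessDel() can manage
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}

# access-flags bits (the Win32 SDK names the two audit bits *_ACE_FLAG)
ACE_FLAGS = {
    0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE", 0x10: "INHERITED_ACE",
    0x40: "SUCCESSFUL_ACCESS_ACE_FLAG", 0x80: "FAILED_ACCESS_ACE_FLAG",
}

# standard and generic rights: the same bits for every object type
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}

# object-specific low bits: the same bit means different things per object type
SPECIFIC_RIGHTS = {
    "file": {0x01: "FILE_READ_DATA", 0x02: "FILE_WRITE_DATA", 0x04: "FILE_APPEND_DATA",
             0x08: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES"},
    "dir": {0x01: "FILE_LIST_DIRECTORY", 0x02: "FILE_ADD_FILE", 0x04: "FILE_ADD_SUBDIRECTORY",
            0x08: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_TRAVERSE",
            0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
            0x100: "FILE_WRITE_ATTRIBUTES"},
    "regkey": {0x01: "KEY_QUERY_VALUE", 0x02: "KEY_SET_VALUE", 0x04: "KEY_CREATE_SUB_KEY",
               0x08: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
}

# a subset of the page's pre-defined access types and their specific equivalents
PREDEFINED = {
    "DirNT:Read": "0:9:-1610612736|0:2:1179817",
    "Dir2K:Read": "0:3:1179785",
    "Dir2K:ReadExecute": "0:3:1179817",
    "Reg:Read": "0:2:131097",
    "Reg:Full": "0:2:983103",
}

MAX_RECORDS = 100  # the documented upper bound for one access-string


def expand(access_string):
    """Split on '|' and replace pre-defined names with their specific records."""
    records = []
    for item in access_string.split("|"):
        item = item.strip()
        records.extend(PREDEFINED[item].split("|") if item in PREDEFINED else [item])
    if len(records) > MAX_RECORDS:
        raise ValueError("an access-string holds at most %d records" % MAX_RECORDS)
    return records


def rights_table(kind):
    return {**STANDARD_RIGHTS, **SPECIFIC_RIGHTS[kind]}


def decode_record(record, kind="dir"):
    """Name the parts of one 'type:flags:rights' record for an object of the given kind."""
    ace_type, flags, rights = (int(field) for field in record.split(":"))
    rights &= 0xFFFFFFFF  # the page prints high bits as signed decimals, e.g. -2147483648
    names = rights_table(kind)
    known_mask = sum(names)  # keys are distinct single bits, so sum == bitwise OR
    return {
        "type": ACE_TYPES.get(ace_type, "UNSUPPORTED(%d)" % ace_type),
        "flags": [name for bit, name in sorted(ACE_FLAGS.items()) if flags & bit],
        "rights": [name for bit, name in sorted(names.items()) if rights & bit],
        "unknown_bits": rights & ~known_mask,
    }


def decode_access_string(access_string, kind="dir"):
    return [decode_record(record, kind) for record in expand(access_string)]


def mask(kind, *names):
    """Bitwise-OR named rights, as the 'Name / Meaning' table defines the combinations."""
    by_name = {name: bit for bit, name in rights_table(kind).items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value


if __name__ == "__main__":
    for rec in decode_access_string("DirNT:Read"):
        print(rec)
    print(hex(mask("file", "READ_CONTROL", "FILE_READ_DATA", "FILE_READ_ATTRIBUTES",
                   "FILE_READ_EA", "SYNCHRONIZE")))  # FILE_GENERIC_READ
```

The "unknown_bits" field is the useful check when a string read with wntAccessGet() on one platform is about to be applied on another: any bit the tables cannot name for the target object kind is one whose meaning you should confirm before writing it.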

Flags

The flags value is an integer bit mask. The values of different flag bits may be bit-wise OR'd together if multiple flag bits are to be set [i.e. enabled] at the same time. The following flag bits are valid:

Flag bit number   Flag bit value when set/enabled   Flag bit meaning

0                 1                                 A SID string has been passed in as the value of the "account-name" parameter.
5                 32                                Display a progress dialog box while adding permissions.
6                 64                                Force a 1 second delay between updates to the progress dialog box. Note: this flag slows down the processing so that the progress dialog can be followed.
7                 128                               If folders or files are being handled [e.g. object type 300, 301, 302 or 303], then display long names instead of short 8.3 names.

 

Returns

The return value of wntAccessAdd() will be 1 [@TRUE] if it successfully processes all of the resources that were specified. Certain object types, namely folders & files and registry keys, can have recursive processing performed to add an ACE to the DACL of multiple objects, such as when an entire subdirectory tree is processed or when a branch of the registry is processed. Also, on Win2K, ACL inheritance may cause recursive processing to happen even though only a single folder or registry key has had its DACL modified. If recursive processing is done and one or more child objects cannot have their DACLs properly accessed/modified, then wntAccessAdd() will return a value of 0 [@FALSE]. The wntLastErrMsg() function should be called with an error code of "-1" specified to get the list of objects that could not be properly processed.

 

Please note that it is possible for wntAccessAdd() to return a zero value and not cause the script to abort with an error. The only time that wntAccessAdd() will raise an error that needs to be trapped with the use of ErrorMode(@OFF) is when the specific resource/share-name that has been specified cannot have its DACL modified properly. Any other errors that occur during recursive processing of child objects simply result in wntAccessAdd() returning a zero value [@FALSE]. It is the programmer's responsibility to check the return value of wntAccessAdd() and then execute any error handling code should a zero value be returned.

 

Note: If you have not previously added any permissions to a share, it may implicitly have some default permissions. For example, when you create a share for a directory, it defaults to giving "Full Control" access to "Everyone". When wntAccessAdd() is used to create an access record for such a share, it will supersede those default permissions (i.e., the default permissions will be removed). If you wish to keep the default permissions, use wntAccessAdd() to set them explicitly.

 

To use wntAccessAdd() to change the permissions on a file on a remote server (i.e., not the local machine), you need to specify the file name as a UNC, e.g.:

wntAccessAdd("server2", "\\server2\C$\test", "Everyone", 300, "DirNT:Read")

("C$" and "D$" are standard admin shares to "C:\" and "D:\", etc.)

Note: It is not possible for WinNT v3.51/v4.0 to properly manage the permissions on a remote Win2K [or newer] system. Attempting to use the wnt[Access|Audit]*() functions on WinNT v3.51/v4.0 to view/modify the permissions on a remote Win2K [or newer] system will result in error 716 [Win2K or newer required] being raised.

Example:

; Load Appropriate Extender
AddExtender('wwwnt34i.dll',0,'wwwnt64i.dll')

; This example sets the share called "Public" on the current machine so
; that any member of the group "Everybody" has full access to the contents
; of the directory associated with the "Public" share. This function does
; not affect any permissions that may have been set with a NTFS file system
; with respect to the directory associated with the share.
;
wntAccessAdd("","Public","Everybody",100,"DirShare:Full",0)

See Also:

wntAccessDel, wntAccessGet, wntAccessList, wntAccessMod, About SID [Security Identifier] values