Returns Discretionary Access Control List [DACL, a.k.a. permission] records for a resource.
wntAccessGet(server-name, resource/share-name, account-name, object-type[, flags])
(s) server-name Name of a network file server or empty string ("") to indicate the current machine.
(s) resource/share-name Identifies the object to be accessed.
(s) account-name Name of a user or of a group for whom access is being determined. If necessary, it can be fully qualified as 'server\user'.
(i) object-type Identifies the type of the 'resource/share-name' object. See below.
(i) flags [optional] Controls behavior of the function. See below.
(s) A delimited list of access records or ("") if no records were found.
The function wntAccessGet() returns a list of access records for 'resource/share-name' for the specified 'account-name', delimited with vertical bars ( | ). If there are no appropriate records, it returns a blank string (""). See wntAccessAdd() for information on the format of the access records.
Server-Name
All attempts to work with permissions or auditing settings on remote computers will require that those remote computers have the "Server" service running.
| Object-type | Resource/share-name description |
| --- | --- |
| 100 | Share (e.g., a directory share or a printer share). This is just the name of the share; no server information should be included with the share name [e.g. "MyShare", not "MyServer\MyShare"]. |
| 200 | Printer object. The syntax for the resource name must be "\\server-name\printer-object-name". If the printer is on a remote NT/2K system then the server name must be passed as the first parameter [e.g. "\\server-name"] in addition to the resource name [that also contains the server name]. Whenever the permissions or audit settings on a printer object are changed, the permissions on any print shares associated with that printer object will also be modified. Printer object security and printer share security are linked at a very low level in WinNT/Win2K. Adding various types of permissions to a printer object will automatically add certain corresponding types of permissions to all printer shares associated with the printer object. These "linked" permissions are not identical, in that, if you grant one type of permissions on the printer object for a user/group, then a more generic set of permissions gets set on any associated printer shares. Security for printer objects can be managed. Security on printer shares should never be directly modified since the modifications will most likely be undone if the share's printer object security is ever directly modified. |
| 300 | Directory or file in a NTFS partition. This can be either a UNC folder/file specification [e.g. "\\server-name\share-name\some-folder\some-file"], or it can be a reference to a folder/file on a drive letter. If the referenced folder/file is on a drive letter that is mapped to a remote server, or it is a UNC specification for a folder/file on a remote server, then the "server-name" parameter's value must specify the name of the remote server [with a pair of leading backslash "\\" characters]. |
| 400 | Registry key. This should be the handle of an open registry key (opened with the RegOpenKey() function), or a predefined registry handle. (Registration Functions are listed in the WIL help file under "Registration Database Operations".) |
| 500 | Window station. Use extreme caution when altering the security of a window station or desktop object. Improperly manipulating the security of a window station or desktop object may result in making your system unusable and may require a hard-reset of the system in order to regain access to the system console [e.g. the keyboard, mouse and monitor]. |
| 501 | Desktop. Use extreme caution when altering the security of a window station or desktop object. Improperly manipulating the security of a window station or desktop object may result in making your system unusable and may require a hard-reset of the system in order to regain access to the system console [e.g. the keyboard, mouse and monitor]. |
| 600 | Service Display Name. Manipulates the security settings on NT services. |
| 601 | Service Key Name. Manipulates the security settings on NT services. |
Flags
The flags value is an integer bit mask value. The values of different flag bits may be bit-wise OR'd together if multiple flag bits are to be "set" [e.g. enabled] at the same time. The following flag bits are valid:
| Flag bit number | Flag bit value when set/enabled | Flag bit meaning |
| --- | --- | --- |
| 0 | 1 | A SID string has been passed in as the value of the "account-name" parameter. |
Note: If no permissions were previously added to a share, it may implicitly have some default permissions. For example, when a share is created for a directory, it defaults to giving "Full Control" access to "Everyone", although there may not actually be any access records for the share. Therefore, wntAccessGet() may return a blank string (""). However, implicit permissions become actual permissions once the "Permissions" dialog for the share is brought up from the File Manager (or Explorer) and "OK" is selected. The function wntAccessGet() can then retrieve the actual permissions.
Note: It is not possible for WinNT v3.51/v4.0 to properly manage the permissions on remote Win2K [or newer] systems. Attempting to use the wnt[Access|Audit]*() functions on WinNT v3.51/v4.0 to view/modify the permissions on a remote Win2K [or newer] system will result in error 716 [Win2K or newer required] being raised.
```winbatch
; Load Appropriate Extender
AddExtender('wwwnt34i.dll',0,'wwwnt64i.dll')

; Let the user pick one of the local groups on the current machine
localgroups = wntListGroups("",@LOCALGROUP, 1)
group = AskItemlist("Local Groups",localgroups,@TAB,@SORTED,@SINGLE)

; object-type 300 = directory or file on NTFS, flags 0 = account-name is a name, not a SID
records = wntAccessGet("",DirWindows(0),group,300,0)
If records==""
   Message("wntAccessGet","No access records found for the group")
Else
   Message("wntAccessGet","Access records are " : records)
EndIf
```
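The following is an added example, not part of the original documentation. It combines object-type 100 with flag bit 0 (SID string) to look for explicit "Everyone" records on shares, and treats a blank result as "no stored records" rather than "no access", as the note on implicit defaults requires. The share names are constructed placeholders; "S-1-1-0" is the well-known SID for Everyone. Records are printed as returned, since their format is documented under wntAccessAdd().

```winbatch
; Added example: report explicit access records for Everyone on a set of local shares.
AddExtender('wwwnt34i.dll',0,'wwwnt64i.dll')

everyoneSid = "S-1-1-0"            ; well-known SID for the Everyone group
shares = "Public|Install|Scans"    ; constructed share names: name only, no server prefix
report = ""

shareCount = ItemCount(shares, "|")
For s = 1 To shareCount
   share = ItemExtract(s, shares, "|")

   ; object-type 100 = share, flags 1 = account-name is a SID string
   records = wntAccessGet("", share, everyoneSid, 100, 1)

   If records == ""
      ; A blank string does not prove that Everyone has no access: a share
      ; with no stored records may still carry the implicit default
      ; ("Full Control" for "Everyone").
      report = report : share : ": no explicit records (implicit defaults may apply)" : @CRLF
   Else
      ; Access records are delimited with vertical bars; list one per line
      recCount = ItemCount(records, "|")
      For r = 1 To recCount
         report = report : share : ": " : ItemExtract(r, records, "|") : @CRLF
      Next
   EndIf
Next

Message("Everyone access on shares", report)
```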
wntAccessAdd, wntAccessDel, wntAccessList, wntAccessMod, About SID [Security Identifier] values…