wntAccessList

Returns list of users who have Discretionary Access Control List [DACL, a.k.a. permission] records for a resource.

Syntax:

wntAccessList(server-name, resource/share-name, object-type, flags)

Parameters:

(s) server-name Name of a network file server or empty string ("") to indicate the current machine.

(s) resource/share-name Identifies the object to be accessed.

(i) object-type Identifies the type of the 'resource/share-name' object. See below.

(i) flags Controls behavior of the function. See below.

Returns:

(s) A tab-delimited list of accounts that have access records for "resource/share-name", i.e. the users and groups for whom permissions have explicitly been set. Returns a blank string ("") if there are no appropriate records.

 

Server-Name

All attempts to work with permissions or auditing settings on remote computers will require that those remote computers have the "Server" service running.

 

Object-Type

Object-type    Resource/share-name description

100    Share (e.g., a directory share or a printer share). This is just the name of the share; no server information should be included with the share name [e.g. "MyShare", not "MyServer\MyShare"].

200    Printer object. The syntax for the resource name must be "\\server-name\printer-object-name". If the printer is on a remote NT/2K system, then the server name must also be passed as the first parameter [e.g. "\\server-name"] in addition to the resource name [which also contains the server name]. Whenever the permissions or audit settings on a printer object are changed, the permissions on any print shares associated with that printer object are also modified: printer object security and printer share security are linked at a very low level in WinNT/Win2K. Adding various types of permissions to a printer object automatically adds corresponding types of permissions to all printer shares associated with that printer object. These "linked" permissions are not identical: granting one type of permission on the printer object for a user/group sets a more generic set of permissions on any associated printer shares. Manage security on the printer object; security on printer shares should never be modified directly, since those modifications will most likely be undone the next time the printer object's security is modified.

300    Directory or file in an NTFS partition. This can be either a UNC folder/file specification [e.g. "\\server-name\share-name\some-folder\some-file"] or a reference to a folder/file on a drive letter. If the referenced folder/file is on a drive letter that is mapped to a remote server, or it is a UNC specification for a folder/file on a remote server, then the "server-name" parameter must specify the name of the remote server [with a pair of leading backslash "\\" characters].

400    Registry key. This should be the handle of an open registry key (opened with the RegOpenKey() function) or a predefined registry handle. (Registration functions are listed in the WIL help file under "Registration Database Operations".)

500    Window station. Use extreme caution when altering the security of a window station or desktop object. Improperly manipulating the security of a window station or desktop object may make your system unusable and may require a hard reset of the system in order to regain access to the system console [i.e. the keyboard, mouse and monitor].

501    Desktop. The same caution as for window stations (object type 500) applies.

600    Service display name. Manipulates the security settings on NT services.

601    Service key name. Manipulates the security settings on NT services.

Flags

The flags value is an integer bit mask. The values of different flag bits may be bit-wise OR'd together if multiple flag bits are to be set [i.e. enabled] at the same time. The following flag bits are valid:

Flag bit    Value when set    Meaning

0    1    When this flag bit is enabled, domain names are prefixed onto the returned account names [e.g. "domain\user" or "domain\group"]. If this flag bit is disabled, only the account names themselves are returned.

1    2    When this flag bit is enabled in conjunction with flag bit 0, all domain names are returned, including built-in domain names such as "BUILTIN" and "NT AUTHORITY". Under normal circumstances these built-in domain names do not need to be returned; enabling flag bit 0 and leaving flag bit 1 disabled returns only real domain names and computer names, not built-in domain names.

2    4    When this flag bit is enabled, SID strings are returned in place of account [and domain] names. The returned SIDs may represent accounts that currently exist as well as deleted accounts that had been assigned permission/audit records on the specified object. Normally, permission/audit records assigned to deleted accounts cannot be retrieved, because there are no account names to map to the SIDs stored in those records. Returning SID strings instead of account names allows all of the permission/audit records for an object to be retrieved. The SID strings are returned as a tab-delimited list.

3    8    When this flag bit is enabled, only the SID strings for permission/audit records assigned to deleted accounts are returned. This allows these orphaned permission/audit records to be singled out for removal. If there are no orphaned permission/audit records on the specified object, the use of this flag may result in an empty string being returned.

Here are some common flags values:

flags = 0    Return just account names.

flags = 1    Return account names with their domains.

flags = 3    Return account names and all domain names, including built-in domain names.

flags = 4    Return SID strings for all permission/audit records on an object.

flags = 8    Return SID strings only for orphaned permission/audit records on an object.

Note: It is not possible for WinNT v3.51/v4.0 to properly manage the permissions on a remote Win2K [or newer] system. Attempting to use the wnt[Access|Audit]*() functions on WinNT v3.51/v4.0 to view/modify the permissions on a remote Win2K [or newer] system will result in error 716 [Win2K or newer required] being raised.

 
Example:

; Load Appropriate Extender
AddExtender('wwwnt34i.dll',0,'wwwnt64i.dll')

; This example simply reviews the list of which users have permissions
; assigned to the Windows folder.
;
windir = DirWindows(0)
; Object type 300 = NTFS directory; flags = 1 prefixes each account with its domain
users = wntAccessList("", windir, 300, 1)
MsgText = StrCat("Permissions for '", windir, "'", @CRLF)
; The result is tab-delimited; show one account per line
MsgText = StrCat(MsgText, @CRLF, StrReplace(users, @TAB, @CRLF))
Message("Assigned Permissions", MsgText)
Exit
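A second worked example, added here and not part of the extender's own documentation, that combines flag values 1, 4 and 8 to audit a folder and its immediate subfolders for orphaned permission records (ACEs whose SID no longer resolves to an account). The starting path "C:\Data" is a constructed placeholder, and the subfolder walk with DirItemize is an assumption about how a caller would enumerate the tree:

```winbatch
; Added example: report orphaned DACL records under a folder tree.
; Assumes the WinNT extender (wwwnt34i.dll / wwwnt64i.dll) is installed.
AddExtender('wwwnt34i.dll',0,'wwwnt64i.dll')

root = "C:\Data"                    ; constructed placeholder path; change as needed

; Resolvable accounts, prefixed with their domain (flag bit 0 = 1)
named = wntAccessList("", root, 300, 1)
; Every record as a SID string, including records of deleted accounts (flag bit 2 = 4)
allSids = wntAccessList("", root, 300, 4)
; Only the records of deleted accounts (flag bit 3 = 8); "" when there are none
orphans = wntAccessList("", root, 300, 8)

; Difference between the SID count and the resolvable-name count is the orphan count
report = StrCat("Folder: ", root, @CRLF)
report = StrCat(report, "Resolvable accounts:     ", ItemCount(named, @TAB), @CRLF)
report = StrCat(report, "Total records (as SIDs): ", ItemCount(allSids, @TAB), @CRLF)
report = StrCat(report, "Orphaned records:        ", ItemCount(orphans, @TAB), @CRLF)
If orphans != "" Then
   report = StrCat(report, "Orphaned SIDs on ", root, ":", @CRLF, StrReplace(orphans, @TAB, @CRLF), @CRLF)
EndIf

; Walk the immediate subfolders and list any that carry orphaned records.
; DirItemize returns a tab-delimited list of directory names without the path.
subdirs = DirItemize(StrCat(root, "\*.*"))
count = ItemCount(subdirs, @TAB)
For i = 1 To count
   sub = StrCat(root, "\", ItemExtract(i, subdirs, @TAB))
   orphans = wntAccessList("", sub, 300, 8)
   If orphans != "" Then
      report = StrCat(report, @CRLF, "Orphaned SIDs on ", sub, ":", @CRLF, StrReplace(orphans, @TAB, @CRLF))
   EndIf
Next

Message("Orphaned permission records", report)
Exit
```

Orphaned SIDs reported this way are candidates for removal with wntAccessDel; records for live accounts are left untouched because only flag value 8 is used to select them.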
See Also:

wntAccessAdd, wntAccessDel, wntAccessGet, wntAccessMod, About SID [Security Identifier] values…