• Starting today August 7th, 2024, in order to post in the Married Couples, Courting Couples, or Singles forums, you will not be allowed to post if you have your Marital status designated as private. Announcements will be made in the respective forums as well but please note that if yours is currently listed as Private, you will need to submit a ticket in the Support Area to have yours changed.

  • CF has always been a site that welcomes people from different backgrounds and beliefs to participate in discussion and even debate. That is the nature of its ministry. In view of recent events emotions are running very high. We need to remind people of some basic principles in debating on this site. We need to be civil when we express differences in opinion. No personal attacks. Avoid you, your statements. Don't characterize an entire political party with comparisons to Fascism or Communism or other extreme movements that committed atrocities. CF is not the place for broad brush or blanket statements about groups and political parties. Put the broad brushes and blankets away when you come to CF, better yet, put them in the incinerator. Debate had no place for them. We need to remember that people that commit acts of violence represent themselves or a small extreme faction.

  • We hope the site problems here are now solved, however, if you still have any issues, please start a ticket in Contact Us

  • The rule regarding AI content has been updated. The rule now rules as follows:

    Be sure to credit AI when copying and pasting AI sources. Link to the site of the AI search, just like linking to an article.

Help. Advanced Windows Programming. Help needed!!!

Jump to latest Follow Reply
Sort by date Sort by votes
O

Oroppas

Guest
Hey guys,

This is the story. I work for a company with over 7,000 computers that are locked down for security reasons so users have VERY limited rights on their computer. This means that some of their programs they need do NOT work since they do not have access to modify data that the program needs to be able to modify.

One of these areas is the system registry. We are working on a tool that will help us automate setting security permissions on said registry key's of the computers at our location.

We have found out how to do many of the functions we require but there are two areas we are 'stuck' on.

1) We need to find a way, if at all possible, to browse our Active Directory schema and select Containers and OU's to apply the automated security fixes on. I know it is possible since they have these api's available from Microsoft but we cannot get it to work correctly with Visual Basic. (I do not choose the programming language, I just do what I am told)

2) This is the biggest problem. We cannot figure out how to use Active Directory Service Interfaces (ADSI) to properly apply security settings on the registry key.

Well, we HAVE the following code working but it is NOT inheriting the permissions to the sub key's at all. We are not sure what to do about it. We need the permissions to propagate or else we cannot get all our software working correctly.

does anyone have ANY tips or ideas as to what to do?

Here is the code we have that works but does not do inheritance:

Set dacl = sd.DiscretionaryACL
For Each ace In dacl
If (LCase(ace.trustee) = LCase("BUILTIN\Users")) Then
dacl.RemoveAce ace
End If
Next
sd.DiscretionaryACL = dacl
sec.SetSecurityDescriptor sd
Set ace = CreateObject("AccessControlEntry")
ace.trustee = "BUILTIN\Users"
ace.AccessMask = accMask
ace.AceType = 0
ace.AceFlags = &H2
dacl.AddAce ace
sd.DiscretionaryACL = dacl
sec.SetSecurityDescriptor sd
Set ace = Nothing
Set sd = Nothing
Set dacl = Nothing
Set sec = Nothing
Set sec = CreateObject("ADsSecurity")
Set sd = sec.GetSecurityDescriptor("RGY://" & sRegkey)
Set oDACL = sd.DiscretionaryACL
Set oNewDACL = CreateObject("AccessControlList")
Set oInheritedDACL = CreateObject("AccessControlList")
Set oAllowDACL = CreateObject("AccessControlList")
Set oDenyDACL = CreateObject("AccessControlList")
Set oDenyObjDACL = CreateObject("AccessControlList")
Set oAllowObjDACL = CreateObject("AccessControlList")
For Each oACE In oDACL
If ((oACE.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = ADS_ACEFLAG_INHERITED_ACE) Then
oInheritedDACL.AddAce oACE
Else
Select Case oACE.AceType
Case ADS_ACETYPE_ACCESS_ALLOWED
oAllowDACL.AddAce oACE
Case ADS_ACETYPE_ACCESS_DENIED
oDenyDACL.AddAce oACE
Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
oAllowObjDACL.AddAce oACE
Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
oDenyObjDACL.AddAce oACE
End Select
End If
Next
For Each oACE In oDenyDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oDenyObjDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oAllowDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oAllowObjDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oInheritedDACL
oNewDACL.AddAce oACE
Next
Set oInheritedDACL = Nothing
Set oDenyDACL = Nothing
Set oAllowDACL = Nothing
Set oDenyObjDACL = Nothing
Set oAllowObjDACL = Nothing
oNewDACL.AclRevision = oDACL.AclRevision
Set oDACL = Nothing
Set oDACL = oNewDACL
sd.DiscretionaryACL = oDACL
sec.SetSecurityDescriptor sd
Set sd = Nothing
Set sec = Nothing

lSecSetting = getCurrentSec(sRegkey)
.
.
.

Again, if you can help us out you will be my hero! We have alot of programmers who are stummped on this one! Help us out and prove yourself a Computer Guru greater than even most highly skilled programmers!!!

Thank you!
 
Grommit

Grommit

malloc(sizeof(dork));
Sep 8, 2003
345
2
Drowning in a puddle of rain.
✟498.00
Faith
Non-Denom
Oroppas said:
1) We need to find a way, if at all possible, to browse our Active Directory schema and select Containers and OU's to apply the automated security fixes on. I know it is possible since they have these api's available from Microsoft but we cannot get it to work correctly with Visual Basic. (I do not choose the programming language, I just do what I am told)
Click to expand...
Visual Basic? Why VB and who ever decided to do this project in VB should well... nevermind.

You can indeed browse and work with directory services in VB. Here is a quick way of doing it:

Private Declare Function DsBrowseForContainer Lib "dsuiext" Alias_
"DsBrowseForContainerA" (pInfo As DSBROWSEINFO) As Long

Private Const MAX_PATH = 150

Private Type DSBROWSEINFO
cbStruct As Long
hwndOwner As Long
pszCaption As String
pszTitle As String
pszRoot As String
pszPath As Long
cchPath As Long
dwFlags As Long
pfnCallback As Long
lParam As Long
dwReturnFormat As Long
pUserName As String
pPassword As String
pszObjectClass As String
cchObjectClass As Long
End Type

...
'Put the following in a sub or function:

Dim dsBrowse As DSBROWSEINFO
Dim sResult As String

'initialize the DSBROWSEINFO structure
szResult = Space(MAX_PATH)
dsBrowse.cbStruct = Len(dsBrowse)
dsBrowse.pszCaption = "Caption for the browser here"
dsBrowse.pszTitle = "Title for the broswer here"
dsBrowse.pszPath = StrPtr(szResult)
dsBrowse.cchPath = Len(szResult)
dsBrowse.dwFlags = &H0 '4 + &H3 ' DSBI_ENTIREDIRECTORY &_ 'DSBI_EXPANDONOPEN
'More options exist. Read up on DsBrowseForContainer on MSDN.

temp = DsBrowseForContainer(dsBrowse)
sTarget = szResult

'sTarget has the distinguished name of an OU or Container'
'I did not add error checking nor checking to ensure only an_
'OU or Container is selected

Set oContainer = GetObject(sTarget)

'Filter out only the computer objects. I trim the first 3 characters
'of the object's name to get only the name of the object.

oContainer.Filter = Array("computer")

For Each oComputer In oContainer
Size = Len(oComputer.Name)
compName = Right(oComputer.Name, (Size - 3))

'Here is where you would call a sub or function to do to the computer what
'you want to do. In your case, connect to that computer and then set what
'ever security stuff you wanted to do on that computer.

Next

'end code sample


Oroppas said:
2) This is the biggest problem. We cannot figure out how to use Active Directory Service Interfaces (ADSI) to properly apply security settings on the registry key.
Click to expand...
... *LOTS OF CODE DELETED*

Hmm... intresting code. Atleast you reorder the ACE's which most people never seem to do. ;)

ADSI is a powerful LOW LEVEL API. It cannot ever set the inheritance bit thus it will never inherit the security to the sub key's. Taken from microsoft's KB article 266466. "The reason that you cannot use ADSI to set ACEs to propagate down to existing files and folders is because ADSSecurity.dll uses the low-level SetFileSecurity function to set the security descriptor on a folder." <-- Applies to the windows registry too. Read that article. It goes on to explain how to do it useing ADSI but it's not pretty.

You should instead use SetSecurityInfo, or in this case since you want to apply changes on remote computers, use SetNamedSecurityInfo. (And yes, eventually everyone and their mother will point out that there is also RegSetKeySecurity as well, but, it no workey over the network)

Read about it here. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/setnamedsecurityinfo.asp

Just keep in mind that even though it doesn't state you can modify values in HKCC, remember that HKCC can be accessed through HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current

Everything else is self explanatory. Read through that link and the KB article detailing the ADSI issue you are having. It will tell/give you all you need to know.

Good luck. VB is not the language of choice for these types of tools. Remember: C++ is always there for you.

Again, if you can help us out you will be my hero! We have alot of programmers who are stummped on this one! Help us out and prove yourself a Computer Guru greater than even most highly skilled programmers!!!
Click to expand...
Well, if you or anyone else who reads this wants to hire a smart computer guy, let me know. I'll be out of a job soon as we are being outsourced to another country. Anyways, I'm looking for a System/Network Administrative position... I want to leave programming as a hobby and only to write tools to aid me in my job.

Anyone work at a company that is hiring??? PM me if you want to offer me a job!!! :p
 
Upvote 0
O

Oroppas

Guest
Grommit said:
Visual Basic? Why VB and who ever decided to do this project in VB should well... nevermind.
Click to expand...
Yeah, it wasn't my choice but I just do what I am told to do by our project leader.

You can indeed browse and work with directory services in VB. Here is a quick way of doing it:
Click to expand...
Thanks for the code sample. We are pretty much using your code as is! ;)
I hope we don't have to pay some sort of fee for your code.


Hmm... intresting code. Atleast you reorder the ACE's which most people never seem to do. ;)
Click to expand...
Well, to be honest I am not all that sure what is going on in the code. I don't know what DACLS, ACE's, and SACLS are... Do you know of a website that can help a person get up to speed on these terms?

You should instead use SetSecurityInfo, or in this case since you want to apply changes on remote computers, use SetNamedSecurityInfo. (And yes, eventually everyone and their mother will point out that there is also RegSetKeySecurity as well, but, it no workey over the network)

Read about it here. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/setnamedsecurityinfo.asp
Click to expand...
We are greatful for your help. I guess we were using the wrong methods. I have looked into SetNamedSecurityInfo and it does indeed look to be the API of choice for our task. It's just that we cannot figure out how to use it in VB.
I know you have gone through alot of effort to help me out but can you help me one more time???

Could you show me how that function works?

Thank you so much, Grommit!!


Well, if you or anyone else who reads this wants to hire a smart computer guy, let me know. I'll be out of a job soon as we are being outsourced to another country. Anyways, I'm looking for a System/Network Administrative position... I want to leave programming as a hobby and only to write tools to aid me in my job.
Click to expand...
Well, I cannot hire you but I wish I could. :( If I hear of anything I'll be sure to pass it onto you.

Some company is going to be well blessed to hire someone like you. God bless and thanks once more. You have saved our hides!

In debt to Grommit,
Oroppas.
 
Upvote 0

Similar threads

Christsfreeservant
Only What is Helpful
Replies
0
Views
206
Daily Devotionals
Christsfreeservant
Christsfreeservant
Christsfreeservant
The Church Working Properly
Replies
0
Views
665
Deeper Fellowship
Christsfreeservant
Christsfreeservant
Christsfreeservant
Do Not Believe Everyone
Replies
0
Views
180
Daily Devotionals
Christsfreeservant
Christsfreeservant
Christsfreeservant
Abundant in Lovingkindness
Replies
0
Views
321
Deeper Fellowship
Christsfreeservant
Christsfreeservant
H
Pause Before You Serve
Replies
0
Views
179
Daily Devotionals
hldude
H
Top Bottom
Jump to latest Follow Reply
Jump to latest Follow Reply