How to restore permissions in the web folders - script
restore permissions webfolders.vbs
'-------------------------------------------------------------
' Domains Folders Permissions Rebuild Script
' ============================================================
' Re-adds the permissions for the IIS anonymous users to the
' domains folders
' ------------------------------------------------------------
' Copyright © 2004 Andrew Taylor
' ------------------------------------------------------------
' Usage: Save this script as a .vbs file and run:
' cscript.exe "c:\PermissionsRebuild.vbs"
' ------------------------------------------------------------
' Enquiries to andy@4dhosting.com
' I disclaim all responsibility for results of this script
' which is run at your own risk
'-------------------------------------------------------------
'-------------------------------------------------------------
' Configuration variables
'-------------------------------------------------------------
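' Helm control-panel database. This script only ever reads the HostDomain
' and HostDomainProperty tables (see GetAnonUser, GetAnonPassword and
' GetDomainId), so a SQL login limited to SELECT on those two tables is
' enough; storing the "sa" password in a plain-text script on the web
' server is not necessary for the script to work.
Const strDBServer = "localhost"
Const strDBName = "HelmDb"
Const strDBUser = "sa"
Const strDBPassword = "password"
' Root folder that contains one sub-folder per web site.
Const strDomains = "c:\domains\"
' Log file; it is re-created (overwritten) on every run.
Const strLogFile = "c:\PermissionsRebuild.log"
' Full path to SetACL.exe, the tool that performs the ACL changes.
Const strAppPath = "c:\SetACL\SetACL.exe"
'-------------------------------------------------------------
' Do not edit below here
'-------------------------------------------------------------
' Everything below is a true constant: declared with Const (instead of a
' plain global assignment as before) so nothing later in the script can
' overwrite a mask or flag by accident.
' Script-internal error numbers. The first two are raised and translated
' to messages in SetFolderPermissions; the third is not currently raised.
Const ERR_NTFS_USER_LOOK_UP_FAILED = 1
Const ERR_NTFS_CANT_SET_SECURITY_DESCRIPTOR = 2
Const ERR_CMD_EXECUTION_FAILED = 3
' Windows access-mask bits (standard, generic and directory-service rights).
Const GENERIC_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
Const GENERIC_READ = &H80000000
Const GENERIC_WRITE = &H40000000
Const GENERIC_EXECUTE = &H20000000
Const GENERIC_ALL = &H10000000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
' Composite masks; SetFolderPermissions maps each to a SetACL "p:" keyword.
Const COMMON_ADD = &H1201B6
Const COMMON_ADD_READ = &H1201BF
Const COMMON_READ = &H1200A9
Const COMMON_CHANGE = &H1301BF
Const COMMON_FULL_CONTROL = &H10000000 ' same value as GENERIC_ALL
Const COMMON_ALL = &H1F01FF
' ACE inheritance flags; SetFolderPermissions maps each to a SetACL "i:" keyword.
Const NO_INHERITANCE = &H0
Const ALL_INHERIT_ACE = &H3
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const NO_PROPAGATE_INHERIT_ACE = &H4
Const INHERIT_ONLY_ACE = &H8
Const INHERITED_ACE = &H10
Const VALID_INHERIT_FLAGS = &H1F
' First argument of SetFolderPermissions: write an allow or a deny ACE.
Const SET_ACCESS = 1
Const SET_DENY = 0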
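' ---- main script body ----------------------------------------------
' Open the Helm database; GetAnonUser, GetAnonPassword and GetDomainId all
' query through this global connection.
Set db = CreateObject("ADODB.Connection")
strConn = "Provider=SQLOLEDB;Server=" & strDBServer & ";Database=" & strDBName & ";user ID=" & strDBUser & ";password=" & strDBPassword & ";"
db.Open strConn
' Log file used by LogEvent (global oFile), and the folder to walk.
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oFile = oFSO.CreateTextFile(strLogFile, True)
Set oFolder = oFSO.GetFolder(strDomains)
' Domain part of the trustee name handed to SetACL. The anonymous users
' are local accounts (created via WinNT://<computer>), so this is the
' computer name. Previously strServerName was never assigned, so the
' trustee was written as "\username".
strServerName = GetComputer()
' One sub-folder per web site; the folder name is used as the domain name.
For Each oSubFolder In oFolder.SubFolders
    strDomain = oSubFolder.Name
    LogEvent "[+] Web Site: " & strDomain
    strNewUsername = GetAnonUser(strDomain)
    strNewPassword = GetAnonPassword(strDomain)
    ' Both properties must be present for this to be a Helm site.
    If strNewUsername <> "" And strNewPassword <> "" Then
        ' The password itself is not written out: the log file is plain
        ' text and would otherwise collect every site's anonymous-user
        ' credential.
        LogEvent " [-] Username: " & strNewUsername
        LogEvent " [-] Password: (not logged)"
        If Not DoesUserExist(strNewUsername) Then
            LogEvent " [-] Creating user"
            CreateUser strNewUsername, strNewPassword
        Else
            LogEvent " [-] Resetting user password"
            If Not SetPassword(strNewUsername, strNewPassword) Then
                LogEvent " [!] Error resetting password"
            End If
        End If
        LogEvent " [-] Setting anonymous user details"
        ' SetFolderPermissions returns "" on success, otherwise a message.
        strResult = SetFolderPermissions(SET_ACCESS, strServerName, strNewUsername, oSubFolder.Path, COMMON_CHANGE, ALL_INHERIT_ACE)
        If strResult <> "" Then
            LogEvent " [!] Error updating permissions: " & strResult
        Else
            LogEvent " [=] Details updated"
        End If
    Else
        LogEvent " [=] Non-Helm site"
    End If
Next
' Release objects, close the log file and the database connection.
' (The unused rsDomains reference that was cleared here has been dropped.)
Set oFolder = Nothing
oFile.Close
Set oFile = Nothing
Set oFSO = Nothing
db.Close
Set db = Nothing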
' Returns the name of the machine the script runs on. It is used as the
' domain part of WinNT:// paths and of the trustee passed to SetACL.
Function GetComputer()
    Dim oNetwork
    Set oNetwork = WScript.CreateObject("WScript.Network")
    GetComputer = oNetwork.ComputerName
    Set oNetwork = Nothing
End Function
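' Creates a local account for a site's anonymous IIS user, sets its
' password and account flags, and adds it to the HELMWEBUSERS group.
' Returns True when every step ran without error, False otherwise. It was
' a Sub before, so "CreateUser = True" could never return anything;
' existing statement-style calls (CreateUser a, b) keep working.
Function CreateUser(strUserName, strPassword)
    Const strGroupName = "HELMWEBUSERS"
    ' Windows UserFlags bits: the user may not change the password, and
    ' the password never expires.
    Const UF_PASSWD_CANT_CHANGE = &H40
    Const UF_DONT_EXPIRE_PASSWD = &H10000
    Dim strComputer, oDomain, oUser, oGroup, lngFlags
    On Error Resume Next
    strComputer = GetComputer()
    Set oDomain = GetObject("WinNT://" & strComputer)
    Set oUser = oDomain.Create("user", strUserName)
    oUser.SetPassword strPassword
    oUser.FullName = strUserName
    oUser.SetInfo
    ' Both bits go into one Put: the previous code issued two Puts, and the
    ' second one overwrote the first, losing the "cannot change" bit.
    lngFlags = oUser.Get("UserFlags")
    oUser.Put "UserFlags", lngFlags Or UF_PASSWD_CANT_CHANGE Or UF_DONT_EXPIRE_PASSWD
    oUser.SetInfo
    Set oGroup = oDomain.GetObject("Group", strGroupName)
    oGroup.Add "WinNT://" & strComputer & "/" & strUserName
    ' Any error above is still pending here because of On Error Resume Next.
    CreateUser = (Err.Number = 0)
    Err.Clear
    Set oGroup = Nothing
    Set oUser = Nothing
    Set oDomain = Nothing
End Function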
' Binds to the account through the WinNT provider on the local machine.
' Any error during the bind is taken to mean the user does not exist.
Function DoesUserExist(strUserName)
    On Error Resume Next
    Set oUser = GetObject("WinNT://" & GetComputer() & "/" & strUserName)
    DoesUserExist = (Err.Number = 0)
    Err.Clear
End Function
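' Resets the password of an existing local account. Returns True on
' success, False when the account could not be bound or SetPassword /
' SetInfo failed. "On Error Resume Next" is needed for the Err.Number
' check to mean anything: without it (as before) any failure aborted the
' whole script and the False branch was unreachable.
Function SetPassword(strUserName, strPassword)
    Dim oAccount
    On Error Resume Next
    Set oAccount = GetObject("WinNT://" & GetComputer() & "/" & strUserName)
    If Err.Number = 0 Then
        oAccount.SetPassword strPassword
        oAccount.SetInfo
    End If
    SetPassword = (Err.Number = 0)
    Err.Clear
    Set oAccount = Nothing
End Function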
' Writes one line to the console and to the log file the main script
' opened (global oFile).
Sub LogEvent(strLog)
    WScript.Echo strLog
    oFile.WriteLine strLog
End Sub
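' Returns the "AnonUser" property of the Helm domain that matches
' strDomain (or one of its parent domains, see GetDomainId), or "" when
' no such domain exists.
Function GetAnonUser(strDomain)
    Dim lngDomainId, rsUsername, strSQL
    GetAnonUser = ""
    ' Extra parentheses pass a copy: arguments are ByRef by default and
    ' GetDomainId's parent-domain fallback must not rewrite the caller's
    ' variable.
    lngDomainId = GetDomainId((strDomain))
    ' GetDomainId returns 0 for "not found"; no point querying for it.
    If lngDomainId = 0 Then Exit Function
    Set rsUsername = CreateObject("ADODB.Recordset")
    ' lngDomainId is a CLng value, so concatenating it into the SQL text
    ' cannot alter the query.
    strSQL = "SELECT HostDomainProperty.PropertyValue FROM HostDomainProperty INNER JOIN HostDomain ON HostDomain.DomainId = HostDomainProperty.DomainId WHERE HostDomainProperty.PropertyName = 'AnonUser' AND HostDomain.DomainId=" & lngDomainId & ";"
    rsUsername.Open strSQL, db
    If Not rsUsername.EOF Then GetAnonUser = rsUsername("PropertyValue")
    rsUsername.Close
    Set rsUsername = Nothing
End Function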
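' Returns the "AnonPassword" property of the Helm domain that matches
' strDomain (or one of its parent domains, see GetDomainId), or "" when
' no such domain exists. The value is a credential: callers should not
' write it to the log.
Function GetAnonPassword(strDomain)
    Dim lngDomainId, rsPassword, strSQL
    GetAnonPassword = ""
    ' Extra parentheses pass a copy so GetDomainId cannot rewrite the
    ' caller's variable (arguments are ByRef by default).
    lngDomainId = GetDomainId((strDomain))
    ' GetDomainId returns 0 for "not found"; no point querying for it.
    If lngDomainId = 0 Then Exit Function
    Set rsPassword = CreateObject("ADODB.Recordset")
    ' lngDomainId is a CLng value, so concatenating it into the SQL text
    ' cannot alter the query.
    strSQL = "SELECT HostDomainProperty.PropertyValue FROM HostDomainProperty INNER JOIN HostDomain ON HostDomain.DomainId = HostDomainProperty.DomainId WHERE HostDomainProperty.PropertyName = 'AnonPassword' AND HostDomain.DomainId=" & lngDomainId & ";"
    rsPassword.Open strSQL, db
    If Not rsPassword.EOF Then GetAnonPassword = rsPassword("PropertyValue")
    rsPassword.Close
    Set rsPassword = Nothing
End Function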
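' Resolves a Helm DomainId from a domain name. When the name is not
' found, the leading label is stripped and the parent domain is tried
' (e.g. a folder "www.example.com" falls back to "example.com"). Returns
' 0 when no level of the name matches.
Function GetDomainId(strDomain)
    Dim rsDomain, strSQL, strName, intPtr, lngDomainId
    ' Work on a copy: arguments are ByRef, and the previous version
    ' overwrote the caller's variable while walking up the name.
    strName = strDomain
    lngDomainId = 0
    Set rsDomain = CreateObject("ADODB.Recordset")
    ' The name is a folder name from disk, not a database value; double
    ' any single quote so it cannot terminate the string literal.
    strSQL = "SELECT DomainId FROM HostDomain WHERE DomainName='" & Replace(strName, "'", "''") & "';"
    rsDomain.Open strSQL, db
    If Not rsDomain.EOF Then lngDomainId = CLng(rsDomain("DomainId"))
    ' Close before recursing so only one recordset is open at a time.
    rsDomain.Close
    Set rsDomain = Nothing
    If lngDomainId = 0 Then
        intPtr = InStr(strName, ".")
        If intPtr > 0 Then lngDomainId = GetDomainId(Mid(strName, intPtr + 1))
    End If
    GetDomainId = lngDomainId
End Function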
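' Applies one ACE to a folder by running SetACL.exe.
'   strAccessType       SET_ACCESS (allow) or SET_DENY (deny)
'   strTrusteeDomain    computer/domain part of the trustee name
'   strTrusteeUsername  account name
'   strFileName         folder path; a trailing backslash is removed
'   strFileMask         one of the GENERIC_* / COMMON_* / ADS_RIGHT_*
'                       masks, translated to a SetACL "p:" keyword; any
'                       other value falls back to "change"
'   strFileInheritance  one of the *_INHERIT_ACE flags
' Returns "" on success, otherwise a human-readable error message.
Function SetFolderPermissions(strAccessType, strTrusteeDomain, strTrusteeUsername, strFileName, strFileMask, strFileInheritance)
    Dim strCMD, strPath, cmdErrorCode, oFS
    On Error Resume Next
    SetFolderPermissions = ""
    ' Local copy so the caller's variable is not modified (ByRef default).
    strPath = strFileName
    If Right(strPath, 1) = "\" Then strPath = Left(strPath, Len(strPath) - 1)
    ' Trustee and path are embedded in a quoted command line; a double
    ' quote in either would change what SetACL is told to do. Refuse such
    ' values instead of trying to escape them.
    If InStr(strTrusteeUsername, """") > 0 Or InStr(strPath, """") > 0 Then
        SetFolderPermissions = "Refusing to build command line: quote character in trustee or path"
        Exit Function
    End If
    ' A missing SetACL.exe used to surface only as a generic "could not set
    ' permissions" message; report it explicitly.
    Set oFS = CreateObject("Scripting.FileSystemObject")
    If Not oFS.FileExists(strAppPath) Then
        Set oFS = Nothing
        SetFolderPermissions = "SetACL not found at " & strAppPath
        Exit Function
    End If
    Set oFS = Nothing
    strCMD = """" & strAppPath & """ -on """ & strPath & """ -ot file -actn ace -ace """
    strCMD = strCMD & "n:" & strTrusteeDomain & "\" & strTrusteeUsername
    ' Access mask -> SetACL permission keyword.
    Select Case strFileMask
        Case COMMON_ADD, COMMON_ADD_READ
            strCMD = strCMD & ";p:add_file"
        Case COMMON_READ, GENERIC_READ
            strCMD = strCMD & ";p:read"
        Case COMMON_CHANGE
            strCMD = strCMD & ";p:change"
        Case COMMON_FULL_CONTROL, COMMON_ALL, GENERIC_ALL
            strCMD = strCMD & ";p:full"
        Case GENERIC_DELETE
            strCMD = strCMD & ";p:delete"
        Case ADS_RIGHT_READ_CONTROL
            strCMD = strCMD & ";p:read_dacl"
        Case ADS_RIGHT_WRITE_DAC
            strCMD = strCMD & ";p:write_dacl"
        Case ADS_RIGHT_WRITE_OWNER
            strCMD = strCMD & ";p:write_owner"
        Case GENERIC_WRITE
            strCMD = strCMD & ";p:write"
        Case GENERIC_EXECUTE
            strCMD = strCMD & ";p:read_ex"
        Case Else
            strCMD = strCMD & ";p:change"
    End Select
    ' Inheritance flag -> SetACL "i:" keyword. ALL_INHERIT_ACE needs no
    ' keyword (it was a no-op case before as well).
    ' NOTE(review): INHERITED_ACE is mapped to "io" exactly as before;
    ' that flag marks an ACE as inherited from a parent rather than
    ' inherit-only, so confirm this mapping is what callers intend.
    Select Case strFileInheritance
        Case NO_INHERITANCE, NO_PROPAGATE_INHERIT_ACE
            strCMD = strCMD & ";i:np"
        Case OBJECT_INHERIT_ACE
            strCMD = strCMD & ";i:so"
        Case CONTAINER_INHERIT_ACE
            strCMD = strCMD & ";i:sc"
        Case INHERIT_ONLY_ACE, INHERITED_ACE
            strCMD = strCMD & ";i:io"
    End Select
    Select Case strAccessType
        Case SET_ACCESS
            strCMD = strCMD & ";m:set"
        Case SET_DENY
            strCMD = strCMD & ";m:deny"
    End Select
    strCMD = strCMD & ";w:dacl"" -silent"
    ' ExecCmd returns the exit code and leaves any captured output in the
    ' global cmdOutput. With -silent a clean run is expected to print
    ' nothing, so (as before) any output is treated as a failure.
    cmdOutput = ""
    cmdErrorCode = ExecCmd(strCMD)
    If cmdErrorCode <> 0 Then
        SetFolderPermissions = "Could not set permissions for " & strTrusteeUsername & " (SetACL exit code " & cmdErrorCode & ")"
    ElseIf Len(cmdOutput) > 0 Then
        SetFolderPermissions = "Could not set permissions on " & strPath
    End If
    Err.Clear
End Function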
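' Runs a command line, waits for it to finish and returns its exit code.
' The child's standard output and standard error are stored in the global
' cmdOutput, which SetFolderPermissions inspects.
' The previous version started the process with WScript.Shell.Run and then
' read a temp file that nothing had written to (and looked it up with an
' undeclared "TemporaryFolder" constant), so cmdOutput was never filled;
' a process that failed to start also returned Empty, which compared
' equal to 0 and looked like success.
Function ExecCmd(strCMD)
    Dim oShell, oProc
    On Error Resume Next
    cmdOutput = ""
    ' Non-zero until the child has actually been started and has exited.
    ExecCmd = ERR_CMD_EXECUTION_FAILED
    Set oShell = WScript.CreateObject("WScript.Shell")
    ' Exec exposes the child's streams directly, so no temp file is needed.
    Set oProc = oShell.Exec(strCMD)
    If Err.Number <> 0 Then
        cmdOutput = "Could not start command: " & Err.Description
        Err.Clear
        Set oShell = Nothing
        Exit Function
    End If
    ' ReadAll returns when the child closes the stream (normally at exit).
    ' stdout is drained before stderr; with SetACL's -silent the volumes
    ' are tiny, so the usual two-pipe blocking concern does not apply here.
    cmdOutput = oProc.StdOut.ReadAll & oProc.StdErr.ReadAll
    ' Status 0 = still running.
    Do While oProc.Status = 0
        WScript.Sleep 50
    Loop
    ExecCmd = oProc.ExitCode
    Err.Clear
    Set oProc = Nothing
    Set oShell = Nothing
End Function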