GetSecurityDescriptor method of the Win32_LogicalFileSecuritySetting class
The GetSecurityDescriptor WMI class method retrieves the security descriptor of the Win32_LogicalFileSecuritySetting object in the form of a Win32_SecurityDescriptor object. A security descriptor contains information about the owner and the primary group of an object. The security descriptor also contains two access control lists (ACLs). The first list is the discretionary access control list (DACL), which describes who should have access to an object and what type of access to grant. The second list is the system access control list (SACL), which defines what type of auditing to record for an object.
This topic uses Managed Object Format (MOF) syntax. For more information about using this method, see Calling a Method.
Syntax
uint32 GetSecurityDescriptor( [out] Win32_SecurityDescriptor Descriptor );
Parameters
- Descriptor [out]

  Expression that resolves to an instance of Win32_SecurityDescriptor.
Return value
| Return code | Description |
|---|---|
| | Success |
| | Access Denied |
| | Unknown Failure |
| | Privilege Missing |
| | Invalid Parameter |
Examples
For script code examples, see WMI Tasks for Scripts and Applications and the TechNet ScriptCenter Script Repository.
For C++ code examples, see WMI C++ Application Examples.
In the following VBScript code example the assumption is that a folder named \testfolder exists on C:\. The example obtains the folder security and dissects it into the security components: ACEs, Trustees, and SIDs. For more information about security entities, see Security Descriptors in the Security section of the Windows SDK.
The script calls the Win32_LogicalFileSecuritySetting GetSecurityDescriptor method to retrieve an instance of the Win32_SecurityDescriptor class for the target object, that is, C:\TestFolder. GetSecurityDescriptor sets the wmiSecurityDescriptor parameter to an instance of the Win32_SecurityDescriptor class that corresponds to the security descriptor for the target object. Properties provided by the Win32_SecurityDescriptor class contain the DACL array of access control entries (ACEs) in the form of Win32_ACE object references. They also contain the trustee information in the form of Win32_Trustee objects.
```vb
On Error Resume Next
' The folder named "testfolder" must exist on the C:\ drive.
Set wmiFileSecSetting = GetObject( _
    "winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\testfolder'")

RetVal = wmiFileSecSetting. _
    GetSecurityDescriptor(wmiSecurityDescriptor)
If Err <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed" _
        & VBCRLF & Err.Number & VBCRLF & Err.Description
    WScript.Quit
Else
    WScript.Echo "GetSecurityDescriptor succeeded"
End If

' Retrieve the DACL array of Win32_ACE objects.
DACL = wmiSecurityDescriptor.DACL

For each wmiAce in DACL
    wscript.echo "Access Mask: " & wmiAce.AccessMask
    wscript.echo "ACE Type: " & wmiAce.AceType

    ' Get Win32_Trustee object from ACE
    Set Trustee = wmiAce.Trustee
    wscript.echo "Trustee Domain: " & Trustee.Domain
    wscript.echo "Trustee Name: " & Trustee.Name

    ' Get SID as array from Trustee
    SID = Trustee.SID
    strsid = join(SID, ",")
    wscript.echo "Trustee SID: {" & strsid & "}"
Next
```
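The script prints each ACE's AccessMask, AceType and trustee SID as raw numbers. The following Python sketch is an added example, not part of the original topic: it decodes saved output of the script into right names and string SIDs, and flags allow ACEs that grant write, delete or ownership rights to broad groups. The `RISKY` and `BROAD_SIDS` choices, the function names and the sample output are assumptions constructed for illustration.

```python
import re

# Standard and file-specific access rights (Windows SDK, winnt.h).
RIGHTS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
          0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
          0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
          0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
          0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
          0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
ACE_TYPES = {0: "Access Allowed", 1: "Access Denied", 2: "Audit"}  # Win32_ACE.AceType
# Assumption: rights that let a trustee alter content, delete, or take over the object.
RISKY = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000
# Assumption: "broad" groups are Everyone, Authenticated Users, BUILTIN\Users.
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
PATTERN = re.compile(r"Access Mask: (\d+)\s+ACE Type: (\d+)\s+Trustee Domain: ?(.*?)"
                     r"\s*\nTrustee Name: (.*?)\s*\nTrustee SID: \{([\d,]+)\}")
# Constructed sample in the format the VBScript prints (not real output).
SAMPLE = ("Access Mask: 2032127\nACE Type: 0\nTrustee Domain: NT AUTHORITY\n"
          "Trustee Name: SYSTEM\nTrustee SID: {1,1,0,0,0,0,0,5,18,0,0,0}\n"
          "Access Mask: 1245631\nACE Type: 0\nTrustee Domain: BUILTIN\n"
          "Trustee Name: Users\nTrustee SID: {1,2,0,0,0,0,0,5,32,0,0,0,33,2,0,0}\n")

def sid_to_string(sid_bytes):
    """Binary SID (sequence of byte values) to its S-1-... string form."""
    raw = bytes(sid_bytes)
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")  # 48-bit, big-endian
    subs = [int.from_bytes(raw[i:i + 4], "little") for i in range(8, len(raw), 4)]
    return "-".join(map(str, ["S", raw[0], authority, *subs]))

def decode_mask(mask):
    """Names of the rights set in an AccessMask; unnamed bits are kept as hex."""
    rest = mask & ~sum(RIGHTS)
    return [n for b, n in RIGHTS.items() if mask & b] + ([hex(rest)] if rest else [])

def parse_aces(text):
    """Decode each ACE in the script's output; flag risky rights for broad groups."""
    aces = []
    for mask, ace_type, domain, name, sid in PATTERN.findall(text):
        sid = sid_to_string(int(b) for b in sid.split(","))
        aces.append({"trustee": (domain + "\\" + name).lstrip("\\"), "sid": sid,
                     "type": ACE_TYPES.get(int(ace_type), "Unknown"),
                     "rights": decode_mask(int(mask)),
                     "flagged": ace_type == "0" and sid in BROAD_SIDS
                                and bool(int(mask) & RISKY)})
    return aces

if __name__ == "__main__":
    print(*parse_aces(SAMPLE), sep="\n")
```
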
Requirements
| Minimum supported client | Windows 2000 Professional [desktop apps only] |
|---|---|
| Minimum supported server | Windows 2000 Server [desktop apps only] |
| Namespace | \root\CIMV2 |
| MOF | |
| DLL | |
See also
- Operating System Classes
- Win32_LogicalFileSecuritySetting
- Win32_SecurityDescriptor
- Changing Access Security on Securable Objects
- WMI Security Descriptor Objects
Build date: 11/19/2012