
GetSecurityDescriptor method of the Win32_LogicalFileSecuritySetting class

The GetSecurityDescriptor WMI class method retrieves the security descriptor of the Win32_LogicalFileSecuritySetting object in the form of a Win32_SecurityDescriptor object. A security descriptor contains information about the owner and the primary group of an object. The security descriptor also contains two access control lists (ACLs). The first is the discretionary access control list (DACL), which describes who should have access to an object and what type of access to grant. The second is the system access control list (SACL), which defines what type of auditing to record for an object.

This topic uses Managed Object Format (MOF) syntax. For more information about using this method, see Calling a Method.

Syntax


uint32 GetSecurityDescriptor(
  [out]  Win32_SecurityDescriptor Descriptor
);

Parameters

Descriptor [out]

Expression that resolves to an instance of Win32_SecurityDescriptor.

Return value

Return code    Description
0              Success
2              Access Denied
8              Unknown Failure
9              Privilege Missing
21             Invalid Parameter

Examples

The following VBScript code example assumes that a folder named \testfolder exists on C:\. The example obtains the folder's security descriptor and dissects it into its security components: ACEs, trustees, and SIDs. For more information about security entities, see Security Descriptors in the Security section of the Windows SDK.

The script calls the Win32_LogicalFileSecuritySetting GetSecurityDescriptor method to retrieve an instance of the Win32_SecurityDescriptor class for the target object, that is, C:\TestFolder. GetSecurityDescriptor returns the wmiSecurityDescriptor parameter with an instance of the Win32_SecurityDescriptor class that corresponds to the security descriptor for the target object. Properties provided by the Win32_SecurityDescriptor class contain the DACL array of access control entries (ACEs) in the form of Win32_ACE object references. It also contains the trustee information in the form of Win32_Trustee objects.


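On Error Resume Next
' The folder named "testfolder" must exist on the C:\ drive.

Set wmiFileSecSetting = GetObject( _
    "winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\testfolder'")
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to Win32_LogicalFileSecuritySetting" _
        & vbCrLf & Err.Number & vbCrLf & Err.Description
    WScript.Quit
End If

RetVal = wmiFileSecSetting. _
    GetSecurityDescriptor(wmiSecurityDescriptor)

' Check the script error and the method return code (0 = Success).
If Err.Number <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed" _
        & vbCrLf & Err.Number & vbCrLf & Err.Description
    WScript.Quit
ElseIf RetVal <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed with return code " & RetVal
    WScript.Quit
Else
    WScript.Echo "GetSecurityDescriptor succeeded"
End If

' Retrieve the DACL array of Win32_ACE objects.
DACL = wmiSecurityDescriptor.DACL

' With On Error Resume Next, looping over a Null DACL would fail silently.
If IsNull(DACL) Then
    WScript.Echo "The security descriptor contains no DACL"
    WScript.Quit
End If

For Each wmiAce In DACL

    WScript.Echo "Access Mask: "     & wmiAce.AccessMask
    WScript.Echo "ACE Type: "        & wmiAce.AceType

    ' Get the Win32_Trustee object from the ACE.
    Set Trustee = wmiAce.Trustee
    WScript.Echo "Trustee Domain: "  & Trustee.Domain
    WScript.Echo "Trustee Name: "    & Trustee.Name

    ' Get the SID as a byte array from the trustee.
    SID = Trustee.SID
    strsid = Join(SID, ",")
    WScript.Echo "Trustee SID: {" & strsid & "}"

Next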
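
The script above echoes each ACE's AccessMask, AceType and trustee SID as raw numbers. The following Python sketch is an added example, not part of the original sample: it decodes those values into right names and an S-1-... SID string, and marks Allow ACEs that give write-type rights to broad groups. The function names, the tuple layout and the sample ACEs are assumptions constructed for illustration.

```python
import struct

# File and directory access-right bits from winnt.h (Windows SDK).
RIGHTS = {
    0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA",
    0x4: "FILE_APPEND_DATA", 0x8: "FILE_READ_EA",
    0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
ACE_TYPES = {0: "Allow", 1: "Deny", 2: "Audit"}  # Win32_ACE.AceType values
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000  # write, delete, re-ACL
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}

def sid_to_string(sid_bytes):
    # Layout: revision, sub-authority count, 6-byte big-endian authority,
    # then one little-endian 32-bit value per sub-authority.
    b = bytes(sid_bytes)
    if len(b) < 8 or len(b) != 8 + 4 * b[1]:
        raise ValueError("malformed SID")
    subs = struct.unpack("<%dI" % b[1], b[8:])
    return "-".join(map(str, ("S", b[0], int.from_bytes(b[2:8], "big")) + subs))

def decode_mask(mask):
    names = [n for bit, n in RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(RIGHTS)  # bits not in the table (e.g. generic rights)
    return names + ([hex(unknown)] if unknown else [])

def describe(ace):
    # ace = (AccessMask, AceType, Trustee.Name, Trustee.SID) as read by the script.
    mask, ace_type, name, sid = ace
    mask &= 0xFFFFFFFF
    sid_str = sid_to_string(sid)
    broad = ace_type == 0 and sid_str in BROAD_SIDS and bool(mask & WRITE_BITS)
    return {"trustee": name, "sid": sid_str, "type": ACE_TYPES.get(ace_type, str(ace_type)),
            "rights": decode_mask(mask), "broad_write": broad}

# Constructed sample ACEs, not taken from a real system.
SAMPLE_DACL = [
    (2032127, 0, "Administrators", [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]),
    (1245631, 0, "Everyone", [1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0]),
    (1179817, 0, "Users", [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 33, 2, 0, 0]),
]

if __name__ == "__main__":
    for ace in SAMPLE_DACL:
        print(describe(ace))
```
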

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2003

Namespace

\root\CIMV2

MOF

Secrcw32.mof

DLL

CIMWin32.dll

See also

Operating System Classes
Win32_LogicalFileSecuritySetting
Win32_SecurityDescriptor
Changing Access Security on Securable Objects
WMI Security Descriptor Objects

 

 

© 2014 Microsoft