Tags: vbscript, active-directory, dacl

How does one get the DACL of a server's printer in Windows?


Context: Windows 7 64-bit, Active Directory, Windows Server 2003

I'm trying to get the code given by Microsoft on their page GetSecurityDescriptor method of the Win32_Printer Class (Windows) to work. I'm a bit curious to know how the double instantiation of winmgmts works out, viz (from their code)

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")

    Set objWMIService = GetObject("winmgmts:")

I would have thought that the second instance would clobber the first. This would seem to be borne out by the fact that no matter what server name I put in strComputer, I still get a list of the printers on my computer.

Has anyone had any joy getting the DACL of a server-connected printer using VBScript?


Solution

  • You are right, and there is more than one thing wrong with that script. Here is a working version:

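    ' Security descriptor control flag and ACE type values
    SE_DACL_PRESENT = &h4
    ACCESS_ALLOWED_ACE_TYPE = &h0
    ACCESS_DENIED_ACE_TYPE  = &h1

    ' Placeholders: target server and the account used for the remote WMI connection
    strComputer = "xxxxxxxxxx"
    strUser = "xxxxxxxxxxxx"
    strPassword = "xxxxxxx"
    strDomain = "xxx"

    ' Connect to root\cimv2 on strComputer with explicit credentials
    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    Set objSWbemServices = objSWbemLocator.ConnectServer(strComputer, _
        "root\cimv2", _
         strUser, _
         strPassword, _
         "MS_409", _
         "ntlmdomain:" + strDomain)

    ' Enumerate the printers defined on that server
    Set colInstalledPrinters =  objSWbemServices.ExecQuery ("Select * from Win32_Printer")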
    
    On error resume next
    
    For Each objPrinter in colInstalledPrinters
      Wscript.Echo "Name: " & objPrinter.Name 
      Return = objPrinter.GetSecurityDescriptor( objSD )
      If ( return = 2 ) Then
        WScript.Echo "Could not get security descriptor: " & Return
      Elseif ( return = 8 ) Then
        WScript.Echo "Unknown failure: " & Return
      Elseif ( return = 9 ) Then
        WScript.Echo "The user does not have adequate privileges to execute the method: " & Return
      Elseif ( return = 21) Then
        WScript.Echo "A parameter specified in the method call is not valid: " & Return
      Elseif ( return = 0 ) Then
        intControlFlags = objSD.ControlFlags
        If intControlFlags AND SE_DACL_PRESENT Then
          arrACEs = objSD.DACL
          For Each objACE in arrACEs
            WScript.Echo objACE.Trustee.Domain & "\" & objACE.Trustee.Name
            If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
              WScript.Echo vbTab & "User has access to printer"
            ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
              WScript.Echo vbTab & "User does not have access to the printer"
            End If
          Next
        Else
          WScript.Echo "No DACL found in security descriptor"
        end if
      Else
        WScript.Echo "Could not get security descriptor: " & Return
      End If
    Next
    

    On my domain this gives the ACL twice per user; this could be caused by the way security is given.

    Name: printer1
    \CREATOR OWNER
      User has access to printer
    \CREATOR OWNER
      User has access to printer
    MCM\DomainUsers
      User has access to printer
    MCM\DomainUsers
      User has access to printer
    MCM\DomainUsers
      User has access to printer
    MCM\admin
      User has access to printer
    MCM\admin
      User has access to printer
    BUILTIN\Administrators
      User has access to printer
    BUILTIN\Administrators
      User has access to printer
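
Added example (not part of the original answer): the loop above prints only the trustee and the ACE type, so ACEs that differ in `AccessMask` or `AceFlags` look identical in the output. The helper below decodes those two `Win32_ACE` properties; a printer DACL can hold one ACE for the printer object and a separate inherit-only ACE for its print jobs. The function names and the sample values are constructed for illustration.

```vbscript
Option Explicit
' Printer and print-job rights (winspool.h), standard rights (winnt.h)
Const PRINTER_ACCESS_ADMINISTER = &H4, PRINTER_ACCESS_USE = &H8
Const JOB_ACCESS_ADMINISTER = &H10, JOB_ACCESS_READ = &H20
Const READ_CONTROL = &H20000, WRITE_DAC = &H40000, WRITE_OWNER = &H80000
' ACE inheritance flags (winnt.h)
Const OBJECT_INHERIT_ACE = &H1, INHERIT_ONLY_ACE = &H8, INHERITED_ACE = &H10

' Append strName to strList when lngBit is set in lngValue
Function AddIf(strList, lngValue, lngBit, strName)
  Dim strOut : strOut = strList
  If (lngValue And lngBit) <> 0 Then
    If Len(strOut) > 0 Then strOut = strOut & ", "
    strOut = strOut & strName
  End If
  AddIf = strOut
End Function

Function DescribeMask(lngMask)
  Dim s
  s = AddIf("", lngMask, PRINTER_ACCESS_USE, "PRINTER_ACCESS_USE")
  s = AddIf(s, lngMask, PRINTER_ACCESS_ADMINISTER, "PRINTER_ACCESS_ADMINISTER")
  s = AddIf(s, lngMask, JOB_ACCESS_ADMINISTER, "JOB_ACCESS_ADMINISTER")
  s = AddIf(s, lngMask, JOB_ACCESS_READ, "JOB_ACCESS_READ")
  s = AddIf(s, lngMask, READ_CONTROL, "READ_CONTROL")
  s = AddIf(s, lngMask, WRITE_DAC, "WRITE_DAC")
  s = AddIf(s, lngMask, WRITE_OWNER, "WRITE_OWNER")
  DescribeMask = "0x" & Hex(lngMask) & " = " & s
End Function

Function DescribeFlags(lngFlags)
  Dim s
  s = AddIf("", lngFlags, OBJECT_INHERIT_ACE, "inherited by print jobs")
  s = AddIf(s, lngFlags, INHERIT_ONLY_ACE, "not applied to the printer itself")
  s = AddIf(s, lngFlags, INHERITED_ACE, "inherited from parent")
  If s = "" Then s = "applies to the printer object"
  DescribeFlags = s
End Function

' Constructed sample ACEs: trustee, AceFlags, AccessMask (not real output)
Dim arrSample, ace
arrSample = Array( _
  Array("BUILTIN\Administrators", &H0, &HF000C), _
  Array("BUILTIN\Administrators", &H9, &HF0030))
For Each ace In arrSample
  WScript.Echo ace(0) & ": " & DescribeMask(ace(2)) & " (" & DescribeFlags(ace(1)) & ")"
Next
' In the answer's loop, the equivalent call (Win32_ACE properties) is:
'   WScript.Echo vbTab & DescribeMask(objACE.AccessMask) & " (" & DescribeFlags(objACE.AceFlags) & ")"
```

Run it with `cscript` to see the two constructed entries for the same trustee decode to different rights and scopes.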