使用WMI修改文件文件夾的NTFS權限, 代碼:
strUser = "guests"
strPath = "D://abc.txt"
RetVal = AddPermission(strUser,strPath,"R",True)
'-------------------------------------------------------------------------
'用于給文件和文件夾添加一條權限設置.返回值: 0-成功,1-賬戶不存在,2-路徑不存在
'strUser表示用戶名或組名
'strPath表示文件夾路徑或文件路徑
'strAccess表示允許權限設置的字符串,字符串中帶有相應字母表示允許相應權限: R-讀,C-讀寫,F-完全控制
'blInherit表示是否繼承父目錄權限.True為繼承,False為不繼承
Function AddPermission(strUser,strPath,strAccess,blInherit)
Set objWMIService = GetObject("winmgmts://./root/Cimv2")
Set fso = CreateObject("Scripting.FileSystemObject")
'得到Win32_SID并判斷用戶/組/內置賬戶是否存在
Set colUsers = objWMIService.ExecQuery("SELECT * FROM Win32_Account WHERE Name='"&strUser&"'")
If colUsers.count<>0 Then
For Each objUser In colUsers
strSID = objUser.SID
Next
Else
AddPermission = 1
Exit Function
End If
Set objSID = objWMIService.Get("Win32_SID.SID='"&strSID&"'")
'判斷文件/文件夾是否存在
pathType = ""
If fso.fileExists(strPath) Then pathType = "FILE"
If fso.folderExists(strPath) Then pathType = "FOLDER"
If pathType = "" Then
AddPermission = 2
Exit Function
End If
'設置Trustee
Set objTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
objTrustee.Domain = objSID.ReferencedDomainName
objTrustee.Name = objSID.AccountName
objTrustee.SID = objSID.BinaryRepresentation
objTrustee.SidLength = objSID.SidLength
objTrustee.SIDString = objSID.Sid
'設置ACE
Set objNewACE = objWMIService.Get("Win32_ACE").SpawnInstance_()
objNewACE.Trustee = objTrustee
objNewACE.AceType = 0
If InStr(UCase(strAccess),"R") > 0 Then objNewACE.AccessMask = 1179817
If InStr(UCase(strAccess),"C") > 0 Then objNewACE.AccessMask = 1245631
If InStr(UCase(strAccess),"F") > 0 Then objNewACE.AccessMask = 2032127
If pathType = "FILE" And blInherit = True Then objNewACE.AceFlags = 16
If pathType = "FILE" And blInherit = False Then objNewACE.AceFlags = 0
If pathType = "FOLDER" And blInherit = True Then objNewACE.AceFlags = 19
If pathType = "FOLDER" And blInherit = False Then objNewACE.AceFlags = 3
'設置SD
Set objFileSecSetting = objWMIService.Get("Win32_LogicalFileSecuritySetting.Path='"&strPath&"'")
Call objFileSecSetting.GetSecurityDescriptor(objSD)
blSE_DACL_AUTO_INHERITED = True
If (objSD.ControlFlags And &H400) = 0 Then
blSE_DACL_AUTO_INHERITED = False
objSD.ControlFlags = (objSD.ControlFlags Or &H400)
'自動繼承位置位,如果是剛創建的目錄或文件該位是不置位的,需要置位
End If
If blInherit = True Then
objSD.ControlFlags = (objSD.ControlFlags And &HEFFF)
'阻止繼承復位
Else
objSD.ControlFlags = (objSD.ControlFlags Or &H1400)
'阻止繼承位置位,自動繼承位置位
End If
objOldDacl = objSD.Dacl
ReDim objNewDacl(0)
Set objNewDacl(0) = objNewACE
If IsArray(objOldDacl) Then
'權限為空時objOldDacl不是集合不可遍歷
For Each objACE In objOldDacl
If (blSE_DACL_AUTO_INHERITED=False And blInherit=True) Or ((objACE.AceFlags And 16)>0 And (blInherit=True) Or (LCase(objACE.Trustee.Name)=LCase(strUser))) Then
'Do nothing
'當自動繼承位置位為0時即使時繼承的權限也會顯示為非繼承,這時所有權限都不設置
'當自動繼承位置位為0時,在繼承父目錄權限的情況下不設置繼承的權限.賬戶和需要加權限的賬戶一樣時不設置權限
Else
Ubd = UBound(objNewDacl)
ReDim preserve objNewDacl(Ubd+1)
Set objNewDacl(Ubd+1) = objACE
End If
Next
End If
objSD.Dacl = objNewDacl
'提交設置修改
Call objFileSecSetting.SetSecurityDescriptor(objSD)
AddPermission = 0
Set fso = Nothing
End Function
