DESCRIPTION
This script demonstrates a network share provisioning process. When a new "Shared folder" is published in AD, the following additional steps are performed:
- a local folder on designated server will be created
- the folder will be shared in network
- three domain local security groups in designated OU will be created
- the groups get designated owner
- the NTFS and share permissions are set on the folder for the groups
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
'
' As preparation, create the following Virtual Attributes:
'
' - edsvaAdvancedSharedFolderCreation-ShareName, syntax:string, single-valued
' Name of network share
'
' - edsvaAdvancedSharedFolderCreation-ServerName, syntax:string, single-valued
' Name of server on which the folder will be created
'
' - edsvaAdvancedSharedFolderCreation-LocalPath, syntax:string, single-valued
' Local path on the server where the new folder will be created. The name of the new folder must be included in the path!
'
' - edsvaAdvancedSharedFolderCreation-ContainerDN, syntax:DN, single-valued
' Distinguished name of OU, where the new groups will be created, which will have designated permissions on the new share/folder
'
' - edsvaAdvancedSharedFolderCreation-OwnerDN, syntax:DN, single-valued
' Distinguished name of owner of the designated groups, which have Read/Read-Write/FullControl permission on the new share and folder
'
' Every variable must be declared with Dim, so a mistyped name is a
' compile-time error instead of a silently created Empty variable.
Option Explicit
'***********************************************************************************
'** EVENT HANDLERS
'***********************************************************************************
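Sub onPreCreate(Request)
    ' Pre-create handler for "volume" (Shared Folder) objects.
    ' Provisions the share that the new object describes:
    '   1. reads and validates the request attributes (see header comment),
    '   2. creates the <cn>-R / <cn>-RW / <cn>-FC domain-local security groups
    '      in the designated OU, managed by the designated owner,
    '   3. creates the local folder on the designated server via WMI and applies
    '      the NTFS permissions for the groups,
    '   4. creates the share and applies the share permissions for the groups,
    '   5. stores the resulting UNC path in the request's uNCName attribute.
    ' Every failure raises error 1 (source "onPreCreate") with the reason in
    ' Err.Description, which aborts the request. Steps that already completed
    ' are not rolled back.
    If (LCase(Request.Class) <> "volume") Then Exit Sub

    Dim strName, strServerName, strShareName, strLocalPath, strNetworkPath
    Dim strContainerDN, strOwnerDN
    Dim objWMIService, nResult
    Dim objGroupRead, objGroupReadWrite, objGroupFullControl
    Dim objTrusteeRead, objTrusteeReadWrite, objTrusteeFullControl
    Dim objSecurityDescriptor

    '-- read the required attributes; each of them ends up on a cmd.exe command
    '-- line, inside a WMI object path or in an LDAP RDN, so the allowed
    '-- character set is restricted here instead of trusting the input
    strName = GetRequiredRequestValue(Request, "cn", "Enter valid value for folder name (cn)")
    If (Not MatchesPattern(strName, "^[^""/\\\[\]:;|=,+*?<>\x00-\x1F]+$")) Then
        Err.Raise 1, "onPreCreate", "Folder name (cn) contains characters not allowed in a group name"
    End If

    strServerName = GetRequiredRequestValue(Request, "edsvaAdvancedSharedFolderCreation-ServerName", "Enter valid value for server name")
    If (Not MatchesPattern(strServerName, "^[A-Za-z0-9][A-Za-z0-9.\-]*$")) Then
        Err.Raise 1, "onPreCreate", "Server name contains invalid characters"
    End If

    strShareName = GetRequiredRequestValue(Request, "edsvaAdvancedSharedFolderCreation-ShareName", "Enter valid value for share name")
    If (Not MatchesPattern(strShareName, "^[^\\/:*?""<>|\[\]+=;,'\x00-\x1F]{1,80}$")) Then
        Err.Raise 1, "onPreCreate", "Share name contains invalid characters or is longer than 80 characters"
    End If

    strLocalPath = GetRequiredRequestValue(Request, "edsvaAdvancedSharedFolderCreation-LocalPath", "Enter valid value for local path")
    '-- absolute "X:\..." path, no ".." segments, no characters that are invalid
    '-- in a file name or that cmd.exe interprets (" & | < > ^ % !) and no quote
    '-- characters that would break the WMI object path
    If (InStr(strLocalPath, "..") > 0) Or _
       (Not MatchesPattern(strLocalPath, "^[A-Za-z]:\\([^\\/:*?""<>|&^%!'\x00-\x1F]+\\)*[^\\/:*?""<>|&^%!'\x00-\x1F]+$")) Then
        Err.Raise 1, "onPreCreate", "Local path must be an absolute path such as C:\Folder\NewFolder without special characters"
    End If

    strContainerDN = GetRequiredRequestValue(Request, "edsvaAdvancedSharedFolderCreation-ContainerDN", "Enter valid value for container where new group will be created")
    strOwnerDN = GetRequiredRequestValue(Request, "edsvaAdvancedSharedFolderCreation-OwnerDN", "Enter valid value for owner for newly created groups")

    '-- construct UNC name for shared folder and put it in request
    strNetworkPath = "\\" & strServerName & "\" & strShareName
    Request.Put "uNCName", strNetworkPath

    '-- connect to WMI on the target server; pktPrivacy encrypts the DCOM
    '-- traffic that carries the security descriptors
    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!" & _
        "\\" & strServerName & "\root\cimv2")

    '-- create the three groups first (AD side): if this fails, nothing has
    '-- been created on the file server yet
    Set objGroupRead = CreateDomainLocalGroup(strContainerDN, strName & "-R", strOwnerDN)
    Set objGroupReadWrite = CreateDomainLocalGroup(strContainerDN, strName & "-RW", strOwnerDN)
    Set objGroupFullControl = CreateDomainLocalGroup(strContainerDN, strName & "-FC", strOwnerDN)

    '-- WMI trustees for the groups
    Set objTrusteeRead = CreateTrusteeForObject(objWMIService, objGroupRead)
    Set objTrusteeReadWrite = CreateTrusteeForObject(objWMIService, objGroupReadWrite)
    Set objTrusteeFullControl = CreateTrusteeForObject(objWMIService, objGroupFullControl)

    '-- create the local folder and secure it BEFORE it is shared, so the share
    '-- never exposes a folder that still carries only inherited permissions
    nResult = CreateLocalFolder(objWMIService, strLocalPath)
    If (nResult <> 0) Then Err.Raise 1, "onPreCreate", "Local folder creation error = " & nResult
    Set objSecurityDescriptor = CreateSecurityDescriptorForLocalFolder(objWMIService, objTrusteeRead, objTrusteeReadWrite, objTrusteeFullControl)
    nResult = SetPermissionsToLocalFolder(objWMIService, strLocalPath, objSecurityDescriptor)
    If (nResult <> 0) Then Err.Raise 1, "onPreCreate", "Local folder permission error = " & nResult

    '-- create the share; it carries the server's default share permissions
    '-- until SetPermissionsToNetworkShare succeeds, which is why a failure
    '-- there is fatal rather than ignored
    nResult = CreateNetworkShare(objWMIService, strLocalPath, strShareName, "This share is automatically created by ActiveRoles Server")
    If (nResult <> 0) Then Err.Raise 1, "onPreCreate", "Share creation error = " & nResult
    Set objSecurityDescriptor = CreateSecurityDescriptorForNetworkShare(objWMIService, objTrusteeRead, objTrusteeReadWrite, objTrusteeFullControl)
    nResult = SetPermissionsToNetworkShare(objWMIService, strShareName, objSecurityDescriptor)
    If (nResult <> 0) Then Err.Raise 1, "onPreCreate", "Share permission error = " & nResult
End Sub

'******************************************************************
' GetRequestString - reads a single-valued attribute from the request
' ----------
' Request - the ActiveRoles request object
' strAttrName - LDAP display name of the attribute
' ----------
' return value - the attribute value as a trimmed string; "" when the
'                attribute is absent, Null, or cannot be converted to a string
Function GetRequestString(ByRef Request, ByVal strAttrName)
    Dim varValue
    GetRequestString = ""
    On Error Resume Next
    varValue = Request.Get(strAttrName)
    If (Err.Number = 0) Then
        If (Not IsNull(varValue)) And (Not IsEmpty(varValue)) Then
            ' a failing CStr (e.g. multi-valued attribute) leaves "" in place
            GetRequestString = Trim(CStr(varValue))
        End If
    End If
    On Error GoTo 0
End Function

'******************************************************************
' GetRequiredRequestValue - reads a mandatory attribute from the request
' ----------
' Request - the ActiveRoles request object
' strAttrName - LDAP display name of the attribute
' strErrorMessage - text placed in Err.Description when the value is empty
' ----------
' return value - the non-empty attribute value
' raises error 1 (source "onPreCreate") when the attribute is absent or blank
Function GetRequiredRequestValue(ByRef Request, ByVal strAttrName, ByVal strErrorMessage)
    Dim strValue
    strValue = GetRequestString(Request, strAttrName)
    If (strValue = "") Then Err.Raise 1, "onPreCreate", strErrorMessage
    GetRequiredRequestValue = strValue
End Function

'******************************************************************
' MatchesPattern - True when strValue matches the regular expression
' strPattern (case-insensitive; anchor the pattern to match the whole value)
Function MatchesPattern(ByVal strValue, ByVal strPattern)
    Dim objRegExp
    Set objRegExp = CreateObject("VBScript.RegExp")
    objRegExp.Pattern = strPattern
    objRegExp.IgnoreCase = True
    objRegExp.Global = False
    MatchesPattern = objRegExp.Test(strValue)
End Function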
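'******************************************************************
' CreateLocalFolder - creates a new local folder on the WMI-connected server
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' strLocalPath - absolute local path of the new folder, e.g. "C:\MyFolder"
' ----------
' return value - Error code, 0 for OK:
'   123 (ERROR_INVALID_NAME)   path contains characters that are invalid in a
'                              file name or special to cmd.exe
'   258 (WAIT_TIMEOUT)         the "md" process did not finish within the poll budget
'   3   (ERROR_PATH_NOT_FOUND) the folder does not exist after the command ran
'   other                      Win32_Process.Create return code
' The folder is created by running "cmd.exe /c md <path>" on the server via
' Win32_Process; the path is quoted and its character set is restricted so it
' cannot be turned into a second command.
Function CreateLocalFolder(ByRef objWMIService, ByVal strLocalPath)
    Const ERROR_PATH_NOT_FOUND = 3
    Const ERROR_INVALID_NAME = 123
    Const WAIT_TIMEOUT = 258
    ' Each poll is a remote WMI query with no sleep in between, so the budget
    ' is roughly MAX_POLLS * query round-trip; tune it for slow links.
    Const MAX_POLLS = 2000
    Dim objProcessClass, nProcessId, nResult, nPoll
    Dim arrItems, objItem, boolRunning, strQueryPath

    If (Not IsSafeLocalPath(strLocalPath)) Then
        CreateLocalFolder = ERROR_INVALID_NAME
        Exit Function
    End If

    Set objProcessClass = objWMIService.Get("Win32_Process")
    ' The path is wrapped in quotes so spaces are preserved; quote characters
    ' themselves are rejected by IsSafeLocalPath, so the quoting cannot be broken.
    nResult = objProcessClass.Create("cmd.exe /c md """ & strLocalPath & """", Null, Null, nProcessId)
    If (nResult <> 0) Then
        CreateLocalFolder = nResult
        Exit Function
    End If

    ' Wait for cmd.exe to exit by polling the process table for its PID, giving
    ' up after MAX_POLLS so a hung process cannot block the request forever.
    ' (A recycled PID would be mistaken for the still-running command.)
    boolRunning = True
    For nPoll = 1 To MAX_POLLS
        Set arrItems = objWMIService.ExecQuery("SELECT ProcessId FROM Win32_Process WHERE ProcessId=" & nProcessId)
        boolRunning = False
        For Each objItem In arrItems
            boolRunning = True
            Exit For
        Next
        If (Not boolRunning) Then Exit For
    Next
    If boolRunning Then
        CreateLocalFolder = WAIT_TIMEOUT
        Exit Function
    End If

    ' "md" reports failure only through cmd's exit code, which is not observable
    ' here, so confirm the outcome: the folder must now exist. WQL string
    ' literals need backslashes doubled.
    strQueryPath = Replace(strLocalPath, "\", "\\")
    Set arrItems = objWMIService.ExecQuery("SELECT Name FROM Win32_Directory WHERE Name='" & strQueryPath & "'")
    If (arrItems.Count = 0) Then
        CreateLocalFolder = ERROR_PATH_NOT_FOUND
        Exit Function
    End If
    CreateLocalFolder = 0
End Function

'******************************************************************
' IsSafeLocalPath - True when strLocalPath is an absolute "X:\..." path made
' only of characters that are neither invalid in file names nor meaningful to
' cmd.exe or WMI object paths (" & | < > ^ % ! ' and control characters), and
' that contains no ".." segment.
Function IsSafeLocalPath(ByVal strLocalPath)
    Dim objRegExp
    IsSafeLocalPath = False
    If (InStr(strLocalPath, "..") > 0) Then Exit Function
    Set objRegExp = CreateObject("VBScript.RegExp")
    objRegExp.Pattern = "^[A-Za-z]:\\([^\\/:*?""<>|&^%!'\x00-\x1F]+\\)*[^\\/:*?""<>|&^%!'\x00-\x1F]+$"
    IsSafeLocalPath = objRegExp.Test(strLocalPath)
End Function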
'******************************************************************
' CreateNetworkShare - publishes an existing local folder as a disk share
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' strLocalPath - local folder to share, e.g. "C:\MyFolder"
' strShareName - name of the network share
' strShareDescription - share remark shown to clients
' ----------
' return value - Win32_Share.Create return code, 0 for OK
' NOTE(review): no Access (security descriptor) argument is passed, so the
' share presumably comes up with the server's default share permissions until
' the caller applies a descriptor via SetPermissionsToNetworkShare.
Function CreateNetworkShare(ByRef objWMIService, _
        ByVal strLocalPath, ByVal strShareName, ByVal strShareDescription)
    Const SHARE_TYPE_DISK_DRIVE = 0
    Dim objShareClass, nReturn
    Set objShareClass = objWMIService.Get("Win32_Share")
    ' Win32_Share.Create(Path, Name, Type, [MaximumAllowed], [Description], [Password], [Access])
    nReturn = objShareClass.Create(strLocalPath, strShareName, SHARE_TYPE_DISK_DRIVE, , strShareDescription)
    CreateNetworkShare = nReturn
End Function
'******************************************************************
' SetPermissionsToLocalFolder - applies a security descriptor to a local folder
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' strLocalPath - path to the local folder, e.g. "C:\MyFolder"; inserted
'                verbatim into a WMI object path, so it must not contain a
'                single quote
' objSecurityDescriptor - Win32_SecurityDescriptor instance holding the NTFS DACL
' ----------
' return value - Win32_LogicalFileSecuritySetting.SetSecurityDescriptor
'                return code, 0 for OK
Function SetPermissionsToLocalFolder(ByRef objWMIService, _
        ByVal strLocalPath, ByRef objSecurityDescriptor)
    Dim strObjectPath, objFileSecurity
    strObjectPath = "Win32_LogicalFileSecuritySetting='" & strLocalPath & "'"
    Set objFileSecurity = objWMIService.Get(strObjectPath)
    ' The descriptor replaces what is on the folder; only the groups in the
    ' supplied DACL (plus whatever the server keeps as inherited) retain access.
    SetPermissionsToLocalFolder = objFileSecurity.SetSecurityDescriptor(objSecurityDescriptor)
End Function
'******************************************************************
' SetPermissionsToNetworkShare - applies a security descriptor to a share
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' strShareName - name of the network share; inserted verbatim into a WMI
'                object path, so it must not contain a single quote
' objSecurityDescriptor - Win32_SecurityDescriptor instance holding the share DACL
' ----------
' return value - Win32_Share.SetShareInfo return code, 0 for OK
Function SetPermissionsToNetworkShare(ByRef objWMIService, _
        ByVal strShareName, ByRef objSecurityDescriptor)
    Dim strObjectPath, objShare
    strObjectPath = "Win32_Share='" & strShareName & "'"
    Set objShare = objWMIService.Get(strObjectPath)
    ' SetShareInfo(MaximumAllowed, Description, Access): only Access is passed;
    ' the first two are omitted so — presumably — the existing values are kept.
    SetPermissionsToNetworkShare = objShare.SetShareInfo(, , objSecurityDescriptor)
End Function
'******************************************************************
' CreateSecurityDescriptorForNetworkShare - builds the share security
' descriptor: an allow-only DACL with one ACE per supplied trustee
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' objTrusteeRead, objTrusteeReadWrite, objTrusteeFullControl - Win32_Trustee
'   instances for the Read / Change / Full Control groups; a trustee that is
'   not an object is skipped, so the DACL may hold fewer than three ACEs
' ----------
' return value - Win32_SecurityDescriptor instance (ControlFlags = SE_DACL_PRESENT)
Function CreateSecurityDescriptorForNetworkShare (ByRef objWMIService, _
        ByRef objTrusteeRead, ByRef objTrusteeReadWrite, ByRef objTrusteeFullControl)
    Const SE_DACL_PRESENT = 4
    Const ACE_INHERIT_BOTH = 3               ' OBJECT_INHERIT_ACE (1) Or CONTAINER_INHERIT_ACE (2)
    Const ACCESS_ALLOWED_ACE_TYPE = 0
    ' Standard share permission masks
    Const SHARE_READ = 1179817               ' &H1200A9 - FILE_GENERIC_READ Or FILE_EXECUTE ("Read")
    Const SHARE_CHANGE = 1245631             ' &H1301BF - read plus write/append/delete ("Change")
    Const SHARE_FULL_CONTROL = 2032127       ' &H1F01FF - FILE_ALL_ACCESS ("Full Control")
    Dim objSecDescriptor, arrDACL
    Dim arrTrustees, arrMasks, nIndex

    Set objSecDescriptor = objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
    objSecDescriptor.Properties_.Item("ControlFlags") = SE_DACL_PRESENT

    ' Trustees and their masks are paired by position; absent trustees are skipped.
    arrTrustees = Array(objTrusteeRead, objTrusteeReadWrite, objTrusteeFullControl)
    arrMasks = Array(SHARE_READ, SHARE_CHANGE, SHARE_FULL_CONTROL)
    arrDACL = Array()
    For nIndex = 0 To UBound(arrTrustees)
        If IsObject(arrTrustees(nIndex)) Then
            AddToArray arrDACL, CreateACE(objWMIService, arrTrustees(nIndex), arrMasks(nIndex), ACE_INHERIT_BOTH, ACCESS_ALLOWED_ACE_TYPE)
        End If
    Next
    objSecDescriptor.Properties_.Item("DACL") = arrDACL
    Set CreateSecurityDescriptorForNetworkShare = objSecDescriptor
End Function
'******************************************************************
' CreateSecurityDescriptorForLocalFolder - builds the NTFS security
' descriptor for the folder: an allow-only, inheritable DACL with one ACE
' per supplied trustee
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' objTrusteeRead, objTrusteeReadWrite, objTrusteeFullControl - Win32_Trustee
'   instances for the Read / Modify / Full Control groups; a trustee that is
'   not an object is skipped, so the DACL may hold fewer than three ACEs
' ----------
' return value - Win32_SecurityDescriptor instance with
'                ControlFlags = SE_DACL_PRESENT Or SE_DACL_AUTO_INHERITED
'                (no SE_DACL_PROTECTED, so parent inheritance is not cut;
'                no explicit SYSTEM/Administrators ACEs are added here)
Function CreateSecurityDescriptorForLocalFolder (ByRef objWMIService, _
        ByRef objTrusteeRead, ByRef objTrusteeReadWrite, ByRef objTrusteeFullControl)
    Const SE_DACL_PRESENT = 4
    Const SE_DACL_AUTO_INHERITED = 1024
    Const ACE_INHERIT_BOTH = 3               ' OBJECT_INHERIT_ACE (1) Or CONTAINER_INHERIT_ACE (2)
    Const ACCESS_ALLOWED_ACE_TYPE = 0
    ' NTFS masks: the share Read/Change masks without the SYNCHRONIZE bit (&H100000).
    ' NOTE(review): Explorer's "Read & execute" / "Modify" templates include
    ' SYNCHRONIZE - confirm the omission is intended.
    Const NTFS_READ = 131241                 ' &H200A9
    Const NTFS_MODIFY = 197055               ' &H301BF
    Const NTFS_FULL_CONTROL = 2032127        ' &H1F01FF - FILE_ALL_ACCESS
    Dim objSecDescriptor, arrDACL
    Dim arrTrustees, arrMasks, nIndex

    Set objSecDescriptor = objWMIService.Get("Win32_SecurityDescriptor").SpawnInstance_()
    objSecDescriptor.Properties_.Item("ControlFlags") = SE_DACL_PRESENT + SE_DACL_AUTO_INHERITED

    ' Trustees and their masks are paired by position; absent trustees are skipped.
    arrTrustees = Array(objTrusteeRead, objTrusteeReadWrite, objTrusteeFullControl)
    arrMasks = Array(NTFS_READ, NTFS_MODIFY, NTFS_FULL_CONTROL)
    arrDACL = Array()
    For nIndex = 0 To UBound(arrTrustees)
        If IsObject(arrTrustees(nIndex)) Then
            AddToArray arrDACL, CreateACE(objWMIService, arrTrustees(nIndex), arrMasks(nIndex), ACE_INHERIT_BOTH, ACCESS_ALLOWED_ACE_TYPE)
        End If
    Next
    objSecDescriptor.Properties_.Item("DACL") = arrDACL
    Set CreateSecurityDescriptorForLocalFolder = objSecDescriptor
End Function
'******************************************************************
' CreateACE - creates a Win32_Ace instance granting/denying nAccessMask to a trustee
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' objTrustee - Win32_Trustee instance; when it is not an object the function
'              returns Empty without touching WMI
' nAccessMask - access rights bit mask
' nAceFlags - ACE flags (e.g. 3 = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE)
' nAceType - 0 = ACCESS_ALLOWED_ACE_TYPE, 1 = ACCESS_DENIED_ACE_TYPE
' ----------
' return value - the new Win32_Ace instance, or Empty when objTrustee is absent
Function CreateACE (ByRef objWMIService, ByRef objTrustee, _
        ByVal nAccessMask, ByVal nAceFlags, ByVal nAceType)
    Dim objNewAce
    If IsObject(objTrustee) Then
        Set objNewAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
        With objNewAce.Properties_
            .Item("AccessMask") = nAccessMask
            .Item("AceFlags") = nAceFlags
            .Item("AceType") = nAceType
            .Item("Trustee") = objTrustee
        End With
        Set CreateACE = objNewAce
    End If
End Function
'******************************************************************
' CreateTrusteeForObject - creates a Win32_Trustee instance for an AD object
' ----------
' objWMIService - connected SWbemServices (root\cimv2) on the target server
' objObject - ADSI/ActiveRoles object (here: the new group); when it is not an
'             object the function returns Empty
' ----------
' return value - Win32_Trustee with Domain, Name and SID filled from the
'                object's edsaDomainNetbiosName (ActiveRoles-specific
'                attribute), sAMAccountName and objectSid
Function CreateTrusteeForObject (ByRef objWMIService, ByRef objObject)
    Dim objNewTrustee
    If Not IsObject(objObject) Then Exit Function
    ' Fetch exactly the three attributes the trustee needs from the directory.
    objObject.GetInfoEx Array("edsaDomainNetbiosName", "sAMAccountName", "objectSid"), 0
    Set objNewTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
    With objNewTrustee
        .Domain = objObject.Get("edsaDomainNetbiosName")
        .Name = objObject.Get("sAMAccountName")
        ' SID is assigned through Properties_ because it is a byte-array property
        .Properties_.Item("SID") = objObject.Get("objectSid")
    End With
    Set CreateTrusteeForObject = objNewTrustee
End Function
'******************************************************************
' CreateDomainLocalGroup - creates a domain local security group via ActiveRoles
' ----------
' strOUDN - distinguished name of the container for the new group
' strGroupName - CN and sAMAccountName of the group; inserted verbatim into
'                the RDN, so LDAP-special characters (, + " \ < > ; =) must
'                have been excluded by the caller
' strOwnerDN - distinguished name written to managedBy. NOTE(review): managedBy
'              alone does not grant the owner the right to change the membership;
'              that takes a separate ACE on the group, which is not added here.
' ----------
' return value - the created (committed) group object
Function CreateDomainLocalGroup(strOUDN, strGroupName, strOwnerDN)
    ' ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP (4) Or ADS_GROUP_TYPE_SECURITY_ENABLED (&H80000000)
    Const GROUP_TYPE_DOMAIN_LOCAL_SECURITY = -2147483644
    Dim objContainer, objNewGroup
    ' EDMS:// routes the creation through ActiveRoles (policies, approvals, audit)
    Set objContainer = GetObject("EDMS://" & strOUDN)
    Set objNewGroup = objContainer.Create("group", "CN=" & strGroupName)
    With objNewGroup
        .Put "sAMAccountName", strGroupName
        .Put "managedBy", strOwnerDN
        .Put "groupType", GROUP_TYPE_DOMAIN_LOCAL_SECURITY
        .SetInfo
    End With
    Set CreateDomainLocalGroup = objNewGroup
End Function
'===========================================================================
' AddToArray - appends Val to the dynamic array Arr (grows it by one element)
' ----------
' Arr - a dynamic (ReDim-able) array; modified in place
' Val - value or object reference to append
'===========================================================================
Sub AddToArray(ByRef Arr, ByVal Val)
    Dim nNewUpper
    nNewUpper = UBound(Arr) + 1
    ReDim Preserve Arr(nNewUpper)
    ' Object references need Set; plain values must not use it.
    If IsObject(Val) Then
        Set Arr(nNewUpper) = Val
    Else
        Arr(nNewUpper) = Val
    End If
End Sub ' AddToArray
'****** end of code ***********************************************