COM Version (SetACL.dll) – Syntax and Description

COM Version (SetACL.dll) – Syntax and Description

Registration and Instantiation

SetACL.dll makes SetACL’s powerful permission management functionality easily available for script writers and programmers. It is a COM server packaged in a DLL. In order to use it, register it first with a call to Regsvr32:

Regsvr32.exe <path to setacl.dll>

SetACL.dll is available both in 32-bit and 64-bit versions. It is possible to register both versions on one computer. That may be necessary if it is to be used from 32-bit and 64-bit processes. Since a 32-bit process can only load 32-bit modules and a 64-bit process only 64-bit modules (more information here), both versions may be required. If you register only one version, make sure it is of the same bitness as your process. The latter may vary on different systems, though. %Windir%\System32\CScript.exe, for example, launches the 32-bit script host on 32-bit Windows and the 64-bit script host on 64-bit Windows.

Once registered, the COM object can be instantiated using its name. In VBScript, for example, the instantiation looks like this:

set objSetACL = WScript.CreateObject("SetACL.SetACL", "SetACL_")

Usage

First and foremost, you need to tell SetACL which object it is to process in a call to SetObject.

SetACL can perform many different actions like setting permissions, setting the owner or listing permissions. Before SetACL can do anything, you need to specify the actions to perform by one or more calls to AddAction. Use SetAction instead if you want to reset previously configured actions.

Some actions work just like this, ACTN_CLEARDACL for example, but most require additional options to be set via dedicated functions. If you want to set the owner, for example, it is not sufficient to call AddAction with parameter ACTN_SETOWNER. You also have to specify who the new owner should be. That is set via the function SetOwner. For a list of available actions along with notes which additional functions to call in order to set options see ACTIONS.

When all is configured, call Run to make SetACL process your commands. It might be a good idea to set a handler for the MessageEvent event which receives all output the command line version prints to the screen (if enabled with SendMessageEvents). If all you need is a log, be sure to set the name of a file with SetLogFile.

Nearly all functions return numeric error codes. These are specific to SetACL, but the last Win32 API error can always be fetched with GetLastAPIErrorMessage (localized error string) and GetLastAPIError (error number). The message string corresponding to a SetACL error code can be looked up with GetResourceString.

Examples can be found here. Be sure to check out the command-line examples, too. They may be very helpful in explaining the way SetACL works.

Methods

AddACE

LONG AddACE (BSTR trustee, BSTR permission, LONG inheritance, 
             VARIANT_BOOL inheritanceSpecified, LONG accessMode, LONG aclType)

Stores the necessary information for adding an access control entry (ACE) to a DACL or SACL. By calling this function multiple times, several ACEs can be processed in one run.

Note that this command is only executed if a call to AddAction with parameter ACTN_ADDACE is made. The actual processing only starts when Run is invoked.

Parameters

trustee
Name or SID of user/group
permission
Permission(s) to set in the ACE. For a list of valid permissions, see the command-line documentation.
inheritance
How to inherit this ACE to child objects. For a list of possible values see: PROPAGATION.
inheritanceSpecified
Only true if inheritance is set. Otherwise, defaults are used.
accessMode
Grant, set, deny or revoke this ACE (DACL) / Set audit success, failure, revoke (SACL). For a list of possible values see: ACCESS_MODE.
aclType
Set the ACE in the DACL or SACL? Valid values are ACL_DACL and ACL_SACL from SDINFO.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

AddAction

LONG AddAction (LONG action)

In SetACL lingo, an action is what actually gets done. Multiple actions can be processed in one run. Just add them one after another. Note that most actions require parameters, set via dedicated functions. When all information has been submitted to SetACL, call Run to make SetACL start working.

AddAction does not remove previously configured actions. You can use SetAction to replace any existing actions with the specified action.

Parameters

action
ID of the action to add. This must be one of the values of the enumeration ACTIONS.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

AddDomain

LONG AddDomain (BSTR domain, BSTR newDomain, LONG action, 
                LONG domainActionAppliesTo)

Stores the necessary information for domain processing. Depending on action, all ACEs from domain are either deleted or alternatively moved or copied to corresponding accounts in newDomain. By calling this function multiple times, several domains can be processed in one run.

Note that this command is only executed if a call to AddAction with parameter ACTN_DOMAIN is made. The actual processing only starts when Run is invoked.

This command is especially useful during domain migrations. After users and groups have been copied from source domain domain to target domain newDomain, permissions need to be first duplicated so that users and groups from newDomain have the same permissions as corresponding accounts from domain. A certain period of time after a successful migration ACEs of accounts from source domain are typically deleted because they are not needed any more.

Parameters

domain
Name of the source domain. If the action specified as nAction is ACTN_REMOVEDOMAIN, ACEs from users and groups of this domain are deleted.
newDomain
Name of the target domain. If the action specified as nAction is ACTN_REMOVEDOMAIN, this parameter is ignored. In all other cases SetACL tries to find accounts in the target domain newDomain with the same name as in the source domain sDomain.
action
Specifies whether to delete, move or copy ACEs from sDomain. This must be one of the following three values of the enumeration ACTIONS:

ACTN_REPLACEDOMAIN, ACTN_REMOVEDOMAIN or ACTN_COPYDOMAIN.

If nAction is ACTN_REMOVEDOMAIN, all ACEs from accounts in domain are deleted.

If nAction is ACTN_REPLACEDOMAIN, when SetACL comes across an ACE from an account in domain, it tries to find an account with the same name in newDomain. If it succeeds, it replaces the ACE with an identical copy that pertains to the twin account from newDomain. In other words, SetACL migrates the permissions from domain to newDomain, removing the original permissions.

If nAction is ACTN_COPYDOMAIN, when SetACL comes across an ACE from an account in domain, it tries to find an account with the same name in newDomain. If it succeeds, it creates an identical copy of the ACE that pertains to the twin account from newDomain. In other words, SetACL migrates the permissions from domain to newDomain, leaving the original permissions intact.
domainActionAppliesTo
Which components of the security descriptor to process (DACL, SACL, owner and/or primary group). A value from the enumeration SDINFO.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

AddObjectFilter

void AddObjectFilter (BSTR keyword)

Adds a filter keyword to the internal list of filters. During execution (invoked by a call to Run) each object (file, directory, registry key, etc.) path is checked against the filter list. If any filter keyword is found, the object is ignored and not processed.

Example: To exclude the directory “Temporary Internet Files” add exactly that as a keyword. It might be a good idea to prefix the string with a backslash, but if the string were postfixed with a backslash, the directory itself would not be excluded, only subdirectories and files.

Parameters

keyword
Any path that contains this keyword is ignored by SetACL. The search is case-insensitive.

Return value

None.

AddTrustee

LONG AddTrustee (BSTR trustee, BSTR newTrustee, LONG action, LONG trusteeActionAppliesTo)

Stores the necessary information for trustee processing (a trustee is an account holder, i.e. a user or a group). Depending on action, all ACEs from trustee are either deleted, replaced by a similar ACE from newTrustee or alternatively copied to a new ACE from newTrustee. By calling this function multiple times, several trustees can be processed in one run.

Note that this command is only executed if a call to AddAction with parameter ACTN_TRUSTEE is made. The actual processing only starts when Run is invoked.

This command is useful for situations where the permissions for certain users or groups need to be duplicated or moved to different users/groups. After the permissions have been copied to a new account, the original account’s ACEs can be deleted with another call to AddTrustee with parameter ACTN_REMOVETRUSTEE.

This command is similar in nature to AddDomain with the notable difference that it affects single accounts only whereas AddDomain affects all accounts from the specified domain.

Parameters

trustee
Name of the source trustee (account). If the action specified as action is ACTN_REMOVETRUSTEE, ACEs this account are deleted.
newTrustee
Name of the target trustee (account). If the action specified as action is ACTN_REMOVETRUSTEE, this parameter is ignored. In all other cases SetACL uses this account to build a new ACE that either replaces the original ACE (ACTN_REPLACETRUSTEE) or is added to the ACL next to the original ACE (ACTN_COPYTRUSTEE).
action
Specifies whether to delete, move or copy ACEs from trustee. This must be one of the following three values of the enumeration ACTIONS:

ACTN_REPLACETRUSTEE, ACTN_REMOVETRUSTEE or ACTN_COPYTRUSTEE.

If action is ACTN_REMOVETRUSTEE, all ACEs from trustee are deleted.

If action is ACTN_REPLACETRUSTEE, when SetACL comes across an ACE from trustee, it replaces the ACE with an identical copy that pertains to newTrustee. In other words, SetACL migrates the permissions from trustee to newTrustee, removing the original permissions.

If action is ACTN_COPYTRUSTEE, when SetACL comes across an ACE from trustee, it creates an identical copy of the ACE that pertains to newTrustee. In other words, SetACL migrates the permissions from trustee to newTrustee, leaving the original permissions intact.
trusteeActionAppliesTo
Which components of the security descriptor to process (DACL, SACL, owner and/or primary group). A value from the enumeration SDINFO.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

AddTrusteesFromFile

LONG AddTrusteesFromFile (BSTR csvFile, LONG action, LONG trusteeActionAppliesTo)

This command is similar in nature to AddTrustee, but trustee pairs are not specified individually but read from a CSV file (format: old,new).

Parameters

csvFile
Name of the file with the trustee pairs.
action
Specifies whether to delete, move or copy ACEs from trustee. This must be one of the following three values of the enumeration ACTIONS:

ACTN_REPLACETRUSTEE, ACTN_REMOVETRUSTEE or ACTN_COPYTRUSTEE.

If action is ACTN_REMOVETRUSTEE, all ACEs from trustee are deleted.

If action is ACTN_REPLACETRUSTEE, when SetACL comes across an ACE from trustee, it replaces the ACE with an identical copy that pertains to newTrustee. In other words, SetACL migrates the permissions from trustee to newTrustee, removing the original permissions.

If action is ACTN_COPYTRUSTEE, when SetACL comes across an ACE from trustee, it creates an identical copy of the ACE that pertains to newTrustee. In other words, SetACL migrates the permissions from trustee to newTrustee, leaving the original permissions intact.
trusteeActionAppliesTo
Which components of the security descriptor to process (DACL, SACL, owner and/or primary group). A value from the enumeration SDINFO.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

GetLastAPIError

LONG GetLastAPIError ()

Returns the last Win32 API error code from any API call in SetACL. The error code is returned as an error number.

Parameters

none

Return value

Win32 error number.

GetLastAPIErrorMessage

BSTR GetLastAPIErrorMessage ()

Returns the last Win32 API error from any API call in SetACL. The error code is returned as a localized error message string.

Parameters

none

Return value

Localized error message string.

GetLastListOutput

BSTR GetLastListOutput ()

Returns the output from last list action without additional information/warning/error messages.

Parameters

none

Return value

Permission listing string.

GetResourceString

BSTR GetResourceString (LONG id)

Returns a string identified by numerical ID from SetACL’s built-in resources. Can be used to look up the error message to a SetACL error number.

Parameters

id
The ID of the resource string to return.

Return value

SetACL resource string, typically an error message.

Reset

void Reset ()

Resets the object to its initial state clearing any properties.

Parameters

none

Return value

None.

Run

LONG Run ()

Starts the actual processing. Only when Run is called does SetACL process the stored commands.

Parameters

None

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SendMessageEvents

LONG SendMessageEvents (VARIANT_BOOL sendEvents)

Configures whether COM messages are sent by SetACL. By default, no messages are sent. If an application wants to receive the output that the command-line version writes to the screen, it needs to enable sending messages by calling this function.

Parameters

sendEvents
True if SetACL’s output should be sent to the caller via COM events.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetAction

LONG SetAction (LONG action)

In SetACL lingo, an action is what actually gets done. Multiple actions can be processed in one run. Just add them one after another. Note that most actions require parameters, set via dedicated functions. When all information has been submitted to SetACL, call Run to make SetACL start working.

SetAction removes previously configured actions. You can use AddAction to add additional actions.

Parameters

action
ID of the action to set. This must be one of the values of the enumeration ACTIONS.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetBackupRestoreFile

LONG SetBackupRestoreFile (BSTR backupRestoreFile)

Sets name and path of a file used for listing and restoring information from security descriptors. If a file name is specified, list operations write to this file in addition to printing output to the console (respectively firing messages). In case of restore operations this file is the source that is restored from.

Parameters

backupRestoreFile
Absolute or relative path of the file to write a listing to or read restore information from.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetDelOrphanedSIDOptions

LONG SetDelOrphanedSIDOptions (LONG where)

Configures whether to delete orphaned SIDs in the DACL, the SACL or both.

Parameters

where
Delete orphaned SIDs in the DACL or SACL? Valid values are ACL_DACL and ACL_SACL from SDINFO.

Return value

True if setting the new error mode succeeded.

SetIgnoreErrors

LONG SetIgnoreErrors (VARIANT_BOOL ignoreErrors)

Configures whether SetACL continues or stops execution if an error occurs.

Parameters

ignoreErrors
If set to true, errors during execution are logged, but otherwise ignored. If set to false, SetACL stops when an error occurs.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetListOptions

LONG SetListOptions (LONG listFormat, LONG listWhat, 
                     VARIANT_BOOL listInherited, LONG listNameSID)

Sets options for listings generated by action ACTN_LIST.

Parameters

listFormat
List format (CSV, tabular, SDDL). A value from the enumeration LISTFORMATS.
listWhat
What to list (DACL, SACL, owner and/or primary group). A value from the enumeration SDINFO.
listInherited
If true, inherited permissions are listed. If false (default), inherited permissions are omitted.
listNameSID
List names, SIDs, or both? A value from the enumeration LISTNAMES.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetListOptions2

LONG SetListOptions2 (LONG listFormat, LONG listWhat, 
                     VARIANT_BOOL listInherited, LONG listNameSID,
                     VARIANT_BOOL cleanListOutput, VARIANT_BOOL orphanedOnly)

Sets options for listings generated by action ACTN_LIST. SetListOptions2 can set more options than SetListOptions.

Parameters

listFormat
List format (CSV, tabular, SDDL). A value from the enumeration LISTFORMATS.
listWhat
What to list (DACL, SACL, owner and/or primary group). A value from the enumeration SDINFO.
listInherited
If true, inherited permissions are listed. If false (default), inherited permissions are omitted.
listNameSID
List names, SIDs, or both? A value from the enumeration LISTNAMES.
cleanListOutput
In list output remove unnecessary qualifiers, e.g. replace NT-AUTHORITY\System with System and PREDEFINED\Administrators with Administrators
orphanedOnly
List ACEs with orphaned SIDs only.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetLogFile

LONG SetLogFile (BSTR logFile)

Sets the name and path of a log file. If specified, all messages printed on the console (respectively fired) are written to the log file, too.

Parameters

logFile
Absolute or relative path of the log file.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetObject

LONG SetObject (BSTR objectPath, LONG objectType)

Sets the object to process. In case of recursion, this is the root object. This parameter is mandatory, even if only a restore action has been specified. In that case, a bogus object path may be given.

Parameters

objectPath
Absolute or relative path to the object to process. For help on the syntax, the command-line reference and the examples.
objectType
The type of object (file, registry, share, printer, service, WMI). A value from the enumeration SE_OBJECT_TYPE.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetObjectFlags

LONG SetObjectFlags (LONG daclProtected, LONG saclProtected, 
                     VARIANT_BOOL daclResetChildObjects, VARIANT_BOOL saclResetChildObjects)

This function is used for two different purposes: set protection from inheritance (requires ACTN_SETINHFROMPAR), and configure permission reset of child objects (requires ACTN_RESETCHILDPERMS), both of which can be combined in a single run.

Parameters

daclProtected
Protect the DACL? If yes, copy permissions from parent or start with empty ACL? A value from the enumeration INHERITANCE.
saclProtected
Protect the SACL? If yes, copy permissions from parent or start with empty ACL? A value from the enumeration INHERITANCE.
daclResetChildObjects
If true, the DACL of child objects is reset by enabling inheritance (disabling protection) and removing non-inherited ACEs.
saclResetChildObjects
If true, the SACL of child objects is reset by enabling inheritance (disabling protection) and removing non-inherited ACEs.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetOwner

LONG SetOwner (BSTR trustee)

Sets the owner of an object. Requires the privilege SeTakeOwnershipPrivilege.

Note that this command is only executed if a call to AddAction with parameter ACTN_SETOWNER is made. The actual processing only starts when Run is invoked.

Parameters

trustee
Name or SID of the user or group to set as owner.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetPrimaryGroup

LONG SetPrimaryGroup (BSTR trustee)

Sets the primary group of an object. This is a rather esoteric setting that may be required by some Posix subsystem applications.

Note that this command is only executed if a call to AddAction with parameter ACTN_SETGROUP is made. The actual processing only starts when Run is invoked.

Parameters

trustee
Name or SID of the user or group to set as primary group.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

SetRecursion

LONG SetRecursion (LONG recursionType)

Configures recursion. For file and registry object types, SetACL can recursively process each object below a given root path. This function controls whether that happens and if so, whether objects (files) and/or containers (directories/registry key) are processed while walking down the tree.

Parameters

recursionType
A value from the enumeration RECURSION.

Return value

SetACL return code (see: RETCODES). The corresponding string message can be retrieved with GetResourceString.

Constants/Enumerations

ACCESS_MODE

The values in this enumeration indicate how new ACEs are merged into existing ACLs. Values typically cannot be combined.

Values

GRANT_ACCESS = 1
Adds an access allowed ACE for the specified user/group.
SET_ACCESS = 2
Replaces all existing access allowed ACEs for the specified user/group with a new ACE.
DENY_ACCESS = 3
Adds an access denied ACE for the specified user/group.
REVOKE_ACCESS = 4
All existing access allowed ACEs or system audit ACEs for the specified user/group are removed.
SET_AUDIT_SUCCESS = 5
Adds an audit success ACE for the specified user/group.
SET_AUDIT_FAILURE = 6
Adds an audit failure ACE for the specified user/group.

ACTIONS

The values in this enumeration list the actions the program can perform. Values typically can be combined.

Values

ACTN_ADDACE = 1
Add an ACE. Requires additional parameters set via AddACE.
ACTN_LIST = 2
List the entries in the security descriptor. Requires additional parameters set via SetListOptions.
ACTN_SETOWNER = 4
Set the owner. Requires additional parameters set via SetOwner.
ACTN_SETGROUP = 8
Set the primary group. Requires additional parameters set via SetPrimaryGroup.
ACTN_CLEARDACL = 16
Clear the DACL of any non-inherited ACEs. Does not require additional parameters.
ACTN_CLEARSACL = 32
Clear the SACL of any non-inherited ACEs. Does not require additional parameters.
ACTN_SETINHFROMPAR = 64
Set the flag ‘allow inheritable permissions from the parent object to propagate to this object’. Requires additional parameters set via SetObjectFlags.
ACTN_RESETCHILDPERMS = 128
Reset permissions on all sub-objects and enable propagation of inherited permissions. Requires additional parameters set via SetObjectFlags.
ACTN_REPLACETRUSTEE = 256
Replace one trustee by another in all ACEs. To be used only in calls to AddTrustee.
ACTN_REMOVETRUSTEE = 512
Remove all ACEs belonging to a certain trustee. To be used only in calls to AddTrustee.
ACTN_COPYTRUSTEE = 1024
Copy the permissions for one trustee to another. To be used only in calls to AddTrustee.
ACTN_REPLACEDOMAIN = 256
Replace one domain by another in all ACEs. To be used only in calls to AddDomain.
ACTN_REMOVEDOMAIN = 512
Remove all ACEs belonging to a certain domain. To be used only in calls to AddDomain.
ACTN_COPYDOMAIN = 1024
Copy the permissions for one domain to another. To be used only in calls to AddDomain.
ACTN_RESTORE = 2048
Restore entire security descriptors backup up with the list function. Requires additional parameters set via SetBackupRestoreFile.
ACTN_TRUSTEE = 4096
Process all trustee actions. Requires additional parameters set via AddTrustee.
ACTN_DOMAIN = 8192
Process all domain actions. Requires additional parameters set via AddDomain.

INHERITANCE

The values in this enumeration indicate how permissions from parent objects are inherited by this object. Put differently, they configure object protection from inheritance. Values typically cannot be combined.

Values

INHPARNOCHANGE = 0
Do not change settings
INHPARYES = 1
Inherit from parent
INHPARCOPY = 2
Do not inherit, copy inheritable permissions
INHPARNOCOPY = 4
Do not inherit, do not copy inheritable permissions

LISTFORMATS

The values in this enumeration set the list format used by SetACL for listing security descriptor information. Values typically cannot be combined.

Values

LIST_SDDL = 0
SDDL format
LIST_CSV = 1
CSV format
LIST_TAB = 2
Tabular format

LISTNAMES

The values in this enumeration indicate whether to list names, SIDs or both when listing security descriptor information. Values typically can be combined.

Values

LIST_NAME = 1
List names
LIST_SID = 2
List SIDs
LIST_NAME_SID = 3
List names and SIDs

PROPAGATION

The values in this enumeration indicate how to propagate permissions (ACEs) to child objects. Values typically can be combined.

Values

NO_INHERITANCE = 0
The specific access permissions will only be applied to the container, and will not be inherited by objects created within the container.
SUB_OBJECTS_ONLY_INHERIT = 1
The specific access permissions will only be inherited by objects created within the specific container. The access permissions will not be applied to the container itself.
SUB_CONTAINERS_ONLY_INHERIT = 2
The specific access permissions will be inherited by containers created within the specific container, will be applied to objects created within the container, but will not be applied to the container itself.
SUB_CONTAINERS_AND_OBJECTS_INHERIT = 3
Combination of SUB_OBJECTS_ONLY_INHERIT and SUB_CONTAINERS_ONLY_INHERIT.
INHERIT_NO_PROPAGATE = 4
Do not propagate permissions, only the direct descendent gets permissions.
INHERIT_ONLY = 8
The specific access permissions will not affect the object they are set on but its children only (depending on other propagation flags).

RECURSION

The values in this enumeration indicate which kinds of objects are processed during recursion: containers (e.g. directories), leaf objects (e.g. files) or both. Values typically cannot be combined.

Values

RECURSE_NO = 1
Do not recurse
RECURSE_CONT = 2
Recurse, processing containers only
RECURSE_OBJ = 4
Recurse, processing objects only
RECURSE_CONT_OBJ = 6
Recurse, processing containers and objects

RETCODES

This enumeration contains the return codes used by SetACL. The string message corresponding to a specific return code can be retrieved with GetResourceString.

Values

RTN_OK = 0
OK
RTN_USAGE = 1
Usage instructions were printed
RTN_ERR_GENERAL = 2
General error
RTN_ERR_PARAMS = 3
Parameter(s) incorrect
RTN_ERR_OBJECT_NOT_SET = 4
The object was not set
RTN_ERR_GETSECINFO = 5
The call to GetNamedSecurityInfo () failed
RTN_ERR_LOOKUP_SID = 6
The SID for a trustee could not be found
RTN_ERR_INV_DIR_PERMS = 7
Directory permissions specified are invalid
RTN_ERR_INV_PRN_PERMS = 8
Printer permissions specified are invalid
RTN_ERR_INV_REG_PERMS = 9
Registry permissions specified are invalid
RTN_ERR_INV_SVC_PERMS = 10
Service permissions specified are invalid
RTN_ERR_INV_SHR_PERMS = 11
Share permissions specified are invalid
RTN_ERR_EN_PRIV = 12
A privilege could not be enabled
RTN_ERR_DIS_PRIV = 13
A privilege could not be disabled
RTN_ERR_NO_NOTIFY = 14
No notification function was given
RTN_ERR_LIST_FAIL = 15
An error occurred in the list function
RTN_ERR_FINDFILE = 16
FindFile reported an error
RTN_ERR_GET_SD_CONTROL = 17
GetSecurityDescriptorControl () failed
RTN_ERR_INTERNAL = 18
An internal program error occurred
RTN_ERR_SETENTRIESINACL = 19
SetEntriesInAcl () failed
RTN_ERR_REG_PATH = 20
A registry path is incorrect
RTN_ERR_REG_CONNECT = 21
Connect to a remote registry failed
RTN_ERR_REG_OPEN = 22
Opening a registry key failed
RTN_ERR_REG_ENUM = 23
Enumeration of registry keys failed
RTN_ERR_PREPARE = 24
Preparation failed
RTN_ERR_SETSECINFO = 25
The call to SetNamedSecurityInfo () failed
RTN_ERR_LIST_OPTIONS = 26
Incorrect list options specified
RTN_ERR_CONVERT_SD = 27
A SD could not be converted to/from string format
RTN_ERR_LIST_ACL = 28
ACL listing failed
RTN_ERR_LOOP_ACL = 29
Looping through an ACL failed
RTN_ERR_DEL_ACE = 30
Deleting an ACE failed
RTN_ERR_COPY_ACL = 31
Copying an ACL failed
RTN_ERR_ADD_ACE = 32
Adding an ACE failed
RTN_ERR_NO_LOGFILE = 33
No backup/restore file was specified
RTN_ERR_OPEN_LOGFILE = 34
The backup/restore file could not be opened
RTN_ERR_READ_LOGFILE = 35
A read operation from the backup/restore file failed
RTN_ERR_WRITE_LOGFILE = 36
A write operation from the backup/restore file failed
RTN_ERR_OS_NOT_SUPPORTED = 37
The operating system is not supported
RTN_ERR_INVALID_SD = 38
The security descriptor is invalid
RTN_ERR_SET_SD_DACL = 39
The call to SetSecurityDescriptorDacl () failed
RTN_ERR_SET_SD_SACL = 40
The call to SetSecurityDescriptorSacl () failed
RTN_ERR_SET_SD_OWNER = 41
The call to SetSecurityDescriptorOwner () failed
RTN_ERR_SET_SD_GROUP = 42
The call to SetSecurityDescriptorGroup () failed
RTN_ERR_INV_DOMAIN = 43
The domain specified is invalid
RTN_ERR_IGNORED = 44
An error occurred, but it was ignored
RTN_ERR_CREATE_SD = 45
The creation of an SD failed
RTN_ERR_OUT_OF_MEMORY = 46
Memory allocation failed
RTN_ERR_NO_ACTN_SPECIFIED = 47
No action specified – nothing to do
RTN_ERR_INV_WMI_PERMS = 48
WMI permissions specified are invalid
RTN_WRN_RECURSION_IMPOSSIBLE = 49
Recursion is not possible

SDINFO

The values in this enumeration indicate which parts of the security descriptor to process: owner, primary group, DACL and/or SACL. Values typically can be combined.

Values

ACL_DACL = 1
Process the DACL (permission information)
ACL_SACL = 2
Process the SACL (auditing information)
SD_OWNER = 4
Owner information
SD_GROUP = 8
Primary group information

SE_OBJECT_TYPE

The values in this enumeration list the object types SetACL can process. Values typically cannot be combined.

Values

SE_FILE_OBJECT = 1
Files/directories
SE_SERVICE = 2
Services
SE_PRINTER = 3
Printers
SE_REGISTRY_KEY = 4
Registry keys
SE_LMSHARE = 5
Network shares
SE_WMIGUID_OBJECT = 11
WMI Namespace

Events

MessageEvent

MessageEvent (BSTR sMessage)

Passes a string message from SetACL to the caller (from COM server to client). These are the same messages the command-line version prints to the console screen.

Parameters

sMessage
The string message