Inheritance ACE automatic inheritance


I want to add an ACE to a registry key, but it is not inherited by the child keys. Here is the VBScript code:

' Constants from the ADSI (iads.h) and Win32 (winnt.h) headers. A plain .vbs file
' gets nothing from a type library, so without these every name below is Empty (0).
Const ADS_PATH_REGISTRY = 3
Const ADS_SD_FORMAT_IID = 1
Const ADS_REVISION_DS = 4
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const KEY_ALL_ACCESS = &HF003F
Const SE_DACL_AUTO_INHERIT_REQ = &H100
Const SE_SACL_AUTO_INHERIT_REQ = &H200
Const SE_DACL_AUTO_INHERITED = &H400
Const SE_SACL_AUTO_INHERITED = &H800
Const SE_DACL_PROTECTED = &H1000

Set sdUtil = CreateObject("ADsSecurityUtility")
S = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XXXX"
Set sd = sdUtil.GetSecurityDescriptor(S, ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
Set oldDacl = sd.DiscretionaryAcl
Set dacl = CreateObject("AccessControlList")
dacl.AclRevision = ADS_REVISION_DS
dacl.AceCount = 0
' Copy the existing ACEs, dropping any Network Service ACE, and mark the rest inheritable
For Each ace In oldDacl
    If UCase(ace.Trustee) <> "NT AUTHORITY\NETWORK SERVICE" And UCase(ace.Trustee) <> "S-1-5-20" Then
        ace.AceFlags = ace.AceFlags Or OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
        dacl.AddAce ace
    End If
Next
' Add the new Network Service ACE, inheritable by subkeys
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\NETWORK SERVICE"
ace.AccessMask = KEY_ALL_ACCESS
ace.AceFlags = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
' Ask the system to re-run auto-inheritance and make sure the DACL is not protected
If (sd.Control And SE_DACL_AUTO_INHERITED) <> 0 Then
    sd.Control = sd.Control Or SE_DACL_AUTO_INHERIT_REQ
End If
If (sd.Control And SE_SACL_AUTO_INHERITED) <> 0 Then
    sd.Control = sd.Control Or SE_SACL_AUTO_INHERIT_REQ
End If
If (sd.Control And SE_DACL_PROTECTED) <> 0 Then
    sd.Control = sd.Control Xor SE_DACL_PROTECTED
End If
ReorderDacl dacl ' The author's own subroutine (not shown): reorders the DACL using the Windows 2000 canonical ordering rules
sd.DiscretionaryAcl = dacl
ret = sdUtil.SetSecurityDescriptor(S, ADS_PATH_REGISTRY, sd, ADS_SD_FORMAT_IID)
I also use another routine that scans all subkeys and removes every ACE except those flagged ADS_ACEFLAG_ACE.


After the code runs, I find that the children of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XXXX only inherit the SYSTEM, Administrators, Everyone and Restricted access entries that are set on the parent key; the Network Service access is present on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XXXX but is not propagated to the child keys.

In the end I found that already existing subkeys do not automatically get the inherited ACE, so I had to add the ACE manually and recursively to all children, with ADS_ACEFLAG_INHERITED_ACE OR'ed in.

Although the documentation says ADS_ACEFLAG_INHERITED_ACE is set by the system, it can also be set manually.
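The gap the question and the answer describe (an inheritable ACE written to the parent key that never reaches subkeys that already exist) is easy to miss unless you check the children afterwards. The following PowerShell script is an added example, not code from the question, the answer or any Microsoft sample: it audits every subkey for the trustee's ACE and whether it arrived by inheritance, and, only when `-Apply` is given, re-applies the ACE through `Set-Acl`, which persists the DACL via `RegistryKey.SetAccessControl` and so propagates to existing subkeys rather than writing the descriptor in isolation the way the ADsSecurityUtility path does. `$KeyPath` keeps the `XXXX` placeholder from the question; the function names `Get-TrusteeAce`, `Test-AceInheritance` and `Set-InheritableAce` are chosen here. It assumes an elevated PowerShell session.

```powershell
<#
Added example (not part of the original post). Audits whether a trustee's inheritable
ACE on a registry key has reached every existing subkey; with -Apply it re-applies
the ACE via Set-Acl and audits again. Run from an elevated PowerShell session.
#>
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\XXXX',   # placeholder path from the question
    [string]$Trustee = 'NT AUTHORITY\NETWORK SERVICE',
    # KEY_ALL_ACCESS, as granted in the question. Narrow this to what the service
    # really needs (for example 'ReadKey' or 'ReadKey,SetValue') where you can.
    [System.Security.AccessControl.RegistryRights]$Rights = 'FullControl',
    [switch]$Apply                                          # audit only unless set
)

function Get-TrusteeAce {
    # All access rules on $Path whose identity matches $Trustee (case-insensitive).
    param([string]$Path, [string]$Trustee)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Trustee }
}

function Test-AceInheritance {
    # One row per subkey: is the trustee's ACE present, did it arrive by inheritance,
    # and is the subkey's DACL protected (SE_DACL_PROTECTED blocks inheritance entirely)?
    param([string]$Path, [string]$Trustee)
    foreach ($key in Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue) {
        $acl  = Get-Acl -Path $key.PSPath
        $aces = @(Get-TrusteeAce -Path $key.PSPath -Trustee $Trustee)
        [pscustomobject]@{
            Key       = $key.Name
            HasAce    = $aces.Count -gt 0
            Inherited = @($aces | Where-Object { $_.IsInherited }).Count -gt 0
            Protected = $acl.AreAccessRulesProtected
            Rights    = ($aces | ForEach-Object { $_.RegistryRights }) -join ','
        }
    }
}

function Set-InheritableAce {
    # Re-applies the trustee's Allow ACE with ContainerInherit (registry children are
    # all keys, so ObjectInherit adds nothing) and clears DACL protection on the parent.
    param([string]$Path, [string]$Trustee, [System.Security.AccessControl.RegistryRights]$Rights)
    $acl = Get-Acl -Path $Path
    $ruleArgs = @(
        $Trustee, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl.SetAccessRule($rule)                    # replaces any existing explicit Allow ACE for this trustee
    $acl.SetAccessRuleProtection($false, $true)  # isProtected = $false: let inheritance flow from above
    Set-Acl -Path $Path -AclObject $acl
}

# 1. What is on the parent key right now?
$parent = @(Get-TrusteeAce -Path $KeyPath -Trustee $Trustee)
if ($parent.Count -eq 0) {
    Write-Warning "No ACE for $Trustee on $KeyPath"
} else {
    'Parent ACE: rights={0} inheritance={1} propagation={2}' -f `
        $parent[0].RegistryRights, $parent[0].InheritanceFlags, $parent[0].PropagationFlags
}

# 2. Did it reach the existing subkeys?
$before  = @(Test-AceInheritance -Path $KeyPath -Trustee $Trustee)
$missing = @($before | Where-Object { -not $_.HasAce })
$before | Format-Table -AutoSize
'{0} of {1} subkeys lack the {2} ACE' -f $missing.Count, $before.Count, $Trustee

# 3. Optionally remediate and verify; protected subkeys are reported, not forced open.
if ($Apply -and $missing.Count -gt 0) {
    Set-InheritableAce -Path $KeyPath -Trustee $Trustee -Rights $Rights
    $after = @(Test-AceInheritance -Path $KeyPath -Trustee $Trustee | Where-Object { -not $_.HasAce })
    'After Set-Acl: {0} subkeys still lack the ACE' -f $after.Count
    $after | Where-Object { $_.Protected } | ForEach-Object { "  protected DACL, left untouched: $($_.Key)" }
}
```

Run it without `-Apply` first: the `Inherited` column distinguishes subkeys that received the ACE from the parent (the intended state) from subkeys where someone added an explicit copy, which is what the answer's manual recursion produces when it ORs in ADS_ACEFLAG_INHERITED_ACE. Any subkey reported as `Protected` has its own SE_DACL_PROTECTED flag and will keep ignoring the parent until that is deliberately cleared, so it is listed rather than changed.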