So, it looks like you are trying to mimic this support article...
http://support.microsoft.com/default.aspx?scid=kb;en-us;q301287
Have you tried making the parameters hex values, as such? I'm not sure that
the function will accept decimal numbers, and I have always used Hex values
in the past for my ACL operations.
$aceo->LetProperty('AceFlags',0x0);
$aceo->LetProperty('AceType',0x6);
$aceo->LetProperty('Flags',0x1);
Steven
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Monday, July 22, 2002 9:04 AM
To: Steven Manross; [EMAIL PROTECTED]
Subject: RE: "Invalid class string" when performing SetSecurityDescriptor
The following code needs to place the two ACEs at the beginning of the ACL
collection - other than that, everything else works.
use Win32;
use Win32::OLE;
$NO_CHANGE_PASSWORD = '{ab721a53-1e2f-11d0-9819-00aa0040529b}';
$aceo = Win32::OLE->CreateObject("AccessControlEntry");
$aceo2 = Win32::OLE->CreateObject("AccessControlEntry");
$uo =
Win32::OLE->GetObject("LDAP://CN=blah,CN=Users,DC=cgwindows,DC=cgc,DC=marico
pa,DC=edu");
$security = Win32::OLE->CreateObject("ADsSecurity");
$sdo =
$security->GetSecurityDescriptor("LDAP://CN=blah,CN=Users,DC=cgwindows,DC=cg
c,DC=maricopa,DC=edu");
$daclo = $sdo->{DiscretionaryAcl};
$aceo->LetProperty('Trustee','NT Authority\Self');
$aceo->LetProperty('AccessMask',0x100);
$aceo->LetProperty('AceFlags',0); $aceo->LetProperty('AceType',6);
$aceo->LetProperty('Flags',1);
$aceo->LetProperty('ObjectType',$NO_CHANGE_PASSWORD);
$aceo2->LetProperty('Trustee','Everyone');
$aceo2->LetProperty('AccessMask',0x100);
$aceo2->LetProperty('AceFlags',0);
$aceo2->LetProperty('AceType',6); $aceo2->LetProperty('Flags',1);
$aceo2->LetProperty('ObjectType',$NO_CHANGE_PASSWORD);
$daclo->AddAce($aceo2);
$daclo->AddAce($aceo);
$sdo->LetProperty('DiscretionaryAcl',$daclo);
$security->SetSecurityDescriptor($sdo);
$uo->SetInfo;
exit;
Thanks!
>-- Original Message --
>From: Steven Manross <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'"
> <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]
>Subject: RE: "Invalid class string" when performing
>SetSecurityDescriptor
>Date: Mon, 22 Jul 2002 08:32:13 -0700
>
>
>Please send the code in it's current form.
>
>Steven
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]
>Sent: Monday, July 22, 2002 1:09 AM
>To: Steven Manross; [EMAIL PROTECTED]
>Subject: RE: "Invalid class string" when performing SetSecurityDescriptor
>
>
>Figured most of it out... I am now able to put the ACEs in the ACL.
>The problem was that I had to have BOTH the Everyone and NT
>Authority\SELF
being
>added to the ACL to make the change. I am able to see the affected
>changes in ASDI editor, however, I need to add the two new ACEs to the
>BEGINNING of the ACL instead of the end of it.
>
>Mike
>>-- Original Message --
>>From: Steven Manross <[EMAIL PROTECTED]>
>>To: "'[EMAIL PROTECTED]'"
>> <[EMAIL PROTECTED]>,
>> [EMAIL PROTECTED]
>>Subject: RE: "Invalid class string" when performing
>>SetSecurityDescriptor
>>Date: Sun, 21 Jul 2002 16:54:59 -0700
>>
>>
>>I'm still thinking that you have an error earlier on. What version of
>>ActivePerl are you using?
>>
>>The SetSecurityDescriptor will fail with just such an error if
>>something fails, gets set improperly or out of sequence.
>>
>>Strip your code down to your version of the following code (order
>>matters). And then put some error-checking in.
>>
>><code>
>> $ace->LetProperty('Trustee',whatever);
>> $ace->LetProperty('AccessMask',whatever);
>> $ace->LetProperty('AceType', whatever);
>></code>
>>
>>See if that reveals any other errors.
>>
>>Steven
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED]]
>>Sent: Sunday, July 21, 2002 8:17 AM
>>To: Steven Manross; [EMAIL PROTECTED]
>>Subject: RE: "Invalid class string" when performing
>>SetSecurityDescriptor
>>
>>
>>I had no such luck with the LetProperty on the $aceo-> calls,
>>however,
>it
>>did change an error to success for the "$sdo->{DiscretionaryAcl} =
>>$daclo;" line.
>>
>>End result still the same. Invalid class string.
>>Thanks,
>>Mike
>>
>>>-- Original Message --
>>>From: Steven Manross <[EMAIL PROTECTED]>
>>>To: "'[EMAIL PROTECTED]'"
>>> <[EMAIL PROTECTED]>,
>>> [EMAIL PROTECTED]
>>>Subject: RE: "Invalid class string" when performing
>>>SetSecurityDescriptor
>>>Date: Sat, 20 Jul 2002 16:54:45 -0700
>>>
>>>
>>>If you were to have error-checking at all of your:
>>>
>>>$aceo->{Whatever}=something;
>>>
>>>Calls, you'd probably find that one or all of them were giving you an
>
>>>error of "Member Not Found".
>>>
>>>The documented solution to this problem is to change these type of
>>>calls to LetProperty calls.
>>>
>>>Namely:
>>>
>>>$aceo->LetProperty('Whatever',something);
>>>
>>>Search the Archives for LetProperty and you'll see what I mean.
>>>
>>>Steven
>>>
>>>-----Original Message-----
>>>From: [EMAIL PROTECTED]
>>>[mailto:[EMAIL PROTECTED]]
>>>Sent: Friday, July 19, 2002 4:40 PM
>>>To: [EMAIL PROTECTED]
>>>Subject: "Invalid class string" when performing SetSecurityDescriptor
>>>
>>>
>>>I am trying to write a program to add an ace to the acl for several
>>>thousand users in AD. I have been successful at creating users but I
am
>>
>>>stuck at
>>the
>>>asterisk"ed" line near the end of the provided code. I have the
>>>adssecurity.dll file registered. I have been able, with some other
>>>code, to retrieve an entire ACL and all of its contents to dump to
>>>the
>
>>>screen.
>>>
>>>Could anyone shed some light for me. I have tried LetProperty also to
>
>>>assign the reference to the Discretionary Acl - still works and the
>>>error continues with the setsecuritydiscriptor - any help is greatly
>>>appreciated!!!
>>>
>>>Error message:
>>>Win32::OLE(0.1403) error 0x800401f3: "Invalid class string"
>>> in METHOD/PROPERTYGET "SetSecurityDescriptor"
>>>
>>>Code:
>>>
>>>use Win32;
>>>use Win32::OLE;
>>>
>>>$NO_CHANGE_PASSWORD = '{ab721a53-1e2f-11d0-9819-00aa0040529b}';
>>>
>>>$aceo = Win32::OLE->CreateObject("AccessControlEntry");
>>>$uo =
>>>Win32::OLE->GetObject("LDAP://CN=blah,CN=Users,DC=cgwindows,DC=cgc,DC
>>>=m
>>>arico
>>>pa,DC=edu");
>>>$security = Win32::OLE->CreateObject("ADsSecurity");
>>>$sdo =
>>>$security->GetSecurityDescriptor("LDAP://CN=blah,CN=Users,DC=cgwindows,DC
=
>c
>>g
>>>c,DC=maricopa,DC=edu");
>>>$daclo = $sdo->{DiscretionaryAcl};
>>>
>>>$aceo->{AceFlags}=0x0;
>>>$aceo->{AceType}=0x06;
>>>$aceo->{Flags}=0x01;
>>>$aceo->{InheritedObjectType}='';
>>>$aceo->{ObjectType}=$NO_CHANGE_PASSWORD;
>>>$aceo->{Trustee}='Everyone';
>>>
>>>$daclo->AddAce($aceo);
>>>$sdo->{DiscretionaryAcl} = $daclo;
>>>
>>>$security->SetSecurityDescriptor($sdo); #*****************this line
>>>gives the error $error = Win32::OLE->LastError(); print $error;
>>>
>>>$uo->SetInfo;
>>>
>>>exit;
>>>
>>>
>>>Systems Programmer
>>>
>>>Only those who have the patience to do simple things perfectly ever
>>>acquire the skill to do difficult things easily.
>>>
>>>Author Unknown
>>>
>>>_______________________________________________
>>>Perl-Win32-Admin mailing list
>>>[EMAIL PROTECTED]
>>>To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
>>
>>Systems Programmer
>>
>>Only those who have the patience to do simple things perfectly ever
>>acquire the skill to do difficult things easily.
>>
>>Author Unknown
>
>Systems Programmer
>
>Only those who have the patience to do simple things perfectly ever
>acquire the skill to do difficult things easily.
>
>Author Unknown
Systems Programmer
Only those who have the patience to do simple things perfectly ever acquire
the skill to do difficult things easily.
Author Unknown
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
