Поделиться через


Win32_LogicalShareSecuritySetting class

The Win32_LogicalShareSecuritySetting WMI class represents security settings for a logical file.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

[Dynamic, Provider("SECRCW32"), UUID("{8502C591-5FBB-11D2-AAC1-006008C78BC7}"), AMENDMENT]
class Win32_LogicalShareSecuritySetting : Win32_SecuritySetting
{
  string Caption;
  string Description;
  string SettingID;
  uint32 ControlFlags;
  string Name;
};

Members

The Win32_LogicalShareSecuritySetting class has these types of members:

Methods

The Win32_LogicalShareSecuritySetting class has these methods.

Method Description
GetSecurityDescriptor Class method that retrieves a structural representation of the object security descriptor (SD).
SetSecurityDescriptor Class method that sets an SD to the specified structure.

Properties

The Win32_LogicalShareSecuritySetting class has these properties.

Caption

Data type: string

Access type: Read-only

Qualifiers: MaxLen (64)

Short textual description of the CIM_Setting object.

This property is inherited from CIM_Setting.

ControlFlags

Data type: uint32

Access type: Read-only

Control bits that qualify the meaning of an SD or its individual members. For more information about how to set the ControlFlags value, see the Remarks section. The following list lists the flags in ControlFlags. For more information, see SECURITY_DESCRIPTOR_CONTROL.

This property is inherited from Win32_SecuritySetting.

SE_OWNER_DEFAULTED (1 (0x1))

Indicates an SD with a default owner security identifier (SID). You can use this bit to find all of the objects that have default owner permissions set.

SE_GROUP_DEFAULTED (2 (0x2))

Indicates an SD with a default group SID. You can use this bit to find all of the objects that have default group permissions set.

SE_DACL_PRESENT (4 (0x4))

Indicates an SD that has a discretionary access control list (DACL). If this flag is not set, or if this flag is set and the DACL is NULL, the SD allows full access to everyone.

SE_DACL_DEFAULTED (8 (0x8))

Indicates an SD with a default DACL. For example, if an object creator does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL, with respect to access control entry (ACE) inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.

SE_SACL_PRESENT (16 (0x10))

Indicates an SD that has a system access control list (SACL).

SE_SACL_DEFAULTED (32 (0x20))

Indicates an SD with a default SACL. For example, if an object creator does not specify an SACL, the object receives the default SACL from the access token of the creator. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.

SE_DACL_AUTO_INHERIT_REQ (256 (0x100))

Requests that the provider for the object protected by the SD automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, it propagates the DACL to any existing child objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.

SE_SACL_AUTO_INHERIT_REQ (512 (0x200))

Requests that the provider for the object protected by the SD automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, it propagates the SACL to any existing child objects, and sets the SE_SACL_AUTO_INHERITED bit in the SDs of the object and its child objects.

SE_DACL_AUTO_INHERITED (1024 (0x400))

Windows 2000 only. Indicates an SD in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

SE_SACL_AUTO_INHERITED (2048 (0x800))

Windows 2000: Indicates an SD in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.

SE_DACL_PROTECTED (4096 (0x1000))

Windows 2000: Prevents the DACL of the SD from being modified by inheritable ACEs.

SE_SACL_PROTECTED (8192 (0x2000))

Windows 2000: Prevents the SACL of the SD from being modified by inheritable ACEs.

SE_SELF_RELATIVE (32768 (0x8000))

Indicates an SD in self-relative format with all of the security information in a contiguous block of memory. If this flag is not set, the SD is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.

Description

Data type: string

Access type: Read-only

Textual description of the CIM_Setting object.

This property is inherited from CIM_Setting.

Name

Data type: string

Access type: Read-only

Qualifiers: key

Name of the share.

SettingID

Data type: string

Access type: Read-only

Qualifiers: MaxLen (256)

Identifier by which the CIM_Setting object is known.

This property is inherited from CIM_Setting.

Remarks

The Win32_LogicalShareSecuritySetting class is derived from Win32_SecuritySetting. The procedure for using Win32_LogicalShareSecuritySetting to get and set a security descriptor on a share is the same as for Win32_LogicalFileSecuritySetting.

The values in ControlFlags indicate the elements of the descriptor that WMI writes in the SetSecurityDescriptor method. The DACL value is only changed in the share security descriptor to the DACL in the Win32_SecurityDescriptor parameter if the SE_DACL_PRESENT bit is set. However, if this bit is set and no DACL is supplied in the call to SetSecurityDescriptor, then a NULL DACL is written out.

Note

A NULL DACL creates a security risk because it gives full access to everyone. For more information, see Creating a DACL.

The ControlFlags property contains individual bit positions that indicate the specific flags that are set. To combine these flags, add the associated values. For example, to specify both SE_DACL_PRESENT and SE_DACL_AUTO_INHERITED you can add the associated values 4 and 1024 to make the value of the ControlFlags property 1028.

Examples

The following PowerShell code sample describes how update the security on a specified share.

$ShareName = "Test"
$objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$ShareName'" 
$SD = $objShareSec.GetSecurityDescriptor().Descriptor
            
foreach($ace in $SD.DACL)
{
  $UserName = $ace.Trustee.Name  
  If ($ace.Trustee.Domain -ne $Null) {$UserName = "$($ace.Trustee.Domain)\$UserName"}
  If ($ace.Trustee.Name -eq $Null) {$UserName = $ace.Trustee.SIDString }
  
  [Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ace.AccessMask, $ace.AceType)
}            


$ACL

Requirements

Minimum supported client
Windows Vista
Minimum supported server
Windows Server 2008
Namespace
Root\CIMV2
MOF
Secrcw32.mof
DLL
CIMWin32.dll

See also

Win32_SecuritySetting

Operating System Classes