GetSecurityDescriptor method of the Win32_LogicalFileSecuritySetting class

  • Article

The GetSecurityDescriptor WMI class method retrieves a Win32_SecurityDescriptor representation of the Win32_LogicalFileSecuritySetting object security descriptor in the form of a Win32_SecurityDescriptor object. A security descriptor contains information about the owner of the object, and the primary group of an object. The security descriptor also contains two access control lists (ACL). The first list is called the discretionary access control lists (DACL), and describes who should have access to an object and what type of access to grant. The second list is called the system access control lists (SACL) and defines what type of auditing to record for an object.

This topic uses Managed Object Format (MOF) syntax. For more information about using this method, see Calling a Method.

Syntax

uint32 GetSecurityDescriptor(
  [out] Win32_SecurityDescriptor Descriptor
);

Parameters

Descriptor [out]

Expression that resolves to an instance of Win32_SecurityDescriptor.

Return value

The GetSecurityDescriptor method can return the error codes listed in the following list. For more information about integer values other than those listed, see WMI_Return Codes.

Success (0)

Access denied (2)

Unknown failure (8)

Privilege missing (9)

Invalid parameter (21)

Other (22 4294967295)

Examples

In the following VBScript code example the assumption is that a folder named \testfolder exists on C:\. The example obtains the folder security and dissects it into the security components: ACEs, Trustees, and SIDs. For more information about security entities, see Security Descriptors.

The script calls the Win32_LogicalFileSecuritySetting::GetSecurityDescriptor method to retrieve an instance of the Win32_SecurityDescriptor class for the target object, that is, C:\TestFolder. GetSecurityDescriptor returns the wmiSecurityDescriptor parameter with an instance of the Win32_SecurityDescriptor class that corresponds to the security descriptor for the target object. Properties provided by the Win32_SecurityDescriptor class contain the DACL array of access control entries (ACEs) in the form of Win32_ACE object references. It also contains the trustee information in the form of Win32_Trustee objects.

On Error Resume Next
' The folder named "testfolder" must exist on the C:\ drive.

Set wmiFileSecSetting = GetObject( _
   "winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\testfolder'")

RetVal = wmiFileSecSetting. _
    GetSecurityDescriptor(wmiSecurityDescriptor)
If Err <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed" _
    & VBCRLF & Err.Number & VBCRLF & Err.Description
    WScript.Quit
Else
    WScript.Echo "GetSecurityDescriptor succeeded"
End If

' Retrieve the DACL array of Win32_ACE objects.
DACL = wmiSecurityDescriptor.DACL

For each wmiAce in DACL

    wscript.echo "Access Mask: "     & wmiAce.AccessMask
    wscript.echo "ACE Type: "        & wmiAce.AceType

' Get Win32_Trustee object from ACE 
       Set Trustee = wmiAce.Trustee
    wscript.echo "Trustee Domain: "  & Trustee.Domain
    wscript.echo "Trustee Name: "    & Trustee.Name

' Get SID as array from Trustee
    SID = Trustee.SID 
    strsid = join(SID, ",") 
    wscript.echo "Trustee SID: {" & strsid & "}"
        
Next

Requirements
Minimum supported client
 Windows Vista
Minimum supported server
 Windows Server 2008
Namespace
 Root\CIMv2
MOF
Secrcw32.mof
DLL
CIMWin32.dll

See also

Operating System Classes

Win32_LogicalFileSecuritySetting

Win32_SecurityDescriptor

Changing Access Security on Securable Objects

WMI Security Descriptor Objects