VBScript WindowsSecurity Method

last modified April 9, 2025

The WindowsSecurity method in VBScript is part of the FileSystemObject security features. It provides access to Windows file system security settings and permissions. This method allows scripts to manage file and folder security programmatically. It’s essential for administrative scripts that need to control access rights.

WindowsSecurity enables checking and modifying ACLs (Access Control Lists) through VBScript. It works with both NTFS and share permissions. This tutorial covers WindowsSecurity with practical examples to demonstrate its usage in real-world scenarios.

WindowsSecurity Method Overview

The WindowsSecurity method provides access to security descriptors for files and folders. It returns a SecurityDescriptor object that contains security information. This object can be used to examine or modify permissions.

Key features include reading existing permissions and setting new ones. It works with users, groups, and their respective access rights. Understanding this method helps create secure file management scripts. Proper permissions are crucial for system security and data protection.

Checking File Permissions

This example demonstrates how to check permissions for a specific file. It shows how to retrieve the security descriptor and examine its properties. The script displays whether the current user has read access to the file.

check_permissions.vbs

Set fso = CreateObject(“Scripting.FileSystemObject”) Set file = fso.GetFile(“C:\secure\data.txt”) Set sd = file.WindowsSecurity

WScript.Echo “Owner: " & sd.Owner WScript.Echo “Group: " & sd.Group WScript.Echo “DACL present: " & sd.DACLPresent

Set sd = Nothing Set file = Nothing Set fso = Nothing

The script creates a FileSystemObject and gets a file object. It then retrieves the security descriptor using WindowsSecurity. The script displays the owner, group, and whether a DACL (Discretionary ACL) exists. This information helps assess file security.

Modifying File Permissions

This example shows how to modify permissions for a file. It demonstrates adding a new access control entry to the file’s DACL. The script grants read access to a specific user.

modify_permissions.vbs

Set fso = CreateObject(“Scripting.FileSystemObject”) Set file = fso.GetFile(“C:\secure\data.txt”) Set sd = file.WindowsSecurity

’ Create a new trustee object for the user Set trustee = CreateObject(“AccessControl.Trustee”) trustee.Name = “DOMAIN\username” trustee.TrusteeType = 1 ’ USER

’ Create a new ACE (Access Control Entry) Set ace = CreateObject(“AccessControl.Ace”) ace.AccessMask = 1 ’ FILE_READ_DATA ace.AceType = 0 ’ ACCESS_ALLOWED_ACE_TYPE ace.Trustee = trustee

’ Add the ACE to the DACL sd.DACL.AddAce ace sd.WriteDACL

Set ace = Nothing Set trustee = Nothing Set sd = Nothing Set file = Nothing Set fso = Nothing

The script creates a trustee object representing the user. It then creates an ACE with read permissions. The ACE is added to the file’s DACL, and WriteDACL saves the changes. This demonstrates programmatic permission management.

Inheriting Parent Folder Permissions

This example shows how to configure permission inheritance from a parent folder. It demonstrates disabling inheritance and copying existing permissions. This is useful for creating secure subfolders with controlled access.

inheritance.vbs

Set fso = CreateObject(“Scripting.FileSystemObject”) Set folder = fso.GetFolder(“C:\secure\newfolder”) Set sd = folder.WindowsSecurity

’ Disable inheritance and copy existing permissions sd.ControlFlags = sd.ControlFlags Or 16 ’ SE_DACL_PROTECTED sd.WriteControlFlags

WScript.Echo “Inheritance disabled and permissions preserved”

Set sd = Nothing Set folder = Nothing Set fso = Nothing

The script gets a folder object and its security descriptor. It sets the SE_DACL_PROTECTED flag to disable inheritance. The existing permissions are preserved but won’t update from the parent. This provides granular control over folder security.

Checking Effective Permissions

This example demonstrates checking effective permissions for a user. It shows how to verify what access a specific user actually has to a file. This considers all group memberships and permission inheritance.

effective_permissions.vbs

Set fso = CreateObject(“Scripting.FileSystemObject”) Set file = fso.GetFile(“C:\secure\data.txt”) Set sd = file.WindowsSecurity

Set trustee = CreateObject(“AccessControl.Trustee”) trustee.Name = “DOMAIN\username” trustee.TrusteeType = 1 ’ USER

’ Check for specific permissions hasRead = sd.CheckAccess(trustee, 1) ’ FILE_READ_DATA hasWrite = sd.CheckAccess(trustee, 2) ’ FILE_WRITE_DATA

WScript.Echo “Read access: " & hasRead WScript.Echo “Write access: " & hasWrite

Set trustee = Nothing Set sd = Nothing Set file = Nothing Set fso = Nothing

The script creates a trustee object for the target user. It then checks for specific permissions using CheckAccess. The results show the user’s effective permissions, considering all security factors. This is valuable for troubleshooting access issues.

Setting Folder Ownership

This example demonstrates changing ownership of a folder. It shows how to transfer ownership to another user or group. Ownership changes require appropriate privileges to complete.

set_ownership.vbs

Set fso = CreateObject(“Scripting.FileSystemObject”) Set folder = fso.GetFolder(“C:\secure\important”) Set sd = folder.WindowsSecurity

Set newOwner = CreateObject(“AccessControl.Trustee”) newOwner.Name = “DOMAIN\adminuser” newOwner.TrusteeType = 1 ’ USER

sd.Owner = newOwner sd.WriteOwner

WScript.Echo “Ownership changed successfully”

Set newOwner = Nothing Set sd = Nothing Set folder = Nothing Set fso = Nothing

The script creates a trustee object for the new owner. It assigns this trustee to the security descriptor’s Owner property. WriteOwner applies the change. Ownership control is crucial for proper security management.

Source

FileSystemObject Documentation

In this article, we have explored the WindowsSecurity method in VBScript, covering its usage and practical applications. From checking permissions to modifying security settings, these examples demonstrate powerful security management capabilities. With this knowledge, you can create robust security administration scripts.

Author

My name is Jan Bodnar and I am a passionate programmer with many years of programming experience. I have been writing programming articles since 2007. So far, I have written over 1400 articles and 8 e-books. I have over eight years of experience in teaching programming.

List all VBScript tutorials.