1

I am using VBScript for retrieving the security descriptor of a Win32_Service. I am using the following code:

SE_DACL_PRESENT = &h4
ACCESS_ALLOWED_ACE_TYPE = &h0
ACCESS_DENIED_ACE_TYPE  = &h1

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")

Set colInstalledPrinters = objWMIService.ExecQuery _
    ("Select * from Win32_Service")

For Each objPrinter in colInstalledPrinters
    WScript.Echo "Name: " & objPrinter.Name
    ' Get the security descriptor for this service
    Return = objPrinter.GetSecurityDescriptor( objSD )
    If ( Return <> 0 ) Then
        WScript.Echo "Could not get security descriptor: " & Return
        WScript.Quit Return
    End If
    ' Extract the security descriptor flags
    intControlFlags = objSD.ControlFlags
    If intControlFlags AND SE_DACL_PRESENT Then
        ' Get the ACE entries from the security descriptor
        colACEs = objSD.DACL
        For Each objACE in colACEs
            ' List each trustee and whether its ACE allows or denies access
            WScript.Echo objACE.Trustee.Domain & "\" & objACE.Trustee.Name
            If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
                WScript.Echo vbTab & "User has access to printer"
            ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
                WScript.Echo vbTab & "User does not have access to the printer"
            End If
        Next
    Else
        WScript.Echo "No DACL found in security descriptor"
    End If
Next

However, every time I run it I get the message saying the resulting code is -2147023582 something, rather than the error codes defined in the manual.

Anyone got any ideas? I am using Windows 7 professional 64-bit.

Update: The number is -2147023582. Could it be some sort of 64-bit issue? Doesn't that look like an unsigned integer stored as a signed integer?

invictus

2 Answers

1

-2147023582 is error 0x80070522, or "A required privilege is not held by the client".

I suspect that your script is being run with a limited user token rather than with an Administrator token. You might try the script from an "Administrator" token (i.e. "Run as Administrator", from an Administrator CMD session, etc.) and see how it goes. I think you'll find that you have more success.

Evan Anderson
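The conversion behind the answer above, as an added example that is not part of the original posts: it splits the signed value from the question into its HRESULT fields and, for Win32-facility codes, looks up the system message text. `DescribeHResult` and `Win32Message` are hypothetical helper names, and the lookup assumes `net.exe` is on the PATH.

```vbscript
' Added example, not part of the original post.
Option Explicit

Const FACILITY_WIN32 = 7   ' HRESULTs that wrap a plain Win32 error code

' Split a signed 32-bit return value into its HRESULT fields.
' Assumes lngValue is a VBScript Long, as in the question.
Function DescribeHResult(lngValue)
    Dim strHex, lngFacility, lngCode, strOut

    ' Hex() shows the two's-complement bit pattern of a negative Long.
    strHex = "0x" & Right("00000000" & Hex(lngValue), 8)

    ' &H7FF0000 is already a Long; &HFFFF needs the trailing & because
    ' plain &HFFFF is the 16-bit Integer -1 and would mask nothing.
    lngFacility = (lngValue And &H7FF0000) \ &H10000   ' bits 16-26
    lngCode = lngValue And &HFFFF&                     ' bits 0-15

    strOut = lngValue & " = " & strHex & " (facility " & lngFacility & _
             ", code " & lngCode & ")"

    ' Bit 31 set (negative as a Long) means failure.
    If lngValue < 0 And lngFacility = FACILITY_WIN32 Then
        strOut = strOut & ": " & Win32Message(lngCode)
    End If
    DescribeHResult = strOut
End Function

' Look up the system message text for a Win32 error code with the
' built-in "net helpmsg" command (assumes net.exe is on the PATH).
Function Win32Message(lngCode)
    Dim objShell, objExec
    Set objShell = CreateObject("WScript.Shell")
    Set objExec = objShell.Exec("net helpmsg " & lngCode)
    Win32Message = Trim(Replace(objExec.StdOut.ReadAll, vbCrLf, " "))
End Function

' The value reported in the question.
WScript.Echo DescribeHResult(-2147023582)
```

Run it with `cscript` so the output goes to the console; calling `DescribeHResult(Return)` in a script's error branch gives the same breakdown for whatever value the WMI method returned.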
0

I have an idea... for some reason, the 'impersonationlevel=impersonate, (Security)' privilege clause does not work with Windows 7.

Try using the script with server 2003 or XP and see what happens!!

I have had a similar issue with backing up the server windows security logs and found that, on paper at least, everything is configured as required. But when used with Win7, it doesn't work and doesn't suggest a reason why.

To my knowledge, there is no way of getting round this.

The only thing that might work is to call the script by opening a CMD prompt/Batch file using an Admin level user account to call the vbs script.

I have looked for hours online about this and have not managed to find anything to suggest how to get round it. Put it down to M$haft over 'user-ifying' Windows.

Hope this helps!