Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Decrypt My World" MSDN blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL: https://blogs.msdn.microsoft.com/alejacma/2008/03/25/how-to-get-password-expiration-date-with-system-directoryservices-c/
Post name: How to get Password Expiration Date with System.DirectoryServices (C#)
Original author: Alejandro Campos Magencio
Posting date: 2008-03-25T12:05:00+00:00


Hi, welcome back,


You may want to get the Password Expiration Date for a given user with System.DirectoryServices. You may be tempted to use code like the following:

DirectoryEntry entry = new DirectoryEntry(path);
object obj = entry.Properties["PasswordExpirationDate"].Value;
DateTime passwordExpirationDate = (DateTime)obj;


But "obj" is always null even if a "net user" command returns a valid password expiration date.


We can check that PasswordExpirationDate is not an available property in the DirectoryEntry.Properties.PropertyNames collection.


So we could use code like the following instead, which works:

DirectoryEntry entry = new DirectoryEntry(path);
ActiveDs.IADsUser native = (ActiveDs.IADsUser)entry.NativeObject;
DateTime passwordExpirationDate = native.PasswordExpirationDate;

I hope this helps.


Regards,



Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2008/03/24/capicom-security-alerts-are-not-localized/
Post name: CAPICOM Security Alerts are not localized
Original author: Alejandro Campos Magencio
Posting date: 2008-03-24T07:48:00+00:00


Hi all, welcome back,

When we use CAPICOM, we may get some messages like the following:

Security Alert: This Web site needs to decrypt data using your private key.

Security Alert: This Web site needs to create a digital signature using your private key.

Security Alert: This Web site needs to add digital certificates to this computer.

Security Alert: This Web site needs access to digital certificates on this computer.

Security Alert: This Web site needs to delete digital certificates from this computer.

Some people would like to have them localized to, e.g., Spanish, or at least be able to turn them off. Unfortunately there are no localized versions of CAPICOM.dll and those messages can't be turned off.

Additionally, there are no plans to create such localized versions in the future. CAPICOM support is very limited already (will it be available in the next version of Windows? Who knows...), and it's pretty much dedicated to fixing security bugs if any are ever found.

As always, my recommendation is to use .NET and System.Security.Cryptography classes whenever possible.

If you need to use .NET assemblies from client side scripting (main use of CAPICOM for many people), for instance, here you can find a sample to create an ActiveX from an assembly, so System.Security.Cryptography classes can be used in Internet Explorer: Writing an ActiveX Control in .NET.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2008/03/13/how-to-change-the-security-descriptor-of-wmi-objects/
Post name: How to change the Security Descriptor of WMI objects
Original author: Alejandro Campos Magencio
Posting date: 2008-03-13T22:51:00+00:00


Hi all, welcome back,


You may want to give users or groups access to perform read/modify WMI operations on WMI objects, and for that you need to change the Security Descriptor (SD) for WMI objects. There are several ways to achieve this:


1) Manually with wmimgmt.msc: 325353 HOW TO: Set WMI Namespace Security in Windows Server 2003.


2) Using third-party tools like WMI Namespace Security.


3) Programmatically, the easy way:


We could manually set the SD on one box, then save it to a text file with GetSD method of the __SystemSecurity class, read the SD from the text file and reapply it to new boxes with SetSD method.


The following VBScript shows how to use GetSD to obtain the current SD for the Root\Cimv2 namespace and convert it to the list of byte values displayed in strDisplaySD.

' Connect to WMI and the root\cimv2 namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Get the namespace security. GetSD returns 0 on success.
'
nReturn = objSecurity.GetSD(arrSD)
If nReturn <> 0 Then
    WScript.Echo "Return value = " & nReturn
Else
    ' Show it as a comma-separated list of byte values
    '
    strDisplaySD = "SD = {"
    For I = Lbound(arrSD) To Ubound(arrSD)
        strDisplaySD = strDisplaySD & arrSD(I)
        If I <> Ubound(arrSD) Then
            strDisplaySD = strDisplaySD & ","
        End If
    Next
    strDisplaySD = strDisplaySD & "}"
    WScript.Echo strDisplaySD
End If


The following script shows how to use SetSD to set the namespace SD for the root namespace and change it to the byte array shown in arrSD.

' Hard-coded security descriptor
'
arrSD = array( 1, 0, 4,129,72, 0, 0, 0, _
88, 0, 0, 0, 0, 0, 0, 0, _
20, 0, 0, 0, 2, 0,52, 0, _
2, 0, 0, 0, 0, 2,24, 0, _
63, 0, 6, 0, 1, 2, 0, 0, _
0, 0, 0, 5,32, 0, 0, 0, _
32, 2, 0, 0, 0, 2,20, 0, _
63, 0, 6, 0, 1, 1, 0, 0, _
0, 0, 0, 1, 0, 0, 0, 0, _
1, 2, 0, 0, 0, 0, 0, 5, _
32, 0, 0, 0,32, 2, 0, 0, _
1, 2, 0, 0, 0, 0, 0, 5, _
32, 0, 0, 0,32, 2, 0, 0)

' Connect to WMI and the root namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Change the namespace security.
'
nReturn = objSecurity.SetSD(arrSD)
WScript.Echo "Return value = " & nReturn


4) Programmatically, the hard way:


We can write our own WMI script using the following sample found at http://www.lissware.net/:


vol 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf, using a series of subfunctions:

Sample 4.02 to 4.13 - WMIManageSD.Wsf
Sample 4.14 to 4.24 - GetSDFunction.vbs
Sample 4.25 - CreateDefaultSDFunction.vbs
Sample 4.26 to 4.27 - ADSIHelper.exp
Sample 4.28 - DecipherWMISDFunction.vbs
Sample 4.29 - DecipherADSISDFunction.vbs
Sample 4.30 - DecipherSDControlFlagsFunction.vbs
Sample 4.31 - CalculateSDControlFlagsFunction.vbs
Sample 4.32 to 4.40 - ActiveDirectory.CMD
Sample 4.41 - SetSDOwnerFunction.vbs
Sample 4.42 - CreateTrusteeFunction.vbs
Sample 4.43 - SetSDGroupFunction.vbs
Sample 4.44 - SetSDControlFlagsFunction.vbs
Sample 4.45 to 4.46 - AddACEFunction.vbs
Sample 4.47 to 4.48 - DelACEFunction.vbs
Sample 4.49 to 4.50 - ReOrderACEFunction.vbs
Sample 4.51 to 4.61 - SetSDFunction.vbs

The script reads the binary SD with the __SystemSecurity class and converts it with Sample 4.14 to 4.24 - GetSDFunction.vbs at line 283.
The object used to convert the SD is defined at line 189 in Sample 4.02 to 4.13 - WMIManageSD.Wsf.
Under XP and 2003, it uses IADsSecurityUtility::ConvertSecurityDescriptor.
Before XP, it uses a COM component written specifically to convert the binary array to an ADSI SD representation (located in the resources folder that comes with the ZIP; it must be registered with REGSVR32).



The sample given there manages the security not only on WMI namespaces, but also on Files, Folders, Shares, AD objects, Exchange Mailboxes and Registry keys.



Everything is explained in greater detail in the book related to this sample, as full coverage of the details for the management of all the SDs supported above required 220 pages of text and tables.
This is not a trivial task even if it is fairly achievable.
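
The hard-coded arrSD in the SetSD script under option 3 is opaque until decoded, and SetSD applies it to the namespace exactly as given. The following added example (Python, not part of the original post or the lissware samples) parses that self-relative security descriptor into owner, group and DACL entries so it can be reviewed before being copied to other boxes; the function names are hypothetical, and the rights table uses the WMI namespace access-mask constant names.

```python
import struct

# Byte values copied from the hard-coded arrSD in the SetSD script on this page.
ARR_SD = bytes([
    1, 0, 4, 129, 72, 0, 0, 0, 88, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 2, 0, 52, 0,
    2, 0, 0, 0, 0, 2, 24, 0, 63, 0, 6, 0, 1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0,
    32, 2, 0, 0, 0, 2, 20, 0, 63, 0, 6, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
    1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0, 1, 2, 0, 0, 0, 0, 0, 5,
    32, 0, 0, 0, 32, 2, 0, 0])

# WMI namespace access-mask bits (wbemcli.h / winnt.h constant names).
WMI_RIGHTS = {0x1: "WBEM_ENABLE", 0x2: "WBEM_METHOD_EXECUTE", 0x4: "WBEM_FULL_WRITE_REP",
              0x8: "WBEM_PARTIAL_WRITE_REP", 0x10: "WBEM_WRITE_PROVIDER",
              0x20: "WBEM_REMOTE_ACCESS", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC"}

def parse_sid(buf, off):
    """Decode the binary SID at offset off into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_sd(buf):
    """Decode a self-relative security descriptor: owner, group and DACL ACEs."""
    rev, _, control, owner, group, _, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:          # SE_SELF_RELATIVE
        raise ValueError("not a revision-1 self-relative security descriptor")
    aces = []
    if control & 0x0004 and dacl:                 # SE_DACL_PRESENT
        _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", buf, dacl)
        pos = dacl + 8
        for _ in range(ace_count):
            ace_type, flags, size = struct.unpack_from("<BBH", buf, pos)
            if size < 8 or pos + size > dacl + acl_size:
                raise ValueError("ACE runs past the end of the ACL")
            if ace_type in (0, 1):                # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
                mask, = struct.unpack_from("<I", buf, pos + 4)
                aces.append({"type": "allow" if ace_type == 0 else "deny", "mask": mask,
                             "sid": parse_sid(buf, pos + 8), "inherit": bool(flags & 0x02),
                             "rights": [n for b, n in WMI_RIGHTS.items() if mask & b]})
            pos += size
    return {"owner": parse_sid(buf, owner) if owner else None,
            "group": parse_sid(buf, group) if group else None, "aces": aces}

def broad_grants(sd, broad_sids=("S-1-1-0", "S-1-5-11")):
    """Allow ACEs giving Everyone / Authenticated Users remote, write or WRITE_DAC rights."""
    risky = 0x4 | 0x8 | 0x10 | 0x20 | 0x40000
    return [a for a in sd["aces"]
            if a["type"] == "allow" and a["sid"] in broad_sids and a["mask"] & risky]
```

For the array on this page, parse_sd reports owner and group S-1-5-32-544 (BUILTIN\Administrators) and two inheritable allow ACEs with mask 0x6003F, one for Administrators and one for S-1-1-0 (Everyone); broad_grants returns the Everyone entry.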



I hope this helps.


Cheers,



Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2008/03/11/how-to-change-registry-permissions-with-regini-exe-vbscript/
Post name: How to change Registry Permissions with RegIni.exe (VBScript)
Original author: Alejandro Campos Magencio
Posting date: 2008-03-11T03:15:00+00:00


Hi all, welcome back,


Today I'll show how we can set the following permissions on a registry key with RegIni.exe and a VBScript:


- Creator Owner Full Control
- Users Full Control
- Power Users Full Control
- Administrators Full Control
- System Full Control


I will set the permissions here for testing purposes:


- HKEY_CLASSES_ROOT\AlejaCMaTypelib
- HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp

And for that I will need to create a special regini.exe script which will have the following contents:


HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]
HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]


Notes:
- With regini.exe I won't be able to set Users Full Control, but Everyone Full Control.
- HKEY_CLASSES_ROOT = HKEY_LOCAL_MACHINE\Software\Classes

See the following articles for details on the values used in the regini script:
- How to Use Regini.exe to Set Permissions on Registry Keys
- How to: Use a Script to Change Registry Permissions from the Command Line


And here you have the VBScript that will use regini.exe and its script:


' Create temp file with the script that regini.exe will use
'
set oFSO = CreateObject("Scripting.FileSystemObject")
strFileName = oFSO.GetTempName
set oFile = oFSO.CreateTextFile(strFileName)
oFile.WriteLine "HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]"
oFile.WriteLine "HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]"
oFile.Close

' Change registry permissions with regini.exe
'
set oShell = CreateObject("WScript.Shell")
oShell.Run "regini " & strFileName, 8, true

' Delete temp file
'
oFSO.DeleteFile strFileName

WScript.Echo "Done!"
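
The note above that regini.exe grants Everyone rather than Users Full Control is easy to miss when reading the bracketed codes. This added example (Python, not part of the original post) parses a regini script and reports which principal and access each code grants, marking write access for Everyone; the function and variable names are hypothetical.

```python
import re

# regini.exe ACL codes, grouped by principal. Codes 1, 5, 7, 11 and 17 are the ones used on
# this page; the others are from Microsoft's regini permissions article referenced above.
_ACCESS = {
    "Administrators": {1: "Full", 2: "Read", 3: "Read/Write", 4: "Read/Write/Delete",
                       20: "Read/Write/Execute"},
    "Creator Owner": {5: "Full", 6: "Read/Write"},
    "Everyone": {7: "Full", 8: "Read", 9: "Read/Write", 10: "Read/Write/Delete"},
    "Power Users": {11: "Full", 12: "Read/Write", 13: "Read/Write/Delete"},
    "System Operators": {14: "Full", 15: "Read/Write", 16: "Read/Write/Delete"},
    "System": {17: "Full", 18: "Read/Write", 19: "Read"},
    "Interactive User": {21: "Full", 22: "Read/Write", 23: "Read/Write/Delete"},
}
CODES = {c: (who, what) for who, g in _ACCESS.items() for c, what in g.items()}
_LINE = re.compile(r"^\s*(\S.*?)\s*\[([\d\s]*)\]\s*$")   # "<key path> [code code ...]"

def audit_regini(script):
    """Return one finding per (key, ACL code); mark write access granted to Everyone."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        m = _LINE.match(raw)
        if not m:
            continue                                   # blank lines, value lines
        key, codes = m.group(1), [int(c) for c in m.group(2).split()]
        for code in codes:
            who, what = CODES.get(code, ("?", "unknown code"))
            findings.append({"line": lineno, "key": key, "code": code, "who": who,
                             "access": what,
                             "broad_write": who == "Everyone" and what != "Read"})
    return findings

# The two script lines from this page.
PAGE_SCRIPT = r"""HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]
HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]"""

if __name__ == "__main__":
    for f in audit_regini(PAGE_SCRIPT):
        flag = "  <-- writable by any user" if f["broad_write"] else ""
        print("%s: %s %s%s" % (f["key"], f["who"], f["access"], flag))
```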



I hope it helps.


Cheers,



Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2008/03/11/how-to-get-the-user-running-a-vbscript/
Post name: How to get the user running a VBScript
Original author: Alejandro Campos Magencio
Posting date: 2008-03-11T03:07:00+00:00


Hi all, welcome back,


It's very easy to find out the user name and the domain name of the user running a VBScript, and the computer name where it's running:


Set objNet = CreateObject("WScript.NetWork") 

strInfo = "User Name is " & objNet.UserName & vbCRLF & _
"Computer Name is " & objNet.ComputerName & vbCRLF & _
"Domain Name is " & objNet.UserDomain

MsgBox strInfo



I hope this helps.


Cheers,



Alex (Alejandro Campos Magencio)