World: r3wp
[Parse] Discussion of PARSE dialect
Pekr 5-Jun-2009 [3832] | So I start from right, making longer rule as [rights-section | domain-section user-section rights-section] |
Ladislav 5-Jun-2009 [3833] | ...makes no sense to define a rule, if you don't actually know where the path ends, as I see it |
Pekr 5-Jun-2009 [3834] | There is one exception - "NT AUTHORITY" ... I would break both hands of the designer, which allowed this one exception - space in domain name is not normally allowed :-) |
BrianH 5-Jun-2009 [3835] | parse/all/case line [[to "WALMARK" | to "BUILTIN"] a: (do something)] |
Ladislav 5-Jun-2009 [3836] | aha, so, you actually know, where the path ends?, you didn't tell |
BrianH 5-Jun-2009 [3837] | Or to "NT AUTHORITY" |
Pekr 5-Jun-2009 [3838x2] | But you can define following rule:
domain-chars: charset [#"A" - #"Z" "-"]
domain-rule: [
    "NT AUTHORITY\" (domain: "NT AUTHORITY")
    | copy domain some domain-chars "\"
]
domain-user-rights: [rights-rule | domain-rule user-rule rights-rule] |
So except the NT AUTHORITY, there can't be any space. So I filtered out the case when there are only rights on the first line (OI)(CI) etc. and the second case - DOMAIN\USER-GROUP:(RIGHTS) | |
BrianH 5-Jun-2009 [3840] | If you know the names of all the domains in your network, you can treat them as keywords. Just add "BUILTIN" and "NT AUTHORITY" to the list of keywords and you are set. No need to deal with character sets. |
Pekr 5-Jun-2009 [3841] | The rest should/could be spaces or PATH |
Paul 5-Jun-2009 [3842] | copy/part path find/reverse find/reverse find path "(" " " " " |
Pekr 5-Jun-2009 [3843] | BrianH: yes, but that would hardly be a challenge then :-) I wanted to have it flexible, hence being able to identify any domain ... |
BrianH 5-Jun-2009 [3844] | Flexibility is overrated :) |
Pekr 5-Jun-2009 [3845] | Paul - good one - I thought about reversing the string from reaching the newline too ... |
BrianH 5-Jun-2009 [3846] | Also, seriously, consider switching utilities to one that gives you better output. |
Pekr 5-Jun-2009 [3847x3] | there's no other utility in default console :-) |
but - I could also not do it all with one ICACLS call, but instead do REBOL-level recursion, using a separate CALL to ICACLS for each dir ... | |
But that ICACLS output ran for > 3 hours, so I don't want to repeat it :-) | |
BrianH 5-Jun-2009 [3850x2] | Since this is a one-off for a known network, flexibility is *really* overrated here. Go with the known domains method this time, then you'll have time to come up with a general solution for the next run. |
You first asked this question > 3 hours ago, anyways :) | |
Pekr 5-Jun-2009 [3852] | NO :-) |
BrianH 5-Jun-2009 [3853] | Well, I don't have an NT server running locally here, so I can't generate test data or even check its command line options. |
Pekr 5-Jun-2009 [3854] | don't worry. I am mostly done. It can be "almost" done, but nevertheless we will switch to VBScript .... |
Ladislav 5-Jun-2009 [3855] | do I understand correctly, that it can be done in VBScript? |
BrianH 5-Jun-2009 [3856x2] | You would use VBScript as a replacement for the command line tool. |
It's either that or PowerShell. | |
Pekr 5-Jun-2009 [3858] | Well, I saw some examples and although I don't fully understand them, there might not be the place for REBOL. You can do everything in VB script, and that is what I don't like :-) |
BrianH 5-Jun-2009 [3859] | Or other languages with ActiveX support, and there are many. |
Pekr 5-Jun-2009 [3860x2] | But - the easiest way probably was to use a mixture of REBOL and ICACLS CALLs - traversing directories recursively and querying ICACLS. That way I would always know the path, so it would be easy to strip it from output. Now as CALL is fixed and no longer opens black console windows, REBOL is a good tool. |
R3 with ActiveX support, yes, can't wait for it :-) | |
BrianH 5-Jun-2009 [3862] | What question does icacls ask about the access control lists? I don't have the tool locally. |
Pekr 5-Jun-2009 [3863] | http://www.mydigitallife.info/2007/04/30/icacls-vista-command-prompt-tool-to-manage-acls/ |
BrianH 5-Jun-2009 [3864] | Looks like AccessChk: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx |
Pekr 5-Jun-2009 [3865x2] | It does not even have a parameter to distinguish directory and file - what a lame tool. You have to use a trick - icacls c:\some-dir\sub-dir-or-file*. , which is a relic of 8.3 naming, so actually it will match both dir and file, not having suffix .... |
What would lame MS do without buying Sysinternals guys escapes my mind ... | |
BrianH 5-Jun-2009 [3867] | This is how they get their tech. |
Pekr 5-Jun-2009 [3868] | WTF :-) No I am upset about myself, as I use other SysInternal tools often, but dunno why I haven't looked for that tool myself :-) |
BrianH 5-Jun-2009 [3869x2] | Haven't used it yet either. |
ICACLS has a /save option - what does that output? It's supposed to be machine readable, unlike its stdout output. | |
Pekr 5-Jun-2009 [3871] | it outputs complete mess. It almost looks like binary, but it is not - but no newlines, etc. It is kind of despaced output, which can be later used to set right back .... |
BrianH 5-Jun-2009 [3872] | Might be more parseable though. |
Pekr 5-Jun-2009 [3873x6] | there are no names though ... just SIDs ... |
Following does what I need, and the output is nicer: accesschk.exe -s -d L:\Sprava\* > ble.txt | |
-s recursion, -d dir-only | |
L:\My-dir\My-sub-dir
  Medium Mandatory Level (Default) [No-Write-Up]
  RW BUILTIN\Administrators
  RW WALMARK\AJMV | |
This is parseable ... maybe I can even use read/lines and skip the second line ... | |
It is just "not standard", e.g. If I would be planning (which I am not :-) to write simple Identity management, I would be probably better with "standard". This is already converted to R, W, etc. | |
BrianH 5-Jun-2009 [3879x2] | If you don't need it, sure :) |
All Vista shop then? The nearest person I know that runs Vista is more than 60 miles from me. | |
Pekr 5-Jun-2009 [3881] | Windows console is so lame, that I have to use iconv to convert to win1250 first. It looks like they still live in DOS age :-) |