
I have a script that enables sharing on a folder and sets the sharing permissions. The script works fine with one exception, which is the most important one if you wanna generate a HomeUse-Directory. I can't set the sharing permissions for the group "Everyone"; it fails with the error message:

The account "Everyone" couldn't be mapped to a SID

So I did some research and found this very interesting article which says that the group "Everyone" didn't have a SID until Windows Vista/Server 2008.

After some more reading I found another article called "Well-known SIDs". Now I had the SID for the World/Everyone group as those groups are not listed in the AD. So I changed my script to search for the SID directly instead of using the pre-Windows 2000 parameter. Sadly this didn't work either.

And there I am now, pretty clueless. I guess there are some work-arounds but I'd actually like to do it with the group "Everyone".

As far as I know "Everyone" is a non-AD-based group like the "local Admin" and "System". Strangely I can set the sharing permissions for "System", but not for "Everyone/World/SELF".

Am I missing something?

I'm glad to hear any experience you guys had with this matter.

Edit:

As requested - here is the code which gives me the error:

            Dim SetEntriesResult As UInteger = SetEntriesInAcl(1, ExplicitAccessRule(i), AclPtr, AclPtr)
            'Check the result of the SetEntriesInAcl API call
            If SetEntriesResult = ERROR_NONE_MAPPED Then
                Throw New ApplicationException("The account " & FullAccountName & " could not be mapped to a security identifier (SID).")
            ElseIf SetEntriesResult <> 0 Then
                Throw New ApplicationException("The account " & FullAccountName & " could not be added to the ACL as the follow error was encountered: " & SetEntriesResult & ".")
            End If

So it's the ERROR_NONE_MAPPED API error.

Relevant code used above:

    <DllImportAttribute("advapi32.dll", EntryPoint:="SetEntriesInAclW")> _
    Private Shared Function SetEntriesInAcl(ByVal cCountOfExplicitEntries As Integer, <InAttribute()> ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, <InAttribute()> ByVal OldAcl As System.IntPtr, ByRef NewAcl As System.IntPtr) As UInteger
    End Function

    Public Shared Function ShareExistingFolder(ByVal ShareName As String, ByVal ShareComment As String, ByVal LocalPath As String, ByVal SharePermissions As List(Of SharePermissionEntry), Optional ByVal ComputerName As String = Nothing) As NET_API_STATUS
        'Argument validation
        If String.IsNullOrEmpty(ShareName) OrElse String.IsNullOrEmpty(LocalPath) OrElse SharePermissions Is Nothing OrElse SharePermissions.Count = 0 Then
            Throw New ArgumentException("Invalid argument specified - ShareName, LocalPath and SharePermissions arguments must not be empty")
        End If

        'Create array of explicit access rules, one for each user specified in the SharePermissions argument
        Dim ExplicitAccessRule(SharePermissions.Count - 1) As EXPLICIT_ACCESS
        'This pointer will hold the full ACL (access control list) once the loop below has completed
        Dim AclPtr As IntPtr

        'Loop through each entry in our list of explicit access rules, build each one and add it to the ACL
        For i As Integer = 0 To ExplicitAccessRule.Length - 1
            'Build the user or group name
            Dim FullAccountName As String = String.Empty
            If Not String.IsNullOrEmpty(SharePermissions(i).DomainName) Then
                FullAccountName = SharePermissions(i).DomainName & "\"
            End If
            FullAccountName &= SharePermissions(i).UserOrGroupName
            'Create a TRUSTEE structure and populate it with the user account details
            Dim Account As New TRUSTEE
            With Account
                .MultipleTrusteeOperation = MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE
                .pMultipleTrustee = 0
                .TrusteeForm = TRUSTEE_FORM.TRUSTEE_IS_NAME
                .ptstrName = FullAccountName
                .TrusteeType = TRUSTEE_TYPE.TRUSTEE_IS_UNKNOWN
            End With
            'Populate the explicit access rule for this user/permission
            With ExplicitAccessRule(i)
                'Set this to an Allow or Deny entry based on what was specified in the AllowOrDeny property
                If SharePermissions(i).AllowOrDeny Then
                    .grfAccessMode = ACCESS_MODE.GRANT_ACCESS
                Else
                    .grfAccessMode = ACCESS_MODE.DENY_ACCESS
                End If
                'Build the access mask for the share permission specified for this user
                If SharePermissions(i).Permission = SharedFolder.SharePermissions.Read Then
                    .grfAccessPermissions = ACCESS_MASK.GENERIC_READ Or ACCESS_MASK.STANDARD_RIGHTS_READ Or ACCESS_MASK.GENERIC_EXECUTE
                ElseIf SharePermissions(i).Permission = SharedFolder.SharePermissions.FullControl Then
                    .grfAccessPermissions = ACCESS_MASK.GENERIC_ALL
                End If
                'Not relevant for share permissions so just set to NO_INHERITANCE
                .grfInheritance = NO_INHERITANCE
                'Set the Trustee to the TRUSTEE structure we created earlier in the loop
                .Trustee = Account
            End With
GrindelOh
  • That article does not say the SID does not exist. It explains how certain OS versions do not grant Anonymous connections access to items secured with the Everyone ACL. What is the code in your script throwing the error? – Clayton Mar 08 '16 at 14:49
  • @Craig620 Thanks for your comment. Yes I understand that too, but as I want to share folders on my Win Server 2012R2, "Everyone" should have an SID. I added the code and the explicit error message. – GrindelOh Mar 09 '16 at 08:00
  • Ugh, you could do it that way. As your scope is Server 2012, it would be easier and take a lot fewer lines of code if you used the PowerShell cmdlets for those tasks: Get-Acl, Set-Acl, New-SmbShare. Simple ACL example https://blogs.msdn.microsoft.com/johan/2008/10/01/powershell-editing-permissions-on-a-file-or-folder/ Full ACL details https://technet.microsoft.com/en-us/library/ff730951.aspx – Clayton Mar 09 '16 at 15:32
  • @Craig620 That's true! I'm just not the biggest fan of remote controlling a PS. Thanks for the hint with New-SmbShare. As I have a problem with my remote script I pulled the discussion over to SO if you wanna have a look. http://stackoverflow.com/questions/35918645/remote-powershell-connection-script-works-for-exchange-ps-but-not-for-windows-ps – GrindelOh Mar 10 '16 at 14:20
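
Added example, not part of the original question or its comments: the New-SmbShare route mentioned in the comments, with the Everyone group resolved from its well-known SID (S-1-1-0) instead of a typed account name. The function name New-EveryoneShare and the share name and path in the usage comment are hypothetical.

```powershell
# Added example (not the asker's code). Requires the SmbShare module
# (Windows Server 2012 or later) and an elevated session.
function New-EveryoneShare {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateSet('Read', 'Change', 'Full')][string]$AccessRight = 'Read',
        [string]$Description
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder '$Path' does not exist."
    }

    # S-1-1-0 is the well-known SID of the World/Everyone group.
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'

    # Ask Windows which account name it uses for that SID on this machine,
    # so nothing depends on the literal string "Everyone".
    $everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

    # Build the New-SmbShare arguments; exactly one access level is granted.
    $shareArgs = @{ Name = $Name; Path = $Path }
    if ($Description) { $shareArgs['Description'] = $Description }
    switch ($AccessRight) {
        'Read'   { $shareArgs['ReadAccess']   = $everyone }
        'Change' { $shareArgs['ChangeAccess'] = $everyone }
        'Full'   { $shareArgs['FullAccess']   = $everyone }
    }

    if ($PSCmdlet.ShouldProcess($Path, "Share as '$Name' for $everyone ($AccessRight)")) {
        New-SmbShare @shareArgs | Out-Null
        # Return the resulting share ACL so the caller can check the entry.
        Get-SmbShareAccess -Name $Name
    }
}

# Usage (hypothetical share name and path); -WhatIf previews without creating:
# New-EveryoneShare -Name 'Home$' -Path 'D:\Home' -AccessRight Change -WhatIf
```

The share ACL set here is separate from the NTFS ACL on the folder, which is still edited with Get-Acl and Set-Acl.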

0 Answers