On Mon, Aug 27, 2018 at 6:23 AM, Goku Balu <tfa.signup.te...@gmail.com> wrote:
>
> My use case is this. Folder1 is created by Admin1 and ACL is set by Admin1.
> Now Admin2 wants to change the ACL. I think we have two options here
> 1) Take folder ownership and then do the changes
> 2) Take elevated privileges for Admin2 account and add/remove ACL entries
If the current DACL doesn't grant Admin2 the right to change the owner or change the DACL (i.e. to acquire said right), then you'll need to either enable SeTakeOwnershipPrivilege or enable SeRestorePrivilege with backup semantics. Under UAC restriction, an administrator only has these privileges when elevated, so option (2) is your only choice. SeRestorePrivilege also allows setting the owner to an arbitrary user or group. Otherwise you can only set the owner to either the current user or any of the user's groups that have the group-owner flag (e.g. the administrators group).

> win32security.AdjustTokenPrivileges(handle, 0, new_privs)

This call will succeed even if one or more of the privileges wasn't modified. In this case GetLastError() returns ERROR_NOT_ALL_ASSIGNED (1300). This will be the case if you try to enable the take-ownership and restore privileges for a UAC restricted token.

> fs = win32security.GetFileSecurity(
>     path, win32security.OWNER_SECURITY_INFORMATION)
> fs.SetSecurityDescriptorOwner(owner_sid, True)
>
> win32security.SetFileSecurity(
>     path, win32security.OWNER_SECURITY_INFORMATION, fs)

Use GetNamedSecurityInfo and SetNamedSecurityInfo instead. These newer functions handle inheritance correctly. They also open the file with backup semantics. The I/O manager grants all requested modify access (including write-owner) if backup semantics is combined with SeRestorePrivilege. In this case you don't need SeTakeOwnershipPrivilege.

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
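Putting the reply's advice together, here is an added pywin32 example (not code from either poster): it enables SeRestorePrivilege, treats ERROR_NOT_ALL_ASSIGNED as a hard failure and reports which privilege the non-elevated token lacks, then sets the owner and appends an inheritable ACE with SetNamedSecurityInfo. The folder path and the account names are assumed command-line arguments; `not_enabled` is a pure helper added for checking the token state.

```python
import sys

ERROR_NOT_ALL_ASSIGNED = 1300      # AdjustTokenPrivileges returned TRUE but skipped some
SE_PRIVILEGE_ENABLED = 0x2         # same value as win32con.SE_PRIVILEGE_ENABLED

def not_enabled(token_privs, wanted):
    """Names in `wanted` (luid -> name) that the token does not have enabled.
    `token_privs` is what GetTokenInformation(token, TokenPrivileges) returns."""
    state = {luid: attrs for luid, attrs in token_privs}
    return sorted(name for luid, name in wanted.items()
                  if not state.get(luid, 0) & SE_PRIVILEGE_ENABLED)

def enable_privileges(names):
    """Enable the named privileges on the process token, or raise naming the
    ones a UAC-restricted (non-elevated) token does not hold."""
    import win32api, win32con, win32security
    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(),
        win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
    wanted = {win32security.LookupPrivilegeValue(None, n): n for n in names}
    win32security.AdjustTokenPrivileges(
        token, False, [(luid, win32con.SE_PRIVILEGE_ENABLED) for luid in wanted])
    if win32api.GetLastError() == ERROR_NOT_ALL_ASSIGNED:  # partial success, not an exception
        held = win32security.GetTokenInformation(token, win32security.TokenPrivileges)
        raise PermissionError("not enabled (run elevated?): "
                              + ", ".join(not_enabled(held, wanted)))

def set_owner_and_grant(path, owner, grantee, access):
    """Set the owner (an arbitrary account needs SeRestorePrivilege), then append
    an inheritable allow ACE; SetNamedSecurityInfo keeps inherited ACEs intact."""
    import ntsecuritycon as con, win32security as sec
    owner_sid = sec.LookupAccountName(None, owner)[0]
    grantee_sid = sec.LookupAccountName(None, grantee)[0]
    sec.SetNamedSecurityInfo(path, sec.SE_FILE_OBJECT, sec.OWNER_SECURITY_INFORMATION,
                             owner_sid, None, None, None)
    sd = sec.GetNamedSecurityInfo(path, sec.SE_FILE_OBJECT, sec.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    dacl.AddAccessAllowedAceEx(sec.ACL_REVISION,
                               con.OBJECT_INHERIT_ACE | con.CONTAINER_INHERIT_ACE,
                               access, grantee_sid)
    sec.SetNamedSecurityInfo(path, sec.SE_FILE_OBJECT, sec.DACL_SECURITY_INFORMATION,
                             None, None, dacl, None)

if __name__ == "__main__":          # assumed usage: python fix_acl.py C:\Folder1 Admin2 Admin2
    import ntsecuritycon
    folder, new_owner, user = sys.argv[1:4]
    enable_privileges(["SeRestorePrivilege"])
    set_owner_and_grant(folder, new_owner, user, ntsecuritycon.FILE_ALL_ACCESS)
```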