vbs通过WMI修改文件文件夹的NTFS权限

'-------------------------------------------------------------------------

'用于给文件和文件夹添加一条权限设置.返回值: 0-成功,1-账户不存在,2-路径不存在
'struser表示用户名或组名
'strpath表示文件夹路径或文件路径
'straccess表示允许权限设置的字符串,字符串中带有相应字母表示允许相应权限: r-读,c-读写,f-完全控制
'blinherit表示是否继承父目录权限.true为继承,false为不继承

function addpermission(struser,strpath,straccess,blinherit)
        set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
        set fso = createobject("scripting.filesystemobject")
        '得到win32_sid并判断用户/组/内置账户是否存在
        set colusers = objwmiservice.execquery("select * from win32_account where name='"&struser&"'")
        if colusers.count<>0 then
                for each objuser in colusers
                        strsid = objuser.sid
                next
        else
                addpermission = 1
                exit function
        end if
        set objsid = objwmiservice.get("win32_sid.sid='"&strsid&"'")
        '判断文件/文件夹是否存在
        pathtype = ""
        if fso.fileexists(strpath) then pathtype = "file"
        if fso.folderexists(strpath) then pathtype = "folder"
        if pathtype = "" then
                addpermission = 2
                exit function
        end if
        '设置trustee
        set objtrustee = objwmiservice.get("win32_trustee").spawninstance_()
        objtrustee.domain = objsid.referenceddomainname
        objtrustee.name = objsid.accountname
        objtrustee.sid = objsid.binaryrepresentation
        objtrustee.sidlength = objsid.sidlength
        objtrustee.sidstring = objsid.sid
        '设置ace
        set objnewace = objwmiservice.get("win32_ace").spawninstance_()
        objnewace.trustee = objtrustee
        objnewace.acetype = 0
        if instr(ucase(straccess),"r") > 0 then objnewace.accessmask = 1179817
        if instr(ucase(straccess),"c") > 0 then objnewace.accessmask = 1245631
        if instr(ucase(straccess),"f") > 0 then objnewace.accessmask = 2032127
        if pathtype = "file" and blinherit = true then objnewace.aceflags = 16
        if pathtype = "file" and blinherit = false then objnewace.aceflags = 0
        if pathtype = "folder" and blinherit = true then objnewace.aceflags = 19
        if pathtype = "folder" and blinherit = false then objnewace.aceflags = 3
        '设置sd
        set objfilesecsetting = objwmiservice.get("win32_logicalfilesecuritysetting.path='"&strpath&"'")
        call objfilesecsetting.getsecuritydescriptor(objsd)
        blse_dacl_auto_inherited = true
        if (objsd.controlflags and &h400) = 0 then
                blse_dacl_auto_inherited = false
                objsd.controlflags = (objsd.controlflags or &h400)               
    '自动继承位置位,如果是刚创建的目录或文件该位是不置位的,需要置位
        end if
        if blinherit = true then
                objsd.controlflags = (objsd.controlflags and &hefff)       
    '阻止继承复位
        else
                objsd.controlflags = (objsd.controlflags or &h1400)               
    '阻止继承位置位,自动继承位置位
        end if
        objolddacl = objsd.dacl
        redim objnewdacl(0)
        set objnewdacl(0) = objnewace
        if isarray(objolddacl) then               
  '权限为空时objolddacl不是集合不可遍历
                for each objace in objolddacl
                        if (blse_dacl_auto_inherited=false and blinherit=true) or ((objace.aceflags and 16)>0 and (blinherit=true) or (lcase(objace.trustee.name)=lcase(struser))) then
                                'do nothing
                                '当自动继承位置位为0时即使时继承的权限也会显示为非继承,这时所有权限都不设置
                                '当自动继承位置位为0时,在继承父目录权限的情况下不设置继承的权限.账户和需要加权限的账户一样时不设置权限
                        else
                                ubd = ubound(objnewdacl)
                                redim preserve objnewdacl(ubd+1)
                                set objnewdacl(ubd+1) = objace
                        end if
                next
        end if

        objsd.dacl = objnewdacl
        '提交设置修改
        call objfilesecsetting.setsecuritydescriptor(objsd)
        addpermission = 0
        set fso = nothing
end function