@itc-lab
Created November 22, 2021 10:04
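<?php
// Builds an SDDL list file from a tab-separated list of
//   folder<TAB>acl_type<TAB>sAMAccountName
// lines. The output is UTF-16LE with CRLF line ends (no BOM is written) and
// holds one block per folder: the folder path with Windows separators, then
// SDDL_HEAD, the administrator ACE(s), and one ACE per list line whose account
// resolves to a SID. Lines for the same folder must be consecutive; a folder
// that reappears later in the list starts a new block.
if ($argc < 3) {
    // Both positional arguments are read below ($argv[1] and $argv[2]).
    echo_exit("Usage: php -f {$argv[0]} SddlFilePath ListPath\n");
}
define("NAMETOSID_COMMAND", "nametosid.exe");
define("ADMINISTRATOR", "administrator");
define("DOMAIN", "AD");
define("SDDL_HEAD", 'D:PAI'); // SE_DACL_PROTECTED | SE_DACL_AUTO_INHERITED
// '$$USER_SID$$' in the ACE templates is replaced with the resolved SID.
define("ACL_STRING_READ", '(A;OICI;0x1200a9;;;$$USER_SID$$)'); // (RX) : 0x1200a9
// FILE_GENERIC_READ |
// FILE_GENERIC_EXECUTE
define("ACL_STRING_WRITE", '(A;OICI;0x1301bf;;;$$USER_SID$$)');// (RX,W,D) : 0x1301bf
// FILE_GENERIC_READ |
// FILE_GENERIC_EXECUTE |
// FILE_GENERIC_WRITE |
// DELETE
define("ACL_STRING_ADMIN", '(A;OICI;FA;;;$$USER_SID$$)'); // (FA)
set_time_limit(0);
set_error_handler("error_handler");
$sddl_file = $argv[1];
$list = $argv[2];
$fp = @fopen($list, "r");
if (!$fp) {
    echo_exit("Failed to open $list");
}
$sddl_fp = @fopen($sddl_file, "w");
if (!$sddl_fp) {
    echo_exit("Failed to open $sddl_file");
}
// The administrator ACE is written into every folder block; without a
// resolvable SID it would carry an empty trustee, so stop before writing.
$admin_sid = nametosid(ADMINISTRATOR . "@" . DOMAIN);
if ($admin_sid === false) {
    echo_exit("Failed to resolve SID for " . ADMINISTRATOR . "@" . DOMAIN);
}
$acl_admins = [str_replace('$$USER_SID$$', $admin_sid, ACL_STRING_ADMIN)];
// acl_type keyword (column 2) -> ACE template; any other keyword skips the line.
$acl_templates = [
    "read" => ACL_STRING_READ,
    "write" => ACL_STRING_WRITE,
    "admin" => ACL_STRING_ADMIN,
];
$exclude_entries = []; //optional, matched case-insensitively against column 3
//$exclude_entries[] = "exclude_entry1";
//$exclude_entries[] = "exclude_entry2";
$folder_prev = null;
$line_no = 0;
// fgets() returns false at EOF, which the feof()-driven loop would otherwise
// hand to the parsing code as an extra empty line.
while (($line = fgets($fp)) !== false) {
    $line_no++;
    $line = rtrim($line, "\r\n");
    // Skip blank lines and '#' comment lines.
    if (trim($line) === "" || preg_match("/^\s*#/", $line)) {
        continue;
    }
    // Pad missing trailing columns with "" instead of suppressing notices.
    list($folder, $acl_type, $sAMAccountName) = array_pad(explode("\t", $line), 3, "");
    if ($folder === "" || !isset($acl_templates[$acl_type])) {
        continue;
    }
    $sddl = "";
    if ($sAMAccountName !== "") {
        $excluded = false;
        foreach ($exclude_entries as $exclude_entry) {
            if (strcasecmp($sAMAccountName, $exclude_entry) === 0) {
                $excluded = true;
                break;
            }
        }
        if ($excluded) {
            continue;
        }
        $sid = nametosid($sAMAccountName . "@" . DOMAIN);
        if ($sid === false) {
            // Report the dropped ACE: the folder block is still written, but
            // without this trustee, so the result differs from the list.
            fwrite(STDERR, "{$list}({$line_no}): failed to resolve SID for {$sAMAccountName}, ACE skipped\n");
        } else {
            $sddl = str_replace('$$USER_SID$$', $sid, $acl_templates[$acl_type]);
        }
    }
    // With an empty column 3 the folder block is still written and only
    // carries the administrator ACE(s).
    if ($folder_prev !== $folder) {
        if ($folder_prev !== null) {
            write_utf16le($sddl_fp, "\r\n"); // terminates the previous block
        }
        $folder_win = str_replace("/", "\\", trim($folder, "/"));
        write_utf16le($sddl_fp, $folder_win . "\r\n");
        write_utf16le($sddl_fp, SDDL_HEAD);
        foreach ($acl_admins as $acl_admin) {
            write_utf16le($sddl_fp, $acl_admin);
        }
    }
    write_utf16le($sddl_fp, $sddl);
    $folder_prev = $folder;
}
write_utf16le($sddl_fp, "\r\n");
fclose($fp);
fclose($sddl_fp);
exit;

/**
 * Writes $text to $fp re-encoded from UTF-8 to UTF-16LE.
 *
 * Declared after exit like the other helpers in this file; PHP hoists
 * unconditional top-level function declarations, so it is callable above.
 *
 * @param resource $fp   open, writable stream
 * @param string   $text UTF-8 text (may be empty; nothing is written then)
 * @return void
 */
function write_utf16le($fp, $text)
{
    fwrite($fp, mb_convert_encoding($text, "UTF-16LE", "UTF-8"));
}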
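/**
 * Resolves an account name (e.g. "user@DOMAIN") to its SID by running
 * NAMETOSID_COMMAND and taking the first line of its output.
 *
 * Successful lookups are memoised for the lifetime of the process; failures
 * are not, so a later call for the same name runs the command again.
 *
 * @param string $sAMAccountName account name passed to the command as one argument
 * @return string|false the SID, or false when the command exits non-zero or
 *                      prints nothing
 */
function nametosid($sAMAccountName)
{
    static $cache = [];
    if (!isset($cache[$sAMAccountName])) {
        // The name comes from the input list, so it is quoted for the shell
        // by escapeshellarg() instead of being interpolated inside bare
        // double quotes. NOTE: on Windows escapeshellarg() replaces '%', '!'
        // and '"' with spaces, so a name containing them fails to resolve
        // rather than reaching the shell unquoted.
        $cmd = NAMETOSID_COMMAND . " " . escapeshellarg($sAMAccountName);
        $so = [];
        $rt = 1;
        exec($cmd, $so, $rt);
        // A zero exit status with no output would otherwise read $so[0]
        // of an empty array.
        if ($rt !== 0 || !isset($so[0])) {
            return false;
        }
        $cache[$sAMAccountName] = $so[0];
    }
    return $cache[$sAMAccountName];
}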
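/**
 * Error handler installed via set_error_handler(): turns any reportable PHP
 * error into "file(line):message" and terminates through echo_exit().
 *
 * @param int    $errno      error level of the raised error
 * @param string $errstr     error message
 * @param string $errfile    file the error was raised in
 * @param int    $errline    line the error was raised on
 * @param mixed  $errcontext unused; optional because PHP 8 calls handlers with
 *                           four arguments, and a required fifth parameter
 *                           would make every invocation fail with
 *                           ArgumentCountError
 * @return bool false when the error is masked by error_reporting() (e.g. under
 *              the @ operator), so PHP's default handling continues; does not
 *              return otherwise
 */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext = null)
{
    if (!(error_reporting() & $errno)) {
        return false;
    }
    // Mask further errors before exiting; presumably so that nothing raised
    // while reporting re-enters this handler.
    error_reporting(0);
    echo_exit("{$errfile}({$errline}):{$errstr}");
}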
/**
 * Prints $msg followed by a newline to standard output and terminates the
 * script with a non-zero exit status.
 *
 * @param string $msg message to print
 * @return never
 */
function echo_exit($msg)
{
    print "{$msg}\n";
    exit(-1);
}