/*---------------------------------------------------------------------------*\
 * NAME: DisplayAccess                                                       *
 * --------------------------------------------------------------------------*
 * DESCRIPTION: 
\*---------------------------------------------------------------------------*/
/*
 * Prints a human-readable summary of one ACE's COM rights for a principal.
 *
 * dwAccessMask  - the ACE access mask (COM_RIGHTS_* bits).
 * dwSDType      - descriptor kind; any SDTYPE_ACCESS bit selects the "access"
 *                 wording, otherwise the "launch"/"activation" wording is used.
 * tszAccessType - text inserted after the verb (supplied by the caller).
 * tszUser, tszDomain - principal, printed as DOMAIN\user.
 *
 * Under the legacy model only COM_RIGHTS_EXECUTE is examined. Under the
 * enhanced model a bare COM_RIGHTS_EXECUTE (no specific bit set) is reported
 * as both local and remote, which is how the mask is interpreted below.
 * Nothing is printed when the mask carries none of the relevant bits.
 */
void DisplayAccess(
    DWORD dwAccessMask, 
    DWORD dwSDType, 
    LPCTSTR tszAccessType, 
    LPCTSTR tszUser, 
    LPCTSTR tszDomain
    )
{
    const BOOL fLegacy   = IsLegacySecurityModel();
    const BOOL fAccessSD = (dwSDType & SDTYPE_ACCESS) != 0;
    const BOOL fGeneric  = (dwAccessMask & COM_RIGHTS_EXECUTE) != 0;

    if (fLegacy)
    {
        // Legacy model: there is no local/remote split, only the generic bit.
        if (fGeneric)
        {
            if (fAccessSD)
            {
                _tprintf (_T("Access %s to %s\\%s.\n"),
                          tszAccessType, tszDomain, tszUser);
            }
            else
            {
                _tprintf (_T("Launch %s to %s\\%s.\n"),
                          tszAccessType, tszDomain, tszUser);
            }
        }
        return;
    }

    // Enhanced model only: the policy warning precedes any output.
    WarnIfGlobalPolicySet();

    if (fAccessSD)
    {
        // Generic EXECUTE implies a side unless the opposite side is named.
        const BOOL fLocal  = (dwAccessMask & COM_RIGHTS_EXECUTE_LOCAL) ||
                             (fGeneric && !(dwAccessMask & COM_RIGHTS_EXECUTE_REMOTE));
        const BOOL fRemote = (dwAccessMask & COM_RIGHTS_EXECUTE_REMOTE) ||
                             (fGeneric && !(dwAccessMask & COM_RIGHTS_EXECUTE_LOCAL));

        if (fLocal || fRemote)
        {
            LPCTSTR tszScope = !fLocal ? _T("Remote")
                             : (fRemote ? _T("Remote and Local") : _T("Local"));

            _tprintf (_T("%s access %s to %s\\%s.\n"),
                      tszScope, tszAccessType, tszDomain, tszUser);
        }
        return;
    }

    // Launch descriptor: generic EXECUTE with none of the four specific bits
    // stands for all four rights; otherwise each right needs its own bit.
    const DWORD dwSpecific = dwAccessMask & (COM_RIGHTS_EXECUTE_LOCAL   |
                                             COM_RIGHTS_EXECUTE_REMOTE  |
                                             COM_RIGHTS_ACTIVATE_LOCAL  |
                                             COM_RIGHTS_ACTIVATE_REMOTE);
    const BOOL fBareExecute = fGeneric && (dwSpecific == 0);

    const BOOL fLocalLaunch    = (dwAccessMask & COM_RIGHTS_EXECUTE_LOCAL)   || fBareExecute;
    const BOOL fRemoteLaunch   = (dwAccessMask & COM_RIGHTS_EXECUTE_REMOTE)  || fBareExecute;
    const BOOL fLocalActivate  = (dwAccessMask & COM_RIGHTS_ACTIVATE_LOCAL)  || fBareExecute;
    const BOOL fRemoteActivate = (dwAccessMask & COM_RIGHTS_ACTIVATE_REMOTE) || fBareExecute;

    if (fLocalLaunch || fRemoteLaunch)
    {
        LPCTSTR tszScope = !fLocalLaunch ? _T("Remote")
                         : (fRemoteLaunch ? _T("Remote and Local") : _T("Local"));

        _tprintf (_T("%s launch %s to %s\\%s.\n"),
                  tszScope, tszAccessType, tszDomain, tszUser);
    }

    if (fLocalActivate || fRemoteActivate)
    {
        LPCTSTR tszScope = !fLocalActivate ? _T("Remote")
                         : (fRemoteActivate ? _T("Remote and Local") : _T("Local"));

        _tprintf (_T("%s activation %s to %s\\%s.\n"),
                  tszScope, tszAccessType, tszDomain, tszUser);
    }
}
/*---------------------------------------------------------------------------*\
 * NAME: CanonicalizeSD 
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Ensures the entire security descriptor is consistent with the new permission
 * format.
\*---------------------------------------------------------------------------*/
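/*
 * Rewrites the access mask of every ACE in the descriptor's DACL so that the
 * generic COM_RIGHTS_EXECUTE bit and the four specific rights agree:
 *   - EXECUTE set, no specific right set  -> all four specific rights are set;
 *   - EXECUTE clear                       -> all four specific rights are cleared.
 *
 * Returns ERROR_SUCCESS when the legacy model is active, when there is no
 * DACL, or when every ACE was processed; GetLastError() if the DACL cannot be
 * read; ERROR_INVALID_PARAMETER if the ACL layout is inconsistent.
 *
 * The DACL is edited in place, so ACEs that precede a malformed one have
 * already been rewritten when ERROR_INVALID_PARAMETER is returned.
 */
DWORD CanonicalizeSD(PSECURITY_DESCRIPTOR pSD)
{
    BOOL fSuccess = FALSE, fACLPresent = FALSE, fDefaulted = FALSE;
    ACL* pACL = NULL;

    if(IsLegacySecurityModel()) return ERROR_SUCCESS;
 
    fSuccess = GetSecurityDescriptorDacl(pSD, &fACLPresent, &pACL, &fDefaulted);
    if (fSuccess == FALSE)
    {
        return GetLastError();
    }

    // No DACL to walk.
    if ( !pACL )
    {
        return ERROR_SUCCESS;
    }
 
    const ACCESS_MASK dwOtherRights = COM_RIGHTS_EXECUTE_LOCAL |
                                      COM_RIGHTS_EXECUTE_REMOTE |
                                      COM_RIGHTS_ACTIVATE_LOCAL |
                                      COM_RIGHTS_ACTIVATE_REMOTE;

    // Each ACE has a header and a mask field as a minimum; those are the only
    // bytes this function reads or writes.
    const DWORD dwMinAceSize = sizeof(ACE_HEADER) + sizeof(ACCESS_MASK);
    const DWORD dwAclSize    = pACL->AclSize;
    DWORD dwOffset           = sizeof(ACL);   // first ACE follows the ACL header

    for ( int i = 0; i < pACL->AceCount ; i++)
    {
        // Protect against bad ACL structure: header + mask must lie entirely
        // inside AclSize. The comparison is arranged so that it cannot wrap
        // when AclSize is smaller than the minimum ACE.
        if (dwAclSize < dwMinAceSize || dwOffset > dwAclSize - dwMinAceSize)
        {
            return ERROR_INVALID_PARAMETER;
        }

        PACE_HEADER pAceHeader = (PACE_HEADER)((ULONG_PTR)pACL + dwOffset);
        DWORD dwAceSize = pAceHeader->AceSize;

        // Ensure the ACE is at least minimum size and does not claim more
        // bytes than remain in the ACL (dwOffset <= dwAclSize holds here).
        if (dwAceSize < dwMinAceSize || dwAceSize > dwAclSize - dwOffset)
        {
            return ERROR_INVALID_PARAMETER;
        }

        PACCESS_MASK pAccessMask =
            (PACCESS_MASK)((ULONG_PTR)pAceHeader + sizeof(ACE_HEADER));

        // Canonicalize AccessMask
        if (*pAccessMask & COM_RIGHTS_EXECUTE)
        {
            // COM_RIGHTS_EXECUTE with no specific right means "all of them".
            if ((*pAccessMask & dwOtherRights) == 0)
            {
                *pAccessMask |= dwOtherRights;
            }
        }
        else
        {
            // COM_RIGHTS_EXECUTE not set, so clear all specific rights.
            *pAccessMask &= ~dwOtherRights;
        }

        dwOffset += dwAceSize;
    }
 
    return ERROR_SUCCESS;
}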
// Populates *ppDacl with the default allow ACEs for an application launch or
// access descriptor.
//
// Under the legacy model the work is delegated to SetLegacyACLDefaults().
// Otherwise three allow ACEs are added, in the order g_ptszPrincipals[1],
// [2], [0] (SYSTEM, Administrators, INTERACTIVE according to the original
// comments). Every default mask carries only *_LOCAL bits plus the generic
// COM_RIGHTS_EXECUTE; no *_REMOTE bit is granted here.
//
// Returns the first non-success code from AddAccessAllowedACEToACL(),
// ERROR_SUCCESS when all three ACEs were added, or ERROR_BAD_ARGUMENTS for
// any dwSDType other than the two SDTYPE_APPLICATION_* values.
DWORD COxtSecurityHelper::SetACLDefaults(PACL *ppDacl, DWORD dwSDType)
{
	if (IsLegacySecurityModel())
		return SetLegacyACLDefaults(ppDacl, dwSDType);

	DWORD dwRights = 0;

	switch (dwSDType)
	{
	case SDTYPE_APPLICATION_LAUNCH:
		dwRights = COM_RIGHTS_ACTIVATE_LOCAL |
				   COM_RIGHTS_EXECUTE_LOCAL |
				   COM_RIGHTS_EXECUTE;
		break;
	case SDTYPE_APPLICATION_ACCESS:
		dwRights = COM_RIGHTS_EXECUTE_LOCAL |
				   COM_RIGHTS_EXECUTE;
		break;
	default:
		return ERROR_BAD_ARGUMENTS;
	}

	// Index order into g_ptszPrincipals: SYSTEM, Administrators, INTERACTIVE.
	static const int s_rgiPrincipalOrder[] = { 1, 2, 0 };
	const unsigned int cPrincipals =
		sizeof(s_rgiPrincipalOrder) / sizeof(s_rgiPrincipalOrder[0]);

	DWORD dwReturnValue = ERROR_BAD_ARGUMENTS;

	for (unsigned int i = 0; i < cPrincipals; i++)
	{
		dwReturnValue = AddAccessAllowedACEToACL(ppDacl,
												 dwRights,
												 g_ptszPrincipals[s_rgiPrincipalOrder[i]]);

		// Stop at the first failure; later principals are not attempted.
		if (dwReturnValue != ERROR_SUCCESS)
			break;
	}

	return dwReturnValue;
}
// Policy check for one ACE: returns false (and logs a security-failure event)
// when an allow entry would grant any form of remote access, true otherwise.
//
// dwAccessMask - COM_RIGHTS_* bits of the ACE.
// dwSDType     - only the SDTYPE_APPLICATION_ACCESS and
//                SDTYPE_APPLICATION_LAUNCH bits are examined; any other
//                descriptor type passes the check untouched.
// bPermit      - non-zero for an allow entry. Deny entries always pass,
//                since this check is not concerned with what is denied.
//
// The legacy security model is not supported (nothing lower than XPSP3), so
// the check simply passes there. The WarnIfGlobalPolicySet() call was removed.
//
// NOTE(review): tszUser and tszDomain are not referenced in this function, so
// the logged event does not name the principal from here - confirm whether
// that is intended.
bool COxtSecurityHelper::DenyCheckUser(DWORD dwAccessMask,
									   DWORD dwSDType,
									   LPCTSTR tszUser,
									   LPCTSTR tszDomain,
									   BOOL bPermit)
{
	if (IsLegacySecurityModel())
		return true;

	// Only an allow entry can grant remote access; nothing else to inspect.
	if (!bPermit)
		return true;

	const bool bGeneric = (dwAccessMask & COM_RIGHTS_EXECUTE) != 0;

	if (dwSDType & SDTYPE_APPLICATION_ACCESS)
	{
		// Generic EXECUTE without an explicit LOCAL bit includes remote access.
		const bool bRemoteAccess =
			(dwAccessMask & COM_RIGHTS_EXECUTE_REMOTE) != 0 ||
			(bGeneric && (dwAccessMask & COM_RIGHTS_EXECUTE_LOCAL) == 0);

		if (bRemoteAccess)
		{
			m_pclOxtSvc->LogEventTypeId(ctxLS(IDS_DENY_REMOTE_CHECK_FOR_zS_DETECTE_OXTSECURITYHELPER_1279),
									 EVENTLOG_ERROR_TYPE, EVMSG_SECURITY_FAILURE,
									 _T("AccessPermission"));
			return false;
		}
	}

	if (dwSDType & SDTYPE_APPLICATION_LAUNCH)
	{
		// For each remote right: either its own bit is set, or generic EXECUTE
		// is set with none of the other three specific bits present.
		const DWORD dwAllButRemoteLaunch = COM_RIGHTS_EXECUTE_LOCAL   |
										   COM_RIGHTS_ACTIVATE_REMOTE |
										   COM_RIGHTS_ACTIVATE_LOCAL;
		const DWORD dwAllButRemoteActivate = COM_RIGHTS_EXECUTE_LOCAL  |
											 COM_RIGHTS_EXECUTE_REMOTE |
											 COM_RIGHTS_ACTIVATE_LOCAL;

		const bool bRemoteLaunch =
			(dwAccessMask & COM_RIGHTS_EXECUTE_REMOTE) != 0 ||
			(bGeneric && (dwAccessMask & dwAllButRemoteLaunch) == 0);

		const bool bRemoteActivate =
			(dwAccessMask & COM_RIGHTS_ACTIVATE_REMOTE) != 0 ||
			(bGeneric && (dwAccessMask & dwAllButRemoteActivate) == 0);

		if (bRemoteLaunch)
		{
			m_pclOxtSvc->LogEventTypeId(ctxLS(IDS_DENY_REMOTE_CHECK_FOR_zS_DETECTE_OXTSECURITYHELPER_1301),
									 EVENTLOG_ERROR_TYPE, EVMSG_SECURITY_FAILURE,
									 _T("LaunchPermission-Launch"));
			return false;
		}

		if (bRemoteActivate)
		{
			m_pclOxtSvc->LogEventTypeId(ctxLS(IDS_DENY_REMOTE_CHECK_FOR_zS_DETECTE_OXTSECURITYHELPER_1309),
									 EVENTLOG_ERROR_TYPE, EVMSG_SECURITY_FAILURE,
									 _T("LaunchPermission-Activate"));
			return false;
		}
	}

	return true;
}
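/*
 * Handles the per-AppID launch/activation option.
 *
 * Expected argument layout (indices into pptszArgv):
 *   [2] AppID, [3] LIST | DEFAULT | SET | REMOVE,
 *   [4] principal (SET/REMOVE), [5] PERMIT | DENY (SET),
 *   [6] optional level string (SET, only read when cArgs == 7).
 *
 * LIST prints the AppID's launch ACL. DEFAULT deletes the AppID's
 * LaunchPermission value so the machine default applies. SET and REMOVE
 * change the ACL through ChangeAppIDLaunchAndActivateACL() and then list it.
 *
 * ShowUsage() and Error() are expected not to return; every call is still
 * followed by an explicit return so that argv is never indexed past cArgs
 * and no success message is printed after a failure.
 */
void HandleApplicationLaunchAndActivateOption (
    int cArgs,
    TCHAR **pptszArgv
    )
{
    DWORD dwReturnValue                 = ERROR_SUCCESS;
    HKEY  hkeyRegistry                  = NULL;
    TCHAR tszAppID [SIZE_NAME_BUFFER]   = {0};
    TCHAR tszKeyName [SIZE_NAME_BUFFER] = {0};

    DWORD dwAccessMask = COM_RIGHTS_EXECUTE;
    
    if (cArgs < 4)
    {
        ShowUsage (_T("Invalid number of arguments."));
        return;
    }

    if (_tcsicmp (pptszArgv[3], _T("LIST")) == 0)
    {
        _tprintf (_T("Launch permission list for AppID %s:\n\n"), pptszArgv[2]);
        ListAppIDLaunchACL (pptszArgv[2]);
        return;
    }

    if (_tcsicmp (pptszArgv[3], _T("DEFAULT")) == 0)
    {
        // Both formats are bounded by the destination buffer size; the AppID
        // is wrapped in braces only when the caller did not supply them.
        _stprintf_s (tszAppID, RTL_NUMBER_OF(tszAppID), pptszArgv [2][0] == '{' ? _T("%s") : _T("{%s}"), pptszArgv [2]);
        _stprintf_s (tszKeyName, RTL_NUMBER_OF(tszKeyName), _T("APPID\\%s"), tszAppID);

        // Deleting a value only needs KEY_SET_VALUE; asking for KEY_ALL_ACCESS
        // requests far more rights on the key than this operation uses.
        dwReturnValue = RegOpenKeyEx (HKEY_CLASSES_ROOT, tszKeyName, 0, KEY_SET_VALUE, &hkeyRegistry);
        if (dwReturnValue == ERROR_SUCCESS)
        {
            dwReturnValue = RegDeleteValue (hkeyRegistry, _T("LaunchPermission"));

            // Close before reporting so the handle is released on every path.
            RegCloseKey (hkeyRegistry);
            hkeyRegistry = NULL;

            if (dwReturnValue != ERROR_SUCCESS && dwReturnValue != ERROR_FILE_NOT_FOUND)
            {
                Error (_T("ERROR: Cannot delete LaunchPermission value."), dwReturnValue);
                return;
            }
        }
        else if (dwReturnValue != ERROR_FILE_NOT_FOUND)
        {
            Error (_T("ERROR: Cannot open AppID registry key."), dwReturnValue);
            return;
        }
        // ERROR_FILE_NOT_FOUND on open: no AppID key, so there is no
        // LaunchPermission value to delete and the default already applies.
        // RegDeleteValue must not be called with the NULL handle.

        _tprintf (_T("Successfully set the Application Launch to the machine default.\n"));

        return;
    }

    if (cArgs < 5)
    {
        ShowUsage (_T("Invalid number of arguments."));
        return;
    }

    if (_tcsicmp (pptszArgv [3], _T("SET")) == 0)
    {
        if (cArgs < 6)
        {
            ShowUsage (_T("Invalid number of arguments."));
            return;
        }

        if(cArgs == 7) 
        {
            SetAccessMaskFromCommandLine(pptszArgv[6], &dwAccessMask, SDTYPE_APPLICATION_LAUNCH);
        }
        else if(!IsLegacySecurityModel())
        {
            // No level given: the mask stays at generic COM_RIGHTS_EXECUTE.
            _tprintf (_T("WARNING: Default access flags designated on a system with an enhanced security model.\n"));
        }

        if (_tcsicmp (pptszArgv [5], _T("PERMIT")) == 0)
        {
            dwReturnValue = ChangeAppIDLaunchAndActivateACL (pptszArgv[2], pptszArgv [4], TRUE, TRUE, dwAccessMask);
        }
        else if (_tcsicmp (pptszArgv [5], _T("DENY")) == 0)
        {
            dwReturnValue = ChangeAppIDLaunchAndActivateACL (pptszArgv[2], pptszArgv [4], TRUE, FALSE, dwAccessMask);
        }
        else
        {
            ShowUsage (_T("You can only set a user's permissions to \"permit\" or \"deny\".\n\n"));
            return;
        }

        if (dwReturnValue != ERROR_SUCCESS)
        {
            Error (_T("ERROR: Cannot add user to application launch ACL."), dwReturnValue);
            return;
        }
    } 
    else if (_tcsicmp (pptszArgv [3], _T("REMOVE")) == 0)
    {
        dwReturnValue = ChangeAppIDLaunchAndActivateACL (pptszArgv[2], pptszArgv[4], FALSE, FALSE, dwAccessMask);

        if (dwReturnValue != ERROR_SUCCESS)
        {
            Error (_T("ERROR: Cannot remove user from application launch ACL."), dwReturnValue);
            return;
        }
    } 
    else
    {
        ShowUsage (_T("You can only \"set\" or \"remove\" a user."));
        return;
    }

    _tprintf (_T("Successfully set the Application Launch ACL.\n"));

    ListAppIDLaunchACL(pptszArgv[2]);
}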
/*---------------------------------------------------------------------------*\
 * NAME: HandleDefaultLaunchOption                                           *
 * --------------------------------------------------------------------------*
 * DESCRIPTION: 
\*---------------------------------------------------------------------------*/
/*
 * Handles the default-launch option.
 *
 * Expected argument layout (indices into pptszArgv):
 *   [2] LIST | SET | REMOVE, [3] principal (SET/REMOVE),
 *   [4] PERMIT | DENY (SET), [5] optional level string (SET, only read when
 *   cArgs == 6).
 *
 * LIST prints the default launch ACL and returns. SET and REMOVE change it
 * through ChangeDefaultLaunchAndActivateACL() and then list the result.
 * The argv indexing after each count check depends on ShowUsage() not
 * returning.
 */
void HandleDefaultLaunchOption (
    int cArgs,
    TCHAR **pptszArgv
    )
{
    DWORD dwAccessMask  = COM_RIGHTS_EXECUTE;
    DWORD dwReturnValue = ERROR_SUCCESS;

    if (cArgs < 3) ShowUsage (_T("Invalid number of arguments."));

    const TCHAR *tszVerb = pptszArgv [2];

    if (_tcsicmp (tszVerb, _T("LIST")) == 0)
    {
        _tprintf (_T("Default launch permission list:\n\n"));

        dwReturnValue = ListDefaultLaunchACL();
        if (dwReturnValue != ERROR_SUCCESS)
        {
            Error (_T("ERROR: Cannot list default launch ACL."), dwReturnValue);
        }

        return;
    }

    if (cArgs < 4) ShowUsage (_T("Invalid number of arguments."));

    if (_tcsicmp (tszVerb, _T("SET")) == 0)
    {
        if (cArgs < 5) ShowUsage (_T("Invalid number of arguments."));

        // An explicit level string replaces the generic mask; without one the
        // mask stays at COM_RIGHTS_EXECUTE and a warning is shown on systems
        // using the enhanced model.
        if (cArgs == 6)
        {
            SetAccessMaskFromCommandLine(pptszArgv[5], &dwAccessMask, SDTYPE_DEFAULT_LAUNCH);
        }
        else if (!IsLegacySecurityModel())
        {
            _tprintf (_T("WARNING: Default access flags designated on a system with an enhanced security model.\n"));
        }

        const BOOL fPermit = (_tcsicmp (pptszArgv [4], _T("PERMIT")) == 0);

        if (fPermit || _tcsicmp (pptszArgv [4], _T("DENY")) == 0)
        {
            dwReturnValue = ChangeDefaultLaunchAndActivateACL (pptszArgv [3], TRUE, fPermit, dwAccessMask);
        }
        else
        {
            ShowUsage (_T("You can only set a user's permissions to \"permit\" or \"deny\".\n\n"));
        }

        if (dwReturnValue != ERROR_SUCCESS)
        {
            Error (_T("ERROR: Cannot add user to default launch ACL."), dwReturnValue);
        }
    }
    else if (_tcsicmp (tszVerb, _T("REMOVE")) == 0)
    {
        dwReturnValue = ChangeDefaultLaunchAndActivateACL (pptszArgv[3], FALSE, FALSE, dwAccessMask);

        if (dwReturnValue != ERROR_SUCCESS)
        {
            Error (_T("ERROR: Cannot remove user from default launch ACL."), dwReturnValue);
        }
    }
    else
    {
        ShowUsage (_T("You can only \"set\" or \"remove\" a user."));
    }

    _tprintf (_T("Successfully set the Default Launch ACL.\n"));

    ListDefaultLaunchACL();
}
/*---------------------------------------------------------------------------*\
 * NAME: ShowUsage                                                           *
 * --------------------------------------------------------------------------*
 * DESCRIPTION: 
\*---------------------------------------------------------------------------*/
/*
 * Prints tszErrorString, then the dcomperm syntax, options and examples, and
 * terminates the process with exit(0). It does not return to the caller.
 *
 * The machine-wide (-ma/-ml) options and the "level:" suffixes are shown only
 * when IsLegacySecurityModel() reports the enhanced model. Output pauses for
 * a key press (_getch) before the -runas section.
 *
 * NOTE(review): the -runas form documented here takes the account password
 * as a command-line argument; command lines are commonly visible to other
 * processes and kept in shell history, so callers should treat that value as
 * exposed.
 */
void ShowUsage (
    LPTSTR tszErrorString
    )
{
    const BOOL fLegacy = IsLegacySecurityModel();

    // Line endings for the option/example lines: the enhanced model appends
    // the accepted level list, the legacy model just ends the line.
    LPCTSTR tszAccessLevels  = fLegacy ? _T("\n") : _T("[\"level:l,r\"]\n");
    LPCTSTR tszLaunchLevels  = fLegacy ? _T("\n") : _T("[\"level:l,r,ll,la,rl,ra\"]\n");
    LPCTSTR tszAccessExample = fLegacy ? _T("\n") : _T(" level:r\n");
    LPCTSTR tszLaunchExample = fLegacy ? _T("\n") : _T(" level:rl,ra\n");

    _tprintf (_T("%s\n"), tszErrorString);
    _tprintf (_T("Syntax: dcomperm <option> [...]\n\n"));

    _tprintf (_T("Options:\n"));

    if (!fLegacy)
    {
        _tprintf (_T("   -ma <\"set\" or \"remove\"> <Principal Name> [\"permit\" or \"deny\"] [\"level:l,r\"]\n"));
        _tprintf (_T("   -ma list\n"));
        _tprintf (_T("       Modify or list the machine access permission list\n\n"));

        _tprintf (_T("   -ml <\"set\" or \"remove\"> <Principal Name> [\"permit\" or \"deny\"] [\"level:l,r,ll,la,rl,ra\"]\n"));
        _tprintf (_T("   -ml list\n"));
        _tprintf (_T("       Modify or list the machine launch permission list\n\n"));
    }

    // Default access
    _tprintf (_T("   -da <\"set\" or \"remove\"> <Principal Name> [\"permit\" or \"deny\"] "));
    _tprintf (_T("%s"), tszAccessLevels);
    _tprintf (_T("   -da list\n"));
    _tprintf (_T("       Modify or list the default access permission list\n\n"));

    // Default launch
    _tprintf (_T("   -dl <\"set\" or \"remove\"> <Principal Name> [\"permit\" or \"deny\"] "));
    _tprintf (_T("%s"), tszLaunchLevels);
    _tprintf (_T("   -dl list\n"));
    _tprintf (_T("       Modify or list the default launch permission list\n\n"));

    // Per-AppID access
    _tprintf (_T("   -aa <AppID> <\"set\" or \"remove\"> <Principal Name> [\"permit\" or \"deny\"] "));
    _tprintf (_T("%s"), tszAccessLevels);
    _tprintf (_T("   -aa <AppID> default\n"));
    _tprintf (_T("   -aa <AppID> list\n"));
    _tprintf (_T("       Modify or list the access permission list for a specific AppID\n\n"));

    // Per-AppID launch
    _tprintf (_T("   -al <AppID> <\"set\" or \"remove\"> <Principal Name> [\"permit\" or \"deny\"] "));
    _tprintf (_T("%s"), tszLaunchLevels);
    _tprintf (_T("   -al <AppID> default\n"));
    _tprintf (_T("   -al <AppID> list\n"));
    _tprintf (_T("       Modify or list the launch permission list for a specific AppID\n\n"));

    if (!fLegacy)
    {
        _tprintf (_T("level: \n"));
        _tprintf (_T("\tll - local launch (only applies to {ml, dl, al} options)  \n"));
        _tprintf (_T("\trl - remote launch (only applies to {ml, dl, al} options)  \n"));
        _tprintf (_T("\tla - local activate (only applies to {ml, dl, al} options)  \n"));
        _tprintf (_T("\tra - remote activate (only applies to {ml, dl, al} options)  \n"));
        _tprintf (_T("\tl  - local (local access - means launch and activate when used with {ml, dl, al} options)  \n"));
        _tprintf (_T("\tr  - remote (remote access - means launch and activate when used with {ml, dl, al} options)  \n\n"));
    }

    // Pause, then overwrite the prompt line before printing the rest.
    _tprintf (_T("Press any key to continue. . ."));
    _getch();
    _tprintf (_T("\r                               \r"));

    _tprintf (_T("   -runas <AppID> <Principal Name> <Password>\n"));
    _tprintf (_T("   -runas <AppID> \"Interactive User\"\n"));
    _tprintf (_T("   -runas <AppID> \"Launching User\"\n"));
    _tprintf (_T("       Set the RunAs information for a specific AppID\n\n"));

    _tprintf (_T("Examples:\n"));
    _tprintf (_T("   dcomperm -da set redmond\\t-miken permit"));
    _tprintf (_T("%s"), tszAccessExample);
    _tprintf (_T("   dcomperm -dl set redmond\\jdoe deny"));
    _tprintf (_T("%s"), tszLaunchExample);
    _tprintf (_T("   dcomperm -aa {12345678-1234-1234-1234-00aa00bbf7c7} list\n"));
    _tprintf (_T("   dcomperm -al {12345678-1234-1234-1234-00aa00bbf7c7} remove redmond\\t-miken\n"));
    _tprintf (_T("   dcomperm -runas {12345678-1234-1234-1234-00aa00bbf7c7} redmond\\jdoe password\n"));

    exit (0);
}