Carlos-jm
asked on
SUBINACL Return Error -> SESECURITYPRIVILIEGE : ACCESS DENIED
Hi everyone
I've created a small script (batch file) using SUBINACL and XCACLS but can't go on because subinacl returns an error
SESECURITYPRIVILIEGE : ACCESS DENIED
I've a 2003 server with 600 users and made a VERY BIG MISTAKE. Changed permissions on parent folder "USERS"
and replaced permissions on the 600 users' root folders. Now no user has access to his own folder and work.
So I've created a LOGON SCRIPT to give back permissions to the users. But I'm stuck with this error.
--------------------------
LOGON SCRIPT :
\\server\policies$\subinacl /noverbose /subdirectories \\server\users$\%username% /setowner=%username%
\\server\policies$\xcacls \\server\users$\%username% /T /C /G %username%:F;F /Y
--------------------------
At this moment the owners of the users folders are "ADMINISTRATOR" and "ADMINISTRATORS"->(group)
the folder structure is :
D:\ - Not shared
D:\users - Shared as "USERS$" with full control to everyone
D:\users\user001
D:\users\user002
.....
D:\users\user600
UNC = \\server\users$\%username%
Can someone help, it is urgent
Thank you
Carlos
Stupid me; I even had it tested here correctly, but I was in a hurry here and messed up with the copy and paste, sorry.
And that shouldn't have been %%a in the user part of the xcacls command, but %%~nxa, then it would have worked with the D:\Users path as well.
Just for future reference:
%%~nxa will return the *n*ame and the e*x*tension of the argument %%*a*; that is, the user's directory name only, without the path (enter "help call" for details).
@echo off
for /d %%a in (D:\Users\*.*) do (
ECHO xcacls %%a /t /e /c /g %%~nxa:F;F /y
)
ASKER
Thank you for your quick post.
Made 2 changes:
for /D %%a in (*.*) do (xcacls %%a /T /C /E /G %%a:F;F /y)
You forgot "%%a" after xcacls
and I had to put the batch file inside "d:\users" because "%%a" took the value "D:\USERS\USER001" and it must take
only "USER001" to work on " %%a:F;F "
Thank you for your BIG HELP
It took this batch file 4 seconds to do my work of several hours
Thanks
Carlos
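The loop from the thread with two safeguards, as an added example that is not part of any post: a dry-run switch (like the ECHO in the expert's version) and a check that an account matching the folder name (%%~nxa) exists before anything is granted. The ROOT and DRYRUN variables, the :fix label, and the use of "net user ... /domain" (which assumes domain accounts) are choices made for this example; it also assumes the batch file is run by an administrator on the server, with xcacls on the PATH.

```batch
@echo off
rem Added example, not from the thread.
rem Assumes D:\Users holds one folder per account, named exactly like the
rem account (user001 ... user600), as described in the question.
setlocal
set "ROOT=D:\Users"
rem DRYRUN=1 only prints the xcacls commands; set to 0 to apply them.
set "DRYRUN=1"

rem %%~fa = full path of the folder, %%~nxa = folder name without the path
for /d %%a in ("%ROOT%\*") do call :fix "%%~fa" "%%~nxa"
endlocal
goto :eof

:fix
rem %1 = full folder path, %2 = folder name, used as the account name.
rem Skip folders that do not correspond to an account, so a stray
rem directory never ends up in a grant command.
net user "%~2" /domain >nul 2>&1
if errorlevel 1 (
    echo SKIP  %~1 : no account named %~2
    goto :eof
)
if "%DRYRUN%"=="1" (
    echo xcacls "%~1" /t /e /c /g %~2:F;F /y
) else (
    xcacls "%~1" /t /e /c /g %~2:F;F /y
)
goto :eof
```

Review the dry-run output for the full folder list before setting DRYRUN to 0; /e edits the existing ACL rather than replacing it, as in the expert's command.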