?
Solved

SUBINACL Return Error -> SESECURITYPRIVILIEGE : ACCESS DENIED

Posted on 2005-02-28
3
Medium Priority
?
487 Views
Last Modified: 2010-08-05
Hi everyone

I've created a small script (batch file) using SUBINACL and XCACLS but can´t go on because subinacl returns a error
SESECURITYPRIVILIEGE : ACCESS DENIED

I've a 2003 server with 600 users and made a VERY BIG MISTAKE. Changed permissions on parent folder "USERS"
and replace permissions on the 600 users root folders. Now no user has access to his own folder and work.

So I've created a LOGON SCRIPT to give back permissions to the users. But I'm stucked with this error.

---------------------------------------------------------------------------------------------------------------------------------
LOGON SCRIPT :

\\server\policies$\subinacl /noverbose /subdirectories \\server\users$\%username% /setowner=%username%
\\server\policies$\xcacls \\server\users$\%username% /T /C /G %username%:F;F /Y
----------------------------------------------------------------------------------------------------------------------------------

At this moment the owners of the users folders are "ADMINISTRATOR" and "ADMINISTRATORS"->(group)

the folder structure is :
D:\ - Not shared
D:\users - Shared as "USERS$" with full control to everyone
D:\users\user001
D:\users\user002
.....
D:\users\user600
UNC = \\server\users$\%username%

Can someone help, it is urgent

Thank you
Carlos
0
Comment
Question by:Carlos-jm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 13418959
That's not possible in the logon script. For obvious reasons, users lack the permissions to change the permissions...
This little batch might help; run it on the server in question.
It's currently in test mode, it will only display the xcacls command it would otherwise issue, so that you can test it. You might especially try this on a test directory first.
This will list all folders in the given directory, and then give the users (well, the name of the folders found) full access to their home directories. Note the /e switch, which will edit the ACL instead of replacing it (and removing the administrators from the permissions).
Remove the ECHO in front of the xcacls line to run it for real.
As usual: No warranties included; use it at your own risk.

@echo off
for /d %%a in (D:\Users\*.*) do (
  ECHO xcacls /t /e /c /g %%a:F;F /y
)
0
 

Author Comment

by:Carlos-jm
ID: 13419228
Hi obda

thank you for your quick post.

made 2 changes

for /D %%a in (*.*) do (xcacls %%a /T /C /E /G %%a:F;F /y)

you forgot "%%a" after xcacls
and had to put the batch file inside "d:\users" because "%%a" took the value "D:\USERS\USER001" and it must take
only "USER001" to work on " %%a:F;F "

Thank you for your BIG HELP

Took 4 seconds to this batch file make my work of severall hours

Thanks
Carlos
0
 
LVL 85

Expert Comment

by:oBdA
ID: 13420393
Stupid me; I even had it tested here correctly, but I wa sin a hurry here and messed up with the copy and paste, sorry.
And that shouldn't have been %%a in the user part of the xcacls command, but %%~nxa, then it would have worked with the D:\Users path as well.
Just for future reference:
%%~nxa will return the *n*ame and the e*x*tension of the argument %%*a*; that is, the user's directory name only, without the path (enter "help call" for details).

@echo off
for /d %%a in (D:\Users\*.*) do (
 ECHO xcacls %%a /t /e /c /g %%~nxa:F;F /y
)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question