  • Status: Solved

SUBINACL Return Error -> SESECURITYPRIVILIEGE : ACCESS DENIED

Hi everyone

I've created a small script (batch file) using SUBINACL and XCACLS but can't go on because subinacl returns an error
SESECURITYPRIVILIEGE : ACCESS DENIED

I've a 2003 server with 600 users and made a VERY BIG MISTAKE. Changed permissions on parent folder "USERS"
and replaced permissions on the 600 users' root folders. Now no user has access to his own folder and work.

So I've created a LOGON SCRIPT to give back permissions to the users. But I'm stuck with this error.

---------------------------------------------------------------------------------------------------------------------------------
LOGON SCRIPT :

\\server\policies$\subinacl /noverbose /subdirectories \\server\users$\%username% /setowner=%username%
\\server\policies$\xcacls \\server\users$\%username% /T /C /G %username%:F;F /Y
----------------------------------------------------------------------------------------------------------------------------------

At this moment the owners of the users folders are "ADMINISTRATOR" and "ADMINISTRATORS"->(group)

the folder structure is :
D:\ - Not shared
D:\users - Shared as "USERS$" with full control to everyone
D:\users\user001
D:\users\user002
.....
D:\users\user600
UNC = \\server\users$\%username%

Can someone help, it is urgent

Thank you
Carlos
Carlos-jm
1 Solution
 
oBdA Commented:
That's not possible in the logon script. For obvious reasons, users lack the permissions to change the permissions...
This little batch might help; run it on the server in question.
It's currently in test mode, it will only display the xcacls command it would otherwise issue, so that you can test it. You might especially try this on a test directory first.
This will list all folders in the given directory, and then give the users (well, the name of the folders found) full access to their home directories. Note the /e switch, which will edit the ACL instead of replacing it (and removing the administrators from the permissions).
Remove the ECHO in front of the xcacls line to run it for real.
As usual: No warranties included; use it at your own risk.

@echo off
for /d %%a in (D:\Users\*.*) do (
  ECHO xcacls /t /e /c /g %%a:F;F /y
)
 
Carlos-jm (Author) Commented:
Hi obda

thank you for your quick post.

made 2 changes

for /D %%a in (*.*) do (xcacls %%a /T /C /E /G %%a:F;F /y)

you forgot "%%a" after xcacls
and had to put the batch file inside "d:\users" because "%%a" took the value "D:\USERS\USER001" and it must take
only "USER001" to work on " %%a:F;F "

Thank you for your BIG HELP

It took this batch file 4 seconds to do my work of several hours

Thanks
Carlos
 
oBdA Commented:
Stupid me; I even had it tested here correctly, but I was in a hurry here and messed up with the copy and paste, sorry.
And that shouldn't have been %%a in the user part of the xcacls command, but %%~nxa, then it would have worked with the D:\Users path as well.
Just for future reference:
%%~nxa will return the *n*ame and the e*x*tension of the argument %%*a*; that is, the user's directory name only, without the path (enter "help call" for details).

@echo off
for /d %%a in (D:\Users\*.*) do (
 ECHO xcacls %%a /t /e /c /g %%~nxa:F;F /y
)
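
A more defensive variant of the loop above, added here as an example and not part of the original thread: it quotes the folder path, and it grants access only when the folder name resolves to a user account, so a folder that happens to be named like a group (for example "Administrators") is skipped instead of receiving Full Control. The variable names ROOT and DRYRUN, the :grant label, and the use of "net user ... /domain" as the existence check (which assumes domain accounts) are assumptions of this example; the xcacls switches are the ones used in the thread.

```batch
@echo off
setlocal
rem Added example, not from the thread. ROOT and DRYRUN are assumed names.
set "ROOT=D:\Users"
rem DRYRUN=1 only prints the xcacls commands; set it to 0 to apply them.
set "DRYRUN=1"

rem %%~fa = full path of the folder, %%~nxa = folder name only (the user name).
for /d %%a in ("%ROOT%\*") do call :grant "%%~fa" "%%~nxa"
endlocal
goto :eof

:grant
rem %~1 = folder path, %~2 = folder name, treated as the account name.
rem "net user" fails for names that are groups or do not exist,
rem so those folders are reported and left untouched.
net user "%~2" /domain >nul 2>&1
if errorlevel 1 echo SKIP "%~1" - no user account named "%~2"
if errorlevel 1 goto :eof

rem In dry-run mode the command is echoed instead of executed.
set "PREFIX="
if "%DRYRUN%"=="1" set "PREFIX=echo"

rem /e edits the existing ACL instead of replacing it, so the
rem administrators' entries on the folder are preserved.
%PREFIX% xcacls "%~1" /t /e /c /g %~2:F;F /y
goto :eof
```

Run it on the server with DRYRUN=1 first and review both the printed xcacls lines and the SKIP lines before applying.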
