Solved

Need a script to change NTFS permissions on a local folder

Posted on 2006-11-03
19
9,099 Views
Last Modified: 2012-08-13
Need a script to change NTFS permissions on a local folder (c:\program files\[the application]) to allow Domain Users full control.  See, I need to give my users full control to an application directory or the application won't run.  

So, I'm thinking that it would be easy to run a login script changing the folder's permissions.  Obviously, I need all child directories and files to get the parent folder permissions too.  

Alternatively, it would be really cool to know how to make a script run as Administrator even though it was executed by a user.  Like, I could have a script.bat and e-mail it to a user.  Then the user could run it, but the script would run as Administrator with full permissions/privileges.

Thanks!
0
Comment
Question by:coolrazor
  • 12
  • 7
19 Comments
 
LVL 9

Accepted Solution

by:
SamuraiCrow earned 50 total points
ID: 17868771
For the letting the user change the permissions with admin rights use AutoIT!

(Download here:)
http://www.autoitscript.com/autoit3/

You can easily create a m3u script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm. Best of all it's free!  Definately one of the most useful tools I have in my admin arsenal.  Here is the syntax:

Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"


RunAsSet ( $UserName, $DomainName, $Password )

$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868786
download xcacls here to modify file permissions.  I'll have the syntax for you in a moment:
http://support.microsoft.com/kb/318754
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868854
Here is the xcacls syntax that can be used to modify permissions on a directory:
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868897
Allright - We have the pieces, here is the game plan:

Create a file called perms.bat on a network share (users will need read and execute access to this share).

Add the 'xcacls c:\test /t /e /c /g "dec\domain users":F /Y' line where c:\test is the file path you want to update permissions on

in the autoIT script update the following sections with the appropriate info:
$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"
$RunProgram = "perms.bat"
$RunPath = "\\servername\sharename"

Once the script it done right click on the m3u file and select compile to executable

Test out the exe on a few users to make sure it works properly then deploy!
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868926
Just a couple of notes:

when specifying the path in the xcacls command make sure to put quotes around it if there are spaces (ex "c:\Program Files\...")
the xcacls command can also be pushed through a computer startup script with group policy (no need for auto it in this case)
AutoIT is generally used for software install automation and it probably the coolest free tool I've ever used.  Learn to use it and if you can send a donation        ------their way.

Hope this helps!
Crow
0
 

Author Comment

by:coolrazor
ID: 17870670
Thanks a bunch for showing me AutoIt!  That's a really cool piece of software.

xcacls, however, isn't running right.  It says "You are not using CScript for the scripting engine".  I thought I saw a webpage saying that I needed to put xcacls in the Windows directory and run something to switch engines, but I'm not sure of where that was and can't find the page.  Any hints?  

Also, I'd rather not have to change the scripting engines on my users' desktops if I would have to do it manually.  My goal is to e-mail them saying, "run this attached executable and, presto, our wonderful VoIP app will work".
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17870818
Make the perms.bat syntax look like this:

CScript//H:Cscript //S
'xcacls c:\test /t /e /c /g "dec\domain users":F /Y

That should set the script engine to run properly.
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17870820
Oops, small correction:

CScript//H:Cscript //S
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
 

Author Comment

by:coolrazor
ID: 17871025
It ran silently and smoothly... but when I checked the folder permissions nothing had changed.
I was a little more explicit in my bat file, could that be the problem?
Here's the bat file:

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\all employees":F /Y

pause
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17871221
Place your domain name where is says dec:

"dec\domain users"

Sorry, missed that on the first run.
0
 

Author Comment

by:coolrazor
ID: 17871297
We're SO close to getting this!

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

It error's out on the /c part.  What does the /c parameter do?

"Error: Invalid flag /c.
Please check the input and try again."
0
 

Author Comment

by:coolrazor
ID: 17871316
FYI, I'm leaving for the day and will be back on Monday.
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17871367
it basically continues on access denied errors.  We can remove it if needed.  Did you replace the domain name? (To be continued Monday)
0
 

Author Comment

by:coolrazor
ID: 17882687
It works!  I had to drop the /c and the /Y parameters, but it runs.  Also, I had to change the user group "all employees" to "allemployees", I guess that's how the system reads the group name internally.

The batch file runs and doesn't get stopped asking for user input, which I thought it would since I took out the /Y.  I prefer it not to ask the user any questions, but I wonder why it didn't.

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\allemployees":F

0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17882712
The version of xcacls you downloaded might be more recent then the version I have on my machine (not for long!).  I'm glad it worked.
0
 

Author Comment

by:coolrazor
ID: 17891422
A new twist...

The batch file worked  well except... I need all CHILD files and folders to inherit the new added permissions.
(Also, how do I add 30 points for this add-on question?  I don't want to start a new question seeing as how it is wholly related to this one.)
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17891484
No worries on the point add.  Try adding an * after Interactive Intelligence

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\allemployees":F
0
 

Author Comment

by:coolrazor
ID: 17892746
Ok, I found out that the parameters for xcacls.vbs (which is what I'm using) and xcacles.exe are different.  That cleared up a few things.  In the end, I just hard coded the child directory that wouldn't propagate the new permissions

I.E.
CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\Interaction Client .NET Edition\" /t /e /g "[domain]\allemployees":F

Everything within that directory got the new permissions.  Turns out that the .NET Edition folder didn't have "allow inherit from parent" set.  My guess is that there is a way to brute force inheriting, but I didn't need to since everything within the .NET Edition folder was inheriting from the .NET Edition folder.  

Thanks a lot for your help!
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17892770
No problem.  I'm glad you got it worked out.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Memory (kernel) dump BSOD's 2X per week: Why? 40 150
window s 8 to 10 err 9 118
XP machine unable to logon 13 58
Transfer configuration between Windows XP installations 4 55
Are you unable to synchronize your OST (Offline Storage Table) file with Microsoft Exchange Server? Is your OST file exceeding 2 GB size limit? In Microsoft Outlook 2002 and earlier versions, there is a 2 GB size limit for the OST file. If the file …
If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question