• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 9343
  • Last Modified:

Need a script to change NTFS permissions on a local folder

Need a script to change NTFS permissions on a local folder (c:\program files\[the application]) to allow Domain Users full control.  See, I need to give my users full control to an application directory or the application won't run.  

So, I'm thinking that it would be easy to run a login script changing the folder's permissions.  Obviously, I need all child directories and files to get the parent folder permissions too.  

Alternatively, it would be really cool to know how to make a script run as Administrator even though it was executed by a user.  Like, I could have a script.bat and e-mail it to a user.  Then the user could run it, but the script would run as Administrator with full permissions/privileges.

Thanks!
0
coolrazor
Asked:
coolrazor
  • 12
  • 7
1 Solution
 
SamuraiCrowCommented:
For the letting the user change the permissions with admin rights use AutoIT!

(Download here:)
http://www.autoitscript.com/autoit3/

You can easily create a m3u script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm. Best of all it's free!  Definately one of the most useful tools I have in my admin arsenal.  Here is the syntax:

Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"


RunAsSet ( $UserName, $DomainName, $Password )

$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)
0
 
SamuraiCrowCommented:
download xcacls here to modify file permissions.  I'll have the syntax for you in a moment:
http://support.microsoft.com/kb/318754
0
 
SamuraiCrowCommented:
Here is the xcacls syntax that can be used to modify permissions on a directory:
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
SamuraiCrowCommented:
Allright - We have the pieces, here is the game plan:

Create a file called perms.bat on a network share (users will need read and execute access to this share).

Add the 'xcacls c:\test /t /e /c /g "dec\domain users":F /Y' line where c:\test is the file path you want to update permissions on

in the autoIT script update the following sections with the appropriate info:
$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"
$RunProgram = "perms.bat"
$RunPath = "\\servername\sharename"

Once the script it done right click on the m3u file and select compile to executable

Test out the exe on a few users to make sure it works properly then deploy!
0
 
SamuraiCrowCommented:
Just a couple of notes:

when specifying the path in the xcacls command make sure to put quotes around it if there are spaces (ex "c:\Program Files\...")
the xcacls command can also be pushed through a computer startup script with group policy (no need for auto it in this case)
AutoIT is generally used for software install automation and it probably the coolest free tool I've ever used.  Learn to use it and if you can send a donation        ------their way.

Hope this helps!
Crow
0
 
coolrazorAuthor Commented:
Thanks a bunch for showing me AutoIt!  That's a really cool piece of software.

xcacls, however, isn't running right.  It says "You are not using CScript for the scripting engine".  I thought I saw a webpage saying that I needed to put xcacls in the Windows directory and run something to switch engines, but I'm not sure of where that was and can't find the page.  Any hints?  

Also, I'd rather not have to change the scripting engines on my users' desktops if I would have to do it manually.  My goal is to e-mail them saying, "run this attached executable and, presto, our wonderful VoIP app will work".
0
 
SamuraiCrowCommented:
Make the perms.bat syntax look like this:

CScript//H:Cscript //S
'xcacls c:\test /t /e /c /g "dec\domain users":F /Y

That should set the script engine to run properly.
0
 
SamuraiCrowCommented:
Oops, small correction:

CScript//H:Cscript //S
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
 
coolrazorAuthor Commented:
It ran silently and smoothly... but when I checked the folder permissions nothing had changed.
I was a little more explicit in my bat file, could that be the problem?
Here's the bat file:

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\all employees":F /Y

pause
0
 
SamuraiCrowCommented:
Place your domain name where is says dec:

"dec\domain users"

Sorry, missed that on the first run.
0
 
coolrazorAuthor Commented:
We're SO close to getting this!

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

It error's out on the /c part.  What does the /c parameter do?

"Error: Invalid flag /c.
Please check the input and try again."
0
 
coolrazorAuthor Commented:
FYI, I'm leaving for the day and will be back on Monday.
0
 
SamuraiCrowCommented:
it basically continues on access denied errors.  We can remove it if needed.  Did you replace the domain name? (To be continued Monday)
0
 
coolrazorAuthor Commented:
It works!  I had to drop the /c and the /Y parameters, but it runs.  Also, I had to change the user group "all employees" to "allemployees", I guess that's how the system reads the group name internally.

The batch file runs and doesn't get stopped asking for user input, which I thought it would since I took out the /Y.  I prefer it not to ask the user any questions, but I wonder why it didn't.

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\allemployees":F

0
 
SamuraiCrowCommented:
The version of xcacls you downloaded might be more recent then the version I have on my machine (not for long!).  I'm glad it worked.
0
 
coolrazorAuthor Commented:
A new twist...

The batch file worked  well except... I need all CHILD files and folders to inherit the new added permissions.
(Also, how do I add 30 points for this add-on question?  I don't want to start a new question seeing as how it is wholly related to this one.)
0
 
SamuraiCrowCommented:
No worries on the point add.  Try adding an * after Interactive Intelligence

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\allemployees":F
0
 
coolrazorAuthor Commented:
Ok, I found out that the parameters for xcacls.vbs (which is what I'm using) and xcacles.exe are different.  That cleared up a few things.  In the end, I just hard coded the child directory that wouldn't propagate the new permissions

I.E.
CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\Interaction Client .NET Edition\" /t /e /g "[domain]\allemployees":F

Everything within that directory got the new permissions.  Turns out that the .NET Edition folder didn't have "allow inherit from parent" set.  My guess is that there is a way to brute force inheriting, but I didn't need to since everything within the .NET Edition folder was inheriting from the .NET Edition folder.  

Thanks a lot for your help!
0
 
SamuraiCrowCommented:
No problem.  I'm glad you got it worked out.
0

Featured Post

[Webinar] Improve your customer journey

A positive customer journey is important in attracting and retaining business. To improve this experience, you can use Google Maps APIs to increase checkout conversions, boost user engagement, and optimize order fulfillment. Learn how in this webinar presented by Dito.

  • 12
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now