Solved

Need a script to change NTFS permissions on a local folder

Posted on 2006-11-03
19
9,157 Views
Last Modified: 2012-08-13
Need a script to change NTFS permissions on a local folder (c:\program files\[the application]) to allow Domain Users full control.  See, I need to give my users full control to an application directory or the application won't run.  

So, I'm thinking that it would be easy to run a login script changing the folder's permissions.  Obviously, I need all child directories and files to get the parent folder permissions too.  

Alternatively, it would be really cool to know how to make a script run as Administrator even though it was executed by a user.  Like, I could have a script.bat and e-mail it to a user.  Then the user could run it, but the script would run as Administrator with full permissions/privileges.

Thanks!
0
Comment
Question by:coolrazor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 7
19 Comments
 
LVL 9

Accepted Solution

by:
SamuraiCrow earned 50 total points
ID: 17868771
For the letting the user change the permissions with admin rights use AutoIT!

(Download here:)
http://www.autoitscript.com/autoit3/

You can easily create a m3u script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm. Best of all it's free!  Definately one of the most useful tools I have in my admin arsenal.  Here is the syntax:

Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"


RunAsSet ( $UserName, $DomainName, $Password )

$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868786
download xcacls here to modify file permissions.  I'll have the syntax for you in a moment:
http://support.microsoft.com/kb/318754
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868854
Here is the xcacls syntax that can be used to modify permissions on a directory:
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868897
Allright - We have the pieces, here is the game plan:

Create a file called perms.bat on a network share (users will need read and execute access to this share).

Add the 'xcacls c:\test /t /e /c /g "dec\domain users":F /Y' line where c:\test is the file path you want to update permissions on

in the autoIT script update the following sections with the appropriate info:
$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"
$RunProgram = "perms.bat"
$RunPath = "\\servername\sharename"

Once the script it done right click on the m3u file and select compile to executable

Test out the exe on a few users to make sure it works properly then deploy!
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868926
Just a couple of notes:

when specifying the path in the xcacls command make sure to put quotes around it if there are spaces (ex "c:\Program Files\...")
the xcacls command can also be pushed through a computer startup script with group policy (no need for auto it in this case)
AutoIT is generally used for software install automation and it probably the coolest free tool I've ever used.  Learn to use it and if you can send a donation        ------their way.

Hope this helps!
Crow
0
 

Author Comment

by:coolrazor
ID: 17870670
Thanks a bunch for showing me AutoIt!  That's a really cool piece of software.

xcacls, however, isn't running right.  It says "You are not using CScript for the scripting engine".  I thought I saw a webpage saying that I needed to put xcacls in the Windows directory and run something to switch engines, but I'm not sure of where that was and can't find the page.  Any hints?  

Also, I'd rather not have to change the scripting engines on my users' desktops if I would have to do it manually.  My goal is to e-mail them saying, "run this attached executable and, presto, our wonderful VoIP app will work".
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17870818
Make the perms.bat syntax look like this:

CScript//H:Cscript //S
'xcacls c:\test /t /e /c /g "dec\domain users":F /Y

That should set the script engine to run properly.
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17870820
Oops, small correction:

CScript//H:Cscript //S
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
 

Author Comment

by:coolrazor
ID: 17871025
It ran silently and smoothly... but when I checked the folder permissions nothing had changed.
I was a little more explicit in my bat file, could that be the problem?
Here's the bat file:

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\all employees":F /Y

pause
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17871221
Place your domain name where is says dec:

"dec\domain users"

Sorry, missed that on the first run.
0
 

Author Comment

by:coolrazor
ID: 17871297
We're SO close to getting this!

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

It error's out on the /c part.  What does the /c parameter do?

"Error: Invalid flag /c.
Please check the input and try again."
0
 

Author Comment

by:coolrazor
ID: 17871316
FYI, I'm leaving for the day and will be back on Monday.
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17871367
it basically continues on access denied errors.  We can remove it if needed.  Did you replace the domain name? (To be continued Monday)
0
 

Author Comment

by:coolrazor
ID: 17882687
It works!  I had to drop the /c and the /Y parameters, but it runs.  Also, I had to change the user group "all employees" to "allemployees", I guess that's how the system reads the group name internally.

The batch file runs and doesn't get stopped asking for user input, which I thought it would since I took out the /Y.  I prefer it not to ask the user any questions, but I wonder why it didn't.

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\allemployees":F

0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17882712
The version of xcacls you downloaded might be more recent then the version I have on my machine (not for long!).  I'm glad it worked.
0
 

Author Comment

by:coolrazor
ID: 17891422
A new twist...

The batch file worked  well except... I need all CHILD files and folders to inherit the new added permissions.
(Also, how do I add 30 points for this add-on question?  I don't want to start a new question seeing as how it is wholly related to this one.)
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17891484
No worries on the point add.  Try adding an * after Interactive Intelligence

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\allemployees":F
0
 

Author Comment

by:coolrazor
ID: 17892746
Ok, I found out that the parameters for xcacls.vbs (which is what I'm using) and xcacles.exe are different.  That cleared up a few things.  In the end, I just hard coded the child directory that wouldn't propagate the new permissions

I.E.
CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\Interaction Client .NET Edition\" /t /e /g "[domain]\allemployees":F

Everything within that directory got the new permissions.  Turns out that the .NET Edition folder didn't have "allow inherit from parent" set.  My guess is that there is a way to brute force inheriting, but I didn't need to since everything within the .NET Edition folder was inheriting from the .NET Edition folder.  

Thanks a lot for your help!
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17892770
No problem.  I'm glad you got it worked out.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
User laptop information 6 146
Looking to disable remote computers 6 83
Looking to exFAT Driver for Win XP 11 13,748
How Do I Set Up XP Mode in Windows 7? 8 95
Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question