Solved

Need a script to change NTFS permissions on a local folder

Posted on 2006-11-03
19
9,080 Views
Last Modified: 2012-08-13
Need a script to change NTFS permissions on a local folder (c:\program files\[the application]) to allow Domain Users full control.  See, I need to give my users full control to an application directory or the application won't run.  

So, I'm thinking that it would be easy to run a login script changing the folder's permissions.  Obviously, I need all child directories and files to get the parent folder permissions too.  

Alternatively, it would be really cool to know how to make a script run as Administrator even though it was executed by a user.  Like, I could have a script.bat and e-mail it to a user.  Then the user could run it, but the script would run as Administrator with full permissions/privileges.

Thanks!
0
Comment
Question by:coolrazor
  • 12
  • 7
19 Comments
 
LVL 9

Accepted Solution

by:
SamuraiCrow earned 50 total points
ID: 17868771
For the letting the user change the permissions with admin rights use AutoIT!

(Download here:)
http://www.autoitscript.com/autoit3/

You can easily create a m3u script file that can be compiled into an executable.  Just specify the account, password, name of the exe or bat file, and path.  Works like a charm. Best of all it's free!  Definately one of the most useful tools I have in my admin arsenal.  Here is the syntax:

Dim $UserName, $DomainName, $Password, $RunProgram, $RunPath

$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"

$RunProgram = "setup.exe"
$RunPath = "\\servername\sharename"


RunAsSet ( $UserName, $DomainName, $Password )

$val = RunWait($RunPath & "\" & $RunProgram, $RunPath, @SW_Maximize)
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868786
download xcacls here to modify file permissions.  I'll have the syntax for you in a moment:
http://support.microsoft.com/kb/318754
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868854
Here is the xcacls syntax that can be used to modify permissions on a directory:
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868897
Allright - We have the pieces, here is the game plan:

Create a file called perms.bat on a network share (users will need read and execute access to this share).

Add the 'xcacls c:\test /t /e /c /g "dec\domain users":F /Y' line where c:\test is the file path you want to update permissions on

in the autoIT script update the following sections with the appropriate info:
$UserName = "Username"
$DomainName = "domainname"
$Password = "Password"
$RunProgram = "perms.bat"
$RunPath = "\\servername\sharename"

Once the script it done right click on the m3u file and select compile to executable

Test out the exe on a few users to make sure it works properly then deploy!
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17868926
Just a couple of notes:

when specifying the path in the xcacls command make sure to put quotes around it if there are spaces (ex "c:\Program Files\...")
the xcacls command can also be pushed through a computer startup script with group policy (no need for auto it in this case)
AutoIT is generally used for software install automation and it probably the coolest free tool I've ever used.  Learn to use it and if you can send a donation        ------their way.

Hope this helps!
Crow
0
 

Author Comment

by:coolrazor
ID: 17870670
Thanks a bunch for showing me AutoIt!  That's a really cool piece of software.

xcacls, however, isn't running right.  It says "You are not using CScript for the scripting engine".  I thought I saw a webpage saying that I needed to put xcacls in the Windows directory and run something to switch engines, but I'm not sure of where that was and can't find the page.  Any hints?  

Also, I'd rather not have to change the scripting engines on my users' desktops if I would have to do it manually.  My goal is to e-mail them saying, "run this attached executable and, presto, our wonderful VoIP app will work".
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17870818
Make the perms.bat syntax look like this:

CScript//H:Cscript //S
'xcacls c:\test /t /e /c /g "dec\domain users":F /Y

That should set the script engine to run properly.
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17870820
Oops, small correction:

CScript//H:Cscript //S
xcacls c:\test /t /e /c /g "dec\domain users":F /Y
0
 

Author Comment

by:coolrazor
ID: 17871025
It ran silently and smoothly... but when I checked the folder permissions nothing had changed.
I was a little more explicit in my bat file, could that be the problem?
Here's the bat file:

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\all employees":F /Y

pause
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17871221
Place your domain name where is says dec:

"dec\domain users"

Sorry, missed that on the first run.
0
 

Author Comment

by:coolrazor
ID: 17871297
We're SO close to getting this!

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /c /g "dec\domain users":F /Y

It error's out on the /c part.  What does the /c parameter do?

"Error: Invalid flag /c.
Please check the input and try again."
0
 

Author Comment

by:coolrazor
ID: 17871316
FYI, I'm leaving for the day and will be back on Monday.
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17871367
it basically continues on access denied errors.  We can remove it if needed.  Did you replace the domain name? (To be continued Monday)
0
 

Author Comment

by:coolrazor
ID: 17882687
It works!  I had to drop the /c and the /Y parameters, but it runs.  Also, I had to change the user group "all employees" to "allemployees", I guess that's how the system reads the group name internally.

The batch file runs and doesn't get stopped asking for user input, which I thought it would since I took out the /Y.  I prefer it not to ask the user any questions, but I wonder why it didn't.

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\" /t /e /g "[domain]\allemployees":F

0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17882712
The version of xcacls you downloaded might be more recent then the version I have on my machine (not for long!).  I'm glad it worked.
0
 

Author Comment

by:coolrazor
ID: 17891422
A new twist...

The batch file worked  well except... I need all CHILD files and folders to inherit the new added permissions.
(Also, how do I add 30 points for this add-on question?  I don't want to start a new question seeing as how it is wholly related to this one.)
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17891484
No worries on the point add.  Try adding an * after Interactive Intelligence

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\domain users":F

CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\*" /t /e /g "[domain]\allemployees":F
0
 

Author Comment

by:coolrazor
ID: 17892746
Ok, I found out that the parameters for xcacls.vbs (which is what I'm using) and xcacles.exe are different.  That cleared up a few things.  In the end, I just hard coded the child directory that wouldn't propagate the new permissions

I.E.
CScript//H:Cscript //S
\\[server]\[share]\scripts\xcacls "c:\Program Files\Interactive Intelligence\Interaction Client .NET Edition\" /t /e /g "[domain]\allemployees":F

Everything within that directory got the new permissions.  Turns out that the .NET Edition folder didn't have "allow inherit from parent" set.  My guess is that there is a way to brute force inheriting, but I didn't need to since everything within the .NET Edition folder was inheriting from the .NET Edition folder.  

Thanks a lot for your help!
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17892770
No problem.  I'm glad you got it worked out.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Disclosure: Use this tutorial only when no other options helps to get Windows XP running without any problems and you don't want to format the drive. The back up of the data is the responsible of the user, however there is a description of how t…
cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site. cPanel utilizes a 3 tier structure that provides functionality for administrators, rese…
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now