Solved

Using XCACLS to Add Permissions to Profiles or Take Ownership

Posted on 2007-11-30
4
4,602 Views
Last Modified: 2012-06-21
Hello,

I have a roaming profile directory \\servername\profiles where our users are storing their profiles.  The profiles are contained in Directories that are username.domain style.  I am having problems with various files in these directories that I would like to remove.  I do not have access or ownership of these directories.  I have tried to use XCACLS to add servername\administrators group.  I have included the command below.  I do not want to destroy the permissions that are assigned, however, I would like to add administrators to the profiles so that I can remove a few problem files that are replicated back to the user and causing problems.  The account that I am performing this under is a Domain Admin account.

c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S

The result is as follows
D:\DFS\profiles>c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 5.2) Script at 11/30/2007 4:45:57 PM

Startup directory:
"D:\DFS\profiles"

Arguments Used:
        Filename = "erictest.DOMAIN"
        /F (All Files under current directory)
        /S (All Sub Directories under current directory)
        /T (Traverse Directories)
        /E (Edit ACL leaving other users intact)
        /G (Grant rights)
                servername\administrators:F;F


 - Changing /G user/group: "servername\administrators" to "BUILTIN\Administrators"


**************************************************************************
Directory: D:\DFS\profiles\erictest.MVGAD
Error -2147217406:  occurred setting Win32_LogicalFileSecuritySetting object. (M
sg#501)
Error description: Not found
**************************************************************************
Error 70:  occurred while in the DoTheWorkOnEverythingUnderDirectory routine. (M
sg#204)
Error description: Permission denied


Operation Complete
Elapsed Time: 0.3125 seconds.

Ending Script at 11/30/2007 4:45:57 PM



D:\DFS\profiles>

0
Comment
Question by:mdflannery
4 Comments
 
LVL 12

Accepted Solution

by:
chandru_sol earned 125 total points
ID: 20386849
You can use setacl.exe for setting permission.

Download it from here. http://www.helge.mynetcologne.de/setacl/

regards
Chandru
0
 
LVL 8

Assisted Solution

by:deadite
deadite earned 125 total points
ID: 20392509
The problem is most likely caused from ownership.  Just take ownership of the root folder and all sub folder /files.  Then your script should work.  I do this to set permissions using XCACLS on over 1000 user folders, and here is the BAT script I use.  Just add/remove any additional users or groups you want on their folder
@echo off
 

setlocal

IF {%1}=={} GOTO bad

IF {%2}=={} GOTO bad

IF NOT EXIST %1 GOTO bad

IF {%3}=={} set perm=C&goto ok

if {%3}=={C} set perm=C&goto ok

if {%3}=={F} set perm=F&goto ok

goto bad

:ok

set pf=%1

set dom=%2

set pf=%pf:"=%

set dom=%dom:"=%

for /f "Tokens=*" %%a in ('dir "%pf%" /AD /B') do set user=%%a&call :parse

endlocal

GOTO :EOF

:bad

@echo Usage: SetPermStu "Drive:\Directory of Users Parent Folder" "NetBIOS Domain Name" [C or F]

@echo.

endlocal

goto :EOF

:parse

REM ============================================================================================================

REM Specify Permissions by Manually Adding Users with CACLS Commands and Auto Adds User Account by Folder Name:

REM ***** Edit User/Group Accounts

REM ============================================================================================================

for /f "Tokens=5*" %%c in ('echo Y^| cacls "%pf%\%user%" /T /G Administrators:F "Backup Operators":R "%dom%\%user%":%perm% "%dom%\Enterprise Admins":F "%dom%\Domain Admins":F') do @echo %%d

Open in new window

0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now