Solved

Using XCACLS to Add Permissions to Profiles or Take Ownership

Posted on 2007-11-30
4
4,634 Views
Last Modified: 2012-06-21
Hello,

I have a roaming profile directory \\servername\profiles where our users are storing their profiles.  The profiles are contained in Directories that are username.domain style.  I am having problems with various files in these directories that I would like to remove.  I do not have access or ownership of these directories.  I have tried to use XCACLS to add servername\administrators group.  I have included the command below.  I do not want to destroy the permissions that are assigned, however, I would like to add administrators to the profiles so that I can remove a few problem files that are replicated back to the user and causing problems.  The account that I am performing this under is a Domain Admin account.

c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S

The result is as follows
D:\DFS\profiles>c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 5.2) Script at 11/30/2007 4:45:57 PM

Startup directory:
"D:\DFS\profiles"

Arguments Used:
        Filename = "erictest.DOMAIN"
        /F (All Files under current directory)
        /S (All Sub Directories under current directory)
        /T (Traverse Directories)
        /E (Edit ACL leaving other users intact)
        /G (Grant rights)
                servername\administrators:F;F


 - Changing /G user/group: "servername\administrators" to "BUILTIN\Administrators"


**************************************************************************
Directory: D:\DFS\profiles\erictest.MVGAD
Error -2147217406:  occurred setting Win32_LogicalFileSecuritySetting object. (M
sg#501)
Error description: Not found
**************************************************************************
Error 70:  occurred while in the DoTheWorkOnEverythingUnderDirectory routine. (M
sg#204)
Error description: Permission denied


Operation Complete
Elapsed Time: 0.3125 seconds.

Ending Script at 11/30/2007 4:45:57 PM



D:\DFS\profiles>

0
Comment
Question by:mdflannery
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 12

Accepted Solution

by:
chandru_sol earned 125 total points
ID: 20386849
You can use setacl.exe for setting permission.

Download it from here. http://www.helge.mynetcologne.de/setacl/

regards
Chandru
0
 
LVL 8

Assisted Solution

by:deadite
deadite earned 125 total points
ID: 20392509
The problem is most likely caused from ownership.  Just take ownership of the root folder and all sub folder /files.  Then your script should work.  I do this to set permissions using XCACLS on over 1000 user folders, and here is the BAT script I use.  Just add/remove any additional users or groups you want on their folder
@echo off
 
setlocal
IF {%1}=={} GOTO bad
IF {%2}=={} GOTO bad
IF NOT EXIST %1 GOTO bad
IF {%3}=={} set perm=C&goto ok
if {%3}=={C} set perm=C&goto ok
if {%3}=={F} set perm=F&goto ok
goto bad
:ok
set pf=%1
set dom=%2
set pf=%pf:"=%
set dom=%dom:"=%
for /f "Tokens=*" %%a in ('dir "%pf%" /AD /B') do set user=%%a&call :parse
endlocal
GOTO :EOF
:bad
@echo Usage: SetPermStu "Drive:\Directory of Users Parent Folder" "NetBIOS Domain Name" [C or F]
@echo.
endlocal
goto :EOF
:parse
REM ============================================================================================================
REM Specify Permissions by Manually Adding Users with CACLS Commands and Auto Adds User Account by Folder Name:
REM ***** Edit User/Group Accounts
REM ============================================================================================================
for /f "Tokens=5*" %%c in ('echo Y^| cacls "%pf%\%user%" /T /G Administrators:F "Backup Operators":R "%dom%\%user%":%perm% "%dom%\Enterprise Admins":F "%dom%\Domain Admins":F') do @echo %%d

Open in new window

0

Featured Post

Get Actionable Data from Your Monitoring Solution

Your communication platform is only as good as the relevance of the information you send. Ensure your alerts get to the right people every time with actionable responses. Create escalation rules that ensure everyone follows the process and nothing is left to chance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question