Solved

Using XCACLS to Add Permissions to Profiles or Take Ownership

Posted on 2007-11-30
4
4,612 Views
Last Modified: 2012-06-21
Hello,

I have a roaming profile directory \\servername\profiles where our users are storing their profiles.  The profiles are contained in Directories that are username.domain style.  I am having problems with various files in these directories that I would like to remove.  I do not have access or ownership of these directories.  I have tried to use XCACLS to add servername\administrators group.  I have included the command below.  I do not want to destroy the permissions that are assigned, however, I would like to add administrators to the profiles so that I can remove a few problem files that are replicated back to the user and causing problems.  The account that I am performing this under is a Domain Admin account.

c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S

The result is as follows
D:\DFS\profiles>c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 5.2) Script at 11/30/2007 4:45:57 PM

Startup directory:
"D:\DFS\profiles"

Arguments Used:
        Filename = "erictest.DOMAIN"
        /F (All Files under current directory)
        /S (All Sub Directories under current directory)
        /T (Traverse Directories)
        /E (Edit ACL leaving other users intact)
        /G (Grant rights)
                servername\administrators:F;F


 - Changing /G user/group: "servername\administrators" to "BUILTIN\Administrators"


**************************************************************************
Directory: D:\DFS\profiles\erictest.MVGAD
Error -2147217406:  occurred setting Win32_LogicalFileSecuritySetting object. (M
sg#501)
Error description: Not found
**************************************************************************
Error 70:  occurred while in the DoTheWorkOnEverythingUnderDirectory routine. (M
sg#204)
Error description: Permission denied


Operation Complete
Elapsed Time: 0.3125 seconds.

Ending Script at 11/30/2007 4:45:57 PM



D:\DFS\profiles>

0
Comment
Question by:mdflannery
4 Comments
 
LVL 12

Accepted Solution

by:
chandru_sol earned 125 total points
ID: 20386849
You can use setacl.exe for setting permission.

Download it from here. http://www.helge.mynetcologne.de/setacl/

regards
Chandru
0
 
LVL 8

Assisted Solution

by:deadite
deadite earned 125 total points
ID: 20392509
The problem is most likely caused from ownership.  Just take ownership of the root folder and all sub folder /files.  Then your script should work.  I do this to set permissions using XCACLS on over 1000 user folders, and here is the BAT script I use.  Just add/remove any additional users or groups you want on their folder
@echo off
 

setlocal

IF {%1}=={} GOTO bad

IF {%2}=={} GOTO bad

IF NOT EXIST %1 GOTO bad

IF {%3}=={} set perm=C&goto ok

if {%3}=={C} set perm=C&goto ok

if {%3}=={F} set perm=F&goto ok

goto bad

:ok

set pf=%1

set dom=%2

set pf=%pf:"=%

set dom=%dom:"=%

for /f "Tokens=*" %%a in ('dir "%pf%" /AD /B') do set user=%%a&call :parse

endlocal

GOTO :EOF

:bad

@echo Usage: SetPermStu "Drive:\Directory of Users Parent Folder" "NetBIOS Domain Name" [C or F]

@echo.

endlocal

goto :EOF

:parse

REM ============================================================================================================

REM Specify Permissions by Manually Adding Users with CACLS Commands and Auto Adds User Account by Folder Name:

REM ***** Edit User/Group Accounts

REM ============================================================================================================

for /f "Tokens=5*" %%c in ('echo Y^| cacls "%pf%\%user%" /T /G Administrators:F "Backup Operators":R "%dom%\%user%":%perm% "%dom%\Enterprise Admins":F "%dom%\Domain Admins":F') do @echo %%d

Open in new window

0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Data Leak protection 7 81
Security risks of IM, RM & messaging systems 2 90
Unknown security group 2 59
inplace upgrade from Windows 2003 R2 to 2012 8 49
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now