[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Using XCACLS to Add Permissions to Profiles or Take Ownership

Posted on 2007-11-30
4
Medium Priority
?
4,643 Views
Last Modified: 2012-06-21
Hello,

I have a roaming profile directory \\servername\profiles where our users are storing their profiles.  The profiles are contained in Directories that are username.domain style.  I am having problems with various files in these directories that I would like to remove.  I do not have access or ownership of these directories.  I have tried to use XCACLS to add servername\administrators group.  I have included the command below.  I do not want to destroy the permissions that are assigned, however, I would like to add administrators to the profiles so that I can remove a few problem files that are replicated back to the user and causing problems.  The account that I am performing this under is a Domain Admin account.

c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S

The result is as follows
D:\DFS\profiles>c:\windows\system32\cscript.exe c:\tools\xcacls.vbs "erictest.DOMAIN" /E /G servername\administrators:F;F /F /T /S
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 5.2) Script at 11/30/2007 4:45:57 PM

Startup directory:
"D:\DFS\profiles"

Arguments Used:
        Filename = "erictest.DOMAIN"
        /F (All Files under current directory)
        /S (All Sub Directories under current directory)
        /T (Traverse Directories)
        /E (Edit ACL leaving other users intact)
        /G (Grant rights)
                servername\administrators:F;F


 - Changing /G user/group: "servername\administrators" to "BUILTIN\Administrators"


**************************************************************************
Directory: D:\DFS\profiles\erictest.MVGAD
Error -2147217406:  occurred setting Win32_LogicalFileSecuritySetting object. (M
sg#501)
Error description: Not found
**************************************************************************
Error 70:  occurred while in the DoTheWorkOnEverythingUnderDirectory routine. (M
sg#204)
Error description: Permission denied


Operation Complete
Elapsed Time: 0.3125 seconds.

Ending Script at 11/30/2007 4:45:57 PM



D:\DFS\profiles>

0
Comment
Question by:mdflannery
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 12

Accepted Solution

by:
chandru_sol earned 500 total points
ID: 20386849
You can use setacl.exe for setting permission.

Download it from here. http://www.helge.mynetcologne.de/setacl/

regards
Chandru
0
 
LVL 8

Assisted Solution

by:deadite
deadite earned 500 total points
ID: 20392509
The problem is most likely caused from ownership.  Just take ownership of the root folder and all sub folder /files.  Then your script should work.  I do this to set permissions using XCACLS on over 1000 user folders, and here is the BAT script I use.  Just add/remove any additional users or groups you want on their folder
@echo off
 
setlocal
IF {%1}=={} GOTO bad
IF {%2}=={} GOTO bad
IF NOT EXIST %1 GOTO bad
IF {%3}=={} set perm=C&goto ok
if {%3}=={C} set perm=C&goto ok
if {%3}=={F} set perm=F&goto ok
goto bad
:ok
set pf=%1
set dom=%2
set pf=%pf:"=%
set dom=%dom:"=%
for /f "Tokens=*" %%a in ('dir "%pf%" /AD /B') do set user=%%a&call :parse
endlocal
GOTO :EOF
:bad
@echo Usage: SetPermStu "Drive:\Directory of Users Parent Folder" "NetBIOS Domain Name" [C or F]
@echo.
endlocal
goto :EOF
:parse
REM ============================================================================================================
REM Specify Permissions by Manually Adding Users with CACLS Commands and Auto Adds User Account by Folder Name:
REM ***** Edit User/Group Accounts
REM ============================================================================================================
for /f "Tokens=5*" %%c in ('echo Y^| cacls "%pf%\%user%" /T /G Administrators:F "Backup Operators":R "%dom%\%user%":%perm% "%dom%\Enterprise Admins":F "%dom%\Domain Admins":F') do @echo %%d

Open in new window

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
Check out what's been happening in the Experts Exchange community.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question