
XCACLS switch syntax to remove user and uncheck inherit

The final step to my script is to set the proper permissions on the user's home folder. The following VBScript syntax unchecks the box "inherit permissions from parent folder" after copying the users. According to documentation with the free Microsoft script XCACLS.VBS, removing a user/group from the ACL should require the /R switch. I can't get it to remove the "Authenticated Users" group.

This syntax works at the command line:
C:\WINNT>cscript c:\winnt\xcacls.vbs \\oak\users$\TEST /I COPY /r "authenticated users"
(the command line will change "authenticated users" to "NT AUTHORITY\Authenticated Users" automatically)

This VBScript syntax does everything except remove "Authenticated Users" from the ACL:

If objFSO.FolderExists(strHomeFolder) Then
                set objWsh = CreateObject("Wscript.Shell")
                objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r "NT    AUTHORITY\Authenticated Users"
                End If

All of this code is executed from a Windows 2000 Domain Controller.

I noticed that the /I part of the command has to complete before the /r part will work and it appears that XCACLS.vbs "removes" before it "Unchecks" the Inherit permissions box.

Brad
 
RobSampson Commented:
Hi Brad,

Using /R "authenticated users" worked for me (on a local folder at least, I didn't test on a remote folder).

To effect the /I before /R, just run two commands:

Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If


Also, note that I have added quotes around NT AUTHORITY\Authenticated Users, because it contains a space, so if that makes a difference.

Regards,

Rob.
 
RobSampson Commented:
Oops, in the second statement you can remove the /I copy bit.

Rob.
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
                objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
                objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If

 
bstillion (Author) Commented:
Rob,
That has put me on the right track. This works perfectly for everything except for the SYSTEM account that I want to add to the ACL. I used this syntax:

objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
Do you notice any reason why that wouldn't work?

Brad
 
RobSampson Commented:
Hi, No, I don't see any immediate reason why that wouldn't work....

Try this, and see if you can see the output....

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Regards,

Rob.
 
RobSampson Commented:
Oh wait! You need the /E switch to edit the rights, otherwise it will remove everything else!

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Rob.
 
bstillion (Author) Commented:
Rob,
The command window opens and it shows that the permissions were applied successfully. I looked in the properties of the folder and "SYSTEM" was there and granted FULL CONTROL. I then exited the command window and the script continued.
Once completed, I checked the properties again and the SYSTEM account was no longer listed but the Administrators group and the home folder owner was.
I might have to change the order of execution or maybe combine some statements.

Brad
 
bstillion (Author) Commented:
Rob,
I'm using this code (that was native to this Createusers.vbs script) to add the home folder owner's access which may be what is causing the problem:

If objFSO.FolderExists(strHomeFolder) Then
    ' Assign user permission to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If
 
RobSampson Commented:
Hmmm, considering that bit you just posted performs an Edit with the /E switch, it should not change any existing permissions, so it doesn't seem that the order of things should change anything....

But you *could* try putting the line that adds the SYSTEM underneath the bit you just posted, and see what happens....who knows?!?

Rob.
 
bstillion (Author) Commented:
Rob,
The /E switch occurred to me in the car on the way home from work last night also!
I believe you are exactly right but have not tried it yet. I will try first thing tomorrow and let you know but I'm pretty confident that will fix the problem.
I get a warning screen before each of the lines executes so I checked the properties before clicking each OK and noticed that the users were being added and then taken away (which led to the /E switch). Is there a way to suppress the warning? It states something like "You are using Cscript and warning will not be echoed to the screen".

Brad
 
RobSampson Commented:
Yes, you can suppress that warning.  Where you have
objWsh.run "c:\WINNT\xcacls.vbs .....

just add cscript to the front
objWsh.run "cscript c:\WINNT\xcacls.vbs .....

See how it goes.

Regards,

Rob.
 
bstillion (Author) Commented:
Rob,
Below is the syntax that works for me:

' Set permissions on new home folder
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    ' Uncheck inherit permissions on home folder.
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    ' Remove Authenticated Users from ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
    ' Add SYSTEM account to ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
    ' Add Administrators group to ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G administrators:F", 1, True
End If

I tried to insert cscript before each C:\WINNT\xcacls.vbs... but the script stopped after the first line. I will work on that in another iteration of this script - I can live with it for now.

I did have to include the following syntax to add permissions for the user to his own folder:
(this syntax is part of the original Createusers.vbs script from Microsoft)
If objFSO.FolderExists(strHomeFolder) Then
    ' Add the user permissions to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If

This script is finally ready for use. I will use it initially and now document how to create the .xls file.

Thanks for your outstanding input!
I could never have completed this project without your help.

Brad              
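
Added example, not part of the thread and not taken from Createusers.vbs or XCACLS.vbs: in the posts above the resulting ACL was checked by opening the folder's properties by hand after each step, and the VBScript below makes the same check by reading the output of cacls. The function names, the sample owner MYDOMAIN\TEST and the use of WshShell.Exec (which assumes WSH 5.6 or later is installed) are assumptions.

```vbscript
Option Explicit

' Added example: verify a home folder ACL after the xcacls.vbs steps have run.
' Assumes cacls.exe is on the PATH and WSH 5.6+ (WshShell.Exec) is installed.

' Return everything "cacls <path>" prints (one ACL entry per line).
Function GetAclText(strPath)
    Dim objShell, objExec
    Set objShell = CreateObject("WScript.Shell")
    Set objExec = objShell.Exec("cacls """ & strPath & """")
    GetAclText = objExec.StdOut.ReadAll()
End Function

' True if the account name appears anywhere in the ACL listing.
' Name match only: it does not check which rights the entry grants.
Function AclHas(strAclText, strAccount)
    AclHas = (InStr(1, strAclText, strAccount, vbTextCompare) > 0)
End Function

' Return a list of problems, or an empty string when the ACL looks as intended.
Function CheckHomeFolderAcl(strPath, strOwner)
    Dim strAcl, strProblems, strAccount
    strAcl = GetAclText(strPath)
    strProblems = ""
    If AclHas(strAcl, "NT AUTHORITY\Authenticated Users") Then
        strProblems = strProblems & "Authenticated Users still present" & vbCrLf
    End If
    For Each strAccount In Array("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", strOwner)
        If Not AclHas(strAcl, strAccount) Then
            strProblems = strProblems & strAccount & " missing" & vbCrLf
        End If
    Next
    CheckHomeFolderAcl = strProblems
End Function

' Constructed sample values; replace with the script's own variables.
Dim strResult
strResult = CheckHomeFolderAcl("\\oak\Users$\TEST", "MYDOMAIN\TEST")
If strResult = "" Then
    WScript.Echo "ACL OK"
Else
    WScript.Echo "ACL problems:" & vbCrLf & strResult
End If
```

Calling the check after the last permission command in the user-creation loop reports a folder where a later replace-mode grant (one run without /E) has dropped an entry added earlier.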
 
bstillion (Author) Commented:
Rob,
Thanks again for tackling this question during your busy day!

Brad
 
RobSampson Commented:
Good work Brad.  Thanks for the grade.

Regards,

Rob.