Solved

XCACLS switch syntax to remove user and uncheck inherit

Posted on 2008-06-11
Last Modified: 2010-04-21
The final step to my script is to set the proper permissions on the user's home folder. The following VBScript syntax unchecks the box "inherit permissions from parent folder" after copying the users. According to documentation with the free Microsoft script XCACLS.VBS, removing a user/group from the ACL should require the /R switch. I can't get it to remove the "Authenticated Users" group.

This syntax works at the command line:
C:\WINNT>cscript c:\winnt\xcacls.vbs \\oak\users$\TEST /I COPY /r "authenticated users"
(the command line will change "authenticated users" to "NT AUTHORITY\Authenticated Users" automatically)

This VBScript syntax does everything except remove "Authenticated Users" from the ACL:

If objFSO.FolderExists(strHomeFolder) Then
                set objWsh = CreateObject("Wscript.Shell")
                objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r "NT    AUTHORITY\Authenticated Users"
                End If

All of this code is executed from a Windows 2000 Domain Controller.

I noticed that the /I part of the command has to complete before the /r part will work and it appears that XCACLS.vbs "removes" before it "Unchecks" the Inherit permissions box.

Brad
0
Comment
Question by:bstillion
13 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 21764316
Hi Brad,

Using /R "authenticated users" worked for me (on a local folder at least, I didn't test on a remote folder).

To effect the /I before /R, just run two commands:

Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If


Also, note that I have added quotes around NT AUTHORITY\Authenticated Users, because it contains a space, so if that makes a difference.

Regards,

Rob.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 250 total points
ID: 21764324
Ooops, in the second statement you can remove the /I copy bit.

Rob.
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If

0
 

Author Comment

by:bstillion
ID: 21764436
Rob,
That has put me on the right track. This works perfectly for everything except for the SYSTEM account that I want to add to the ACL. I used this syntax:

objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
Do you notice any reason why that wouldn't work?

Brad
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 21764548
Hi, No, I don't see any immediate reason why that wouldn't work....

Try this, and see if you can see the output....

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Regards,

Rob.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 21764573
Oh wait! You need the /E switch to edit the rights, otherwise it will remove everything else!

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Rob.
0
 

Author Comment

by:bstillion
ID: 21764605
Rob,
The command window opens and it shows that the permissions were applied successfully. I looked in the properties of the folder and "SYSTEM" was there and granted FULL CONTROL. I then exited the command window and the script continued.
Once completed, I checked the properties again and the SYSTEM account was no longer listed but the Administrators group and the home folder owner was.
I might have to change the order of execution or maybe combine some statements.

Brad
0

 

Author Comment

by:bstillion
ID: 21764620
Rob,
I'm using this code (that was native to this Createusers.vbs script) to add the home folder owner's access which may be what is causing the problem:

If objFSO.FolderExists(strHomeFolder) Then
    ' Assign user permission to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 21765188
Hmmm, considering that bit you just posted performs an Edit with the /E switch, it should not change any existing permissions, so it doesn't seem that the order of things should change anything....

But you *could* try putting the line that adds the SYSTEM underneath the bit you just posted, and see what happens....who knows?!?

Rob.
0
 

Author Comment

by:bstillion
ID: 21766363
Rob,
The /E switch occurred to me in the car on the way home from work last night also!
I believe you are exactly right but have not tried it yet. I will try first thing tomorrow and let you know but I'm pretty confident that will fix the problem.
I get a warning screen before each of the lines executes so I checked the properties before clicking each OK and noticed that the users were being added and then taken away (which led to the /E switch.) Is there a way to suppress the warning? It states something like "You are using Cscript and warning will not be echoed to the screen".

Brad
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 21766561
Yes, you can suppress that warning.  Where you have
objWsh.run "c:\WINNT\xcacls.vbs .....

just add cscript to the front
objWsh.run "cscript c:\WINNT\xcacls.vbs .....

See how it goes.

Regards,

Rob.
0
 

Author Comment

by:bstillion
ID: 21768229
Rob,
Below is the syntax that works for me:
'set permissions on new home folder
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    ' Uncheck inherit permissions on home folder.
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    'remove Authenticated Users from ACL'
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
    'Add SYSTEM account to ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
    'Add Administrators group to ACL'
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G administrators:F", 1, True
End If
I tried to insert cscript before each C:\WINNT\xcacls.vbs... but the script stopped after the first line. I will work on that in another iteration of this script-I can live with it for now.

I did have to include the following syntax to add permissions for the user to his own folder:
(this syntax is part of the original Createusers.vbs script from Microsoft)
If objFSO.FolderExists(strHomeFolder) Then
    ' Add the user permissions to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If

This script is finally ready for use. I will use it initially and now document how to create the .xls file.

Thanks for your outstanding input!
I could never have completed this project without your help.

Brad              
0
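Added example (not part of the original thread and not code from either poster): the sequence worked out above, with each step checked and the resulting ACL verified with cacls afterwards. The helper names, the EXAMPLEDOMAIN\TEST account and the use of WshShell.Exec (WSH 5.6 or later) are assumptions; the xcacls.vbs path and switches are the ones quoted in the thread, except that /E is used on every grant so the order of the grants does not matter.

```vbscript
Option Explicit
' Added example. Helper names and the sample values at the bottom are
' hypothetical; the xcacls.vbs path and switches are those quoted in the thread.
Const XCACLS_VBS = "c:\WINNT\xcacls.vbs"
Dim objWsh : Set objWsh = CreateObject("WScript.Shell")

' Double-quote a value so names with spaces stay one argument.
Function Q(strValue)
    Q = Chr(34) & strValue & Chr(34)
End Function

' Run a command hidden, wait for it to finish, and report success.
' Assumption: the tool returns a non-zero exit code when it fails.
Function RunCmd(strCmd)
    RunCmd = False
    If objWsh.Run(strCmd, 0, True) <> 0 Then
        WScript.Echo "Failed: " & strCmd
        Exit Function
    End If
    RunCmd = True
End Function

Function RunXcacls(strFolder, strSwitches)
    RunXcacls = RunCmd("cscript //nologo " & XCACLS_VBS & " " & Q(strFolder) & " " & strSwitches)
End Function

' True when the folder's ACL, as listed by cacls, names the account.
Function AclMentions(strFolder, strAccount)
    Dim strAcl
    strAcl = objWsh.Exec("cacls " & Q(strFolder)).StdOut.ReadAll
    AclMentions = (InStr(1, strAcl, strAccount, vbTextCompare) > 0)
End Function

Function SecureHomeFolder(strFolder, strDomainUser)
    SecureHomeFolder = False
    ' Each step waits for the previous one: /I copy must finish before /r.
    If Not RunXcacls(strFolder, "/I copy") Then Exit Function
    If Not RunXcacls(strFolder, "/r " & Q("NT AUTHORITY\Authenticated Users")) Then Exit Function
    ' /E edits the ACL; /G without it replaces every existing entry.
    If Not RunXcacls(strFolder, "/E /G " & Q("NT AUTHORITY\SYSTEM") & ":F") Then Exit Function
    If Not RunXcacls(strFolder, "/E /G administrators:F") Then Exit Function
    If Not RunCmd("%COMSPEC% /c Echo Y| cacls " & Q(strFolder) & " /E /C /G " & strDomainUser & ":C") Then Exit Function
    ' Verify the result instead of trusting exit codes alone.
    SecureHomeFolder = Not AclMentions(strFolder, "Authenticated Users") _
        And AclMentions(strFolder, "NT AUTHORITY\SYSTEM")
End Function

If SecureHomeFolder("\\oak\Users$\TEST", "EXAMPLEDOMAIN\TEST") Then
    WScript.Echo "ACL set as intended"
Else
    WScript.Echo "ACL needs manual review"
End If
```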
 

Author Closing Comment

by:bstillion
ID: 31466275
Rob,
Thanks again for tackling this question during your busy day!

Brad
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 21774454
Good work Brad.  Thanks for the grade.

Regards,

Rob.
0
