bstillion

XCACLS switch syntax to remove user and uncheck inherit

The final step to my script is to set the proper permissions on the user's home folder. The following VBScript syntax unchecks the box "inherit permissions from parent folder" after copying the users. According to documentation with the free Microsoft script XCACLS.VBS, removing a user/group from the ACL should require the /R switch. I can't get it to remove the "Authenticated Users" group.

This syntax works at the command line:
C:\WINNT>cscript c:\winnt\xcacls.vbs \\oak\users$\TEST /I COPY /r "authenticated users"
(the command line will change "authenticated users" to "NT AUTHORITY\Authenticated Users" automatically)

This VBScript syntax does everything except remove "Authenticated Users" from the ACL:

If objFSO.FolderExists(strHomeFolder) Then
    Set objWsh = CreateObject("Wscript.Shell")
    ' Doubled quotes are how a literal " is written inside a VBScript string
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r ""NT AUTHORITY\Authenticated Users"""
End If

All of this code is executed from a Windows 2000 Domain Controller.

I noticed that the /I part of the command has to complete before the /r part will work and it appears that XCACLS.vbs "removes" before it "Unchecks" the Inherit permissions box.

Brad
RobSampson

Hi Brad,

Using /R "authenticated users" worked for me (on a local folder at least, I didn't test on a remote folder).

To effect the /I before /R, just run two commands:

Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    ' First call: stop inheriting, copying the inherited entries (waits for completion)
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    ' Second call: now remove Authenticated Users
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If


Also, note that I have added quotes around NT AUTHORITY\Authenticated Users, because it contains a space, to see if that makes a difference.

Regards,

Rob.
bstillion (asker)

Rob,
That has put me on the right track. This works perfectly for everything except for the SYSTEM account that I want to add to the ACL. I used this syntax:

objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
Do you notice any reason why that wouldn't work?

Brad
Hi, No, I don't see any immediate reason why that wouldn't work....

Try this, and see if you can see the output....

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Regards,

Rob.
Oh wait! You need the /E switch to edit the rights, otherwise it will remove everything else!

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Rob.
Rob,
The command window opens and it shows that the permissions were applied successfully. I looked in the properties of the folder and "SYSTEM" was there and granted FULL CONTROL. I then exited the command window and the script continued.
Once completed, I checked the properties again and the SYSTEM account was no longer listed but the Administrators group and the home folder owner was.
I might have to change the order of execution or maybe combine some statements.

Brad
Rob,
I'm using this code (that was native to this Createusers.vbs script) to add the home folder owner's access which may be what is causing the problem:

If objFSO.FolderExists(strHomeFolder) Then
    ' Assign user permission to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If
Hmmm, considering that bit you just posted performs an Edit with the /E switch, it should not change any existing permissions, so it doesn't seem that the order of things should change anything....

But you *could* try putting the line that adds the SYSTEM underneath the bit you just posted, and see what happens....who knows?!?

Rob.
Rob,
The /E switch occurred to me in the car on the way home from work last night also!
I believe you are exactly right but have not tried it yet. I will try first thing tomorrow and let you know, but I'm pretty confident that will fix the problem.
I get a warning screen before each of the lines executes, so I checked the properties before clicking each OK and noticed that the users were being added and then taken away (which led to the /E switch). Is there a way to suppress the warning? It states something like "You are using Cscript and warning will not be echoed to the screen".

Brad
Yes, you can suppress that warning.  Where you have
objWsh.run "c:\WINNT\xcacls.vbs .....

just add cscript to the front
objWsh.run "cscript c:\WINNT\xcacls.vbs .....

See how it goes.

Regards,

Rob.
Rob,
Below is the syntax that works for me:
' Set permissions on new home folder
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    ' Uncheck inherit permissions on home folder.
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    ' Remove Authenticated Users from ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
    ' Add SYSTEM account to ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
    ' Add Administrators group to ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G administrators:F", 1, True
End If
I tried to insert cscript before each C:\WINNT\xcacls.vbs... but the script stopped after the first line. I will work on that in another iteration of this script; I can live with it for now.

I did have to include the following syntax to add permissions for the user to his own folder:
(this syntax is part of the original Createusers.vbs script from Microsoft)
If objFSO.FolderExists(strHomeFolder) Then
    ' Add the user permissions to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If

This script is finally ready for use. I will use it initially and now document how to create the .xls file.

Thanks for your outstanding input!
I could never have completed this project without your help.

Brad
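The same sequence wrapped in a helper, added here as an example that is not part of the thread or of Microsoft's Createusers.vbs. It runs each xcacls.vbs step under cscript as its own waited-on process (so /I copy finishes before /R, and no WScript popup appears), uses /E on every later call so the ACL is edited rather than replaced, and stops on the first non-zero exit code; the xcacls.vbs path, share path and sample user are assumptions.

```vbscript
' Added example, not code from the thread or from Microsoft's Createusers.vbs.
' Each xcacls.vbs step runs as its own cscript process and is waited on, so
' /I copy has finished before /R runs, and every later call uses /E so it
' edits the ACL instead of replacing it. The xcacls.vbs path, share path and
' the sample user below are assumptions.
Option Explicit

Const XCACLS_PATH = "c:\WINNT\xcacls.vbs"

' Run one xcacls.vbs invocation under cscript (no WScript popup; //Nologo
' drops the banner) and return its exit code. The folder is quoted so names
' with spaces survive the command line.
Function RunXcacls(strFolder, strSwitches)
    Dim objWsh, strCmd
    Set objWsh = CreateObject("WScript.Shell")
    strCmd = "cscript //Nologo """ & XCACLS_PATH & """ """ & strFolder & """ " & strSwitches
    ' window style 0 = hidden, bWaitOnReturn = True so the next step sees the finished ACL
    RunXcacls = objWsh.Run(strCmd, 0, True)
End Function

' Apply the home-folder ACL in the order the thread settled on and return ""
' on success, or the failing step and its exit code (a non-zero exit code is
' treated as failure; that xcacls.vbs reports one is an assumption).
Function SetHomeFolderAcl(strHomeFolder, strNetBIOSDomain, strNTName)
    Dim aSteps, i, intRC
    aSteps = Array( _
        "/I copy", _
        "/E /R ""NT AUTHORITY\Authenticated Users""", _
        "/E /G ""NT AUTHORITY\SYSTEM"":F", _
        "/E /G Administrators:F", _
        "/E /G """ & strNetBIOSDomain & "\" & strNTName & """:C")
    SetHomeFolderAcl = ""
    For i = 0 To UBound(aSteps)
        intRC = RunXcacls(strHomeFolder, aSteps(i))
        If intRC <> 0 Then
            SetHomeFolderAcl = "xcacls.vbs exit code " & intRC & " at step: " & aSteps(i)
            Exit Function
        End If
    Next
End Function

' Sample values (constructed): in Createusers.vbs these come from the .xls row.
Dim strNTName, strNetBIOSDomain, strResult
strNTName = "jdoe"
strNetBIOSDomain = "OAKDOM"
strResult = SetHomeFolderAcl("\\oak\Users$\" & strNTName, strNetBIOSDomain, strNTName)
If strResult <> "" Then WScript.Echo strResult
```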
Rob,
Thanks again for tackling this question during your busy day!

Brad
Good work Brad.  Thanks for the grade.

Regards,

Rob.