
XCACLS switch syntax to remove user and uncheck inherit

Posted on 2008-06-11
3,666 Views
Last Modified: 2010-04-21
The final step to my script is to set the proper permissions on the user's home folder. The following VBScript syntax unchecks the box "inherit permissions from parent folder" after copying the users. According to documentation with the free Microsoft script XCACLS.VBS, removing a user/group from the ACL should require the /R switch. I can't get it to remove the "Authenticated Users" group.

This syntax works at the command line:
C:\WINNT>cscript c:\winnt\xcacls.vbs \\oak\users$\TEST /I COPY /r "authenticated users"
(the command line will change "authenticated users" to "NT AUTHORITY\Authenticated Users" automatically)

This VBScript syntax does everything except remove "Authenticated Users" from the ACL:

' objFSO, strHomeFolder and strNTName are defined earlier in the enclosing Createusers.vbs script
If objFSO.FolderExists(strHomeFolder) Then
    Set objWsh = CreateObject("Wscript.Shell")
    ' A quote inside a VBScript string literal has to be doubled ("")
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r ""NT AUTHORITY\Authenticated Users"""
End If

All of this code is executed from a Windows 2000 Domain Controller.

I noticed that the /I part of the command has to complete before the /r part will work and it appears that XCACLS.vbs "removes" before it "Unchecks" the Inherit permissions box.

Brad
Question by:bstillion
13 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 21764316
Hi Brad,

Using /R "authenticated users" worked for me (on a local folder at least, I didn't test on a remote folder).

To effect the /I before /R, just run two commands:

Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    ' First command: break inheritance, copying the inherited entries (waits for completion: window style 1, bWaitOnReturn True)
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    ' Second command: remove Authenticated Users once the first has finished
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If


Also, note that I have added quotes around NT AUTHORITY\Authenticated Users, because it contains a space, so see if that makes a difference.

Regards,

Rob.
 
LVL 65

Accepted Solution

by:
RobSampson earned 250 total points
ID: 21764324
Ooops, in the second statement you can remove the /I copy bit.

Rob.
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If

 

Author Comment

by:bstillion
ID: 21764436
Rob,
That has put me on the right track. This works perfectly for everything except for the SYSTEM account that I want to add to the ACL. I used this syntax:

objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
Do you notice any reason why that wouldn't work?

Brad
 
LVL 65

Expert Comment

by:RobSampson
ID: 21764548
Hi, No, I don't see any immediate reason why that wouldn't work....

Try this, and see if you can see the output....

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Regards,

Rob.
 
LVL 65

Expert Comment

by:RobSampson
ID: 21764573
Oh wait! You need the /E switch to edit the rights, otherwise it will remove everything else!

objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G ""NT AUTHORITY\SYSTEM"":F", 1, True

Rob.
 

Author Comment

by:bstillion
ID: 21764605
Rob,
The command window opens and it shows that the permissions were applied successfully. I looked in the properties of the folder and "SYSTEM" was there and granted FULL CONTROL. I then exited the command window and the script continued.
Once completed, I checked the properties again and the SYSTEM account was no longer listed, but the Administrators group and the home folder owner were.
I might have to change the order of execution or maybe combine some statements.

Brad
 

Author Comment

by:bstillion
ID: 21764620
Rob,
I'm using this code (that was native to this Createusers.vbs script) to add the home folder owner's access which may be what is causing the problem:

' objShell is the Wscript.Shell object created earlier in Createusers.vbs;
' strNetBIOSDomain and strNTName are also set by that script
If objFSO.FolderExists(strHomeFolder) Then
    ' Assign user permission to home folder (cacls /E edits the ACL in place, /C keeps going on errors, :C = Change)
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If
 
LVL 65

Expert Comment

by:RobSampson
ID: 21765188
Hmmm, considering that bit you just posted performs an Edit with the /E switch, it should not change any existing permissions, so it doesn't seem that the order of things should change anything....

But you *could* try putting the line that adds the SYSTEM underneath the bit you just posted, and see what happens....who knows?!?

Rob.
 

Author Comment

by:bstillion
ID: 21766363
Rob,
The /E switch occurred to me in the car on the way home from work last night also!
I believe you are exactly right but have not tried it yet. I will try first thing tomorrow and let you know, but I'm pretty confident that will fix the problem.
I get a warning screen before each of the lines executes, so I checked the properties before clicking each OK and noticed that the users were being added and then taken away (which led to the /E switch). Is there a way to suppress the warning? It states something like "You are using Cscript and warning will not be echoed to the screen".

Brad
 
LVL 65

Expert Comment

by:RobSampson
ID: 21766561
Yes, you can suppress that warning.  Where you have
objWsh.run "c:\WINNT\xcacls.vbs .....

just add cscript to the front
objWsh.run "cscript c:\WINNT\xcacls.vbs .....

See how it goes.

Regards,

Rob.
 

Author Comment

by:bstillion
ID: 21768229
Rob,
Below is the syntax that works for me:
'set permissions on new home folder
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    ' Uncheck inherit permissions on home folder.
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    'remove Authenticated Users from ACL
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
    'Add SYSTEM account to ACL
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
    'Add Administrators group to ACL
    objWsh.Run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G administrators:F", 1, True
End If
I tried to insert cscript before each C:\WINNT\xcacls.vbs... but the script stopped after the first line. I will work on that in another iteration of this script; I can live with it for now.

I did have to include the following syntax to add permissions for the user to his own folder:
(this syntax is part of the original Createusers.vbs script from Microsoft)
If objFSO.FolderExists(strHomeFolder) Then
    ' Add the user permissions to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If

This script is finally ready for use. I will use it initially and now document how to create the .xls file.

Thanks for your outstanding input!
I could never have completed this project without your help.

Brad              
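The same home-folder sequence that Rob's accepted answer and Brad's final post arrive at (break inheritance keeping copies, remove Authenticated Users, then add SYSTEM, Administrators and the user without replacing the DACL), written with PowerShell's Get-Acl/Set-Acl instead of xcacls.vbs and cacls; this is an added example, not code from the thread or from Microsoft's Createusers.vbs. The share path and the DOMAIN\user value are placeholders standing in for strHomeFolder and strNetBIOSDomain\strNTName, and the two Set-Acl passes mirror Rob's advice to let the /I step finish before the /R step.

```powershell
# Added example (not from the thread or Createusers.vbs): the home-folder ACL
# sequence from the accepted answer, using Get-Acl/Set-Acl instead of xcacls.vbs.
# $HomeFolder and $UserAccount are placeholders for strHomeFolder and
# strNetBIOSDomain\strNTName in the original script.
param(
    [string]$HomeFolder  = '\\oak\Users$\TEST',   # placeholder path from the question
    [string]$UserAccount = 'DOMAIN\TEST'          # placeholder DOMAIN\user
)
$authUsers = 'NT AUTHORITY\Authenticated Users'

# Pass 1 - "/I copy": stop inheriting but keep copies of the inherited ACEs.
# Applied on its own first: the copies only become explicit (and so removable)
# once Set-Acl has written the protection flag, which is why /I had to finish
# before /R in the thread as well.
$acl = Get-Acl -Path $HomeFolder
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $HomeFolder -AclObject $acl

# Pass 2 - "/R Authenticated Users", then "/E /G ..." (add entries, never replace the DACL)
$acl = Get-Acl -Path $HomeFolder
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$authUsers)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },   # xcacls :F
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },   # xcacls :F
    @{ Id = $UserAccount;             Rights = 'Modify' }         # cacls :C (Change)
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Id, $g.Rights, $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($rule)   # AddAccessRule edits in place, the equivalent of /E
}
Set-Acl -Path $HomeFolder -AclObject $acl

# Verify the result rather than trusting the tool's "applied successfully" message
$check = Get-Acl -Path $HomeFolder
if (-not $check.AreAccessRulesProtected) {
    throw "Inheritance is still enabled on $HomeFolder"
}
if ($check.Access | Where-Object { $_.IdentityReference.Value -eq $authUsers }) {
    throw "Authenticated Users is still in the ACL of $HomeFolder"
}
$check.Access | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Run it from an account that is an administrator on the file server or holds Full Control on the share; the final table lets you confirm the resulting ACL against what Brad checked by hand in the folder properties.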
 

Author Closing Comment

by:bstillion
ID: 31466275
Rob,
Thanks again for tackling this question during your busy day!

Brad
 
LVL 65

Expert Comment

by:RobSampson
ID: 21774454
Good work Brad.  Thanks for the grade.

Regards,

Rob.
