bstillion
asked on
XCACLS switch syntax to remove user and uncheck inherit
The final step to my script is to set the proper permissions on the user's home folder. The following VBScript syntax unchecks the box "inherit permissions from parent folder" after copying the users. According to documentation with the free Microsoft script XCACLS.VBS, removing a user/group from the ACL should require the /R switch. I can't get it to remove the "Authenticated Users" group.
This syntax works at the command line:
C:\WINNT>cscript c:\winnt\xcacls.vbs \\oak\users$\TEST /I COPY /r "authenticated users"
(the command line will change "authenticated users" to "NT AUTHORITY\Authenticated Users" automatically)
This VBScript syntax does everything except remove "Authenticated Users" from the ACL:
If objFSO.FolderExists(strHomeFolder) Then
    set objWsh = CreateObject("Wscript.Shell")
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r "NT AUTHORITY\Authenticated Users"
End If
All of this code is executed from a Windows 2000 Domain Controller.
I noticed that the /I part of the command has to complete before the /r part will work and it appears that XCACLS.vbs "removes" before it "Unchecks" the Inherit permissions box.
Brad
ASKER
Rob,
That has put me on the right track. This works perfectly for everything except for the SYSTEM account that I want to add to the ACL. I used this syntax:
objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
Do you notice any reason why that wouldn't work?
Brad
Hi, No, I don't see any immediate reason why that wouldn't work....
Try this, and see if you can see the output....
objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
Regards,
Rob.
Oh wait! You need the /E switch to edit the rights, otherwise it will remove everything else!
objWsh.run "cmd /k cscript c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G ""NT AUTHORITY\SYSTEM"":F", 1, True
Rob.
ASKER
Rob,
The command window opens and it shows that the permissions were applied successfully. I looked in the properties of the folder and "SYSTEM" was there and granted FULL CONTROL. I then exited the command window and the script continued.
Once completed, I checked the properties again and the SYSTEM account was no longer listed but the Administrators group and the home folder owner were.
I might have to change the order of execution or maybe combine some statements.
Brad
ASKER
Rob,
I'm using this code (that was native to this Createusers.vbs script) to add the home folder owner's access which may be what is causing the problem:
If objFSO.FolderExists(strHomeFolder) Then
    ' Assign user permission to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If
Hmmm, considering that bit you just posted performs an Edit with the /E switch, it should not change any existing permissions, so it doesn't seem that the order of things should change anything....
But you *could* try putting the line that adds the SYSTEM underneath the bit you just posted, and see what happens....who knows?!?
Rob.
ASKER
Rob,
The /E switch occurred to me in the car on the way home from work last night also!
I believe you are exactly right but have not tried it yet. I will try first thing tomorrow and let you know but I'm pretty confident that will fix the problem.
I get a warning screen before each of the lines executes, so I checked the properties before clicking each OK and noticed that the users were being added and then taken away (which led to the /E switch). Is there a way to suppress the warning? It states something like "You are using Cscript and warning will not be echoed to the screen".
Brad
Yes, you can suppress that warning. Where you have
objWsh.run "c:\WINNT\xcacls.vbs .....
just add cscript to the front
objWsh.run "cscript c:\WINNT\xcacls.vbs .....
See how it goes.
Regards,
Rob.
ASKER
Rob,
Below is the syntax that works for me:
'set permissions on new home folder
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    ' Uncheck inherit permissions on home folder.
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    'remove Authenticated Users from ACL'
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /r ""NT AUTHORITY\Authenticated Users""", 1, True
    'Add SYSTEM account to ACL
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /G ""NT AUTHORITY\SYSTEM"":F", 1, True
    'Add Administrators group to ACL'
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /E /G administrators:F", 1, True
End If
I tried to insert cscript before each C:\WINNT\xcacls.vbs... but the script stopped after the first line. I will work on that in another iteration of this script; I can live with it for now.
I did have to include the following syntax to add permissions for the user to his own folder:
(this syntax is part of the original Createusers.vbs script from Microsoft)
If objFSO.FolderExists(strHomeFolder) Then
    ' Add the user permissions to home folder.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
        & strHomeFolder & " /E /C /G " & strNetBIOSDomain _
        & "\" & strNTName & ":C", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strNTName & " to home folder " & strHomeFolder
    End If
End If
This script is finally ready for use. I will use it initially and now document how to create the .xls file.
Thanks for your outstanding input!
I could never have completed this project without your help.
Brad
ASKER
Rob,
Thanks again for tackling this question during your busy day!
Brad
Good work Brad. Thanks for the grade.
Regards,
Rob.
Using /R "authenticated users" worked for me (on a local folder at least, I didn't test on a remote folder).
To effect the /I before /R, just run two commands:
Set objWsh = CreateObject("Wscript.Shell")
If objFSO.FolderExists(strHomeFolder) Then
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy", 1, True
    objWsh.run "c:\WINNT\xcacls.vbs \\oak\Users$\" & strNTName & " /I copy /r ""NT AUTHORITY\Authenticated Users""", 1, True
End If
Also, note that I have added quotes around NT AUTHORITY\Authenticated Users, because it contains a space, so see if that makes a difference.
Regards,
Rob.
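The quoting and ordering points from this thread, collected into one added example that is not part of either poster's script. Quote, XcaclsCommand and DRY_RUN are hypothetical names, the folder is the sample path from the question, and treating a non-zero exit code as failure is an assumption about xcacls.vbs.

```vbscript
Option Explicit

Const DRY_RUN = True   ' True: only print the command lines; False: run them

' Wrap a value in double quotes so a name containing spaces reaches
' xcacls.vbs as one argument. Chr(34) avoids hand-doubling "" in literals,
' which is where the original /r line in the question went wrong.
Function Quote(strValue)
    Quote = Chr(34) & strValue & Chr(34)
End Function

' Build one command line. Prefixing cscript follows the suggestion in the
' thread; //nologo suppresses the script host banner.
Function XcaclsCommand(strFolder, strSwitches)
    XcaclsCommand = "cscript //nologo c:\WINNT\xcacls.vbs " _
        & Quote(strFolder) & " " & strSwitches
End Function

Dim objWsh, arrSteps, strStep, strCommand, strHomeFolder, intResult

strHomeFolder = "\\oak\Users$\TEST"   ' sample folder from the question

' One change per command so each finishes before the next starts:
' stop inheriting, remove the group, then grant with /E so that the
' existing entries are edited rather than replaced.
arrSteps = Array( _
    "/I COPY", _
    "/R " & Quote("NT AUTHORITY\Authenticated Users"), _
    "/E /G " & Quote("NT AUTHORITY\SYSTEM") & ":F", _
    "/E /G administrators:F")

Set objWsh = CreateObject("WScript.Shell")

For Each strStep In arrSteps
    strCommand = XcaclsCommand(strHomeFolder, strStep)
    If DRY_RUN Then
        WScript.Echo strCommand
    Else
        ' bWaitOnReturn = True makes Run block and return the exit code.
        intResult = objWsh.Run(strCommand, 1, True)
        If intResult <> 0 Then   ' assumption: non-zero means the step failed
            WScript.Echo "Exit code " & intResult & " from: " & strCommand
            Exit For
        End If
    End If
Next
```

With DRY_RUN left at True the script only echoes the four command lines, so the quoting can be checked before any ACL is touched.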