Solved

Modify File Permissions With Startup Script

Posted on 2008-10-14
Last Modified: 2012-06-22
Hi experts,

By way of a script, I need to create a couple of folders in the root of workstation C: drives, and then set the permissions so that Domain Users have Modify permissions. I need this to all happen on the first login.

I have written a startup script which successfully creates the folders, but I can't set the permissions. I am using the following to set the permissions:

objShell.Run("%COMSPEC% /c cacls C:\<FOLDERNAME> /T /E /G BUILTIN\Users:C")

It's not working though. I am assuming it's a permissions problem with the computer account not being able to set the permissions. I know I can set the file permissions using a GPO, but I need this all to be on first login, and at the time of the GPO being processed the first time around, the folders won't exist for the permissions to be set (as the script hasn't yet run) so I can't get this to work.

Does anyone have any suggestions on how I can allow the file permissions to be set during startup, immediately after they are created?

Thanks,

Question by:gcz
11 Comments
 
LVL 9

Expert Comment

by:gregcmcse
ID: 22712033
Does SYSTEM have full control to C:?

You may need to specify the full path to cacls.exe and remove the %COMSPEC% reference.  I'm not sure that startup scripts running under the system context have access to environment variables.
0
 
LVL 1

Author Comment

by:gcz
ID: 22712190
Hi,

Thanks for the quick reply. SYSTEM does have Full Control of C: and this is being inherited by its subfolders.

I changed the command to read...

objShell.Run("C:\WINDOWS\System32\cmd.exe /c cacls C:\quitsbas /T /E /G BUILTIN\Users:C")

...but this still hasn't worked unfortunately. I do not know a lot about this, but under what context do startup scripts run? Is it SYSTEM, or the computer account? (i.e. computername$).

Unfortunately I can't seem to get the command prompt window to stay on the screen long enough for me to definitely read what the error is. I've tried the cmd /k switch, and also tried adding '&& pause' to the end of the above command, but neither work.

Any ideas? Thanks.
0
 
LVL 14

Expert Comment

by:igor-1965
ID: 22713050
Quite logically, any login script runs in the context of the user who is logging in. I presume that when the folder is created, it inherits the permissions of the root (C: drive). CREATOR OWNER has Full Permissions, so it is probably critical to create the folder and set permissions in one script.
0
 
LVL 1

Author Comment

by:gcz
ID: 22713273
Hi,

The script in question is a Startup script, not a login script, so before any user has logged in.

I believe that these run under the context of SYSTEM or the AD computer account (I think depending on whether network permissions are required).

Actually, thinking about it, before I create the folders, I am mapping per-machine printer connections, so I would assume the script is operating under the AD computer account context, otherwise the mapping of printers wouldn't be possible.

I have tried granting the AD computer account full control, but this doesn't seem to make a difference.

I'm pretty stumped now, please help!

0
 
LVL 14

Expert Comment

by:igor-1965
ID: 22713480
Have you considered using Xcacls.vbs? http://support.microsoft.com/kb/825751/en-us
0

 
LVL 9

Accepted Solution

by:
gregcmcse earned 500 total points
ID: 22715335
The COMPUTERNAME$ account is how the domain sees it.  It sees itself as SYSTEM.  So, is it COMPUTERNAME$ or SYSTEM?  Yes, it's both.

You don't want to run cmd.exe -- it won't gain you anything as cacls.exe isn't an internal command.

Try:
objShell.Run("C:\WINDOWS\System32\cacls.exe C:\quitsbas /T /E /G BUILTIN\Users:C")

(That assumes the syntax of the cacls command is correct, by the way -- I assume you've run the cacls command separately to confirm correct syntax?)
0
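
The approach from the accepted answer as a fuller startup script (an added example, not code posted in the thread): it creates the folder, calls cacls.exe directly by its full path, and writes the command's output and exit code to a log file, because a startup script running as SYSTEM has no console window to read errors from. The log file name and the use of GetSpecialFolder to locate System32 and the temp folder are assumptions of this example; the folder name and cacls switches are the ones used in the thread.

```vbscript
' Added example: create the folder, grant the ACE, and log what cacls reports.
Option Explicit
Const SYSTEM_FOLDER = 1, TEMP_FOLDER = 2, FOR_APPENDING = 8

Dim fso, shell, caclsExe, logPath, logFile, folder
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Resolve System32 and the temp folder without relying on environment variables.
caclsExe = fso.BuildPath(fso.GetSpecialFolder(SYSTEM_FOLDER).Path, "cacls.exe")
' Hypothetical log file name, chosen for this example.
logPath = fso.BuildPath(fso.GetSpecialFolder(TEMP_FOLDER).Path, "folder-acl.log")
Set logFile = fso.OpenTextFile(logPath, FOR_APPENDING, True)

' Folder name taken from the thread; add further folders to the array as needed.
For Each folder In Array("C:\quitsbas")
    If Not fso.FolderExists(folder) Then fso.CreateFolder folder
    GrantChange folder, "BUILTIN\Users"
Next
logFile.Close

Sub GrantChange(path, trustee)
    Dim cmd, proc, output
    ' /T = recurse, /E = edit the existing ACL instead of replacing it,
    ' /G trustee:C = grant Change. No cmd.exe wrapper: cacls.exe is a
    ' standalone executable, so it is started directly.
    cmd = """" & caclsExe & """ """ & path & """ /T /E /G " & trustee & ":C"
    Set proc = shell.Exec(cmd)
    ' ReadAll blocks until the stream closes, i.e. until cacls has finished writing.
    output = proc.StdOut.ReadAll & proc.StdErr.ReadAll
    Do While proc.Status = 0   ' 0 = still running
        WScript.Sleep 100
    Loop
    logFile.WriteLine Now & " " & cmd
    logFile.WriteLine "exit code " & proc.ExitCode & ": " & output
End Sub
```

After the first boot, the log shows the exact command line that ran and any error text cacls produced, which is the information the flashing command window was hiding.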
 
LVL 65

Expert Comment

by:RobSampson
ID: 22715980
Hi, you can just use Group Policy (if you're in an Active Directory domain) to apply registry and file system security settings....

http://network.mpei.ac.ru/lang/rus/faqw2kxp/jsifaq/rh8724.htm

Regards,

Rob.
0
 
LVL 9

Expert Comment

by:gregcmcse
ID: 22726833
Rob -- gcz has already indicated that a GPO won't work for his needs.

gcz:  How are things going?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 22727343
>> Rob -- gcz has already indicated that a GPO won't work for his needs.

Oh yeah, sorry, my bad......

XCacls.vbs is a bit more robust than Cacls.exe, but you could also try SetACL.exe:
http://setacl.sourceforge.net/html/examples.html

or it even comes as an ActiveX, although I haven't tried that...

Regards,

Rob.
0
 
LVL 1

Author Comment

by:gcz
ID: 22729165
Hi Guys,

Thanks for the posts, and sorry for the delay in getting back - I was out of the office yesterday.

Greg - this worked a treat, thanks! I actually don't know why I was calling cmd.exe as looking at it now it's obviously not necessary. Running cacls.exe directly worked fine.

Thank you.

Tony
0
 
LVL 1

Author Closing Comment

by:gcz
ID: 31505912
Thanks for explaining the SYSTEM/COMPUTERNAME$ also...
0
