Solved

Changing permissions for user drives with a VB Script using xcacls and icacls

Posted on 2008-10-21
4
1,485 Views
Last Modified: 2012-05-05
I am current trying to change the permissions on a set of folders in a subfolder with a vb script.
Each folder in the sub-folder "redirect" is named with the username of the user that requires access to it
That user is also owner of the folder.
When i try to change the owner of the folder to Administrators I am getting permission denied errors. I have tried using subinacl, xcalcs and icalcs all with the same result.
Is there something i am doing wrong  or is it not possible to change ownership of a folder without having permission to it first?
My script is attached.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = Wscript.CreateObject("Wscript.Shell")
Set objFolder = objFSO.GetFolder("E:\redirect")
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder in colSubfolders
    WshShell.Run "cmd icacls E:\" & objFolder.name & "\" & objSubfolder.Name & " /setowner DOMAINNAME\Administrators /T /C"
Next
 
    Wscript.Echo "Administrators now Owner"
 
Set objFolder = objFSO.GetFolder("E:\redirect")
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder in colSubfolders
 
    WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G Administrators:f"
    WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G " & objSubfolder.Name &":f"
    WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G SYSTEM:f"
Next
 
    Wscript.Echo "Permissions Set"
 
Set objFolder = objFSO.GetFolder("E:\redirect")
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder in colSubfolders
    WshShell.Run "icacls E:\" & objFolder.name & "\" & objSubfolder.Name & " /setowner DOMAINNAME\" & objSubFolder.Name & " /T /C"
Next
 
    Wscript.Echo "Users now Owner"

Open in new window

0
Comment
Question by:jeremypemberton
  • 2
  • 2
4 Comments
 
LVL 14

Accepted Solution

by:
igor-1965 earned 500 total points
ID: 22765847
Somehow it seems too overcomplicated. Why you would like to change ownership of the users subfolders?

I presume that E:\Redirect folder is a shared folder on a server. Set Share Permissions for this folder as Administrators have Full Access and the Users have Change Permission.

Then in NTFS Security Permissions set this folder Administrators and System have Full permissions and Users have Read & Execute (and all below in the list) permissions.

Note that if in xcacls.vbs you use /E parameter it edits ACL (not replacing it). But you would probably want to replace these permission so don't use /E parameter.

Then for each user subfolder:

1. Break the inheritance by running WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /I REMOVE"

2.  Grant Administrators and System Full Permissions (both for files and subfolders:

WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G Administrators:f;f"
WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G SYSTEM:f;f"

3. For the user of the folder grant Modify permissions (for both files and subdirectories):
WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G " & objSubfolder.Name &":M;M"

I think it should work. Let me know.

0
 
LVL 14

Expert Comment

by:igor-1965
ID: 22765853
Sorry - in steps 1 - 3 I forgot to remove /E parameter. Please do.

0
 

Author Comment

by:jeremypemberton
ID: 22766079
The folders below E:/redirects are are not inheriting permissions from the folder above, which is why I am unable to change the permissions, I have tested your solution and I am still getting the permission denied error.

**************************************************************************
Directory: E:\redirecttest\*******
Error -2147217406:  occurred setting Win32_LogicalFileSecuritySetting object. (M
sg#501)
Error description: Not found
**************************************************************************
Error 70:  occurred while in the DoTheWorkOnEverythingUnderDirectory routine. (M
sg#204)
Error description: Permission denied


As the current owner of the folder isnt the administrator account I was under the impression that the only way to change the permissions on the folder was change the owner to the administrator, change the permissions, and then change the owner back to the user.
Is this not the case?
0
 

Author Comment

by:jeremypemberton
ID: 22766283
Ok i have done it i think...
I have set the administrator to owner for all the subfolders in redirect then set the permissions you said to propagate to all subfolders also

Without the /E in the xcacls statement it was only setting the permissions for one user (i.e. replacing the other permissions)
So I've put each permission statement in a separate for to make sure the permissions for each folder are set before the next one starts.
Then set the owner back to the user with icacls.
Ive put the code below
Cheers for your help!


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = Wscript.CreateObject("Wscript.Shell")
Set objFolder = objFSO.GetFolder("E:\redirecttest")
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder in colSubfolders
    WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /I REMOVE"
Next
    Wscript.Echo "Inheritance Removed"
 
For Each objSubfolder in colSubfolders
    WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /G 
 
Administrators:f;f"
Next
    Wscript.Echo "Admin Permissions Set"
 
 
For Each objSubfolder in colSubfolders
    WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G 
 
SYSTEM:f;f"
Next
    Wscript.Echo "System Permissions Set"
 
For Each objSubfolder in colSubfolders
    WshShell.Run "cscript xcacls.vbs E:" & objFolder.name & "\" & objSubfolder.Name & " /T /E /G 
 
CADOGAN\" & objSubfolder.Name &":M;M"
Next
    Wscript.Echo "User Permissions Set"
 
For Each objSubfolder in colSubfolders
    WshShell.Run "icacls E:\" & objFolder.name & "\" & objSubfolder.Name & " /setowner CADOGAN\" & 
 
objSubFolder.Name & " /T /C"
Next
 
    Wscript.Echo "Users now Owner"

Open in new window

0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Big Problem with Redirected Folder 8 44
ESXi VM of Server 2003 Saving Slow. 7 60
Passing Credentials into a command line 13 35
Windows Services - Run a Program Grey Out 3 24
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Deploying a Microsoft Access application in a Citrix environment is not difficult but takes a few steps. However, Citrix system people are often of little help, as they typically know next to nothing about Access. The script provided here will take …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question