Logon or Startup Script - Which changes a local folder's permissions

Recently a bad CRM application update was pushed, causing users to not be able to launch the application. This update cannot be rolled back.

The culprit folder was quickly discovered, and the remedy was to change the permissions on this folder to users/full control.

We used Altiris to push a VBS script which renames this folder from Cache to Cache_Old - this way when users log onto the application folder it is recreated with "file owner" permissions.

Regardless, Altiris is not yet set up correctly and only corrected 40% of the enterprise workstations.

Would there be a way to configure a .vbs script (logon or startup) that can actively change the permissions of the folder without giving the user local admin rights, or having to manually adjust each workstation?

If it helps, the path to the culprit folder is:
C:\Documents and Settings\All Users\Application Data\SalesLogix\Cache
 
I'm still very novice and a beginner in scripting and can only configure simple add printer scripts or similar - so any simplified help is greatly appreciated.


NOLA504 Asked:
Joseph Daly Commented:
How about a batch file to do it? The code below will give the users group full control of the folder.
cacls "C:\Documents and Settings\All Users\Application Data\SalesLogix\Cache" /t /e /g users:F

0
 
kg69 Commented:
Since you have to elevate privileges to make the change (which I would use SetACL for) I would recommend Kixtart. It's what I use for the logon scripts, and you can tokenize a script (meaning encrypt it).

So in short, create a kixtart script that RUNs or SHELLs the SetACL on the folder using runas type code:
Example :

;RUNAS USER;Kixtart script put together by Jason L Stenklyft;Jason@Stenklyft.com;example of using sendkeys to pass a password to runas;not recommended for production networks, due to security risks;Requirements to test this script;Create a make a user on the local box named LUser and set the password to passwordSETTITLE ("SENDKEYS ROCKS!")  ;set self window titleRUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"'  ;launch some notepad action as LUser$trash= SetFocus ("SENDKEYS ROCKS!")  ;set focus back to self$trash= SendKeys("password{ENTER}")  ;send the password and entersleep 3;wait a few for notepad to launchIf SetFocus ("Untitled - Notepad") = 0;if we can now setfocus to notepad, write some text $trash = SendKeys("Would you like to play a game?")Endif

Then once you have it working Tokenize the script by running kix32:

Kix32 myscript.kix /T

You will then get (a very lightly) encrypted script file that you can run by:

kix32 myscript.KX

www.kixtart.org
0
 
kg69Commented:
Sorry Code did not paste well
;RUNAS USER
;Kixtart script put together by Jason L Stenklyft
;Jason@Stenklyft.com
;example of using sendkeys to pass a password to runas
;not recommended for production networks, due to security risks
 
;Requirements to test this script
;Create a user on the local box named LUser and set the password to password
 
SETTITLE ("SENDKEYS ROCKS!")
;set self window title
RUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"'
;launch some notepad action as LUser
$trash= SetFocus ("SENDKEYS ROCKS!")
;set focus back to self
$trash= SendKeys("password{ENTER}")
;send the password and enter
sleep 3
;wait a few for notepad to launch
If SetFocus ("Untitled - Notepad") = 0
;if we can now setfocus to notepad, write some text
$trash = SendKeys("Would you like to play a game?")
Endif

0
 
Shift-3 Commented:
xxdcmast's method is the simplest.  Below is a way to do the same thing in vbscript.

Regardless of what type of script you use, run it as a startup script (under the group policy node Computer Configuration\Windows Settings\Scripts\Startup) rather than as a logon script.  This way it will run under the local SYSTEM account and will be able to change permissions on the folder.


Set objShell = CreateObject("WScript.Shell")
strAllUsersProfile = objShell.ExpandEnvironmentStrings("%allusersprofile%")
 
strFolder = strAllUsersProfile & "\Application Data\SalesLogix\Cache"
objShell.Run "cacls " & Chr(34) & strFolder & Chr(34) & " /T /E /C /G Users:F"

0
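A PowerShell take on the startup-script approach in the answer above, as an added example that is not part of the original post. It assumes Windows PowerShell is installed on the workstations and that the script runs as a computer startup script under SYSTEM; it addresses BUILTIN\Users by its well-known SID and re-reads the ACL to confirm the change.

```powershell
# Added example, not from the thread. Assumes it runs as a GPO computer
# startup script (SYSTEM), so no credentials are stored in the script.
$folder = Join-Path $env:ALLUSERSPROFILE 'Application Data\SalesLogix\Cache'

if (-not (Test-Path -Path $folder -PathType Container)) {
    Write-Output "Not found, nothing to change: $folder"
    exit 0
}

# BUILTIN\Users by well-known SID, so a localized group name does not matter.
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Full control matches the thread. Test whether 'Modify' is enough for the
# application: it omits the rights to change permissions and take ownership.
$rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $usersSid, $rights, $inherit, $prop, $allow)

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)        # merges with existing entries, like cacls /E
Set-Acl -Path $folder -AclObject $acl

# Re-read the ACL with SIDs instead of names and confirm the grant is present.
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = (Get-Acl -Path $folder).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq $usersSid.Value -and
        $_.AccessControlType -eq $allow -and
        (([int]$_.FileSystemRights -band [int]$rights) -eq [int]$rights)
    }

if ($granted) {
    Write-Output "Users have $rights on $folder"
    exit 0
}
Write-Error "ACL change on $folder did not take effect"
exit 1
```

The grant reaches existing files and subfolders through inheritance, so children with inheritance blocked keep their old ACL, unlike cacls /T, which edits each one.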
 
kg69 Commented:
Just a thought: it would also be good to map a drive in your logon script and have all the files needed on your domain controller's Netlogon directory.

So a batch file like:

net use x: /d /y
net use x: \\mydc\netlogon
x:
cd\
x:\kix32 myscript.KX
net use x: /d /y
0
 
kg69 Commented:
With a script that elevates privileges he could even just email a link to a batch file to kick it off without even having to have users relog.  Problem then is only exposing credentials which on a temporary basis a semi-encrypted script like this would work.
0
 
kg69 Commented:
runas btw accepts a /password parameter sorry the code did not show that. Was just a quick example I found.
0
 
kg69 Commented:

$myRUNNAS = "%COMSPEC% /e:1024 /c RUNNAS /user:Administrator /password:123test "
;# BEGIN: Add Domain Admins to Local Administrators
$myCMD = "net localgroup administrators \" + Chr(34) + "ADOMAIN\Domain Admins\" + Chr(34)+ " /ADD" + Chr(34) + " >nul 2>nul"
$myVar = $myRUNNAS + Chr(34) + $myCMD

0
 
kg69 Commented:
Then just

SHELL $myVar
0
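Because the snippets in the comments above put an account name and password into a script that every user can read from the logon share, here is an added audit example (not part of the original posts) that flags those patterns in script text. The sample lines are constructed from the thread's snippets; the function name and rule list are this example's own.

```powershell
# Constructed sample lines, modelled on the snippets posted in this thread.
$sample = @(
    'RUN ''%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"''',
    '$trash= SendKeys("password{ENTER}")',
    '$myRUNNAS = "%COMSPEC% /e:1024 /c RUNNAS /user:Administrator /password:123test "',
    'net use x: \\mydc\netlogon'
)

# Patterns for the credential-handling styles seen above (-match ignores case).
$rules = @(
    @{ Name = 'password switch on a command line';        Regex = '/password:\S+' },
    @{ Name = 'runas-style launch under a named account'; Regex = '\brunn?as\b.*/user:\S+' },
    @{ Name = 'SendKeys typing text into a prompt';       Regex = 'SendKeys\s*\(\s*["''][^"'']*\{ENTER\}' }
)

function Find-EmbeddedCredential {
    param([string[]]$Lines, [string]$Source = 'sample')
    $n = 0
    foreach ($line in $Lines) {
        $n++
        foreach ($r in $rules) {
            if ($line -match $r.Regex) {
                New-Object PSObject -Property @{
                    Source = $Source; Line = $n; Finding = $r.Name
                }
            }
        }
    }
}

# Sample run: lines 1-3 are flagged (line 3 twice), line 4 is clean.
Find-EmbeddedCredential -Lines $sample |
    Format-Table Source, Line, Finding -AutoSize

# Against a real share (path is a placeholder):
# $share = '\\mydc\netlogon'
# Get-ChildItem $share -Recurse -Include *.kix,*.bat,*.cmd,*.vbs |
#     ForEach-Object { Find-EmbeddedCredential (Get-Content $_.FullName) $_.FullName }
# Tokenized scripts are not plain text, so list them for source review instead:
# Get-ChildItem $share -Recurse -Include *.kx
```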
 
NOLA504 Author Commented:
You guys are life and time savers, thank you!!
0
Question has a verified solution.
