Logon or Startup Script - Which changes a local folder's permissions

Recently a bad CRM application update was pushed, causing users to not be able to launch the application. This update cannot be rolled back.

The culprit folder was quickly discovered, and the remedy was to change the permissions on this folder to users/full control.

We used Altiris to push a VBS script which renames this folder from Cache to Cache_Old - this way when users log onto the application folder it is recreated with "file owner" permissions.

Regardless, Altiris is not yet set up correctly and only corrected 40% of the enterprise workstations.

Would there be a way to configure a .vbs script (logon or startup) that can actively change the permissions of the folder without giving the user local admin rights, or having to manually adjust each workstation?

If it helps, the path to the culprit folder is:
C:\Documents and Settings\All Users\Application Data\SalesLogix\Cache
 
I'm still very novice and a beginner in scripting and can only configure simple add printer scripts or similar - so any simplified help is greatly appreciated.


NOLA504 Asked:

Joseph Daly Commented:
How about a batch file to do it? The code below will give the users group full control of the folder.
cacls "C:\Documents and Settings\All Users\Application Data\SalesLogix\Cache" /t /e /g users:F

0

kg69 Commented:
Since you have to elevate privileges to make the change (which I would use SetACL for), I would recommend Kixtart. It's what I use for the logon scripts, and you can tokenize a script (meaning encrypt it).

So in short, create a Kixtart script that RUNs or SHELLs the SetACL on the folder using runas-type code:
Example:

;RUNAS USER
;Kixtart script put together by Jason L Stenklyft
;Jason@Stenklyft.com
;example of using sendkeys to pass a password to runas
;not recommended for production networks, due to security risks

;Requirements to test this script
;Create a make a user on the local box named LUser and set the password to password

SETTITLE ("SENDKEYS ROCKS!")  ;set self window title
RUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"'  ;launch some notepad action as LUser
$trash= SetFocus ("SENDKEYS ROCKS!")  ;set focus back to self
$trash= SendKeys("password{ENTER}")  ;send the password and enter
sleep 3  ;wait a few for notepad to launch
If SetFocus ("Untitled - Notepad") = 0  ;if we can now setfocus to notepad, write some text
 $trash = SendKeys("Would you like to play a game?")
Endif

Then once you have it working Tokenize the script by running kix32:

Kix32 myscript.kix /T

You will then get (a very lightly) encrypted script file that you can run by:

kix32 myscript.KX

www.kixtart.org
0
kg69 Commented:
Sorry, code did not paste well
;RUNAS USER
;Kixtart script put together by Jason L Stenklyft
;Jason@Stenklyft.com
;example of using sendkeys to pass a password to runas
;not recommended for production networks, due to security risks
 
;Requirements to test this script
;Create a make a user on the local box named LUser and set the password to password
 
SETTITLE ("SENDKEYS ROCKS!")
;set self window title
RUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"'
;launch some notepad action as LUser
$trash= SetFocus ("SENDKEYS ROCKS!")
;set focus back to self
$trash= SendKeys("password{ENTER}")
;send the password and enter
sleep 3
;wait a few for notepad to launch
If SetFocus ("Untitled - Notepad") = 0
;if we can now setfocus to notepad, write some text
$trash = SendKeys("Would you like to play a game?")
Endif

0
Shift-3 Commented:
xxdcmast's method is the simplest.  Below is a way to do the same thing in vbscript.

Regardless of what type of script you use, run it as a startup script (under the group policy node Computer Configuration\Windows Settings\Scripts\Startup) rather than as a logon script.  This way it will run under the local SYSTEM account and will be able to change permissions on the folder.


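Set objShell = CreateObject("WScript.Shell")
' Resolve the All Users profile path instead of hard-coding the drive letter
strAllUsersProfile = objShell.ExpandEnvironmentStrings("%allusersprofile%")
 
strFolder = strAllUsersProfile & "\Application Data\SalesLogix\Cache"
' /T = include subfolders, /E = edit the existing ACL, /C = continue on errors, /G = grant
objShell.Run "cacls " & Chr(34) & strFolder & Chr(34) & " /T /E /C /G Users:F"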

0
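Shift-3's startup-script approach, written out as an added example (not code posted in the thread): it runs as SYSTEM so no password is stored in any script, skips machines that are already fixed, and records the outcome in the Application event log. `RIGHT_TO_GRANT` and `UsersHaveRight` are hypothetical names, and the check assumes English `cacls` output in which the group is listed as `...\Users:`.

```vbscript
Option Explicit
' Added example, not from the thread. Deploy as a computer startup script
' (runs as SYSTEM), so no administrator credentials live in the script.
' F = Full control, as used in the thread. C (Change) is a narrower right;
' whether the application works with it is an untested assumption.
Const RIGHT_TO_GRANT = "F"
Const EVT_ERROR = 1, EVT_INFO = 4

Dim objShell, objFSO, strFolder, intRC
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strFolder = objShell.ExpandEnvironmentStrings("%allusersprofile%") & _
            "\Application Data\SalesLogix\Cache"

' Nothing to do if the application is absent or the folder was renamed
If Not objFSO.FolderExists(strFolder) Then WScript.Quit 0

' Already corrected on an earlier boot: leave the ACL alone
If UsersHaveRight(strFolder) Then WScript.Quit 0

' 0 = hidden window, True = wait so the exit code can be checked
intRC = objShell.Run("cacls " & Chr(34) & strFolder & Chr(34) & _
        " /T /E /C /G Users:" & RIGHT_TO_GRANT, 0, True)

If intRC = 0 And UsersHaveRight(strFolder) Then
    objShell.LogEvent EVT_INFO, "Granted Users:" & RIGHT_TO_GRANT & " on " & strFolder
Else
    objShell.LogEvent EVT_ERROR, "cacls failed (exit code " & intRC & ") on " & strFolder
End If

' Returns True when cacls lists a Users entry ending in the expected right.
' Assumes output lines of the form "BUILTIN\Users:(OI)(CI)F".
Function UsersHaveRight(strPath)
    Dim objExec, strOut, objRe
    Set objExec = objShell.Exec("cacls " & Chr(34) & strPath & Chr(34))
    strOut = objExec.StdOut.ReadAll
    Set objRe = New RegExp
    objRe.Multiline = True
    objRe.IgnoreCase = True
    objRe.Pattern = "\\Users:(\([A-Z]+\))*" & RIGHT_TO_GRANT & "\s*$"
    UsersHaveRight = objRe.Test(strOut)
End Function
```

Once the event log shows the fix on all workstations, the script can be removed from the Startup node.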
kg69 Commented:
Just a thought: it would also be good to map a drive in your logon script and have all the files needed on your domain controller's Netlogon directory.

So a batch file like:

net use x: /d /y
net use x: \\mydc\netlogon
x:
cd\
x:\kix32 myscript.KX
net use x: /d /y
0
kg69 Commented:
With a script that elevates privileges he could even just email a link to a batch file to kick it off without even having to have users relog. Problem then is only exposing credentials, which on a temporary basis a semi-encrypted script like this would work.
0
kg69 Commented:
runas, btw, accepts a /password parameter; sorry, the code did not show that. Was just a quick example I found.
0
kg69 Commented:

$myRUNNAS = "%COMSPEC% /e:1024 /c RUNNAS /user:Administrator /password:123test "
;# BEGIN: Add Domain Admins to Local Administrators
$myCMD = "net localgroup administrators \" + Chr(34) + "ADOMAIN\Domain Admins\" + Chr(34)+ " /ADD" + Chr(34) + " >nul 2>nul"
$myVar = $myRUNNAS + Chr(34) + $myCMD

0
kg69 Commented:
Then just

SHELL $myVar
0
NOLA504 Author Commented:
You guys are life and time savers, thank you!!
0