
Logon or Startup Script - Which changes a local folder's permissions

Posted on 2008-11-04
Last Modified: 2010-11-01
Recently a bad CRM application update was pushed, causing users to not be able to launch the application. This update cannot be rolled back.

The culprit folder was quickly discovered, and the remedy was to change the permissions on this folder to users/full control.

We used Altiris to push a VBS script which renames this folder from Cache to Cache_Old - this way when users log onto the application folder it is recreated with "file owner" permissions.

Regardless, Altiris is not yet set up correctly and only corrected 40% of the enterprise workstations.

Would there be a way to configure a .vbs script (logon or startup) that can actively change the permissions of the folder without giving the user local admin rights, or having to manually adjust each workstation?

If it helps, the path to the culprit folder is:
C:\Documents and Settings\All Users\Application Data\SalesLogix\Cache
 
I'm still very novice and a beginner in scripting and can only configure simple add printer scripts or similar - so any simplified help is greatly appreciated.


Question by:NOLA504

Accepted Solution

by:
Joseph Daly earned 1000 total points
ID: 22881340
How about a batch file to do it? The code below will give the users group full control of the folder.
cacls "C:\Documents and Settings\All Users\Application Data\SalesLogix\Cache" /t /e /g users:F


Expert Comment

by:kg69
ID: 22881359
Since you have to elevate privileges to make the change (which I would use SetACL for), I would recommend Kixtart. It's what I use for the logon scripts, and you can tokenize a script (meaning encrypt it).

So in short, create a Kixtart script that RUNs or SHELLs the SetACL on the folder using runas-type code:
Example:

;RUNAS USER;Kixtart script put together by Jason L Stenklyft;Jason@Stenklyft.com;example of using sendkeys to pass a password to runas;not recommended for production networks, due to security risks;Requirements to test this script;Create a make a user on the local box named LUser and set the password to passwordSETTITLE ("SENDKEYS ROCKS!")  ;set self window titleRUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"'  ;launch some notepad action as LUser$trash= SetFocus ("SENDKEYS ROCKS!")  ;set focus back to self$trash= SendKeys("password{ENTER}")  ;send the password and entersleep 3;wait a few for notepad to launchIf SetFocus ("Untitled - Notepad") = 0;if we can now setfocus to notepad, write some text $trash = SendKeys("Would you like to play a game?")Endif

Then once you have it working Tokenize the script by running kix32:

Kix32 myscript.kix /T

You will then get (a very lightly) encrypted script file that you can run by:

kix32 myscript.KX

www.kixtart.org

Expert Comment

by:kg69
ID: 22881369
Sorry Code did not paste well
;RUNAS USER
;Kixtart script put together by Jason L Stenklyft
;Jason@Stenklyft.com
;example of using sendkeys to pass a password to runas
;not recommended for production networks, due to security risks
 
;Requirements to test this script
;Create a make a user on the local box named LUser and set the password to password
 
SETTITLE ("SENDKEYS ROCKS!")
;set self window title
RUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"'
;launch some notepad action as LUser
$trash= SetFocus ("SENDKEYS ROCKS!")
;set focus back to self
$trash= SendKeys("password{ENTER}")
;send the password and enter
sleep 3
;wait a few for notepad to launch
If SetFocus ("Untitled - Notepad") = 0
;if we can now setfocus to notepad, write some text
$trash = SendKeys("Would you like to play a game?")
Endif


Assisted Solution

by:Shift-3
Shift-3 earned 1000 total points
ID: 22881417
xxdcmast's method is the simplest.  Below is a way to do the same thing in vbscript.

Regardless of what type of script you use, run it as a startup script (under the group policy node Computer Configuration\Windows Settings\Scripts\Startup) rather than as a logon script.  This way it will run under the local SYSTEM account and will be able to change permissions on the folder.


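' Resolve the All Users profile path instead of hard-coding C:\Documents and Settings
Set objShell = CreateObject("WScript.Shell")
strAllUsersProfile = objShell.ExpandEnvironmentStrings("%allusersprofile%")

strFolder = strAllUsersProfile & "\Application Data\SalesLogix\Cache"
' /T = include subfolders and files, /E = edit the existing ACL, /C = continue on access-denied errors, /G Users:F = grant Users full control
objShell.Run "cacls " & Chr(34) & strFolder & Chr(34) & " /T /E /C /G Users:F"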


Expert Comment

by:kg69
ID: 22881482
Just a thought: it would also be good to map a drive in your logon script and have all the files needed on your domain controller's Netlogon directory.

So a batch file like:

net use x: /d /y
net use x: \\mydc\netlogon
x:
cd\
x:\kix32 myscript.KX
net use x: /d /y

Expert Comment

by:kg69
ID: 22881527
With a script that elevates privileges he could even just email a link to a batch file to kick it off without even having to have users relog.  Problem then is only exposing credentials which on a temporary basis a semi-encrypted script like this would work.

Expert Comment

by:kg69
ID: 22881549
runas btw accepts a /password parameter sorry the code did not show that. Was just a quick example I found.

Expert Comment

by:kg69
ID: 22881568

$myRUNNAS = "%COMSPEC% /e:1024 /c RUNNAS /user:Administrator /password:123test "
;# BEGIN: Add Domain Admins to Local Administrators
$myCMD = "net localgroup administrators \" + Chr(34) + "ADOMAIN\Domain Admins\" + Chr(34)+ " /ADD" + Chr(34) + " >nul 2>nul"
$myVar = $myRUNNAS + Chr(34) + $myCMD


Expert Comment

by:kg69
ID: 22881581
Then just

SHELL $myVar

Author Closing Comment

by:NOLA504
ID: 31513311
You guys are life and time savers, thank you!!
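
Added example (not part of the original thread and not code from any poster): a small Python scan of plain-text logon/startup scripts for the credential-embedding patterns shown in kg69's snippets (runas with /user:, a /password: argument, SendKeys typing a password), contrasted with the credential-free startup-script line from Shift-3's answer. The rule names, function names and sample constants are assumptions made for this illustration; tokenized .KX files are not plain text and are not covered.

```python
import re

# Constructed rules modelled on the snippets in this thread (not a vendor signature set).
RULES = [
    ("runas-invocation", re.compile(r"\brunn?as\b.*?/user:\s*\S+", re.I)),
    ("password-argument", re.compile(r"/password:\s*\S+", re.I)),
    ("sendkeys-enter", re.compile(r"SendKeys\s*\(\s*[\"'][^\"']*\{ENTER\}", re.I)),
]
# Comment prefixes: KiXtart ';', VBScript "'", batch '::' and 'rem'.
COMMENT = re.compile(r"^(;|'|::|rem\b)", re.I)


def redact(line):
    """Mask the secret so the report itself does not repeat it."""
    line = re.sub(r"(/password:)\s*\S+", r"\1<redacted>", line, flags=re.I)
    return re.sub(r"(SendKeys\s*\(\s*[\"'])[^\"']*?(\{ENTER\})",
                  r"\1<redacted>\2", line, flags=re.I)


def scan_script(text):
    """Return (line_no, rule, redacted_line) for each non-comment line that matches."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or COMMENT.match(stripped):
            continue
        findings += [(no, name, redact(stripped)) for name, rx in RULES if rx.search(stripped)]
    return findings


def embeds_credentials(findings):
    """True when an elevation call appears together with a supplied password."""
    rules = {name for _, name, _ in findings}
    return "runas-invocation" in rules and bool(rules & {"password-argument", "sendkeys-enter"})


# Constructed samples: lines copied from the snippets posted in the comments above.
KIX_SENDKEYS = r"""
;example of using sendkeys to pass a password to runas
RUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"'
$trash= SendKeys("password{ENTER}")
"""
KIX_PASSWORD_ARG = r'$myRUNNAS = "%COMSPEC% /e:1024 /c RUNNAS /user:Administrator /password:123test'
STARTUP_VBS = r'objShell.Run "cacls " & Chr(34) & strFolder & Chr(34) & " /T /E /C /G Users:F"'

if __name__ == "__main__":
    for label, text in [("sendkeys", KIX_SENDKEYS), ("password-arg", KIX_PASSWORD_ARG),
                        ("startup", STARTUP_VBS)]:
        hits = scan_script(text)
        print(label, "FLAG" if embeds_credentials(hits) else "ok", hits)
```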