babyxeon
asked on
changing file ownership with subinacl.exe
Unable to use subinacl.exe to change ownership of files. I used a script from this site but I get the error ActiveX component can't create object: 'AdsSecurity' code 800A01AD. How can I make it work? It appears to be dependent on mwmapi.dll. Trying to do this on Server 2003.
Click Start >>> Run >>> wscript -regserver
You could also save this as resetacl.cmd and run it:
:rem install subinacl
cd /d %ProgramFiles%\Windows Resource Kits\Tools
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
ASKER
Still the same error. When I just use the subinacl command to change ownership of 1 file it works; when I run the script it fails. Below is the script:
path = "c:\"
Const oldOwner = "BUILTIN\Administrators"
Const newOwner = "domain\user"
'do not change below this point
Recurse(path)
Public Sub Recurse(path)
Set fso = CreateObject("Scripting.FileSystemObject")
Set fldr = fso.GetFolder(path)
dim subfolders,files,folder,file
Set subfolders = fldr.SubFolders
Set files = fldr.files
'Display the path and all of the folders.
Wscript.Echo ""
Wscript.Echo fldr.Path
For Each folder in subfolders
Wscript.Echo folder.path
'WScript.Echo folder.path
setOwner oldOwner,newOwner,folder.path
Next
'Display all of the files.
For Each file in files
wscript.echo file.path
setOwner oldOwner,newOwner,file.path
Next
'Recurse all of the subfolders.
For Each folder in subfolders
Recurse folder
Next
Set subfolders = Nothing
Set files = Nothing
End Sub
Sub setOwner(oldOwner,newOwner,path)
Set sec = CreateObject("AdsSecurity")
Set sd = sec.GetSecurityDescriptor("FILE://" & path)
WScript.Echo " - Old Owner: " & sd.owner
If lcase(sd.owner) = lcase(oldOwner) Then
WScript.Echo " - New Owner: " & newOwner
Set CommandLine = CreateObject("WScript.Shell")
'Quote the path so that names containing spaces are passed as one argument
commandline.run "subinacl /file """ & path & """ /setowner=" & newOwner
End if
Set sd = Nothing
Set sec = nothing
End Sub
See if the script on this discussion works better for you
https://www.experts-exchange.com/questions/20903927/How-to-set-security-permissions-on-a-folder-with-VB-or-asp-net.html
I found a more flexible program, subinacl.
The normally distributed version contained a bug. The fixed version can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
For instance, the following command changes ownership and gives the new owner full control of the file.
subinacl /file "\data\allread\500.pdf" /setowner=jane.doe /grant=jane.doe=F
Plus, it has switches like /migratetodomain, so it might support migration, but I don't have time for much research. I think I will still just use a vba program.
Here are some other examples I noticed
* Allow the group "MYDOMAIN\Marketing" Read access to the folder "D:\Departments\Marketing" and all of its subfolders, but not on the files:
SUBINACL /verbose=1 /subdirectories "D:\Departments\Marketing" /grant=Users=R
* Grant Read access to "Everyone" on a share:
SUBINACL /verbose=1 /share \\server\share /grant=Everyone=R
* Allow the group "MYDOMAIN\Marketing" to Print and Manage documents on the printer "Color Laser":
SUBINACL /verbose=1 /printer "Color Laser" /grant=MYDOMAIN\Marketing=MP
* Allow "Authenticated Users" to start and stop the "Printer Spooler" service (use its short name: "Spooler"):
SUBINACL /verbose=1 /service Spooler /grant="Authenticated Users"=LQSTOP
* Grant "Authenticated Users" write access to "HKEY_LOCAL_MACHINE\SOFTWARE\MyWacky Program", but not to subkeys:
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\MyWacky Program" /grant="Authenticated Users"=QEDS
To check permissions, remove the /grant switch: if no "action" is specified, the default /display is used.
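The owner check from the asker's script, done without the AdsSecurity COM object, as an added example that is not part of any post in this thread. It reads each owner through .NET and writes the matching subinacl /setowner commands (syntax as quoted above) to a batch file for review; the function name, D:\Data, EXAMPLE\jane.doe and set-owner.cmd are placeholders, and Windows PowerShell 2.0 or later with an account name that contains no spaces is assumed.

```powershell
# Added example; function name, paths and account names are placeholders.
function Get-OwnerChangeCommand {
    param([string]$Root, [string]$OldOwner, [string]$NewOwner)

    # Like the VBScript, this walks everything below $Root, not $Root itself.
    # -Force includes hidden and system items.
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $item = $_
        try {
            # Read only the owner section of the security descriptor.
            $sd    = $item.GetAccessControl('Owner')
            $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
        } catch {
            # Access denied, or an orphaned SID that no longer maps to a name.
            Write-Warning "Skipping $($item.FullName): $($_.Exception.Message)"
            return   # move on to the next item
        }
        # -ieq compares case-insensitively, as lcase() = lcase() did.
        if ($owner -ieq $OldOwner) {
            # Quote the path so names with spaces stay one argument, and
            # double any % so cmd.exe does not expand it inside a batch file.
            $quoted = '"' + $item.FullName.Replace('%', '%%') + '"'
            New-Object PSObject -Property @{
                Path    = $item.FullName
                Owner   = $owner
                Command = "subinacl /file $quoted /setowner=$NewOwner"
            }
        }
    }
}

$plan = @(Get-OwnerChangeCommand -Root 'D:\Data' `
            -OldOwner 'BUILTIN\Administrators' -NewOwner 'EXAMPLE\jane.doe')
$plan | Format-Table Path, Owner -AutoSize
# Written in the OEM code page, which cmd.exe uses when reading batch files.
# Review set-owner.cmd, then run it from an elevated prompt.
$plan | ForEach-Object { $_.Command } | Set-Content -Encoding Oem set-owner.cmd
```

Nothing is changed until the generated batch file is run, so the list of affected paths can be checked against what was expected first.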