bsharath

Script when run on a local machine has to check each share and change the permission of all users and groups not to have full ownership.

Hi,

Script when run on a local machine has to check each share and change the permission of all users and groups not to have full ownership.
What I mean is:
Say a user has full permissions on a folder in a remote machine. He can make changes, like adding a user to the share on the remote machine from his machine. I want to remove those powers. Not sure how to do it. Can we have a script that can check all the hundreds of shares that I have on the machine and make that change for all the shares except one group?

I have the group name as "Nas Admin". Only this group has to have all the powers; change any other, and even the Administrator should not have permissions.

Regards
Sharath
@ECHO on
SETLOCAL ENABLEDELAYEDEXPANSION
Set CSVFile=C:\EveryoneShareSecurity.csv
 
IF NOT EXIST "%CSVFile%" ECHO "Machine Name","Share Name","Share/Security Info">"%CSVFile%"
 
for /F %%a in (C:\Computers.txt) do CALL :PROCESS %%a
 
GOTO :EOF
 
:PROCESS
for /f "tokens=1 delims=:" %%a in ('rmtshare \\%1^| find /v /i "default share" ^| find /v /i "Remote admin" ^| find /v /i "Remote IPC" ^| FIND /v /i "Printer drivers" ^| FIND ":"') DO (
    set Share=%%a
    set Share=!Share:~0,-2!
    For /l %%z in (1,1,30) DO if "!Share:~-1!" == " " Set Share=!Share:~0,-1!
 
    Set EveryoneSharePerm=
    RMTSHARE \\%1\"!Share!" | find /i "\everyone" | find /i "FULL CONTROL"
    IF NOT ERRORLEVEL 1 Set EveryoneSharePerm=Writeable
 
    if not defined EveryoneSharePerm (
        RMTSHARE \\%1\"!Share!" | find /i "\everyone" | find /i "CHANGE"
        IF NOT ERRORLEVEL 1 Set EveryoneSharePerm=Writeable
    )
 
    
    IF DEFINED EveryoneSharePerm (
        ECHO "%1","!Share!","Share permissions for everyone is writeable">>"%CSVFile%"
        ECHO "%1","!Share!","Changing everyone share permmissions to read">>"%CSVFile%"
        RMTSHARE \\%1\"!Share!" /grant everyone:R
        RMTSHARE \\%1\"!Share!" | find /i "everyone" | find /i "READ"
        IF NOT ERRORLEVEL 1 (
            ECHO "%1","!Share!","Successfully changed everyone share permissions to read">>"%CSVFile%"
            Set EveryoneSharePerm=
        ) ELSE (
            ECHO "%1","!Share!","Error occurred while Changing everyone share permissions to read">>"%CSVFile%"
        )
    )
 
    Set EveryoneSecurityPerm=
        FOR /f "tokens=1,*" %%b in ('rmtshare \\%1\"!Share!" ^| FIND /i "Path"') DO (
            Set SharePath=%%c
            Set SharePath=!SharePath::=$!          
            cacls "\\%1\!SharePath!" | find /i "everyone" | findstr /e /i /c:"F "
            IF NOT ERRORLEVEL 1 Set EveryoneSecurityPerm=Writeable
 
            IF NOT DEFINED EveryoneSecurityPerm (
                cacls "\\%1\!SharePath!" | find /i "everyone" | findstr /e /i /c:"C "
                IF NOT ERRORLEVEL 1 Set EveryoneSecurityPerm=Writeable
            )
  
            IF DEFINED EveryoneSecurityPerm (
                ECHO "%1","!Share!","Security everyone is writeable">>"%CSVFile%"
                ECHO "%1","!Share!","Changing everyone security to read">>"%CSVFile%"
                cacls "\\%1\!SharePath!" /e /t /p everyone:R
                cacls "\\%1\!SharePath!" | find /i "everyone" | findstr /e /i /c:"R "
                IF NOT ERRORLEVEL 1 (
                    ECHO "%1","!Share!","Successfully changed everyone security to read">>"%CSVFile%"
                    Set EveryoneSecurityPerm=
                ) ELSE (
                    ECHO "%1","!Share!","Error occurred while Changing everyone security to read">>"%CSVFile%"
                )
            )
        )
    IF DEFINED EveryoneSharePerm IF DEFINED EveryoneSecurityPerm ECHO "%1","!Share!","Share/Security permissions for everyone is writeable">>"%CSVFile%" 
)


Programming Languages-Other, Scripting Languages, VB Script

Last Comment
bsharath

8/22/2022 - Mon
AmazingTech

I would have to test, but I think removing FULL CONTROL and giving the MODIFY rights should fix the user granting another user rights. But there is also the Ownership aspect that would need to be removed.
bsharath

ASKER
Yes, I think so.
But this should exclude doing anything to one group called "Nas Admin".
AmazingTech

The share permissions & NTFS permissions would need to have Nas Admins FULL CONTROL for every share or leave Everyone FULL CONTROL on the share permission and READ on the NTFS permission.

Do you already have Nas Admins FULL CONTROL for share &  NTFS permissions?
bsharath

ASKER
Hi AT
I already have "Nas Admin" in both Share and Security.
If it's not there, can I get them logged in a txt file?
For all the other users and groups, just remove full control,
so they cannot do any additions from their machines to the server shares.
AmazingTech

If it's not there we should add it before modifying the users permissions just in case you lose it.
bsharath

ASKER
Yes, you are right. We will need to add them or else I will not have permissions myself... :-(
bsharath

ASKER
Any luck on this?
AmazingTech

Sorry just haven't had time yet.
bsharath

ASKER
Any luck this week :-)
bsharath

ASKER
Any views on this?
AmazingTech

OK.

Try this out.

Will check for groups that have share permissions.

Groups that only have security permissions are not modified.
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
Set Admin=NAS Admins
Set CSVFile=C:\ChangeShareSecurityOnly.csv
 
IF NOT EXIST "%CSVFile%" ECHO "Machine Name","Share Name","Share/Security Info">"%CSVFile%"
 
for /F %%a in (C:\Computers.txt) do CALL :PROCESS %%a
 
GOTO :EOF
 
:PROCESS
for /f "tokens=1 delims=:" %%a in ('rmtshare \\%1^| find /v /i "default share" ^| find /v /i "Remote admin" ^| find /v /i "Remote IPC" ^| FIND /v /i "Printer drivers" ^| FIND ":"') DO (
    set Share=%%a
    set Share=!Share:~0,-2!
    For /l %%z in (1,1,30) DO if "!Share:~-1!" == " " Set Share=!Share:~0,-1!
 
    RMTSHARE \\%1\"!Share!" | find /i "\%Admin%" | find /i "FULL CONTROL"
    IF ERRORLEVEL 1 (
        ECHO "%1","!Share!","Changing permissions for %Admin% to FULL access">>"%CSVFile%"
        RMTSHARE \\%1\"!Share!" /grant "%Admin%":F
        RMTSHARE \\%1\"!Share!" | find /i "%Admin%" | find /i "FULL"
        IF NOT ERRORLEVEL 1 (
            ECHO "%1","!Share!","Successfully changed %Admin% share permissions to FULL access">>"%CSVFile%"
        ) ELSE (
            ECHO "%1","!Share!","Error occurred while Changing %Admin% share permissions to FULL access">>"%CSVFile%"
        )
    ) 
 
    Set AdminSecurityPerm=
        FOR /f "tokens=1,*" %%b in ('rmtshare \\%1\"!Share!" ^| FIND /i "Path"') DO (
            Set SharePath=%%c
            Set SharePath=!SharePath::=$!
            cacls "\\%1\!SharePath!" | find /i "%Admin%" | findstr /e /i /c:"F "
            IF NOT ERRORLEVEL 1 Set AdminSecurityPerm=Writeable
 
            IF NOT DEFINED AdminSecurityPerm (
                ECHO "%1","!Share!","Security Group %Admin% is not FULL access">>"%CSVFile%"
                ECHO "%1","!Share!","Changing %Admin% security to FULL access">>"%CSVFile%"
                cacls "\\%1\!SharePath!" /e /t /p "%Admin%":F
                cacls "\\%1\!SharePath!" | find /i "%Admin%" | findstr /e /i /c:"F "
                IF NOT ERRORLEVEL 1 (
                    ECHO "%1","!Share!","Successfully changed %Admin% security to FULL access">>"%CSVFile%"
                    Set AdminSecurityPerm=
                ) ELSE (
                    ECHO "%1","!Share!","Error occurred while Changing %Admin% security to FULL access">>"%CSVFile%"
                )
            )
 
        )
 
   REM Read the permission entries from the machine being processed, not a fixed host
   FOR /f "Skip=6 Tokens=1 delims=:" %%b in ('RMTSHARE \\%1\"!Share!" ^| FIND /v /i "The command completed successfully."') do (
       Set Group=%%b
       For /l %%z in (1,1,30) DO if "!Group:~-1!" == " " Set Group=!Group:~0,-1!
       For /l %%z in (1,1,30) DO if "!Group:~0,1!" == " " Set Group=!Group:~1!
       ECHO !Group!
 
       Set GroupSharePerm=
       RMTSHARE \\%1\"!Share!" | find /i "!Group!" | find /i "FULL CONTROL"
       IF NOT ERRORLEVEL 1 Set GroupSharePerm=FULL
 
       if not defined GroupSharePerm (
           RMTSHARE \\%1\"!Share!" | find /i "!Group!" | find /i "CHANGE"
           IF NOT ERRORLEVEL 1 Set GroupSharePerm=CHANGE
       )
 
       if not defined GroupSharePerm (
           RMTSHARE \\%1\"!Share!" | find /i "!Group!" | find /i "READ"
           IF NOT ERRORLEVEL 1 Set GroupSharePerm=READ
       )
 
       echo !Group! | FIND /i "%Admin%"
       IF ERRORLEVEL 1 IF "!GroupSharePerm!" == "FULL" (
           ECHO "%1","!Share!","Share permissions for !Group! is FULL access">>"%CSVFile%"
           ECHO "%1","!Share!","Changing !Group! share permmissions to CHANGE access">>"%CSVFile%"
           RMTSHARE \\%1\"!Share!" /grant "!Group!":C
           RMTSHARE \\%1\"!Share!" | find /i "!Group!" | find /i "CHANGE"
           IF NOT ERRORLEVEL 1 (
               ECHO "%1","!Share!","Successfully changed !Group! share permissions to CHANGE access">>"%CSVFile%"
               Set GroupSharePerm=CHANGE
           ) ELSE (
               ECHO "%1","!Share!","Error occurred while changing !Group! share permissions to CHANGE access">>"%CSVFile%"
           )
       )
       
       IF "!Group:~0,1!"=="\" Set Group=!Group:~1!
       Set GroupSecurityPerm=
           FOR /f "tokens=1,*" %%b in ('rmtshare \\%1\"!Share!" ^| FIND /i "Path"') DO (
               Set SharePath=%%c
               Set SharePath=!SharePath::=$!
               cacls "\\%1\!SharePath!" | find /i "!Group!" | findstr /e /i /c:"F "
               IF NOT ERRORLEVEL 1 Set GroupSecurityPerm=FULL
 
               IF NOT DEFINED GroupSecurityPerm (
                   cacls "\\%1\!SharePath!" | find /i "!Group!" | findstr /e /i /c:"C "
                   IF NOT ERRORLEVEL 1 Set GroupSecurityPerm=CHANGE
               )
 
               IF NOT DEFINED GroupSecurityPerm (
                   cacls "\\%1\!SharePath!" | find /i "!Group!" | findstr /e /i /c:"R "
                   IF NOT ERRORLEVEL 1 Set GroupSecurityPerm=READ
               )
 
 
               echo !Group! | FIND /i "%Admin%"
               IF ERRORLEVEL 1 IF "!GroupSecurityPerm!" == "FULL" (
                   ECHO "%1","!Share!","Security !Group! is !GroupSecurityPerm! access">>"%CSVFile%"
                   ECHO "%1","!Share!","Changing !Group! security to CHANGE access">>"%CSVFile%"
                   cacls "\\%1\!SharePath!" /e /t /p "!Group!":C
                   cacls "\\%1\!SharePath!" | find /i "!Group!" | findstr /e /i /c:"C "
                   IF NOT ERRORLEVEL 1 (
                       ECHO "%1","!Share!","Successfully changed !Group! security to CHANGE access">>"%CSVFile%"
                       Set GroupSecurityPerm=CHANGE
                   ) ELSE (
                       ECHO "%1","!Share!","Error occurred while changing !Group! security to CHANGE access">>"%CSVFile%"
                   )
               )
           )
       IF DEFINED GroupSharePerm IF DEFINED GroupSecurityPerm ECHO "%1","!Share!","!Group! has Share permissions=!GroupSharePerm! Security permissions=!GroupSecurityPerm!">>"%CSVFile%"
   )
)


bsharath

ASKER
AT, thanks.
Will the permissions be changed for all groups in Share and Security permissions? Will this script just log the data, or does it make the changes?

AmazingTech

It will do the changes if a group other than "NAS Admin" is set to FULL.
bsharath

ASKER
Will I get a log that shows what has been done?

Does it even change the permissions of all users and groups in the shares, in both Share permissions and Security?

I ask because I will be doing it on a NAS machine with 500 shares... :-)
AmazingTech

Users or groups that have share permissions.

Users or groups that only have security permissions are untouched.

All activity is logged in

Set CSVFile=C:\ChangeShareSecurityOnly.csv
bsharath

ASKER
I get this

Account NAS Admin is not found.
The command failed: 1788
The trust relationship between the primary domain and the trusted domain failed.
In the CSV I get this:

Dev-nas01      LE22      Changing permissions for NAS Admin to FULL access
Dev-nas01      LE22      Error occurred while Changing NAS Admin share permissions to FULL access
Dev-nas01      LE22      Security Group NAS Admin is not FULL access
Dev-nas01      LE22      Changing NAS Admin security to FULL access
Dev-nas01      LE22      Error occurred while Changing NAS Admin security to FULL access
AmazingTech

Can you add the domain to this line?

Set Admin=Domain\NAS Admins
bsharath

ASKER
I get this
Account development\NAS Admin is not found.
The command failed: 1332
No mapping between account names and security IDs was done.

NAS Admin is a group. Will that be a problem?
AmazingTech

Hmm...

try:

dsquery group -name "NAS Admin" | dsget group -samid
AmazingTech

Or just this first to see if it can find NAS Admin.

dsquery group -name "NAS Admin"
bsharath

ASKER
Sorry AT, the group name is
Nas_Admin. Now I get everything as successful but could not find a difference in the shares. Can you tell me what the script does?
It gives full permissions to the Nas_Admin group in both Share and Security. If it's not there, then it adds the group.
Does it change the other users' and groups' permissions?
AmazingTech

It only takes the Groups or Users who have Share permissions. If the Share or NTFS security permissions for the group or user is FULL it changes it to CHANGE. READ will stay READ and CHANGE will stay CHANGE.

All extra users or groups in NTFS security are not checked.
bsharath

ASKER
Ok...

Say I have a folder called
Products
There are 3 groups in both Share and Security, and 1 user:
Nas_Admin (Full access)
Products-SGR (Read access)
Products-SGW (Full access)
Sharath (Full access)

Now what will the changes be?

I ask because I could not find any changes being made... :-(
AmazingTech

What does the csv file say?
bsharath

ASKER
Shows as
Dev-nas01      LE22      Changing permissions for NAS Admin to FULL access
Dev-nas01      LE22      Error occurred while Changing NAS Admin share permissions to FULL access
Dev-nas01      LE22      Security Group NAS Admin is not FULL access
Dev-nas01      LE22      Changing NAS Admin security to FULL access
Dev-nas01      LE22      Error occurred while Changing NAS Admin security to FULL access

AmazingTech

Did you change it to the underscore?

Set Admin=NAS_Admin
bsharath

ASKER
Yes, I did change it.
I pasted the old one.
I get this:
Dev-chen-nas01      STS      Changing permissions for development\NAS_Admin to FULL access
Dev-chen-nas01      STS      Successfully changed development\NAS_Admin share permissions to FULL access

I cannot find any change, as Nas_Admin already has full access. The change that needs to be made is mostly on the other users and groups in Share and Security permissions.
AmazingTech

It doesn't seem to be picking up the other groups from the share.

Can you post?

RMTSHARE \\Dev-chen-nas01\STS
bsharath

ASKER
I get this

C:\>RMTSHARE \\Dev-chen-nas01\STS-sgw

The command failed: 2310

C:\>RMTSHARE \\Dev-chen-nas01\STS
Share name        \\Dev-chen-nas01\STS
Path              D:\STS
Remark
Maximum users     No limit
Users             0
Permissions:
DEVELOPMENT\STS-SGW   :  FULL CONTROL
DEVELOPMENT\Nas_Admin :  FULL CONTROL

The command completed successfully.
AmazingTech

Post C:\Test.txt
SETLOCAL ENABLEDELAYEDEXPANSION
   FOR /f "Skip=6 Tokens=1 delims=:" %%b in ('RMTSHARE \\dev-chen-nas01\"STS" ^| FIND /v /i "The command completed successfully."') do (
       Set Group=%%b
       For /l %%z in (1,1,30) DO if "!Group:~-1!" == " " Set Group=!Group:~0,-1!
       For /l %%z in (1,1,30) DO if "!Group:~0,1!" == " " Set Group=!Group:~1!
       ECHO "!Group!">>C:\Test.txt
)
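
As an added example (not code from the thread), a Python dry-run planner for the share-level step only: it finds the entries by the "Permissions:" marker rather than a fixed Skip=6, compares account names exactly where `FIND /i` matches substrings, and returns the RMTSHARE commands without running them. The Nas_Admin_Temp entry and all function names are constructed for illustration; NTFS permissions are not covered.

```python
import re

# Constructed sample in the RMTSHARE layout shown in the thread. The
# Nas_Admin_Temp entry is hypothetical: its name merely contains the admin name.
SAMPLE = r"""Share name        \\Dev-chen-nas01\STS
Path              D:\STS
Remark
Maximum users     No limit
Users             0
Permissions:
DEVELOPMENT\STS-SGW   :  FULL CONTROL
DEVELOPMENT\Nas_Admin :  FULL CONTROL
DEVELOPMENT\Nas_Admin_Temp :  FULL CONTROL

The command completed successfully.
"""

# "<account> : <right>" as printed under the "Permissions:" heading.
ACE_RE = re.compile(r"^\s*(?P<account>.+?)\s*:\s*(?P<right>[A-Za-z ]+?)\s*$")


def parse_rmtshare(text):
    """Return (local_path, {account: RIGHT}) from RMTSHARE share-detail output."""
    path, aces, in_perms = None, {}, False
    for line in text.splitlines():
        if line.strip().lower() == "permissions:":
            in_perms = True
        elif not in_perms and line.lower().startswith("path"):
            path = line[4:].strip()
        elif in_perms and (m := ACE_RE.match(line)):
            aces[m["account"]] = m["right"].upper()
    return path, aces


def same_account(a, b):
    """Exact, case-insensitive match; a name without a domain matches any domain."""
    a, b = a.lower(), b.lower()
    if "\\" in a and "\\" in b:
        return a == b
    return a.rsplit("\\", 1)[-1] == b.rsplit("\\", 1)[-1]


def plan_commands(server, share, text, admin):
    """Dry run: list the share-level RMTSHARE commands; nothing is executed."""
    _, aces = parse_rmtshare(text)
    target = f'\\\\{server}\\"{share}"'
    cmds = []
    # Grant the admin group first so it cannot be locked out by later changes.
    if not any(same_account(a, admin) and r == "FULL CONTROL" for a, r in aces.items()):
        cmds.append(f'RMTSHARE {target} /grant "{admin}":F')
    # Downgrade every other FULL CONTROL entry to CHANGE; READ and CHANGE stay as is.
    for account, right in aces.items():
        if right == "FULL CONTROL" and not same_account(account, admin):
            cmds.append(f'RMTSHARE {target} /grant "{account}":C')
    return cmds


if __name__ == "__main__":
    for cmd in plan_commands("Dev-chen-nas01", "STS", SAMPLE, "DEVELOPMENT\\Nas_Admin"):
        print(cmd)
```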


ASKER CERTIFIED SOLUTION
AmazingTech

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
bsharath

ASKER
AT, it's been, say, 3+ hrs and the script is running. I could see these changes for the groups that have full access, changed like this:

Full control is unchecked
Delete Subfolders and Files is unchecked
Change permissions is unchecked
Take Ownership is unchecked

Is
"Delete Subfolders and Files" mandatory?
I ask because a user may need to delete them...
AmazingTech

It's only changing to CHANGE using cacls

cacls "\\%1\!SharePath!" /e /t /p "!Group!":C
bsharath

ASKER
Will the script change folder permissions and even try inheriting them on all child folders and files?

Even this is unchecked:
Delete Subfolders and Files is unchecked
Is this required?
AmazingTech

Hmm... The normal CHANGE permission has these unchecked.

Full Control
Delete Subfolders and Files
Change Permissions
Take Ownership

Using CACLS you need /t to make sure the subfolders and files get the change in permissions; it does this by explicitly setting the permission on each subfolder or file. Any new file or subfolder will get its permission inherited. Unfortunately, I don't think there is a way to get around this using cacls.
bsharath

ASKER
AT, if this is unchecked:
Delete Subfolders and Files
does that mean no one except the Nas_Admins can delete the files in there?
AmazingTech

They can; they have the Delete right.
bsharath

ASKER
OK, then what does this option mean?
Delete Subfolders and Files
bsharath

ASKER
Thanks a lot, AT. Works perfectly... This was an awesome help....