Solved

Problem setting ownership with xcacls.vbs - "this security ID may not be assigned as the owner of this object (Error 543)"

Posted on 2009-03-31
5
2,117 Views
Last Modified: 2012-05-06
When attempting to fix permissions on a roaming profiles share.

I first took ownership of all files + subfolders for the administrator.
then edited the ACL to grant "domain admins" full control of all the folders.

When trying to change the ownership back to the original owners, i'm getting:

Error: This security ID may not be assigned as the owner of this object. (Msg#54
3)

when checking permissions via the GUI, the user account has full control.

the command being run is

cscript %systemroot%\system32\xcacls.vbs folder /E /O DOMAIN\user /F /T

any ideas?
based on http://support.microsoft.com/kb/825751 the syntax seems correct, NTFS perms should allow the owner to be changed to that user.





0
Comment
Question by:jspaziano
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24035431
Try the script from here


 http://wasteil.blogspot.com/2007/04/reset-permissions-home-folder.html

'============================================================================
' VBScript Source File
' NAME: Permissions Home Folder
' AUTHOR: Ruudvdh (WASTEIL)
' WEBSITE : http://wasteil.blogspot.com
' DATE  : 19-3-2007
' COMMENT: This script changes the permissions of all the subfolders in the
' specified folders. It uses the folder name and matches this with a username
' in Active Directory. Therefore the foldername must be equal to the username.
'
' Permissions  (See CONST UsrPerm1 & UsrPerm2:
' R = Read
' C = Change (write)
' F = Full control
' P = Change Permissions (Special access)
' O = Take Ownership (Special access)
' X = EXecute (Special access)
' E = REad (Special access)
' W = Write (Special access)
' D = Delete (Special access)
'
' !!!NEEDED PROGRAMS!!!
' XCACLS.EXE 
' This program is part of the Support Tools
' DOWNLOAD: 
' http://support.microsoft.com/kb/892777
'
'============================================================================
 
' DECLARING VARIABLES
Option Explicit
DIM Commando, Counter, Domain 
DIM Folder, iReturn, objFSO
DIM objShell, objSysInfo, rootFolder
DIM strFolder, strUser, SubFolders
 
' INSTANTIATING AN OBJECT PART1
SET objSysInfo     =     CreateObject("ADSystemInfo")
SET objFSO         =     CreateObject("Scripting.FileSystemObject")
SET objShell     =     wscript.createObject("wscript.shell")
 
' ASSIGNING VALUES TO VARIABLES
strFolder     =    Lcase(Inputbox(Ucase("Enter path Home folder") &VbCr &VbCr _
                &"Use the following syntax:" &VbCr _
                &"D:\Users\","Home-Folder","D:\Users\"))
Domain        =    objSysInfo.ForestDNSName & "\"
 
' INSTANTIATING AN OBJECT PART2
SET rootFolder     =     objFSO.GetFolder(strFolder)
SET SubFolders     =     rootFolder.SubFolders
 
' ASSIGNING VALUES TO CONSTANTS
' INFO: You can find the possible permissions in the comment
CONST Usr1        =    "Domain Admins" 
CONST UsrPerm1    =    "F"
CONST UsrPerm2    =    "RWC"
 
'================================CODE=========================================
 
IF objFSO.FolderExists(strFolder) THEN
    FOR Each Folder In SubFolders
        strUser     =     replace(Lcase(Folder),strFolder,"")
        commando     =     "xcacls " &Folder &" /g ""Domain Admins"":" &UsrPerm1 _ 
                        &" """ &Domain &strUser &""":" &UsrPerm2 &" /T /C /Y"
        iReturn     =     objShell.Run(commando)
        Counter     =     Counter + 1
        ' This sleep is specially done to not overload the system with 
        ' xcacls screens.
        wscript.sleep 1500
    NEXT
    wscript.echo "Finished!" &VBCR &Counter &" folders are reset."
ELSE
    wscript.Echo "Folder: " &Ucase(strFolder) &"  doesn't exist." &VbCr _
    &"Verify the location and try again."
    END IF
 
SET objSysInfo     =     NOTHING
SET objFSO         =     NOTHING
SET objShell     =     NOTHING
SET rootFolder     =     NOTHING
SET SubFolders     =     NOTHING
'=============================END=OF=CODE=====================================
wscript.quit

Open in new window

0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035450
thanks,

i'll do testing with that.

This is driving me nuts.

from what i can tell, it SHOULD work OK but isn't.
The users have rights to be assigned perms to that folder, etc.

What i'm really doing.

is i dumped a list of all the subfolders of the profiles share.

i.e. dir /B > dirlist.txt

then am running this;

for /F %i in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\user /F /T

which basically runs the command noted in my original post for each subfolder and all the files and folders within it.

i've done some google searches and it seems that the xcacls.vbs supplied by microsoft may be buggy.
0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035456
actually the script is

for /F in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\%i /F /T

0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035470
sorry for all the typos.

for /F %i in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\%i /F /T
0
 
LVL 2

Accepted Solution

by:
jspaziano earned 0 total points
ID: 24115641
it was determined that xcacls.vbs is buggy and does not always work as expected.

The script given here did not help me as i had vista profiles that have .V2 in the name and that script always expects that the folder name matches the users' name.

I wound up just setting ownership to "domain admins" as that did work and it was acceptable as far as roaming profile permissions were concerned.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
How to record audio from input sources to your PC – connected devices, connected preamp to record vinyl discs, streaming media, that play through your audio card: Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 – both 32 bit & 64.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question