Solved

Problem setting ownership with xcacls.vbs - "this security ID may not be assigned as the owner of this object (Error 543)"

Posted on 2009-03-31
5
2,081 Views
Last Modified: 2012-05-06
When attempting to fix permissions on a roaming profiles share.

I first took ownership of all files + subfolders for the administrator.
then edited the ACL to grant "domain admins" full control of all the folders.

When trying to change the ownership back to the original owners, i'm getting:

Error: This security ID may not be assigned as the owner of this object. (Msg#54
3)

when checking permissions via the GUI, the user account has full control.

the command being run is

cscript %systemroot%\system32\xcacls.vbs folder /E /O DOMAIN\user /F /T

any ideas?
based on http://support.microsoft.com/kb/825751 the syntax seems correct, NTFS perms should allow the owner to be changed to that user.





0
Comment
Question by:jspaziano
  • 4
5 Comments
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24035431
Try the script from here


 http://wasteil.blogspot.com/2007/04/reset-permissions-home-folder.html

'============================================================================

' VBScript Source File

' NAME: Permissions Home Folder

' AUTHOR: Ruudvdh (WASTEIL)

' WEBSITE : http://wasteil.blogspot.com

' DATE  : 19-3-2007

' COMMENT: This script changes the permissions of all the subfolders in the

' specified folders. It uses the folder name and matches this with a username

' in Active Directory. Therefore the foldername must be equal to the username.

'

' Permissions  (See CONST UsrPerm1 & UsrPerm2:

' R = Read

' C = Change (write)

' F = Full control

' P = Change Permissions (Special access)

' O = Take Ownership (Special access)

' X = EXecute (Special access)

' E = REad (Special access)

' W = Write (Special access)

' D = Delete (Special access)

'

' !!!NEEDED PROGRAMS!!!

' XCACLS.EXE 

' This program is part of the Support Tools

' DOWNLOAD: 

' http://support.microsoft.com/kb/892777

'

'============================================================================
 

' DECLARING VARIABLES

Option Explicit

DIM Commando, Counter, Domain 

DIM Folder, iReturn, objFSO

DIM objShell, objSysInfo, rootFolder

DIM strFolder, strUser, SubFolders
 

' INSTANTIATING AN OBJECT PART1

SET objSysInfo     =     CreateObject("ADSystemInfo")

SET objFSO         =     CreateObject("Scripting.FileSystemObject")

SET objShell     =     wscript.createObject("wscript.shell")
 

' ASSIGNING VALUES TO VARIABLES

strFolder     =    Lcase(Inputbox(Ucase("Enter path Home folder") &VbCr &VbCr _

                &"Use the following syntax:" &VbCr _

                &"D:\Users\","Home-Folder","D:\Users\"))

Domain        =    objSysInfo.ForestDNSName & "\"
 

' INSTANTIATING AN OBJECT PART2

SET rootFolder     =     objFSO.GetFolder(strFolder)

SET SubFolders     =     rootFolder.SubFolders
 

' ASSIGNING VALUES TO CONSTANTS

' INFO: You can find the possible permissions in the comment

CONST Usr1        =    "Domain Admins" 

CONST UsrPerm1    =    "F"

CONST UsrPerm2    =    "RWC"
 

'================================CODE=========================================
 

IF objFSO.FolderExists(strFolder) THEN

    FOR Each Folder In SubFolders

        strUser     =     replace(Lcase(Folder),strFolder,"")

        commando     =     "xcacls " &Folder &" /g ""Domain Admins"":" &UsrPerm1 _ 

                        &" """ &Domain &strUser &""":" &UsrPerm2 &" /T /C /Y"

        iReturn     =     objShell.Run(commando)

        Counter     =     Counter + 1

        ' This sleep is specially done to not overload the system with 

        ' xcacls screens.

        wscript.sleep 1500

    NEXT

    wscript.echo "Finished!" &VBCR &Counter &" folders are reset."

ELSE

    wscript.Echo "Folder: " &Ucase(strFolder) &"  doesn't exist." &VbCr _

    &"Verify the location and try again."

    END IF
 

SET objSysInfo     =     NOTHING

SET objFSO         =     NOTHING

SET objShell     =     NOTHING

SET rootFolder     =     NOTHING

SET SubFolders     =     NOTHING

'=============================END=OF=CODE=====================================

wscript.quit

Open in new window

0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035450
thanks,

i'll do testing with that.

This is driving me nuts.

from what i can tell, it SHOULD work OK but isn't.
The users have rights to be assigned perms to that folder, etc.

What i'm really doing.

is i dumped a list of all the subfolders of the profiles share.

i.e. dir /B > dirlist.txt

then am running this;

for /F %i in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\user /F /T

which basically runs the command noted in my original post for each subfolder and all the files and folders within it.

i've done some google searches and it seems that the xcacls.vbs supplied by microsoft may be buggy.
0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035456
actually the script is

for /F in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\%i /F /T

0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035470
sorry for all the typos.

for /F %i in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\%i /F /T
0
 
LVL 2

Accepted Solution

by:
jspaziano earned 0 total points
ID: 24115641
it was determined that xcacls.vbs is buggy and does not always work as expected.

The script given here did not help me as i had vista profiles that have .V2 in the name and that script always expects that the folder name matches the users' name.

I wound up just setting ownership to "domain admins" as that did work and it was acceptable as far as roaming profile permissions were concerned.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now