?
Solved

Problem setting ownership with xcacls.vbs - "this security ID may not be assigned as the owner of this object (Error 543)"

Posted on 2009-03-31
5
Medium Priority
?
2,136 Views
Last Modified: 2012-05-06
When attempting to fix permissions on a roaming profiles share.

I first took ownership of all files + subfolders for the administrator.
then edited the ACL to grant "domain admins" full control of all the folders.

When trying to change the ownership back to the original owners, i'm getting:

Error: This security ID may not be assigned as the owner of this object. (Msg#54
3)

when checking permissions via the GUI, the user account has full control.

the command being run is

cscript %systemroot%\system32\xcacls.vbs folder /E /O DOMAIN\user /F /T

any ideas?
based on http://support.microsoft.com/kb/825751 the syntax seems correct, NTFS perms should allow the owner to be changed to that user.





0
Comment
Question by:jspaziano
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24035431
Try the script from here


 http://wasteil.blogspot.com/2007/04/reset-permissions-home-folder.html

'============================================================================
' VBScript Source File
' NAME: Permissions Home Folder
' AUTHOR: Ruudvdh (WASTEIL)
' WEBSITE : http://wasteil.blogspot.com
' DATE  : 19-3-2007
' COMMENT: This script changes the permissions of all the subfolders in the
' specified folders. It uses the folder name and matches this with a username
' in Active Directory. Therefore the foldername must be equal to the username.
'
' Permissions  (See CONST UsrPerm1 & UsrPerm2:
' R = Read
' C = Change (write)
' F = Full control
' P = Change Permissions (Special access)
' O = Take Ownership (Special access)
' X = EXecute (Special access)
' E = REad (Special access)
' W = Write (Special access)
' D = Delete (Special access)
'
' !!!NEEDED PROGRAMS!!!
' XCACLS.EXE 
' This program is part of the Support Tools
' DOWNLOAD: 
' http://support.microsoft.com/kb/892777
'
'============================================================================
 
' DECLARING VARIABLES
Option Explicit
DIM Commando, Counter, Domain 
DIM Folder, iReturn, objFSO
DIM objShell, objSysInfo, rootFolder
DIM strFolder, strUser, SubFolders
 
' INSTANTIATING AN OBJECT PART1
SET objSysInfo     =     CreateObject("ADSystemInfo")
SET objFSO         =     CreateObject("Scripting.FileSystemObject")
SET objShell     =     wscript.createObject("wscript.shell")
 
' ASSIGNING VALUES TO VARIABLES
strFolder     =    Lcase(Inputbox(Ucase("Enter path Home folder") &VbCr &VbCr _
                &"Use the following syntax:" &VbCr _
                &"D:\Users\","Home-Folder","D:\Users\"))
Domain        =    objSysInfo.ForestDNSName & "\"
 
' INSTANTIATING AN OBJECT PART2
SET rootFolder     =     objFSO.GetFolder(strFolder)
SET SubFolders     =     rootFolder.SubFolders
 
' ASSIGNING VALUES TO CONSTANTS
' INFO: You can find the possible permissions in the comment
CONST Usr1        =    "Domain Admins" 
CONST UsrPerm1    =    "F"
CONST UsrPerm2    =    "RWC"
 
'================================CODE=========================================
 
IF objFSO.FolderExists(strFolder) THEN
    FOR Each Folder In SubFolders
        strUser     =     replace(Lcase(Folder),strFolder,"")
        commando     =     "xcacls " &Folder &" /g ""Domain Admins"":" &UsrPerm1 _ 
                        &" """ &Domain &strUser &""":" &UsrPerm2 &" /T /C /Y"
        iReturn     =     objShell.Run(commando)
        Counter     =     Counter + 1
        ' This sleep is specially done to not overload the system with 
        ' xcacls screens.
        wscript.sleep 1500
    NEXT
    wscript.echo "Finished!" &VBCR &Counter &" folders are reset."
ELSE
    wscript.Echo "Folder: " &Ucase(strFolder) &"  doesn't exist." &VbCr _
    &"Verify the location and try again."
    END IF
 
SET objSysInfo     =     NOTHING
SET objFSO         =     NOTHING
SET objShell     =     NOTHING
SET rootFolder     =     NOTHING
SET SubFolders     =     NOTHING
'=============================END=OF=CODE=====================================
wscript.quit

Open in new window

0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035450
thanks,

i'll do testing with that.

This is driving me nuts.

from what i can tell, it SHOULD work OK but isn't.
The users have rights to be assigned perms to that folder, etc.

What i'm really doing.

is i dumped a list of all the subfolders of the profiles share.

i.e. dir /B > dirlist.txt

then am running this;

for /F %i in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\user /F /T

which basically runs the command noted in my original post for each subfolder and all the files and folders within it.

i've done some google searches and it seems that the xcacls.vbs supplied by microsoft may be buggy.
0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035456
actually the script is

for /F in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\%i /F /T

0
 
LVL 2

Author Comment

by:jspaziano
ID: 24035470
sorry for all the typos.

for /F %i in (dirlist.txt) do cscript %systemroot%\system32\xcacls.vbs %i /E /O DOMAIN\%i /F /T
0
 
LVL 2

Accepted Solution

by:
jspaziano earned 0 total points
ID: 24115641
it was determined that xcacls.vbs is buggy and does not always work as expected.

The script given here did not help me as i had vista profiles that have .V2 in the name and that script always expects that the folder name matches the users' name.

I wound up just setting ownership to "domain admins" as that did work and it was acceptable as far as roaming profile permissions were concerned.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
This article shows how to use a free utility called 'Parkdale' to easily test the performance and benchmark any Hard Drive(s) installed in your computer. We also look at RAM Disks and their speed comparisons.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question