Solved

Windows 2008 - Permissions on Folder are incorrectly ordered

Posted on 2009-05-03
7
3,808 Views
Last Modified: 2012-05-06
I am currently having an issue with CACL permissions in Windows 2008 Enterprise Server. I have a vbscript that run nightly to populate/create department folder on a SAN File cluster. The department folders are based on the department OU's in Active Directory. The department folders and permissions on the root department folders are created with no issues.
The issue that arises is with the sub-folders within the root department folders. Anytime a subfolder is created and a user goes to properties, and the security tab the following error appears: "The permissions on "folder name" are incorrectly ordered, which may cause some entries to be ineffective." As a reminder, this error only occurs on the sub-folders not the root department folders.
I do not believe there is an issue with the script. I realize that there is a known bug with incorrectly ordered permissions, but I can only find information on Windows 2000, and XP.
I need to know if there is a patch to resolve this issue for Windows 2008.

Thanks,
PulsarSolutions
VBScript code: 
(CACLS Section Only)
 
'========================================================================================
 
Function Permissions()
'Department group name with no spaces between the Department name & group
strFolderGroup = strFolder & "Group"
strFolderGroup = Replace(strFolderGroup,"_"," ")
 
'Department group name with a space between the department name & group
'strFolderGroup2 = strText & " Group"
strFolderGroup2 = strFolder & " Group"
strFolderGroup2 = Replace(strFolderGroup2,"_"," ")
 
Set objShell   = CreateObject("Wscript.Shell")
Set object2FSO = CreateObject("Scripting.FileSystemObject")
 
If object2FSO.FolderExists(strFolderPath) Then
	intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls "	&	_
	"""" & strFolderPath & """"	&	_
	" /e /t /c /g """ & strFolderGroup & """:F", 2, True)
 
	If intRunError <> 0 Then
	    'If error applying strFolderGroup group permissions to department folder
	    'Attempt to apply strFolderGroup2 group permission to department folder
	    If object2FSO.FolderExists(strFolderPath) Then
			intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls "	&	_
			"""" & strFolderPath & """"	&	_
			" /e /t /c /g """ & strFolderGroup2 & """:F", 2, True)
			
				'If unable to apply strFolderGroup & strFolderGroup2 then log an error message
				If intRunError <> 0 Then
					WScript.Echo "Error assigning permissions for: " & strFolderGroup1 & strFolderGroup2
					objLogFile.WriteLine "Error assigning permissions for: " & strFolderGroup1 & strFolderGroup2
				Else
				   	'Log strFolderGroup2 was successfully applied
				   	WScript.Echo strFolderGroup2 & " permissions applied successfully"
				    objLogFile.WriteLine strFolderGroup2 & " permissions applied successfully"
				End If
							
         End If
	Else
			'Log strFolderGroup was successfully applied
			WScript.Echo strFolderGroup & " permissions applied successfully"
			objLogFile.WriteLine strFolderGroup & " permissions applied successfully"				
	End If
End If
End Function

Open in new window

0
Comment
Question by:pulsarsolutions
  • 6
7 Comments
 
LVL 41

Assisted Solution

by:graye
graye earned 20 total points
ID: 24292380
I'd recommend that you switch to using ICACLS (it's the latest version of the tool for Vista, 2008, etc)
The command line syntax is a bit different...  http://technet.microsoft.com/en-us/library/cc753525.aspx
0
 

Author Comment

by:pulsarsolutions
ID: 24295038
I will write a separate icacls test script and see it resolves the problem. I will provide an update shortly.
0
 

Author Comment

by:pulsarsolutions
ID: 24297032
I have not had much luck locating any sample vbscript code for using icacls versus cacls. Does anyone have any example vbscript code for ICACLS?
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:pulsarsolutions
ID: 24297228
The following works in a command line, but still working on correct syntax to apply via vbscript:
icacls sales_folder /grant fileadmins:(OI)f /T /C (command line)

0
 

Author Comment

by:pulsarsolutions
ID: 24297282
I believe I have the vbscript code method to run it via vbscript:

Set objShell   = CreateObject("Wscript.Shell")
intRunError = objShell.Run("icacls sales_folder /grant fileadmins:(OI)f /T /C")

I will now need to test it in the environment to see if it resolves the issue. I will provide an update
shortly.
0
 

Accepted Solution

by:
pulsarsolutions earned 0 total points
ID: 24301188
The issue is resolved. Using ICACLS resolved the issue. I will provide my permissions function that includes the ICACLS logic.

Thanks for the suggestion!
Function Permissions()
'Department group name with no spaces between the Department name & group
strFolderGroup = strFolder & "Group"
strFolderGroup = Replace(strFolderGroup,"_"," ")
 
'Department group name with a space between the department name & group
'strFolderGroup2 = strText & " Group"
strFolderGroup2 = strFolder & " Group"
strFolderGroup2 = Replace(strFolderGroup2,"_"," ")
 
Set objShell   = CreateObject("Wscript.Shell")
Set object2FSO = CreateObject("Scripting.FileSystemObject")
 
If object2FSO.FolderExists(strFolderPath) Then
	intRunError = objShell.Run("icacls """ & strFolderPath & """ /grant """ & strFolderGroup & """:(OI)(CI)f /T /C")
		     
	If intRunError <> 0 Then
	    
	    If object2FSO.FolderExists(strFolderPath) Then
			intRunError = objShell.Run("icacls """ & strFolderPath & """ /grant """ & strFolderGroup2 & """:(OI)(CI)f /T /C")
		
			 'If unable to apply strFolderGroup & strFolderGroup2 then log an error message
				If intRunError <> 0 Then
					WScript.Echo "Error assigning permissions for: " & strFolderGroup1 & strFolderGroup2
					objLogFile.WriteLine "Error assigning permissions for: " & strFolderGroup1 & strFolderGroup2
				Else
				   	'Log strFolderGroup2 was successfully applied
				   	WScript.Echo strFolderGroup2 & " permissions applied successfully"
				    objLogFile.WriteLine strFolderGroup2 & " permissions applied successfully"
				End If
							
         End If
	Else
			'Log strFolderGroup was successfully applied
			WScript.Echo strFolderGroup & " permissions applied successfully"
			objLogFile.WriteLine strFolderGroup & " permissions applied successfully"				
	End If
End If
End Function

Open in new window

0
 

Author Comment

by:pulsarsolutions
ID: 24301206
ICACLS code resolved the issue:

Function Permissions()
'Department group name with no spaces between the Department name & group
strFolderGroup = strFolder & "Group"
strFolderGroup = Replace(strFolderGroup,"_"," ")

'Department group name with a space between the department name & group
'strFolderGroup2 = strText & " Group"
strFolderGroup2 = strFolder & " Group"
strFolderGroup2 = Replace(strFolderGroup2,"_"," ")
 
Set objShell   = CreateObject("Wscript.Shell")
Set object2FSO = CreateObject("Scripting.FileSystemObject")

If object2FSO.FolderExists(strFolderPath) Then
      intRunError = objShell.Run("icacls """ & strFolderPath & """ /grant """ & strFolderGroup & """:(OI)(CI)f /T /C")
                 
      If intRunError <> 0 Then
          
          If object2FSO.FolderExists(strFolderPath) Then
                  intRunError = objShell.Run("icacls """ & strFolderPath & """ /grant """ & strFolderGroup2 & """:(OI)(CI)f /T /C")
            
                   'If unable to apply strFolderGroup & strFolderGroup2 then log an error message
                        If intRunError <> 0 Then
                              WScript.Echo "Error assigning permissions for: " & strFolderGroup1 & strFolderGroup2
                              objLogFile.WriteLine "Error assigning permissions for: " & strFolderGroup1 & strFolderGroup2
                        Else
                                 'Log strFolderGroup2 was successfully applied
                                 WScript.Echo strFolderGroup2 & " permissions applied successfully"
                            objLogFile.WriteLine strFolderGroup2 & " permissions applied successfully"
                        End If
                                          
         End If
      Else
                  'Log strFolderGroup was successfully applied
                  WScript.Echo strFolderGroup & " permissions applied successfully"
                  objLogFile.WriteLine strFolderGroup & " permissions applied successfully"                        
      End If
End If
End Function
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
i can't open my printer  GUI 3 42
default domain policy exemptions 4 36
server core and windows updates 3 40
accidental deletion - ad recycle bin 3 21
Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question