Solved

Assigning Active Directory Folder Permissions with vbscript

Posted on 2009-05-08
1,380 Views
Last Modified: 2012-06-27
I'm working with an existing script that assigns permissions to a user home directory. The script appears to work ok, as far as assigning the permissions, however, the igrant.exe that's being used sends this error box to the screen: "igrant.exe" has stopped working. It stays up until I end it.

The interesting thing is that in an earlier portion of the script, SET ADMIN FUNCTION, the previous programmer used xcacls.exe to assign some of the privileges. One of the following would work for me:

1. Use xcacls.exe in place of igrant.exe, and show me what the permissions statements would look like. (Preferred)
2. Show me how to end igrant.exe once the permissions have been assigned, before it fails.

Thanks.
Const ForReading = 1

strLanAdmin = ""
strHomeDir = ""
strUserID = ""
strDeptID = ""

Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FileExists("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt") Then
    Set objTextFile = objFSO.OpenTextFile("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt", ForReading)
Else
    'wscript.echo("No File to read.")
    WScript.Quit
End If

' Each line of permissions.txt holds "homedir;userid"
Do Until objTextFile.AtEndOfStream
    strNextLine = objTextFile.ReadLine
    arrServiceList = Split(strNextLine, ";")
    ' With two fields UBound is 1, so this loop body runs once per line
    For i = 1 To UBound(arrServiceList)
        strHomeDir = arrServiceList(0)
        strUserID = arrServiceList(1)
        'wscript.echo strHomeDir & " " & strUserID & " " & strDeptID
        Call setPerms()
        Call CheckIt()
        i = i + 2
    Next
    WScript.Sleep 500
Loop

objTextFile.Close

' The input file is deleted only after it has been closed. The original deleted it
' from inside setUser(), on every line, while the file was still open for reading.
objFSO.DeleteFile("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt")
'wscript.echo ("permissions.TXT read and Deleted")

WScript.Quit

Function CheckIt()
    strLanAdmin = "domain\AC"
    Set objShell = CreateObject("WScript.Shell")
    objShell.Exec "igrant -r " & strLanAdmin & ":cteaACTEuDbP " & strHomeDir
    WScript.Echo "Value of StrLanAdmin: " & strLanAdmin
    WScript.Echo "Value of StrHomeDir: " & strHomeDir
    WScript.Echo "I made it through CheckIt"
End Function

Function setPerms()
    Call setAdmin()
    Call setBCsec_1()
    Call setBCsec_2()
    Call setBCsec_3()
    Call setUser()
    wscript.echo("First set of user permissions added")
    If strLanAdmin <> "" Then
        wscript.echo strLanAdmin & " Group added"
    Else
        wscript.echo "strLanAdmin: " & strLanAdmin
    End If
End Function

Function setAdmin()
    WScript.Echo strUserID
    WScript.Echo strHomeDir
    wscript.echo("Setting Permissions For " & strUserID & " on " & strHomeDir)
    Set objShell = CreateObject("WScript.Shell")
    ' Doubled quotes ("") put literal quotes around the path so a home directory
    ' containing spaces reaches xcacls as one argument. The original wrote
    ' "xcacls "" & strHomeDir & "" /G ..." which is a single string literal, so the
    ' variable was never substituted.
    objShell.Exec "xcacls """ & strHomeDir & """ /G builtin\administrators:F /y"
    wscript.echo("Administrator Permissions granted")
End Function

Function setBCsec_1()
    Set objShell = CreateObject("WScript.Shell")
    objShell.Exec "igrant -r domain\bcsec_1:cteau " & strHomeDir
    Call CheckIt()
    wscript.echo "BCsec_1 Added"
    WScript.Sleep 10000
End Function

Function setBCsec_2()
    Set objShell = CreateObject("WScript.Shell")
    objShell.Exec "igrant -r domain\bcsec_2:cteaACTEuD " & strHomeDir
    wscript.echo "BCsec_2 Added"
    WScript.Sleep 10000
End Function

Function setBCsec_3()
    Set objShell = CreateObject("WScript.Shell")
    objShell.Exec "igrant -r domain\bcsec_3:cteaACTEuDbPO " & strHomeDir
    wscript.echo "BCsec_3 Added"
    WScript.Sleep 10000
End Function

Function setUser()
    Set objShell = CreateObject("WScript.Shell")
    objShell.Exec "igrant -r " & strUserID & ":cteaACTEuDbP " & strHomeDir
End Function


0
Comment
Question by:JB4375
21 Comments
 
LVL 1

Author Comment

by:JB4375
ID: 24340004
Correction: The SET ADMIN FUNCTION, which uses xcacls.exe to assign some of the privileges, is the ONLY piece that works.
It might be easier to stick with option 1: Use xcacls.exe in place of igrant.exe, and show me what the permissions statements would look like.
Forget option 2 altogether unless there's some reason why this isn't feasible.
0
 
LVL 3

Assisted Solution

by:SalmanZG
SalmanZG earned 200 total points
ID: 24340073
XCACLS is a vbscript.

Here is the simplest syntax that I use most of the time:

xcacls.vbs <folder> /E /G <domain>\<user>:<permission>

For example:
to give modify permission to login JOHN in domain PROD-DOMAIN, access to a folder H:\home\JOHN

Use:
XCACLS H:\HOME\JOHN /E /G PROD-DOMAIN\JOHN:M

Here are the other permission flags.
F  Full control
M  Modify
X  read and eXecute
L  List folder contents
R  Read
W  Write

Hope this helps.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24340272

> XCACLS  is a vbscript

There are two versions. One is a VbScript, the other is an exe. The syntax is much the same for fairly obvious reasons. The vbs is a little more capable, but unsupported.

Chris
0
 
LVL 3

Expert Comment

by:SalmanZG
ID: 24340313
Thanks Chris.
I stand corrected.
0
 
LVL 1

Author Comment

by:JB4375
ID: 24340384
Just out of curiosity what function does the /E /G provide?
JB
0
 
LVL 3

Assisted Solution

by:SalmanZG
SalmanZG earned 200 total points
ID: 24340545
/E for editing the existing ACL, instead of replacing it with the new permission.
/G for Grant. User name and permissions are parameters to /G
0
 
LVL 1

Author Comment

by:JB4375
ID: 24340688
Ok... I'm calling the function below to assign Modify permissions to the user. I successfully echo the UserID and Home Directory. But it's not applying any permissions. Also, I don't know if it makes any difference, but I'm using xcacls.exe.

Function setUser()
    WScript.Echo "UserID: " & strUserID
    WScript.Echo "Home Directory: " & strHomeDir
    Set objShell = CreateObject("WScript.Shell")
    objShell.Exec "xcacls " & strHomeDir & " /E/G DOMAIN\ " & strUserID & ":M"
End Function
0
 
LVL 3

Expert Comment

by:SalmanZG
ID: 24340731
Can you echo or log the xcacls command before executing it?
That way you can run it in a cmd window and verify if there is any syntax issue.

I may be wrong, but I see a space between domain and userid. /E /G can have a space b/w them.

0
 
LVL 1

Author Comment

by:JB4375
ID: 24340826
I put a ^ everywhere there's a space. Here's how it's laid out
objShell.Exec "xcacls^"^&^strHomeDir^&^"^/E/G^DOMAIN\"^&^strUserID^&^":M"  
Also... is there any possibility that this has something to do with being case specific?
0
 
LVL 3

Expert Comment

by:SalmanZG
ID: 24340871
Here is what i tested it with:
cscript xcacls.vbs c:\temp\dump /E /G mydomain\mylogin:M

You need to put a space b/w /E and /G.
Also, use cscript to run xcacls.

CMD_GRANT  = "cscript XCACLS.vbs " & ROOT_FOLDER & "\%LOGIN% /E /G " & MYDOMAIN & "\" & MYLOGIN &":M"
0
 
LVL 1

Author Comment

by:JB4375
ID: 24340966
Don't know what to say about this. I don't have On Error Resume Next. Every suggestion that's been given... The syntax is good, and it rolls right through with no errors. But it's not touching the permissions.
0
 
LVL 3

Expert Comment

by:SalmanZG
ID: 24342189
Try to log the command in a log file and then copy paste the logged line in a cmd window.

The reason you don't see any error in the script is because the error may be occurring in the separate process started by objShell.Exec command.

So there are 2 options:
1. Either write a little more script after Exec function to collect stdout and stdErr.
2. Run the actual line in a command window and observe/fix the error first hand.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24343091

For xcacls.exe these are the valid Permissions:

Perm can be:
         R  Read
         C  Change (write)
         F  Full control
         P  Change Permissions (Special access)
         O  Take Ownership (Special access)
         X  EXecute (Special access)
         E  REad (Special access)
         W  Write (Special access)
         D  Delete (Special access)

M isn't included which would suggest that it is the reason your change is failing. Change M to C.

M is included with xcacls.vbs which may be the cause of confusion.

Chris
0
 
LVL 1

Author Comment

by:JB4375
ID: 24352223
OK.. this is just starting to annoy me now. I ran these from the command line like you suggested and got no errors. I did a little research and found that xcacls.vbs is the only one that allows you to remove inheritances.
I got tired of the slow progress with the script and played around with the command line and I came up with the following and they all work, but I don't
xcacls.vbs /e /g "domain\userID" :M - Adds modify rights for the user
xcacls.vbs /e /r "NT Authority\Authenticated Users" - Removes Authenticated Users
xcacls.vbs /i copy - Removes inheritance rights for all users in advanced.
Below is my attempt to run them in a script. Same result. Runs with no result. What gives?

Function RI() 'Removes the Inherited Permissions
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Exec ("cscript xcacls.vbs " & strHomeDir & " /i copy")
    WScript.Sleep 6000
End Function

Function RA() 'Removes the Authenticated Users Groups
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Exec ("cscript xcacls.vbs " & strHomeDir & " /e /r ""NT AUTHORITY\Authenticated Users""")
    WScript.Sleep 6000
End Function

Function AddUser() 'Adds User Permissions to the Home Directory
    ' domain must hold the NetBIOS domain name; it is not assigned anywhere in this snippet
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Exec ("cscript xcacls.vbs " & strHomeDir & " /e /g " & domain & "\" & strUserID & ":C")
    WScript.Sleep 6000
End Function


0
 
LVL 1

Author Comment

by:JB4375
ID: 24352233
*****Correction: and they all work, but I don't know how to use the variables within a command line. I simply called the directory and userID directly during testing.
0
 
LVL 70

Accepted Solution

by:Chris Dent
Chris Dent earned 300 total points
ID: 24352680

The sensible thing to do would be to take a look at what's happening when the script executes the command. This modification writes out the command it executes and any output returned from execution. Hopefully it will indicate the reason for failure.

Chris
Function RI() 'Removes the Inherited Permissions
  strCommand = "cscript xcacls.vbs " & strHomeDir & " /i copy"

  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll

  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
End Function

Function RA() 'Removes the Authenticated Users Groups
  strCommand = "cscript xcacls.vbs " & strHomeDir & _
    " /e /r ""NT AUTHORITY\Authenticated Users"""

  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll

  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
End Function

Function AddUser() 'Adds User Permissions to the Home Directory
  strCommand = "cscript xcacls.vbs " & strHomeDir & _
    " /e /g " & domain & "\" & strUserID & ":C"

  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll

  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
End Function


0
 
LVL 1

Author Comment

by:JB4375
ID: 24354339
Hey Chris,
You're right.... that would have been the sensible thing to do, had I known how to do that. LOL. Once I was able to see what was going on....amazing how quick you can figure things out. About 5 minutes, in fact.
So the FINAL step: I'm adding the permissions with:
strCommand = "cscript xcacls.vbs " & strHomeDir & " /e /g domain\" & strUserID & ":M"
This gives me modify permissions under the security tab, which is good, and modify "this folder and subfolders" under the advanced tab. How can I add the "delete subfolders and files" permission?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24354603

Delete should be included in the Modify right? Or are you wanting to deny delete?

Chris
0
 
LVL 1

Author Comment

by:JB4375
ID: 24354651
When I have modify selected under the advanced options. Delete is checked, which I want, but Delete Subfolders and Files is not selected. I need that as well.
Selecting Full control is not an option because we don't want to allow Change Permissions, and Take Ownership.
Thanks.
0
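A PowerShell version of the end state this thread works toward (inheritance cut, Authenticated Users removed, administrators Full Control, the user Modify plus "Delete subfolders and files" but not Change Permissions or Take Ownership), added here as an example and not code from the thread or from any participant. It uses the .NET ACL classes instead of xcacls so the result can be read back and checked in the same run; the path, domain and user ID are placeholders.

```powershell
# Added example: home-directory ACL with .NET ACL classes. Placeholders: $HomeDir, $Domain, $UserId.
param(
    [string]$HomeDir = 'D:\Home\jdoe',   # placeholder: first field of a permissions.txt line
    [string]$Domain  = 'DOMAIN',         # placeholder: NetBIOS domain name
    [string]$UserId  = 'jdoe'            # placeholder: second field of a permissions.txt line
)
$ErrorActionPreference = 'Stop'
$rights  = [System.Security.AccessControl.FileSystemRights]
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Helper (not a built-in): one Allow ACE that applies to this folder, subfolders and files.
function New-Ace([string]$Identity, $Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, 'None', 'Allow')
}

# Step 1 (what "xcacls.vbs <dir> /i copy" did): stop inheriting from the parent, keeping copies of
# the inherited ACEs as explicit ones. The copies stay flagged as inherited in memory until the
# ACL is written, so write it back now or the removal in step 2 silently does nothing.
$acl = Get-Acl -Path $HomeDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $HomeDir -AclObject $acl

# Step 2 (what '/e /r "NT AUTHORITY\Authenticated Users"' did): drop every ACE for that group.
$acl = Get-Acl -Path $HomeDir
$authUsers = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'Authenticated Users')
$acl.PurgeAccessRules($authUsers)

# Step 3: administrators keep Full Control.
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' $rights::FullControl))

# Step 4: the user gets Modify plus "Delete subfolders and files", the one right Modify lacks.
# ChangePermissions and TakeOwnership are not in this mask, so Full Control is not needed.
$userRights = $rights::Modify -bor $rights::DeleteSubdirectoriesAndFiles
$acl.AddAccessRule((New-Ace "$Domain\$UserId" $userRights))
Set-Acl -Path $HomeDir -AclObject $acl

# Verify by reading the ACL back instead of trusting that the calls "ran with no errors".
$applied  = Get-Acl -Path $HomeDir
$leftover = $applied.Access | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' }
$tooMuch  = $applied.Access | Where-Object {
    $_.IdentityReference.Value -eq "$Domain\$UserId" -and
    (($_.FileSystemRights -band ($rights::ChangePermissions -bor $rights::TakeOwnership)) -ne 0)
}
if ($leftover -or $tooMuch) { throw "Unexpected ACE on $HomeDir" }
$applied.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run it against a test folder first; the final table is what the Advanced tab shows, so "Delete subfolders and files" can be confirmed there as well.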
 
LVL 1

Author Comment

by:JB4375
ID: 24354805
Alright... I created folders, documents etc. Logged in as the user. Apparently Modify gives me all the rights the user needs whether "Delete Subfolders and Files" is there or not. That's good enough for me.
Thanks for all the help everyone.
0
 
LVL 1

Author Closing Comment

by:JB4375
ID: 31579626
Thanks for hanging in there with me guys. I'm still new to the scripting game, and your help was invaluable.
0
