Assigning Active Directory Folder Permissions with vbscript

I'm working with an existing script that assigns permissions to a user home directory. The script appears to work ok, as far as assigning the permissions, however, the igrant.exe that's being used sends this error box to the screen: "igrant.exe" has stopped working. It stays up until I end it.

The interesting thing is that in an earlier portion of the script, SET ADMIN FUNCTION, the previous programmer used xcacls.exe to assign some of the privileges. One of the following would work for me:

1. Use xcacls.exe in place of igrant.exe, and show me what the permissions statements would look like. (Preferred)
2. Show me how to end igrant.exe once the permissions have been assigned, before it fails.

Thanks.
Const ForReading = 1
strLanAdmin = ""
strHomeDir = ""
strUserID = ""
strDeptID = ""
Set objFSO = CreateObject("Scripting.FileSystemObject")
 
If objFSO.FileExists("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt") Then
Set objTextFile = objFSO.OpenTextFile("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt", ForReading)
Else
'wscript.echo("No File to read.")
WScript.Quit
End If
 
 
Do Until objTextFile.AtEndOfStream
    strNextLine = objTextFile.Readline
    arrServiceList = Split(strNextLine , ";")
    For i = 1 To UBound(arrServiceList)
        
        strHomeDir = arrServiceList(0)
        strUserID = arrServiceList(1)
       'wscript.echo strHomeDir & " " & strUserID & " " & strDeptID
       
       
       call setPerms()
       Call CheckIt()
       i = i + 2
      Next
    WScript.Sleep 500
Loop
 
 
objTextFile.Close
 
 
 
Function Checkit()
 
strLanAdmin = "domain\AC"
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r " & strLanAdmin &":cteaACTEuDbP " & strHomeDir & ""
 
 
WScript.Echo "Value of StrLanAdmin: " & strLanAdmin
WScript.Echo "Value of StrHomeDir: " & strHomeDir	
WScript.Echo "I made it through CheckIt"
 
End Function
 
Function setPerms()
 
setAdmin()
setBCsec_1()
setBCsec_2()
setBCsec_3()
setUser()
 
wscript.echo("First set of user permissions added")
 
If strLanAdmin <> "" Then
wscript.echo strLanAdmin & " Group added"
Else 
wscript.echo "strLandAdmin: " & strLanAdmin
End If
 
 
End Function
 
Function setAdmin()
 
WScript.Echo strUserID
WScript.Echo strHomeDir
wscript.echo("Setting Permissions For " & strUserID & " on " & strHomeDir)
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "xcacls "" & strHomeDir & "" /G builtin\administrators:F /y" 
 
wscript.echo("Administrator Permissions granted")
 
End Function
 
Function setBCsec_1()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r domain\bcsec_1:cteau " & strHomeDir & ""
 
Call Checkit()
 
wscript.echo "BCsec_1 Added"
WScript.Sleep 10000
 
 
End Function
 
Function setBCsec_2()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r domain\bcsec_2:cteaACTEuD " & strHomeDir & ""
 
wscript.echo "BCsec_2 Added"
WScript.Sleep 10000
 
End Function
 
Function setBCsec_3()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r domain\bcsec_3:cteaACTEuDbPO " & strHomeDir & ""
 
wscript.echo "BCsec_3 Added"
WScript.Sleep 10000
 
End Function
 
Function setUser()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r " & strUserID & ":cteaACTEuDbP " & strHomeDir & ""
 
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt")
'wscript.echo ("permissions.TXT read and Deleted")
 
End Function
 
WScript.Quit

JB4375 Asked:
 
Chris Dent (PowerShell Developer) Commented:

The sensible thing to do would be to take a look at what's happening when the script executes the command. This modification writes out the command it executes and any output returned from execution. Hopefully it will indicate the reason for failure.

Chris
Function RI() 'Removes the Inherited Permissions
  strCommand = "cscript xcacls.vbs " & strHomeDir & " /i copy"
 
  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll
    
  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
End Function
 
Function RA() 'Removes the Authenticated Users Groups
  strCommand = "cscript xcacls.vbs " & strHomeDir & _
    " /e /r ""NT AUTHORITY\Authenticated Users"""
 
  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll
 
  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
      
End Function
 
Function AddUser() 'Adds User Permissions to the Home Directory
  strCommand = "cscript xcacls.vbs " & strHomeDir & _
    " /e /g " & domain & "\" & strUserID & ":C"
 
  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll
 
  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
End Function


0
 
JB4375 (Author) Commented:
Correction: The SET ADMIN FUNCTION, which uses xcacls.exe to assign some of the privileges is the ONLY piece that works.
It might be easier to stick with option 1: Use xcacls.exe in place of igrant.exe, and show me what the permissions statements would look like.
Forget option 2 altogether unless there's some reason why this isn't feasible.
0
 
SalmanZG Commented:
XCACLS  is a vbscript.

Here is the simplest syntax that I use most of the time:

xcacls.vbs <folder> /E /G <domain>\<user>:<permission>

For example:
to give modify permission to login JOHN in domain PROD-DOMAIN, access to a folder H:\home\JOHN

Use:
XCACLS H:\HOME\JOHN /E /G PROD-DOMAIN\JOHN:M

Here are the other permission flags.
F  Full control
M  Modify
X  read and eXecute
L  List folder contents
R  Read
W  Write

Hope this helps.
0
 
Chris Dent (PowerShell Developer) Commented:

> XCACLS  is a vbscript

There are two versions. One is a VbScript, the other is an exe. The syntax is much the same for fairly obvious reasons. The vbs is a little more capable, but unsupported.

Chris
0
 
SalmanZG Commented:
Thanks Chris.
I stand corrected.
0
 
JB4375 (Author) Commented:
Just out of curiosity what function does the /E /G provide?
JB
0
 
SalmanZG Commented:
/E for editing the existing ACL, instead of replacing it with the new permission.
/G for Grant. User name and permissions are parameters to /G
0
 
JB4375 (Author) Commented:
Ok... I'm calling the function below to assign Modify permissions to the user. I successfully echo the UserID and Home Directory. But it's not applying any permissions. Also, I don't know if it makes any difference, but I'm using xcacls.exe.

Function setUser()
WScript.Echo "UserID: " & strUserID
WScript.Echo "Home Directory: " & strHomeDir
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "xcacls " & strHomeDir & " /E/G DOMAIN\ " & strUserID & ":M"  
0
 
SalmanZG Commented:
Can you echo or log the xcacls command before executing it?
That way you can run it in a cmd window and verify if there is any syntax issue.

I may be wrong, but I see a space between domain and userid. /E /G can have a space b/w them.

0
 
JB4375 (Author) Commented:
I put a ^ everywhere there's a space. Here's how it's laid out
objShell.Exec "xcacls^"^&^strHomeDir^&^"^/E/G^DOMAIN\"^&^strUserID^&^":M"  
Also... is there any possibility that this has something to do with being case specific?
0
 
SalmanZG Commented:
Here is what i tested it with:
cscript xcacls.vbs c:\temp\dump /E /G mydomain\mylogin:M

You need to put a space b/w /E and /G.
Also, use cscript to run xcacls.

CMD_GRANT  = "cscript XCACLS.vbs " & ROOT_FOLDER & "\%LOGIN% /E /G " & MYDOMAIN & "\" & MYLOGIN &":M"
0
 
JB4375 (Author) Commented:
Don't know what to say about this. I don't have On error resume next. Every suggestion that's been given... The syntax is good, and it rolls right through with no errors. But it's not touching the permissions.
0
 
SalmanZG Commented:
Try to log the command in a log file and then copy paste the logged line in a cmd window.

The reason you don't see any error in the script is because the error may be occurring in the separate process started by objShell.Exec command.

So there are 2 options:
1. Either write a little more script after Exec function to collect stdout and stdErr.
2. Run the actual line in a command window and observe/fix the error first hand.
0
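Option 1 from the comment above, sketched as an added example that is not code from any participant in this thread: it quotes and validates the two values read from permissions.txt, runs xcacls.vbs, and shows the child process's combined output and exit code. The helper names IsSafeArg, QuoteArg and RunAcl and the sample path and account are hypothetical; xcacls.vbs is assumed to be in the working directory, as in the thread's own commands.

```vbscript
Option Explicit

' Added example; IsSafeArg, QuoteArg and RunAcl are hypothetical helper names.
Function IsSafeArg(strValue)
  ' The values come from a text file: refuse anything that could close the
  ' quoted argument or be interpreted by cmd.exe. A trailing backslash is
  ' refused too, because \" would swallow the closing quote.
  Dim objRe
  Set objRe = New RegExp
  objRe.Pattern = "[""&|<>^%!\r\n]"
  IsSafeArg = (Len(strValue) > 0) And Not objRe.Test(strValue) _
    And Right(strValue, 1) <> "\"
End Function

Function QuoteArg(strValue)
  ' Wrap in double quotes so a path with spaces stays one argument.
  QuoteArg = """" & strValue & """"
End Function

Function RunAcl(strHomeDir, strAccount, strPerm)
  Dim objShell, objExec, strCommand, strOutput
  RunAcl = -1
  If Not (IsSafeArg(strHomeDir) And IsSafeArg(strAccount) And IsSafeArg(strPerm)) Then
    WScript.Echo "Refusing unsafe input for " & strAccount
    Exit Function
  End If

  ' cmd /c with 2>&1 merges StdErr into StdOut, so a single ReadAll drains
  ' everything the child writes, including its error messages.
  strCommand = "%comspec% /c cscript //nologo xcacls.vbs " & _
    QuoteArg(strHomeDir) & " /E /G " & QuoteArg(strAccount & ":" & strPerm) & " 2>&1"

  Set objShell = CreateObject("WScript.Shell")
  Set objExec = objShell.Exec(strCommand)
  strOutput = objExec.StdOut.ReadAll
  Do While objExec.Status = 0      ' 0 = still running
    WScript.Sleep 100
  Loop

  WScript.Echo "Command:   " & strCommand
  WScript.Echo "Exit code: " & objExec.ExitCode
  WScript.Echo "Output:" & vbCrLf & strOutput
  RunAcl = objExec.ExitCode
End Function

' Constructed sample values; the path contains a space on purpose.
RunAcl "H:\HOME\JOHN SMITH", "PROD-DOMAIN\JOHN", "M"
```

Whether the tool sets a non-zero exit code on failure is not stated in this thread, so read the captured output as well as the code.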
 
Chris Dent (PowerShell Developer) Commented:

For xcacls.exe these are the valid Permissions:

Perm can be:
         R  Read
         C  Change (write)
         F  Full control
         P  Change Permissions (Special access)
         O  Take Ownership (Special access)
         X  EXecute (Special access)
         E  REad (Special access)
         W  Write (Special access)
         D  Delete (Special access)

M isn't included which would suggest that it is the reason your change is failing. Change M to C.

M is included with xcacls.vbs which may be the cause of confusion.

Chris
0
 
JB4375 (Author) Commented:
OK.. this is just starting to annoy me now. I ran these from the command line like you suggested and got no errors. I did a little research and found that xcacls.vbs is the only one that allows you to remove inheritances.
I got tired of the slow progress with the script and played around with the command line and I came up with the following and they all work, but I don't
xcacls.vbs /e /g "domain\userID" :M - Adds modify rights for the user
xcacls.vbs /e /r "NT Authority\Authenticated Users" - Removes Authenticated Users
xcacls.vbs /i copy - Removes inheritance rights for all users in advanced.
Below is my attempt to run them in a script. Same result. Runs with no result. What gives?

Function RI() 'Removes the Inherited Permissions
 
Set objShell = CreateObject("Wscript.Shell")
    objShell.exec ("cscript xcacls.vbs " & strHomeDir & " /i copy")
    WScript.Sleep 6000
      
End Function
 
 
Function RA() 'Removes the Authenticated Users Groups
 
Set objShell = CreateObject("Wscript.Shell")
    objShell.exec ("cscript xcacls.vbs " & strHomeDir & " /e /r ""NT AUTHORITY\Authenticated Users""")
    WScript.Sleep 6000
      
End Function
 
Function AddUser() 'Adds User Permissions to the Home Directory
 
Set objShell = CreateObject("Wscript.Shell")
    objShell.exec ("cscript xcacls.vbs " & strHomeDir & " /e /g " & domain & "\" & strUserID & ":C") 
    WScript.Sleep 6000


0
 
JB4375 (Author) Commented:
*****Correction: and they all work but I don't know how to use the variables within a command line. I simply called the directory and userID directly during testing.
0
 
JB4375 (Author) Commented:
Hey Chris,
You're right.... that would have been the sensible thing to do, had I known how to do that. LOL. Once I was able to see what was going on....amazing how quick you can figure things out. About 5 minutes, in fact.
So the FINAL step: I'm adding the permissions with:
strCommand = "cscript xcacls.vbs " & strHomeDir & " /e /g " & domain & "\" & strUserID & ":M"
This gives me modify permissions under the security tab, which is good, and modify "this folder and subfolders" under the advanced tab. How can I add the "delete subfolders and files" permission?
0
 
Chris Dent (PowerShell Developer) Commented:

Delete should be included in the Modify right? Or are you wanting to deny delete?

Chris
0
 
JB4375 (Author) Commented:
When I have modify selected under the advanced options. Delete is checked, which I want, but Delete Subfolders and Files is not selected. I need that as well.
Selecting Full control is not an option because we don't want to allow Change Permissions, and Take Ownership.
Thanks.
0
 
JB4375 (Author) Commented:
Alright... I created folders, documents etc. Logged in as the user. Apparently Mod gives me all the rights the user needs whether "Delete Subfolders and Files" is there or not. That's good enough for me.
Thanks for all the help everyone.
0
 
JB4375 (Author) Commented:
Thanks for hanging in there with me guys. I'm still new to the scripting game, and your help was invaluable.
0
Question has a verified solution.
