Solved

Assigning Active Directory Folder Permissions with vbscript

Posted on 2009-05-08
Last Modified: 2012-06-27
I'm working with an existing script that assigns permissions to a user home directory. The script appears to work OK as far as assigning the permissions; however, the igrant.exe that's being used sends this error box to the screen: "igrant.exe" has stopped working. It stays up until I end it.

The interesting thing is that in an earlier portion of the script, SET ADMIN FUNCTION, the previous programmer used xcacls.exe to assign some of the privileges. One of the following would work for me:

1. Use xcacls.exe in place of igrant.exe, and show me what the permissions statements would look like. (Preferred)
2. Show me how to end igrant.exe once the permissions have been assigned, before it fails.

Thanks.
Const ForReading = 1
strLanAdmin = ""
strHomeDir = ""
strUserID = ""
strDeptID = ""
Set objFSO = CreateObject("Scripting.FileSystemObject")
 
If objFSO.FileExists("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt") Then
Set objTextFile = objFSO.OpenTextFile("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt", ForReading)
Else
'wscript.echo("No File to read.")
WScript.Quit
End If
 
 
' Each line of permissions.txt is "homeDir;userID[;...]"; only the first two fields are used.
Do Until objTextFile.AtEndOfStream
    strNextLine = objTextFile.Readline
    arrServiceList = Split(strNextLine, ";")
    For i = 1 To UBound(arrServiceList)
        strHomeDir = arrServiceList(0)
        strUserID = arrServiceList(1)
        'wscript.echo strHomeDir & " " & strUserID & " " & strDeptID

        Call setPerms()
        Call CheckIt()
        i = i + 2   ' bumps the loop counter so a two-field line is processed once
    Next
    WScript.Sleep 500
Loop
 
 
objTextFile.Close
 
 
 
Function Checkit()
 
strLanAdmin = "domain\AC"
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r " & strLanAdmin &":cteaACTEuDbP " & strHomeDir & ""
 
 
WScript.Echo "Value of StrLanAdmin: " & strLanAdmin
WScript.Echo "Value of StrHomeDir: " & strHomeDir	
WScript.Echo "I made it through CheckIt"
 
End Function
 
Function setPerms()
 
setAdmin()
setBCsec_1()
setBCsec_2()
setBCsec_3()
setUser()
 
wscript.echo("First set of user permissions added")
 
If strLanAdmin <> "" Then
wscript.echo strLanAdmin & " Group added"
Else 
wscript.echo "strLandAdmin: " & strLanAdmin
End If
 
 
End Function
 
Function setAdmin()
 
WScript.Echo strUserID
WScript.Echo strHomeDir
wscript.echo("Setting Permissions For " & strUserID & " on " & strHomeDir)
 
Set objShell = CreateObject("WScript.Shell")
' Inside a VBScript string literal a double quote is written as "", so the
' folder path is wrapped in """ ... """ to reach xcacls as one quoted argument.
objShell.Exec "xcacls """ & strHomeDir & """ /G builtin\administrators:F /y"
 
wscript.echo("Administrator Permissions granted")
 
End Function
 
Function setBCsec_1()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r domain\bcsec_1:cteau " & strHomeDir & ""
 
Call Checkit()
 
wscript.echo "BCsec_1 Added"
WScript.Sleep 10000
 
 
End Function
 
Function setBCsec_2()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r domain\bcsec_2:cteaACTEuD " & strHomeDir & ""
 
wscript.echo "BCsec_2 Added"
WScript.Sleep 10000
 
End Function
 
Function setBCsec_3()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r domain\bcsec_3:cteaACTEuDbPO " & strHomeDir & ""
 
wscript.echo "BCsec_3 Added"
WScript.Sleep 10000
 
End Function
 
Function setUser()
 
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "igrant -r " & strUserID & ":cteaACTEuDbP " & strHomeDir & ""
 
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile("\\domain\dfs\nts1$\IS_NTS_Shared\NetAdmin\Scripts\Account_Automation\School\PA\permissions.txt")
'wscript.echo ("permissions.TXT read and Deleted")
 
End Function
 
WScript.Quit

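As an added example, not code from the question's script or from any answer in this thread, here is how the permissions.txt loop could validate each home directory and user ID before anything is spliced into an xcacls command line. The input path, the home-share root and the accepted character set for a user ID are assumptions for illustration; the original script's UNC paths and its igrant/xcacls calls are left out.

```vbscript
' Added example, not code from the question or from any answer in this thread:
' read permissions.txt into validated (home directory, user ID) pairs before
' any of them is spliced into an xcacls command line.
Option Explicit

Const ForReading = 1

' Assumed locations; the question's script hard-codes its own UNC paths.
Const INPUT_FILE = "C:\Scripts\permissions.txt"
Const HOME_ROOT  = "\\fileserver\home$\"

' Assumed character set for a user ID (letters, digits, dot, hyphen, underscore).
' Spaces, colons, slashes and quotes are rejected because on the xcacls command
' line they would start a new switch, a new ACE or a new argument.
Function IsValidUserID(strUserID)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsValidUserID = re.Test(strUserID)
End Function

' A home directory must be exactly HOME_ROOT plus one folder name that passes
' the same character check, so "..\" and paths to other servers never reach
' the ACL commands.
Function IsValidHomeDir(strHomeDir)
    Dim strLeaf
    IsValidHomeDir = False
    If Len(strHomeDir) <= Len(HOME_ROOT) Then Exit Function
    If LCase(Left(strHomeDir, Len(HOME_ROOT))) <> LCase(HOME_ROOT) Then Exit Function
    strLeaf = Mid(strHomeDir, Len(HOME_ROOT) + 1)
    IsValidHomeDir = IsValidUserID(strLeaf)
End Function

' Parse one "homeDir;userID" line. Returns True and fills the ByRef parameters
' when the line is usable; blank and malformed lines return False.
Function ParseEntry(strLine, ByRef strHomeDir, ByRef strUserID)
    Dim arrFields
    ParseEntry = False
    If Len(Trim(strLine)) = 0 Then Exit Function
    arrFields = Split(strLine, ";")
    If UBound(arrFields) < 1 Then Exit Function
    strHomeDir = Trim(arrFields(0))
    strUserID  = Trim(arrFields(1))
    ParseEntry = IsValidHomeDir(strHomeDir) And IsValidUserID(strUserID)
End Function

' Read the whole file first and collect the good entries. The file stays open
' only for this loop; in the question's script setUser() deletes the file from
' inside the loop while objTextFile is still reading it.
Function ReadPermissionEntries(strPath)
    Dim objFSO, objFile, strLine, strHomeDir, strUserID, strEntries
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strEntries = ""
    If Not objFSO.FileExists(strPath) Then
        ReadPermissionEntries = Array()
        Exit Function
    End If
    Set objFile = objFSO.OpenTextFile(strPath, ForReading)
    Do Until objFile.AtEndOfStream
        strLine = objFile.ReadLine
        If ParseEntry(strLine, strHomeDir, strUserID) Then
            If Len(strEntries) > 0 Then strEntries = strEntries & vbLf
            strEntries = strEntries & strHomeDir & ";" & strUserID
        Else
            WScript.Echo "Skipping invalid line: " & strLine
        End If
    Loop
    objFile.Close
    If Len(strEntries) = 0 Then
        ReadPermissionEntries = Array()
    Else
        ReadPermissionEntries = Split(strEntries, vbLf)
    End If
End Function

' Usage: each surviving entry can then be handed to the ACL commands.
Dim arrEntries, i, arrPair
arrEntries = ReadPermissionEntries(INPUT_FILE)
For i = 0 To UBound(arrEntries)
    arrPair = Split(arrEntries(i), ";")
    WScript.Echo "OK: " & arrPair(1) & " -> " & arrPair(0)
Next
```

Rejected lines are echoed rather than silently dropped, so a malformed entry in the input file shows up in the script's output instead of as a missing ACL discovered later.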

Question by:JB4375
21 Comments
 

Author Comment

by:JB4375
ID: 24340004
Correction: The SET ADMIN FUNCTION, which uses xcacls.exe to assign some of the privileges, is the ONLY piece that works.
It might be easier to stick with option 1: Use xcacls.exe in place of igrant.exe, and show me what the permissions statements would look like.
Forget option 2 altogether unless there's some reason why this isn't feasible.

Assisted Solution

by:SalmanZG
SalmanZG earned 200 total points
ID: 24340073
XCACLS is a VBScript.

Here is the simplest syntax that I use most of the time:

xcacls.vbs <folder> /E /G <domain>\<user>:<permission>

For example, to give the login JOHN in domain PROD-DOMAIN Modify access to the folder H:\home\JOHN, use:

XCACLS H:\HOME\JOHN /E /G PROD-DOMAIN\JOHN:M

Here are the other permission flags.
F  Full control
M  Modify
X  read and eXecute
L  List folder contents
R  Read
W  Write

Hope this helps.

Expert Comment

by:Chris Dent
ID: 24340272

> XCACLS  is a vbscript

There are two versions. One is a VbScript, the other is an exe. The syntax is much the same for fairly obvious reasons. The vbs is a little more capable, but unsupported.

Chris

Expert Comment

by:SalmanZG
ID: 24340313
Thanks Chris.
I stand corrected.

Author Comment

by:JB4375
ID: 24340384
Just out of curiosity what function does the /E /G provide?
JB

Assisted Solution

by:SalmanZG
SalmanZG earned 200 total points
ID: 24340545
/E for editing the existing ACL, instead of replacing it with the new permission.
/G for Grant. User name and permissions are parameters to /G

Author Comment

by:JB4375
ID: 24340688
Ok... I'm calling the function below to assign Modify permissions to the user. I successfully echo the UserID and Home Directory. But it's not applying any permissions. Also, I don't know if it makes any difference, but I'm using xcacls.exe.

Function setUser()
WScript.Echo "UserID: " & strUserID
WScript.Echo "Home Directory: " & strHomeDir
Set objShell = CreateObject("WScript.Shell")
objShell.Exec "xcacls " & strHomeDir & " /E/G DOMAIN\ " & strUserID & ":M"
End Function

Expert Comment

by:SalmanZG
ID: 24340731
Can you echo or log the xcacls command before executing it?
That way you can run it in a cmd window and verify if there is any syntax issue.

I may be wrong, but I see a space between domain and userid. /E /G can have a space b/w them.


Author Comment

by:JB4375
ID: 24340826
I put a ^ everywhere there's a space. Here's how it's laid out
objShell.Exec "xcacls^"^&^strHomeDir^&^"^/E/G^DOMAIN\"^&^strUserID^&^":M"  
Also... is there any possibility that this has something to do with being case specific?

Expert Comment

by:SalmanZG
ID: 24340871
Here is what I tested it with:
cscript xcacls.vbs c:\temp\dump /E /G mydomain\mylogin:M

You need to put a space b/w /E and /G.
Also, use cscript to run xcacls.

CMD_GRANT  = "cscript XCACLS.vbs " & ROOT_FOLDER & "\%LOGIN% /E /G " & MYDOMAIN & "\" & MYLOGIN &":M"

Author Comment

by:JB4375
ID: 24340966
Don't know what to say about this. I don't have On Error Resume Next. Every suggestion that's been given... The syntax is good, and it rolls right through with no errors. But it's not touching the permissions.

Expert Comment

by:SalmanZG
ID: 24342189
Try to log the command in a log file and then copy paste the logged line in a cmd window.

The reason you don't see any error in the script is because the error may be occurring in the separate process started by objShell.Exec command.

So there are 2 options:
1. Either write a little more script after the Exec function to collect StdOut and StdErr.
2. Run the actual line in a command window and observe/fix the error first hand.
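The following is an added example, not code posted by SalmanZG, Chris Dent or the question's author. It puts the two suggestions above together: the xcacls.vbs /E /G syntax from the earlier answer, with the folder path quoted, and capture of the stdout, stderr and exit code of the separate process started by objShell.Exec. The path to xcacls.vbs and the domain, server and user names in the usage lines are constructed for the example, and the caller is assumed to have validated strFolder and strUserID already.

```vbscript
' Added example, not code from any post in this thread: build the xcacls.vbs
' command line from variables, run it, and keep its output and exit code.
Option Explicit

' Assumed path to the xcacls.vbs tool; adjust for the target host.
Const XCACLS_VBS = "C:\Scripts\xcacls.vbs"

' Wrap a value in double quotes so a folder name containing spaces reaches
' xcacls.vbs as one argument. Inside a VBScript string literal a double quote
' is written as two double quotes, which is why "" on its own adds no quote.
Function QuoteArg(strValue)
    QuoteArg = """" & strValue & """"
End Function

' Run a command through WScript.Shell.Exec, wait for it to exit, and return
' the exit code. Everything the child wrote to stdout and stderr is appended
' to strOutput (passed ByRef) behind the exact command line that was run, so
' a failure can be reproduced by pasting that line into a cmd window.
Function RunAndCapture(strCommand, ByRef strOutput)
    Dim objShell, objExec, strStdOut, strStdErr
    Set objShell = CreateObject("WScript.Shell")
    Set objExec = objShell.Exec(strCommand)
    ' ReadAll returns once the child closes the stream, i.e. when it exits.
    ' For a tool that writes a lot to stderr, read both streams in turns instead.
    strStdOut = objExec.StdOut.ReadAll
    strStdErr = objExec.StdErr.ReadAll
    Do While objExec.Status = 0   ' 0 = WshRunning
        WScript.Sleep 100
    Loop
    strOutput = strOutput & "> " & strCommand & vbCrLf & strStdOut & strStdErr & vbCrLf
    RunAndCapture = objExec.ExitCode
End Function

' Grant one user Modify on one folder by editing (/E) the existing ACL.
' The log text is kept whatever the exit code is: in this thread the ACL
' stayed unchanged without the script raising any error, and only the tool's
' own output showed why.
Function GrantModify(strFolder, strDomain, strUserID, ByRef strLog)
    Dim strCommand
    strCommand = "cscript //nologo " & QuoteArg(XCACLS_VBS) & " " & _
                 QuoteArg(strFolder) & " /E /G " & strDomain & "\" & strUserID & ":M"
    GrantModify = RunAndCapture(strCommand, strLog)
End Function

' Usage with constructed names (no real domain, server or user is implied).
Dim strLog, intResult
strLog = ""
intResult = GrantModify("\\fileserver\home$\jsmith", "PROD-DOMAIN", "jsmith", strLog)
WScript.Echo strLog & "exit code: " & intResult
```

Keeping the command line in the log next to the tool's output is what makes the "runs with no errors but changes nothing" case diagnosable: the script itself never sees an error, because it happens inside the child process.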

Expert Comment

by:Chris Dent
ID: 24343091

For xcacls.exe these are the valid Permissions:

Perm can be:
         R  Read
         C  Change (write)
         F  Full control
         P  Change Permissions (Special access)
         O  Take Ownership (Special access)
         X  EXecute (Special access)
         E  REad (Special access)
         W  Write (Special access)
         D  Delete (Special access)

M isn't included which would suggest that it is the reason your change is failing. Change M to C.

M is included with xcacls.vbs which may be the cause of confusion.

Chris

Author Comment

by:JB4375
ID: 24352223
OK... this is just starting to annoy me now. I ran these from the command line like you suggested and got no errors. I did a little research and found that xcacls.vbs is the only one that allows you to remove inheritances.
I got tired of the slow progress with the script and played around with the command line and I came up with the following and they all work, but I don't
xcacls.vbs /e /g "domain\userID" :M - Adds modify rights for the user
xcacls.vbs /e /r "NT Authority\Authenticated Users" - Removes Authenticated Users
xcacls.vbs /i copy - Removes inheritance rights for all users in advanced.
Below is my attempt to run them in a script. Same result. Runs with no result. What gives?

Function RI() 'Removes the Inherited Permissions
 
Set objShell = CreateObject("Wscript.Shell")
    objShell.exec ("cscript xcacls.vbs " & strHomeDir & " /i copy")
    WScript.Sleep 6000
      
End Function
 
 
Function RA() 'Removes the Authenticated Users Groups
 
Set objShell = CreateObject("Wscript.Shell")
    objShell.exec ("cscript xcacls.vbs " & strHomeDir & " /e /r ""NT AUTHORITY\Authenticated Users""")
    WScript.Sleep 6000
      
End Function
 
Function AddUser() 'Adds User Permissions to the Home Directory
 
Set objShell = CreateObject("Wscript.Shell")
    objShell.exec ("cscript xcacls.vbs " & strHomeDir & " /e /g " & domain & "\" & strUserID & ":C") 
    WScript.Sleep 6000

End Function


Author Comment

by:JB4375
ID: 24352233
Correction: they all work, but I don't know how to use the variables within a command line. I simply called the directory and userID directly during testing.

Accepted Solution

by:Chris Dent
Chris Dent earned 300 total points
ID: 24352680

The sensible thing to do would be to take a look at what's happening when the script executes the command. This modification writes out the command it executes and any output returned from execution. Hopefully it will indicate the reason for failure.

Chris
Function RI() 'Removes the Inherited Permissions
  strCommand = "cscript xcacls.vbs " & strHomeDir & " /i copy"
 
  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll
    
  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
End Function
 
Function RA() 'Removes the Authenticated Users Groups
  strCommand = "cscript xcacls.vbs " & strHomeDir & _
    " /e /r ""NT AUTHORITY\Authenticated Users"""
 
  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll
 
  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
      
End Function
 
Function AddUser() 'Adds User Permissions to the Home Directory
  strCommand = "cscript xcacls.vbs " & strHomeDir & _
    " /e /g " & domain & "\" & strUserID & ":C"
 
  Set objShell = CreateObject("Wscript.Shell")
  strCommandReturn = objShell.Exec(strCommand).StdOut.ReadAll
 
  WScript.Echo strCommand & vbCrLf & vbCrLf & strCommandReturn
  WScript.Sleep 6000
End Function


Author Comment

by:JB4375
ID: 24354339
Hey Chris,
You're right.... that would have been the sensible thing to do, had I known how to do that. LOL. Once I was able to see what was going on....amazing how quick you can figure things out. About 5 minutes, in fact.
So the FINAL step: I'm adding the permissions with:
strCommand = "cscript xcacls.vbs " & strHomeDir & " /e /g " & domain & "\" & strUserID & ":M"
This gives me modify permissions under the security tab, which is good, and modify "this folder and subfolders" under the advanced tab. How can I add the "delete subfolders and files" permission?

Expert Comment

by:Chris Dent
ID: 24354603

Delete should be included in the Modify right? Or are you wanting to deny delete?

Chris

Author Comment

by:JB4375
ID: 24354651
When I have Modify selected under the advanced options, Delete is checked, which I want, but Delete Subfolders and Files is not selected. I need that as well.
Selecting Full control is not an option because we don't want to allow Change Permissions, and Take Ownership.
Thanks.

Author Comment

by:JB4375
ID: 24354805
Alright... I created folders, documents etc. and logged in as the user. Apparently Modify gives me all the rights the user needs whether "Delete Subfolders and Files" is there or not. That's good enough for me.
Thanks for all the help everyone.

Author Closing Comment

by:JB4375
ID: 31579626
Thanks for hanging in there with me guys. I'm still new to the scripting game, and your help was invaluable.