Solved

CHANGE FOLDER PERMISION WITH A BAT FILE

Posted on 2011-02-11
21
891 Views
Last Modified: 2012-05-11
I would like to change a folders permissions with a startup script. The folder's name is C:\ABC and I would like to change the permission for the currently logged on user to full permission for this folder.

To be considered:
The user under which the script runs might very possibly not have Administrator privileges so the command might have to be executed specifying credentials or a user.
CACLS "C:\ABC\" /G %USERNAME%:F /Y
EXIT

Open in new window

0
Comment
Question by:Rebel_no_1
  • 9
  • 7
  • 4
  • +1
21 Comments
 
LVL 10

Expert Comment

by:scriven_j
Comment Utility
Would you want this to run automatically (i.e. without a user having to type in an admin password?)
0
 

Author Comment

by:Rebel_no_1
Comment Utility
Absolutely if possible.
0
 
LVL 5

Expert Comment

by:danubian
Comment Utility
'This script allows limited accounts to change folder c:\abc permissions
'as the machine Administrator, with full control for the logged on users.
'change "mymachine" and "yourpassword" with your own
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScript.Shell")
oShell.Run "runas /noprofile /env /user:mymachine\administrator "CACLS C:\ABC /T /E /G %USERNAME%:F"
WScript.Sleep 100
'Replace the string yourpassword~ below with
'the password used on your system by machine admin. Include tilde
oShell.Sendkeys "yourpassword~"
Wscript.Quit
0
 

Author Comment

by:Rebel_no_1
Comment Utility
How exactly do I run this? This is not a .bat or a .vbs?
0
 
LVL 10

Expert Comment

by:scriven_j
Comment Utility
OK - the easiest way to achieve this is something like SANUR which can be downloaded from here:-

http://www.commandline.co.uk/sanur/

This allows you to run a command as an administrator and pipe in a password - you cannot do this with the normal runas command.

(Sanur is unsupported and they suggest on that page alternatives you could try if you are not happy using it).  I have used it loads though and not had any problems.

The batch file would look something like this

 
@echo off
@echo Changing File permissions
runas /u:domain\user "CACLS C:\ABC\ /G %USERNAME%:F /Y" | sanur adminpassword

Open in new window


Saved as scriptname.bat

You would need SANUR to be in the same folder (or include the complete path in the command).

The problem with this method is that the admin password will be included in clear text which is not good security practise.

The solution to this aspect of the problem, is to convert the batch (.BAT) file to an EXE file using something like Batch File Compiler (http://www.bdargo.com/).  This way the password will be encrypted.

Batch File Compiler is a paid version, but I'm sure you could Google for something free if you would prefer.

Once you have created an EXE file from the batch file, you would then just call the EXE file from another batch file like this:-

@echo off
start "" /WAIT scriptname.exe

Open in new window


Hope this all makes sense?
0
 
LVL 10

Expert Comment

by:scriven_j
Comment Utility
danubian's script would have the admin password sitting in clear text.  I would not be happy with this personally.
0
 
LVL 5

Accepted Solution

by:
danubian earned 500 total points
Comment Utility
I'm not happy also with passowrds send on users as clear text but this is what it requested.

Keep in mind that every user can read from netlogon folders, so the password will be accesible to all domain users...
It is working as vbs. Take care that i refined it. On my env some options did not worked.
Save it as "myrights.vbs" and run it to test. Then put it as login script.

Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScript.Shell")
oShell.Run "runas /user:machine\administrator ""CACLS C:\ABC /T /E /G %USERNAME%:F"""
WScript.Sleep 100
oShell.Sendkeys "yourpassword~"
Wscript.Quit

The script is adapted from vlaurie.com
0
 

Author Comment

by:Rebel_no_1
Comment Utility
To me it is acceptable if the password is visible in an editable file as the normal users do not even have access to explorer or notepad. The text inside the file is therefore "secure" although the password must not be displayed on screen while the command is run. A simple CLS command should hide the command sufficiently. I also want to try not use any third party applications as this might complicate deployment of the script. I like to keep things as simple as possible.

At this stage I would therefore try to get danubian's solution running. (How do I run his script) and if unsuccessful will look at scriven's solution as a last resort. I say last resort as I would like to stick to standard windows components and commands.
0
 

Author Comment

by:Rebel_no_1
Comment Utility
I ran the attached vbs... Open with a text editor. What am I doing wrong?
I know my password is visible...
XXX.vbs
0
 
LVL 5

Expert Comment

by:danubian
Comment Utility
The script seems right.  But if the system is Windows 7, administrator user is disabled by default.
On other environments local administrator user is renamed.

For testing purpose run on command prompt first:
CACLS C:\ABC /T /E /G %USERNAME%:F
Then
runas /user:machine\administrator "CACLS C:\ABC /T /E /G %USERNAME%:F"

0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:Rebel_no_1
Comment Utility
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
Ok, I did on two folders:


C:\Users\A3AN>cd\

C:\>CACLS C:\ABC /T /E /G %USERNAME%:F
processed dir: C:\ABC
Access is denied.

C:\>CACLS C:\BCD /T /E /G %USERNAME%:F
The data is invalid.

C:\>

I removed the environment variable:

C:\>CACLS C:\BCD /T /E /G A3AN-LPT:F
processed dir: C:\BCD

C:\>CACLS C:\ABC /T /E /G A3AN-LPT:F
processed dir: C:\ABC
Access is denied.

C:\>

I am not sure if that means it is working?
0
 

Author Comment

by:Rebel_no_1
Comment Utility
It seems that the environment variable might be causing an issue,
ECHO %USERNAME% will yield "A3AN"

I can give you my actual settings (it might help) because I format my testing laptop every few days.
My current details:
My computer name is: A3AN-LPT
My (Administrator) user name is: A3AN
My password is: a4
0
 
LVL 10

Expert Comment

by:scriven_j
Comment Utility
The switch from your original command /Y does not seem to be a valid command.

Also, when I run CACLS command myself, it asks "Are you sure" and expects a Y / N answer, so these things might be causing problems?

Are you running the command when you test as with the RUNAS?
0
 

Author Comment

by:Rebel_no_1
Comment Utility
Ok it works, i think but it requests a password before completing the final step. Can I put this password in the script?


C:\>CACLS C:\BCD /T /E /G %USERNAME%:F
processed dir: C:\BCD

C:\>runas /user:A3AN-LPT\A3AN "CACLS C:\ABC /T /E /G %USERNAME%:F"
Enter the password for A3AN-LPT\A3AN:
Attempting to start CACLS C:\ABC /T /E /G A3AN:F as user "A3AN-LPT\A3AN" ...

C:\>
0
 
LVL 10

Expert Comment

by:scriven_j
Comment Utility
I get Access Denied error when using an invalid folder.  (badly worded error)  Does the folder exist?
0
 

Author Comment

by:Rebel_no_1
Comment Utility
I am running windows 7 on my test pc. Sorry, guess I should have told you this earlier. :-)
0
 
LVL 10

Expert Comment

by:scriven_j
Comment Utility
You can always use my solution if it won't work (change the CACLS line to the one you have working)
0
 
LVL 10

Expert Comment

by:scriven_j
Comment Utility
SANUR might not work with Windows 7 though - original post stated Windows XP.
0
 

Author Comment

by:Rebel_no_1
Comment Utility
I will test this current solution on monday using a windows xp pc as the final solution is expected to work on windows xp. I will then also test with the correct users and verify if the folder attributes changed. I should not have tested on windows 7 in the first place I guess. I was hoping that DOS would behave all the same. Thanks for all the help and I will get back to you as soon as I have tested this. I appreciate your time scriven and danubian.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Comment Utility
Try this one:
'Start of Script
'VBRUNAS.VBS
'v1.2 March 2001
'Jeffery Hicks
'jhicks@quilogy.com http://www.quilogy.com
'USAGE: cscript|wscript VBRUNAS.VBS Username Password Command
'DESC: A RUNAS replacement to take password at a command prompt.
'NOTES: This is meant to be used for local access. If you want to run a command
'across the network as another user, you must add the /NETONLY switch to the RUNAS 
'command.

' *********************************************************************************
' * THIS PROGRAM IS OFFERED AS IS AND MAY BE FREELY MODIFIED OR ALTERED AS *
' * NECESSARY TO MEET YOUR NEEDS. THE AUTHOR MAKES NO GUARANTEES OR WARRANTIES, *
' * EXPRESS, IMPLIED OR OF ANY OTHER KIND TO THIS CODE OR ANY USER MODIFICATIONS. *
' * DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED IN A SECURED LAB *
' * ENVIRONMENT. USE AT YOUR OWN RISK. *
' *********************************************************************************

On Error Resume Next
dim WshShell,oArgs,FSO

set oArgs=wscript.Arguments

if InStr(oArgs(0),"?")<>0 then
wscript.echo VBCRLF & "? HELP ?" & VBCRLF
Usage
end if

if oArgs.Count <3 then
wscript.echo VBCRLF & "! Usage Error !" & VBCRLF
Usage
end if

sUser=oArgs(0)
sPass=oArgs(1)&VBCRLF
sCmd=oArgs(2)

set WshShell = CreateObject("WScript.Shell")
set WshEnv = WshShell.Environment("Process")
WinPath = WshEnv("SystemRoot")&"\System32\runas.exe"
set FSO = CreateObject("Scripting.FileSystemObject")

if FSO.FileExists(winpath) then
'wscript.echo winpath & " " & "verified"
else
wscript.echo "!! ERROR !!" & VBCRLF & "Can't find or verify " & winpath &"." & VBCRLF & "You must be running Windows 2000 for this script to work."
set WshShell=Nothing
set WshEnv=Nothing
set oArgs=Nothing
set FSO=Nothing
wscript.quit
end if

rc=WshShell.Run("runas /user:" & sUser & " " & CHR(34) & sCmd & CHR(34), 2, FALSE)
Wscript.Sleep 30 'need to give time for window to open.
WshShell.AppActivate(WinPath) 'make sure we grab the right window to send password to
WshShell.SendKeys sPass 'send the password to the waiting window.

set WshShell=Nothing
set oArgs=Nothing
set WshEnv=Nothing
set FSO=Nothing

wscript.quit

'************************
'* Usage Subroutine *
'************************
Sub Usage()
On Error Resume Next
msg="Usage: cscript|wscript vbrunas.vbs Username Password Command" & VBCRLF & VBCRLF & "You should use the full path where necessary and put long file names or commands" & VBCRLF & "with parameters in quotes" & VBCRLF & VBCRLF &"For example:" & VBCRLF &" cscript vbrunas.vbs quilogy\jhicks luckydog e:\scripts\admin.vbs" & VBCRLF & VBCRLF &" cscript vbrunas.vbs quilogy\jhicks luckydog " & CHR(34) &"e:\program files\scripts\admin.vbs 1stParameter 2ndParameter" & CHR(34)& VBCRLF & VBCRLF & VBCLRF & "cscript vbrunas.vbs /?|-? will display this message."

wscript.echo msg

wscript.quit

end sub
'End of Script 

Open in new window


Copy & paste this script into a file called vbrunas.vbs and call it like this

Usage:wscript vbrunas.vbs A3AN password "CACLS C:\BCD /T /E /G %USERNAME%:F"

Open in new window

0
 
LVL 5

Expert Comment

by:danubian
Comment Utility
'Runas' command request passowrd. This is the normal behaviour and the vbs script just add the option to give password automatically.

On my Windows 7 system my script worked well. But you have to meet some conditions:
 - The credentials used to run the script have to have full control rights on the c:\abc folder. By default Windows 7 local administrator is not enabled. So, you need another user with full control rights on the requested folder;
 - The folder c:\abc have to already exists, with the credentials used already having full control on it.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
YESTERDAY YESTERDAY.BAT is inspired by a previous article I wrote entitled: TOMORROW.BAT (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/MS_DOS/A_4196-Advanced-Batch-File-Programming-TOMORROW-BAT.html). The crux of this batch f…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now