CHANGE FOLDER PERMISION WITH A BAT FILE

Would you want this to run automatically (i.e. without a user having to type in an admin password?)

Absolutely if possible.

'This script allows limited accounts to change folder c:\abc permissions
'as the machine Administrator, with full control for the logged on users.
'change "mymachine" and "yourpassword" with your own
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScript.Shell")
oShell.Run "runas /noprofile /env /user:mymachine\administrator "CACLS C:\ABC /T /E /G %USERNAME%:F"
WScript.Sleep 100
'Replace the string yourpassword~ below with
'the password used on your system by machine admin. Include tilde
oShell.Sendkeys "yourpassword~"
Wscript.Quit

How exactly do I run this? This is not a .bat or a .vbs?

OK - the easiest way to achieve this is something like SANUR which can be downloaded from here:-

http://www.commandline.co.uk/sanur/

This allows you to run a command as an administrator and pipe in a password - you cannot do this with the normal runas command.

(Sanur is unsupported and they suggest on that page alternatives you could try if you are not happy using it).  I have used it loads though and not had any problems.

The batch file would look something like this

 

@echo off
@echo Changing File permissions
runas /u:domain\user "CACLS C:\ABC\ /G %USERNAME%:F /Y" | sanur adminpassword

Select allOpen in new window

Saved as scriptname.bat

You would need SANUR to be in the same folder (or include the complete path in the command).

The problem with this method is that the admin password will be included in clear text which is not good security practise.

The solution to this aspect of the problem, is to convert the batch (.BAT) file to an EXE file using something like Batch File Compiler (http://www.bdargo.com/).  This way the password will be encrypted.

Batch File Compiler is a paid version, but I'm sure you could Google for something free if you would prefer.

Once you have created an EXE file from the batch file, you would then just call the EXE file from another batch file like this:-

@echo off
start "" /WAIT scriptname.exe

Select allOpen in new window

Hope this all makes sense?

danubian's script would have the admin password sitting in clear text.  I would not be happy with this personally.

To me it is acceptable if the password is visible in an editable file as the normal users do not even have access to explorer or notepad. The text inside the file is therefore "secure" although the password must not be displayed on screen while the command is run. A simple CLS command should hide the command sufficiently. I also want to try not use any third party applications as this might complicate deployment of the script. I like to keep things as simple as possible.

At this stage I would therefore try to get danubian's solution running. (How do I run his script) and if unsuccessful will look at scriven's solution as a last resort. I say last resort as I would like to stick to standard windows components and commands.

I ran the attached vbs... Open with a text editor. What am I doing wrong?
I know my password is visible...
XXX.vbs

The script seems right.  But if the system is Windows 7, administrator user is disabled by default.
On other environments local administrator user is renamed.

For testing purpose run on command prompt first:
CACLS C:\ABC /T /E /G %USERNAME%:F
Then
runas /user:machine\administrator "CACLS C:\ABC /T /E /G %USERNAME%:F"

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
Ok, I did on two folders:


C:\Users\A3AN>cd\

C:\>CACLS C:\ABC /T /E /G %USERNAME%:F
processed dir: C:\ABC
Access is denied.

C:\>CACLS C:\BCD /T /E /G %USERNAME%:F
The data is invalid.

C:\>

I removed the environment variable:

C:\>CACLS C:\BCD /T /E /G A3AN-LPT:F
processed dir: C:\BCD

C:\>CACLS C:\ABC /T /E /G A3AN-LPT:F
processed dir: C:\ABC
Access is denied.

C:\>

I am not sure if that means it is working?

It seems that the environment variable might be causing an issue,
ECHO %USERNAME% will yield "A3AN"

I can give you my actual settings (it might help) because I format my testing laptop every few days.
My current details:
My computer name is: A3AN-LPT
My (Administrator) user name is: A3AN
My password is: a4

The switch from your original command /Y does not seem to be a valid command.

Also, when I run CACLS command myself, it asks "Are you sure" and expects a Y / N answer, so these things might be causing problems?

Are you running the command when you test as with the RUNAS?

Ok it works, i think but it requests a password before completing the final step. Can I put this password in the script?


C:\>CACLS C:\BCD /T /E /G %USERNAME%:F
processed dir: C:\BCD

C:\>runas /user:A3AN-LPT\A3AN "CACLS C:\ABC /T /E /G %USERNAME%:F"
Enter the password for A3AN-LPT\A3AN:
Attempting to start CACLS C:\ABC /T /E /G A3AN:F as user "A3AN-LPT\A3AN" ...

C:\>

I get Access Denied error when using an invalid folder.  (badly worded error)  Does the folder exist?

I am running windows 7 on my test pc. Sorry, guess I should have told you this earlier. :-)

You can always use my solution if it won't work (change the CACLS line to the one you have working)

SANUR might not work with Windows 7 though - original post stated Windows XP.

I will test this current solution on monday using a windows xp pc as the final solution is expected to work on windows xp. I will then also test with the correct users and verify if the folder attributes changed. I should not have tested on windows 7 in the first place I guess. I was hoping that DOS would behave all the same. Thanks for all the help and I will get back to you as soon as I have tested this. I appreciate your time scriven and danubian.

Try this one:

'Start of Script
'VBRUNAS.VBS
'v1.2 March 2001
'Jeffery Hicks
'jhicks@quilogy.com http://www.quilogy.com
'USAGE: cscript|wscript VBRUNAS.VBS Username Password Command
'DESC: A RUNAS replacement to take password at a command prompt.
'NOTES: This is meant to be used for local access. If you want to run a command
'across the network as another user, you must add the /NETONLY switch to the RUNAS 
'command.

' *********************************************************************************
' * THIS PROGRAM IS OFFERED AS IS AND MAY BE FREELY MODIFIED OR ALTERED AS *
' * NECESSARY TO MEET YOUR NEEDS. THE AUTHOR MAKES NO GUARANTEES OR WARRANTIES, *
' * EXPRESS, IMPLIED OR OF ANY OTHER KIND TO THIS CODE OR ANY USER MODIFICATIONS. *
' * DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED IN A SECURED LAB *
' * ENVIRONMENT. USE AT YOUR OWN RISK. *
' *********************************************************************************

On Error Resume Next
dim WshShell,oArgs,FSO

set oArgs=wscript.Arguments

if InStr(oArgs(0),"?")<>0 then
wscript.echo VBCRLF & "? HELP ?" & VBCRLF
Usage
end if

if oArgs.Count <3 then
wscript.echo VBCRLF & "! Usage Error !" & VBCRLF
Usage
end if

sUser=oArgs(0)
sPass=oArgs(1)&VBCRLF
sCmd=oArgs(2)

set WshShell = CreateObject("WScript.Shell")
set WshEnv = WshShell.Environment("Process")
WinPath = WshEnv("SystemRoot")&"\System32\runas.exe"
set FSO = CreateObject("Scripting.FileSystemObject")

if FSO.FileExists(winpath) then
'wscript.echo winpath & " " & "verified"
else
wscript.echo "!! ERROR !!" & VBCRLF & "Can't find or verify " & winpath &"." & VBCRLF & "You must be running Windows 2000 for this script to work."
set WshShell=Nothing
set WshEnv=Nothing
set oArgs=Nothing
set FSO=Nothing
wscript.quit
end if

rc=WshShell.Run("runas /user:" & sUser & " " & CHR(34) & sCmd & CHR(34), 2, FALSE)
Wscript.Sleep 30 'need to give time for window to open.
WshShell.AppActivate(WinPath) 'make sure we grab the right window to send password to
WshShell.SendKeys sPass 'send the password to the waiting window.

set WshShell=Nothing
set oArgs=Nothing
set WshEnv=Nothing
set FSO=Nothing

wscript.quit

'************************
'* Usage Subroutine *
'************************
Sub Usage()
On Error Resume Next
msg="Usage: cscript|wscript vbrunas.vbs Username Password Command" & VBCRLF & VBCRLF & "You should use the full path where necessary and put long file names or commands" & VBCRLF & "with parameters in quotes" & VBCRLF & VBCRLF &"For example:" & VBCRLF &" cscript vbrunas.vbs quilogy\jhicks luckydog e:\scripts\admin.vbs" & VBCRLF & VBCRLF &" cscript vbrunas.vbs quilogy\jhicks luckydog " & CHR(34) &"e:\program files\scripts\admin.vbs 1stParameter 2ndParameter" & CHR(34)& VBCRLF & VBCRLF & VBCLRF & "cscript vbrunas.vbs /?|-? will display this message."

wscript.echo msg

wscript.quit

end sub
'End of Script 

Select allOpen in new window

Copy & paste this script into a file called vbrunas.vbs and call it like this

Usage:wscript vbrunas.vbs A3AN password "CACLS C:\BCD /T /E /G %USERNAME%:F"

Select allOpen in new window

'Runas' command request passowrd. This is the normal behaviour and the vbs script just add the option to give password automatically.

On my Windows 7 system my script worked well. But you have to meet some conditions:
 - The credentials used to run the script have to have full control rights on the c:\abc folder. By default Windows 7 local administrator is not enabled. So, you need another user with full control rights on the requested folder;
 - The folder c:\abc have to already exists, with the credentials used already having full control on it.