How to modify c drive permissions remotely when the drive is not shared

Posted on 2011-04-27
Last Modified: 2012-05-11
It was discovered that all workstations have everyone read and execute set on the local c drives.

I can run to \\workstation\c$ and see the contents. But since the drive is not shared out I cannot get to the root permissions of the cdrive.

End result: Be able to run a script or remotely access a local c drive and remove the everyone group from the permissions list.

I tried

cacls /E /R user everyone

But I get the error

No mapping between account names and security IDs was done.

I can use vbscript or any command that would be a default .exe on a windows XP machine.
Question by:Mikehyde
    LVL 7

    Accepted Solution

    Use of the NET command should assist.

    net use [{DEVICE | *}] [\\COMPUTER\SHARE[\VOL]]
      net use m \\MyComputer\c$

    Assuming you have administrative rights, you will have mapped the Cdrive of MyComputer as M on your local machine.

    You can command line permission changes using the cacls.exe
       Be careful and read thoroughly on cacls, it can be tricky.  But that would provide you with the ability to script through cmd line to set permissions.
    LVL 1

    Author Comment

    no kidding. I am aware of the pitfalls of calcs.

    It gets worse. Apparantly the local group (users) on their workstations have full control. Nested in this group is "domain users". So I need to remove this permission as well.

    While we are on the subject, this will most likely disable users from using their pc's as they rely on this permission. No one is named specifically.

    So I will need to add "%username% to have full control over the c drive. Aye. Really? Like I dont have enuf to do already. : P

    New end result:

    Remove Everyone from c drive
    remove Domain users from local Users group or remove local users from c drive
    Add named user to c drive full control
    LVL 7

    Assisted Solution

    Domain Users are typically added to the local machine with Domain Group Policy.  I would check that route first and determine if you could modify the access through the GPO for domain SIDs.

    Local accounts, it may be suggested, to remove them all, except the local admin account (for offline/emergency purposes)

     You can also assign specific Domain Users to Local Groups, such as Power Users or Local Admin via Group Policy, as well.

      this centralizes your administration of machines and should achieve your goal.

    Here is a brief synopsis of how this can be done, you will need to test and tweak it for your roll-out, of course : Tech-Republic - GPO for Local Admin
    LVL 1

    Author Comment

    This allows you to get to the properties page, but breaks ineritance. : (

    Use of the NET command should assist.

    net use [{DEVICE | *}] [\\COMPUTER\SHARE[\VOL]]
      net use m \\MyComputer\c$

    Featured Post

    Find Ransomware Secrets With All-Source Analysis

    Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

    Join & Write a Comment

    I wanted to pass this along in case anyone has a problem removing a device from the Device Manager, or if you suspect a corrupted Driver that you want to remove in its entirety. I know it is kinda lengthy and very basic in its format, but I figured …
    Migration of Exchange mailbox can be done with the ExProfre.exe tool. But at times, when the ExProfre.exe tool migrates the Exchange Server user profile, it results in numerous synchronization problems. Synchronization error messages appear in the e…
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now