Solved

Remove an inherited group from a folder

Posted on 2012-08-23
Last Modified: 2012-08-28
I have a script that will create folders based on a text file list of users. The folders are named the same as the users. Since these folders follow specific permissions from the top of the branch, I need to have a specific inherited local group removed from the created folders.

All of the users of the created folders have modify rights, domain admins have full, and the rest are standard created users with standard rights.

However, the inherited local group has "list" permissions, which means everyone can see into everyone else's folder.

I've tried the remove command, but that doesn't work. I've tried the deny command, but that denies all permissions at the top branch folder to have deny attributes, which follows the folder creation.

This is my script so far:

Const ForReading = 1

strComputer = "servername"
Set objWMIService = GetObject ("winmgmts:\\" & strComputer _
    & "\root\cimv2:Win32_Process")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set inputFile = objFSO.OpenTextFile("C:\Scripts\bio0204.txt", ForReading)

Do Until inputFile.AtEndOfStream
    strFolders = inputFile.ReadAll
Loop

arrFolders = Split(strFolders, vbCrLf)

For i = 0 To UBound(arrFolders)
  createFolder = objWMIService.Create ("cmd.exe /c md c:\top folder in tree\" & arrFolders(i) & "", _
      Null, Null, intProcessID)
  Wscript.sleep 10000
  assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /remove server local group " & arrFolders(i) & ":(OI)(CI)M", Null, Null, intProcessID)
  assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /Grant " & arrFolders(i) & ":(OI)(CI)M", Null, Null, intProcessID)
Next

Any suggestions and actual lines of code would be greatly appreciated.

Thanks in advance,
0
Question by:wheelgunr
 
LVL 2

Expert Comment

by:lesliem-sa
ID: 38324777
Hi,
You can remove inheritance by using icacls with the /inheritance:r
rather than using /remove server local group

Regards,
Leslie
0
 

Author Comment

by:wheelgunr
ID: 38324855
Hi Leslie

I tried that, and it removed everything. I couldn't delete the test folders without my having to take ownership of them as the domain admin.

I don't want to remove all of the inheritances. I need Domain Admins, system, local admin, etc. to still be part of the permissions.
0
 
LVL 2

Expert Comment

by:lesliem-sa
ID: 38324901
Hi,
Using /inheritance:d will disable inheritance, but keep the current security descriptors.
You should then be able to remove and add as needed.

Regards,
Leslie
0

Author Comment

by:wheelgunr
ID: 38324965
Can you give me an example of the script line for the inheritance and then the removal (based on my current script)?
0
 
LVL 2

Assisted Solution

by:lesliem-sa
lesliem-sa earned 1500 total points
ID: 38325024
Hi,
I am rusty on my VBScript, but it would be something like this - just adding a new line to first remove inheritance, then carry on with your script to remove the local server and then thirdly, you add (using /grant) the required users/groups:

For i = 0 To UBound(arrFolders)
  createFolder = objWMIService.Create ("cmd.exe /c md c:\top folder in tree\" & arrFolders(i) & "", _
      Null, Null, intProcessID)
  Wscript.sleep 10000
  assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /inheritance:d " & arrFolders(i) & ":(OI)(CI)M", Null, Null, intProcessID)
  assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /remove server local group " & arrFolders(i) & ":(OI)(CI)M", Null, Null, intProcessID)
  assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /Grant " & arrFolders(i) & ":(OI)(CI)M", Null, Null, intProcessID)
Next
0
 

Author Comment

by:wheelgunr
ID: 38325102
Hi again,

Nope, those lines didn't do it. User is still inherited, and user is not removed. I even shuffled the sequence around, still nothing removed.
0
 
LVL 2

Expert Comment

by:lesliem-sa
ID: 38325117
Can you complete the sequence manually from the command line? Test this first and then incorporate into script.
0
 

Author Comment

by:wheelgunr
ID: 38325556
Yes, I can run them in the command line and they work. BUT..since I'm not a programmer, I don't know how to plug in the inheritance:d and remove:g into a script line.

If I have to run 2 scripts, that's OK as well. One script can create the folders I need, the other can take care of permissions.

Any ideas?
0
 

Accepted Solution

by:
wheelgunr earned 0 total points
ID: 38326332
I finally got it to work, with your suggestions. The changes to the script you gave are:

assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /Grant " & arrFolders(i) & ":(OI)(CI)M", Null, Null, intProcessID)
WScript.Sleep 10000
assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /inheritance:d " )
WScript.Sleep 10000
assignACL = objWMIService.Create ("cmd.exe /c icacls.exe c:\top folder in tree\" & arrFolders(i) _
      & "" & " /remove server local group " )

Just needed some tweaking for this particular system. Thanks very much for the help.
0
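
As an added example that is not part of the original thread: the same three icacls operations run synchronously from PowerShell, with each exit code checked and the resulting ACL verified. The root path and group name are hypothetical placeholders; the list file path is the one from the question.

```powershell
# Added example; names below are assumptions, not values from the thread.
$Root     = 'C:\Shares\Users'          # hypothetical top folder of the tree
$Group    = 'SERVER01\FolderListers'   # hypothetical inherited local group to strip
$UserList = 'C:\Scripts\bio0204.txt'   # user list file named in the question

function Invoke-Icacls {
    param([string[]]$IcaclsArgs)
    # The call operator waits for icacls.exe to exit, so no Sleep is needed
    # between steps, and each argument is passed separately (no cmd.exe parsing).
    $output = & icacls.exe @IcaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($IcaclsArgs -join ' ') failed: $output"
    }
}

foreach ($user in Get-Content -Path $UserList) {
    $user = $user.Trim()
    if ($user -eq '') { continue }
    # Folder name doubles as account name; refuse anything that is not a plain name.
    if ($user -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping unexpected entry: '$user'"
        continue
    }

    $path = Join-Path -Path $Root -ChildPath $user
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # 1. Stop inheriting, keeping copies of the inherited ACEs as explicit entries
    #    (Domain Admins, SYSTEM, local Administrators stay on the folder).
    Invoke-Icacls @($path, '/inheritance:d')
    # 2. The group's ACE is now explicit on this folder, so it can be removed.
    Invoke-Icacls @($path, '/remove:g', $Group)
    # 3. Give the folder's user Modify on the folder, subfolders and files.
    Invoke-Icacls @($path, '/grant', "${user}:(OI)(CI)M")

    # Verify the result instead of assuming it.
    $acl  = Get-Acl -Path $path
    $left = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group }
    if (-not $acl.AreAccessRulesProtected -or $left) {
        Write-Warning "$path still exposes an entry for $Group or still inherits"
    } else {
        Write-Output "$path OK"
    }
}
```

If the accounts are domain accounts, the name passed to /grant may need a domain prefix; the thread grants the bare user name, so the example does the same.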
 

Author Closing Comment

by:wheelgunr
ID: 38340078
Needed final tweaking to solve the problem, but was given the direction to go to by Leslie.
0
