Solved

Running a script to change icacls permissions but it needs to run twice over to work

Posted on 2015-01-20
4
114 Views
Last Modified: 2016-06-18
Hiya,

In the script below I am trying to

• Remove inheritance derived from parent folder.
• Remove “Authenticated Users” – the *s-1-5-11 SID
• Add a Domain group

for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 /grant:r "mf\mf_test":(OI)(CI)RX >> c:\testben\results.log

Unfortunately I have run to run the command twice to have the inheritance removed. is there a way I can do all three in one single line without running it again?
0
Comment
Question by:rhiancohen
4 Comments
 
LVL 76

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 40561453
How often do you need to run this script?
and on how many systems?
If you run the command directly as a test, does it error out?

You are running a loop, what is the issue with issuing the icalcs commands in squence that works?

Your issue is likely the inability of icalcs to resolve the group name "mf\mf_test"

You can run the command once by replacing the group name, with the group's SID
Just for clarity one way to obtain the group SiD is dsquery group -name "groupname"  | dsget group -sid (run it on a DC where these tools should be available)

for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 /grant:r *<sid of group you want to add>:(OI)(CI)RX >> c:\testben\results.log

Open in new window


These are part of the RSAT (if missing here is a way to add them https://technet.microsoft.com/en-us/library/cc731420%28v=WS.10%29.aspx)
0
 
LVL 24

Accepted Solution

by:
lionelmm earned 250 total points
ID: 40561879
I have found that running icacls works best with remove and grant as 2 separate commands. also I don not use domain\groupname--groupname only works
for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 >> c:\testben\results-remove.log
for /f %%R in (subfldrs_Test.txt) do icacls /grant:r "groupname":(OI)(CI)RX >> c:\testben\results-grant.log
0
 
LVL 1

Author Comment

by:rhiancohen
ID: 40565049
Thanks very much for the comments. I'll post back here when I've given it a try.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now