Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Running a script to change icacls permissions but it needs to run twice over to work

Posted on 2015-01-20
4
Medium Priority
?
192 Views
Last Modified: 2016-06-18
Hiya,

In the script below I am trying to

• Remove inheritance derived from parent folder.
• Remove “Authenticated Users” – the *s-1-5-11 SID
• Add a Domain group

for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 /grant:r "mf\mf_test":(OI)(CI)RX >> c:\testben\results.log

Unfortunately I have run to run the command twice to have the inheritance removed. is there a way I can do all three in one single line without running it again?
0
Comment
Question by:rhiancohen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 79

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 40561453
How often do you need to run this script?
and on how many systems?
If you run the command directly as a test, does it error out?

You are running a loop, what is the issue with issuing the icalcs commands in squence that works?

Your issue is likely the inability of icalcs to resolve the group name "mf\mf_test"

You can run the command once by replacing the group name, with the group's SID
Just for clarity one way to obtain the group SiD is dsquery group -name "groupname"  | dsget group -sid (run it on a DC where these tools should be available)

for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 /grant:r *<sid of group you want to add>:(OI)(CI)RX >> c:\testben\results.log

Open in new window


These are part of the RSAT (if missing here is a way to add them https://technet.microsoft.com/en-us/library/cc731420%28v=WS.10%29.aspx)
0
 
LVL 25

Accepted Solution

by:
Lionel MM earned 1000 total points
ID: 40561879
I have found that running icacls works best with remove and grant as 2 separate commands. also I don not use domain\groupname--groupname only works
for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 >> c:\testben\results-remove.log
for /f %%R in (subfldrs_Test.txt) do icacls /grant:r "groupname":(OI)(CI)RX >> c:\testben\results-grant.log
0
 
LVL 1

Author Comment

by:rhiancohen
ID: 40565049
Thanks very much for the comments. I'll post back here when I've given it a try.
0

Featured Post

Turn your laptop into a mobile console!

The CV211 Laptop USB Console Adapter provides a direct Laptop-to-Computer connection for fast and easy remote desktop access with no software to install.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question