Solved

Running a script to change icacls permissions but it needs to run twice over to work

Posted on 2015-01-20
Last Modified: 2016-06-18
Hiya,

In the script below I am trying to

• Remove inheritance derived from parent folder.
• Remove “Authenticated Users” – the *s-1-5-11 SID
• Add a Domain group

for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 /grant:r "mf\mf_test":(OI)(CI)RX >> c:\testben\results.log

Unfortunately I have to run the command twice to have the inheritance removed. Is there a way I can do all three in one single line without running it again?
0
Question by:rhiancohen
4 Comments
 
LVL 80

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 40561453
How often do you need to run this script?
and on how many systems?
If you run the command directly as a test, does it error out?

You are running a loop, what is the issue with issuing the icacls commands in sequence that works?

Your issue is likely the inability of icacls to resolve the group name "mf\mf_test"

You can run the command once by replacing the group name with the group's SID.
Just for clarity, one way to obtain the group SID is dsquery group -name "groupname"  | dsget group -sid (run it on a DC where these tools should be available)

for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 /grant:r *<sid of group you want to add>:(OI)(CI)RX >> c:\testben\results.log


These are part of the RSAT (if missing here is a way to add them https://technet.microsoft.com/en-us/library/cc731420%28v=WS.10%29.aspx)
0
 
LVL 26

Accepted Solution

by:
Lionel MM earned 1000 total points
ID: 40561879
I have found that running icacls works best with remove and grant as 2 separate commands. Also, I do not use domain\groupname--groupname only works
for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /inheritance:d /remove:g *s-1-5-11 >> c:\testben\results-remove.log
for /f %%R in (subfldrs_Test.txt) do icacls c:\testben\%%R /grant:r "groupname":(OI)(CI)RX >> c:\testben\results-grant.log
0
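The three steps from the question, run as separate icacls calls per folder in the spirit of the accepted answer, with an exit-code check after each step and a verification pass over the resulting ACL. This is an added example, not part of the original thread: `groupname` is a placeholder, running /inheritance:d as its own call goes one step further than the answer shows, and the verification assumes English-locale icacls output.

```batch
@echo off
rem Added example, not code from the thread. Paths and the list file are the
rem ones used in the question; GROUP is a placeholder (a name or *SID).
setlocal
set "BASE=c:\testben"
set "LIST=subfldrs_Test.txt"
set "LOG=%BASE%\results.log"
set "GROUP=groupname"

rem "delims=" keeps folder names that contain spaces intact.
for /f "usebackq delims=" %%R in ("%LIST%") do call :fix "%BASE%\%%R"
endlocal
exit /b 0

:fix
set "TARGET=%~1"
echo ==== %TARGET% >> "%LOG%"

rem Step 1: stop inheriting; :d copies the inherited ACEs as explicit ones.
set "STEP=inheritance"
icacls "%TARGET%" /inheritance:d >> "%LOG%" 2>&1
if errorlevel 1 goto :failed

rem Step 2: remove granted ACEs for Authenticated Users (SID S-1-5-11).
set "STEP=remove"
icacls "%TARGET%" /remove:g *S-1-5-11 >> "%LOG%" 2>&1
if errorlevel 1 goto :failed

rem Step 3: grant the group read/execute, inherited by subfolders and files.
set "STEP=grant"
icacls "%TARGET%" /grant:r "%GROUP%":(OI)(CI)RX >> "%LOG%" 2>&1
if errorlevel 1 goto :failed

rem Verify: icacls marks inherited ACEs with (I); none should remain.
icacls "%TARGET%" | findstr /l /c:"(I)" >nul
if not errorlevel 1 echo WARNING inherited ACEs remain: %TARGET% >> "%LOG%"

rem Verify: the account name below is the English display name (assumption).
icacls "%TARGET%" | findstr /i /l /c:"Authenticated Users" >nul
if not errorlevel 1 echo WARNING Authenticated Users still listed: %TARGET% >> "%LOG%"
exit /b 0

:failed
rem icacls returns a non-zero exit code when it could not process the target.
echo FAILED step %STEP%: %TARGET% >> "%LOG%"
exit /b 1
```

Any WARNING or FAILED line in results.log names the folder that still needs attention, so a single run can be audited without re-running the loop.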
 
LVL 1

Author Comment

by:rhiancohen
ID: 40565049
Thanks very much for the comments. I'll post back here when I've given it a try.
0
