Users Profile Folders


It seems like it could be fun and help with doing a lot of things .. I just have a hard time getting past all the syntax and grammar, and I keep getting confused, because I started this whole thing with trying to use the "cacls" and after 2 days nothing was working so went to the "xcacls" and everything worked fine there, but couldn't use the array, had to keep typing in the username ..

then you Hannes said to use the "Icacls" which I still don't understand because it talks about using the ssid and everything else, and I don't need any of that .. I just need to make a folder and set the permissions as the following ..

1. local admins (full control) ( this folder, subfolders, and files)

2. creator owner ( full control) ( subfolders and files only)

3. User (full control) ( this folder, subfolders, and files)

4. me (full control) ( this folder, subfolders, and files)

5. system (full control) ( this folder, subfolders, and files)

6. remove the inherit flag

7. set ownership to local admin

8. remove local users account

never thought it would be this hard .. Plus now I am all confused, because rcmaehl was trying to do it with the "xcacls" and Hannes is trying to do it with the "Icacls", I don't know what command to be using anymore ..

Edited by startrek133
Link to comment
Share on other sites


First of all, it is not a good idea granting users "Full Control" as there is no need for them to modify access rights.

Second, discard the "Creator Owner" because he doesn't need to be there, as the user should stay in his own folder.

Third, "The User" should only have the right to his folder to read, write and delete only subfolders and files, otherwise he will be able to delete his own folder (bad idea).

Fourth, don't grant yourself as a user the "full control" right to all users, use a separate AD group (e.g. "Userfolder_modify") and be a member of that group.

Fifth, why setting the ownership of the files (to the admin account)? You won't be able to use quotas later on. Either try to set the owner to "The user" on his folder or leave it like it is.

Sixth, well, probably removing local users actually does make sense ... :mellow:

And now let me see: points "First" through "Fourth" will be done by my script. What else do you want?!?

Regards,Hannes[spoiler]If you can't convince them, confuse them![/spoiler]
Link to comment
Share on other sites

I get what you're saying Hannes, but I am stuck .. the boss wants the folders set like that, and if I don't give myself full access then I can't redo people's profiles when they mess them up because I don't have access to their folder in order to go into and copy stuff out .. and the "upper" level IT team that controls the groups, policies, and stuff like that so not big on letting me make changes in AD ..

in fact I don't even have access to AD, I have to call them to get things down at times ... I feel like at times the job they hired me I can't even do because I don't have access to have the systems I need, and that some of the network and AD settings need to be redone to make sense and run better ..

as for your program, it never worked remember, I told you yesterday that when I went to run it, it opened hundreds of them and then crashed my computer .. and I don't understand the "icacls" enough or AutoIt enough to know why it did that ..

so as it stands right now, I am more confused about what to do than I was at the beginning of the week ..

Link to comment
Share on other sites

The whole reason this little project started was because my Boss and I, as the Local Admins of this office, don't have rights to the current users' profile folders, somehow they got all messed up .. and when trying to take ownership it will not let us .. So my Boss started fresh by making a new roaming profile folder out on the server and pointed some test people there. After about a month of testing he found that the settings that I was talking about work with the users and with roaming profiles ..

it's not like I am trying to be a dick or a pain, it's just confusing for me, because in college they didn't teach us anything about scripting, so I am a noob at this, and this place has some of the most messed up policies and network settings I have ever seen, to where if we change the permissions on a folder it's 50/50 to where it will work right or work how it should ..

but I am grateful for everyone's help and hope that someone will become of this because I really REALLY don't wanna have to hand type out 200+ folders and set the permissions on each folder ..

Edited by startrek133
Link to comment
Share on other sites

This will do what you want:

#AutoIt3Wrapper_Change2CUI=y
#include <file.au3>

Dim $s_basefolder = "C:\Test"
Dim $s_inputfile = "C:\jobs\users.txt"
Dim $a_users

DirCreate($s_basefolder) ; Create basefolder

RunWait("icacls.exe " & $s_basefolder &  " /inheritance:d") ; Break inheritance on base folder
RunWait("icacls.exe " & $s_basefolder &  ' /remove:g "CREATOR OWNER"') ; Remove Creator Owner
RunWait("icacls.exe " & $s_basefolder &  ' /remove:g "BUILTIN\Users"') ; Remove any users

_FileReadToArray($s_inputfile, $a_users)

For $i = 1 To $a_users[0]
    DirCreate($s_basefolder & "\" & $a_users[$i] ) ; Create user folder
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant " & $a_users[$i] & ":(OI)(CI)(IO)(F)") ; Add user to Folder with Full Control
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant ""CREATOR OWNER"":(OI)(CI)(IO)(F)") ; Add creator owner with Full Control
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant """ & @UserName & """:(OI)(CI)(IO)(F)") ; Grant you user Full Control
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] &  " /inheritance:d") ; Break inheritance, copy from parent
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] &  " /setowner ""BUILTIN\Administrators"" /T /C") ; Set owner to local administrator
Next

Except for removing the local users that have already access, because I assume you'll create a NEW folder.

Edited by Hannes123
Regards,Hannes[spoiler]If you can't convince them, confuse them![/spoiler]
Link to comment
Share on other sites

Hi Hannes,

just tried it again, I changed the two variables like you said, and it still did the same thing, opened hundreds of them and crashed my computer ..

#AutoIt3Wrapper_Change2CUI=y
#include <file.au3>

Dim $s_basefolder = "C:\"
Dim $s_inputfile = "C:\test.txt"
Dim $a_users

DirCreate($s_basefolder)

RunWait("icacls.exe " & $s_basefolder &  " /inheritance:d")
RunWait("icacls.exe " & $s_basefolder &  ' /remove:g "CREATOR OWNER"')
RunWait("icacls.exe " & $s_basefolder &  ' /remove:g "BUILTIN\Users"')

_FileReadToArray($s_inputfile, $a_users)

For $i = 1 To $a_users[0]
    DirCreate($s_basefolder & "\" & $a_users[$i] )
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant " & $a_users[$i] & ":(OI)(CI)(RX,W,DC)")
Next
Link to comment
Share on other sites

Well, pal what happens if you name your program "icacls" and you're trying to open "icacls" from that script?!?

--> Loop of death! :mellow:

Edited by Hannes123
Regards,Hannes[spoiler]If you can't convince them, confuse them![/spoiler]
Link to comment
Share on other sites

duh !!!

ok my bad, never even thought of that, because I have the icacls.exe program on the c:\ and my folder stuff in a different folder .. sorry my bad !!!

but it's still not working .. it made the folder this time and ended .. but still not setting the permissions or setting the users right ..

>"C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /run /prod /ErrorStdOut /in "\\my docs\Folder Maker\icaclstest.au3" /autoit3dir "C:\Program Files\AutoIt3" /UserParams
+>09:51:14 Starting AutoIt3Wrapper v.2.0.3.0    Environment(Language:0409  Keyboard:00000409  OS:WIN_XP/Service Pack 3  CPU:X64 OS:X86)
>Running AU3Check (1.54.19.0)  from:C:\Program Files\AutoIt3
+>09:51:14 AU3Check ended.rc:0
>Running:(3.3.6.1):C:\Program Files\AutoIt3\autoit3.exe "\\my docs\Folder Maker\icaclstest.au3"
+>09:51:14 AutoIT3.exe ended.rc:0
>Exit code: 0    Time: 4.256
Link to comment
Share on other sites

Put the icacls.exe in the same folder, as probably "C:\" is not in your "PATH" environment variable.

If you compile the script and start it from a command line (cmd.exe) you will see the output of icacls.exe in the same window.

Regards,Hannes[spoiler]If you can't convince them, confuse them![/spoiler]
Link to comment
Share on other sites

well getting closer ..

it kinda worked .. it made the folder , gave local admin full control, deleted local user, gave system full control, and added the user of that folder in there and gave him some permissions ..

so just need to figure out, how to give the user full control, remove the inherit flag, set owner to local admin, and add me with full control .

LOL my head hurts !!!

Link to comment
Share on other sites


G'day

Just had a read through as I've got an academic interest (at the moment) with permissions and such.

I noticed that you weren't putting inverted commas around your paths.

This shouldn't cause you any problem with the test environment but will if you have a space in any of the paths when you get it working.

I've edited your code but it's untested. Hope it helps!

#AutoIt3Wrapper_Change2CUI=y
#include <file.au3>

Dim $s_basefolder = "C:\Test"
Dim $s_inputfile = "C:\jobs\users.txt"
Dim $a_users

DirCreate($s_basefolder) ; Create basefolder

RunWait('icacls.exe "' & $s_basefolder &  '" /inheritance:d') ; Break inheritance on base folder
RunWait('icacls.exe "' & $s_basefolder &  '" /remove:g "CREATOR OWNER"') ; Remove Creator Owner
RunWait('icacls.exe "' & $s_basefolder &  '" /remove:g "BUILTIN\Users"') ; Remove any users

_FileReadToArray($s_inputfile, $a_users)

For $i = 1 To $a_users[0]
    DirCreate($s_basefolder & "\" & $a_users[$i] ) ; Create user folder
    RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /grant ' & $a_users[$i] & ":(OI)(CI)(IO)(F)") ; Add user to Folder with Full Control
    RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /grant "CREATOR OWNER":(OI)(CI)(IO)(F)') ; Add creator owner with Full Control
    RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /grant "' & @UserName & '":(OI)(CI)(IO)(F)') ; Grant you user Full Control
    RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] &  '" /inheritance:d') ; Break inheritance, copy from parent
    RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] &  '" /setowner "BUILTIN\Administrators" /T /C') ; Set owner to local administrator
Next

Good Luck

John

Link to comment
Share on other sites

Thanks very much Hannes,

I think I might be getting this .. but knowing me I am not even close ..

don't I have to dim a variable with my username to match the @UserName you have in the one part where it gives me full access ??

something like ..

Dim $a_me

and then change & @UserName & to & $a_me &

maybe ??

Link to comment
Share on other sites

I noticed that you weren't putting inverted commas around your paths.

This shouldn't cause you any problem with the test environment but will if you have a space in any of the paths when you get it working.

Thanks, you just eliminated another built-in trap.

:mellow:

If you have questions about permissions, feel free to ask :)

Regards,Hannes[spoiler]If you can't convince them, confuse them![/spoiler]
Link to comment
Share on other sites

Thanks very much Hannes,

I think I might be getting this .. but knowing me I am not even close ..

don't I have to dim a variable with my username to match the @UserName you have in the one part where it gives me full access ??

something like ..

Dim $a_me

and then change & @UserName & to & $a_me &

maybe ??

From the helpfile:

@UserName        ID of the currently logged on user.

If you are running this as another user, you need to change it. :mellow:

Regards,Hannes[spoiler]If you can't convince them, confuse them![/spoiler]
Link to comment
Share on other sites

aahh really , i didn't know that .. man all this time i could have used that variable for other stuff i am working on .. thanks !!!

(deep breath)

still didn't work .. but closer , it added me and the user , but didn't set either of us to full control, and the inherit flag is still there ..

sigh !!!

man at this rate if you lived in the Orlando area , i would have to buy you dinner for all the help .. .thanks Hannes !!!!

Link to comment
Share on other sites

well just figured something ..

I was using the Icacls command in the command prompt to play and just see if I could manually set the permissions .. Me as the local admin I can set my own permissions to full control, but when I go to set the user it will not let me .. even if I put in the domain name and then his username, which is the same as the folder ..

and the /inheritance:d is an invalid parameter, so no wonder why it's removing it ..

and as for the /setowner command i keep getting access is denied ..

aahhh was so close !!!!

Link to comment
Share on other sites

ok think I have figured out what my problem might be .. I think I am running an older version of the Icacls.exe file ..

I have version 5.2.3790.3959 and I just saw something about a newer version that was .4213

wonder where I could find that .. seeing how the exe I got was off the server ..

Link to comment
Share on other sites

well another week starts and i get to keep trying to get this to work ..

I made a vmware image of 2003 server over the weekend hoping that an update would install a newer version of Icacls and no luck ..

so not sure what I can do now .. seeing how the icacls program doesn't work, the xcacls doesn't work ..

I am at a loss now ..

any thoughts or advice on what i could do ?

Link to comment
Share on other sites

well I got a newer version of the icacls.exe file, so I now have the inherit option .. but when running the script now all it does is strip all the security out and doesn't set anything and the inherit flag is still checked ..

Running this on my XP box Hannes, boss says can't play with live server until I get it working on my box first .. and I don't mind changing it from the c:\, just thought it would be easier to use there ..

here is the code i currently have ..

#include <file.au3>

Dim $s_basefolder = "C:\"
Dim $s_inputfile = "C:\test.txt"
Dim $a_users

; Create basefolder
DirCreate($s_basefolder)

; Remove Creator Owner
RunWait("icacls.exe " & $s_basefolder &  ' /remove:g "CREATOR OWNER"')

; Remove any users
RunWait("icacls.exe " & $s_basefolder &  ' /remove:g "BUILTIN\Users"')

_FileReadToArray($s_inputfile, $a_users)
For $i = 1 To $a_users[0]

    ; Create user folder
    DirCreate($s_basefolder & "\" & $a_users[$i] )

    ; Break inheritance, copy from parent
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] &  " /inheritance:d")

    ; Add user to Folder with Full Control
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant """ & $a_users[$i] & """:(F)")

    ; Add creator owner with Full Control
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant ""CREATOR OWNER"":(OI)(CI)(IO)(F)")

    ; Grant Me Full Control
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant """ & @UserName & """:(OI)(CI)(IO)(F)")

    ; Set owner to local administrator
    RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] &  " /setowner ""BUILTIN\Administrators"" /T /C")

Next
Link to comment
Share on other sites
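
Added example, not code posted by anyone in the thread: a variant of the folder script that applies three points raised above (calling icacls by full path so a same-named program is never launched, quoting every path, and the difference between `(OI)(CI)` and `(OI)(CI)(IO)`) and checks each exit code. The icacls location under @SystemDir, the account-name pattern, the use of `/inheritance:r` and the helper names are assumptions; where icacls.exe was copied in by hand, point $ICACLS at that copy.

```autoit
#AutoIt3Wrapper_Change2CUI=y
#include <File.au3>

; Added example, not code from the thread. The paths and the helper names
; (_IsSafeName, _Icacls, _SecureUserFolder) are assumptions.
Global Const $ICACLS = @SystemDir & "\icacls.exe" ; full path, so a local "icacls" is never picked up
Global Const $BASE = "C:\Test"
Global Const $USERLIST = "C:\jobs\users.txt"

; Plain account names only: a line from the input file must not be able to
; add quotes, switches or "..\" to the command line or the folder path.
Func _IsSafeName($sName)
    Return StringRegExp($sName, "^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z") = 1
EndFunc

; Run icacls on one quoted target; report launch failures and non-zero exit codes.
Func _Icacls($sTarget, $sArgs)
    Local $iRc = RunWait('"' & $ICACLS & '" "' & $sTarget & '" ' & $sArgs, "", @SW_HIDE)
    If @error Or $iRc <> 0 Then
        ConsoleWrite("FAILED rc=" & $iRc & ": " & $sTarget & " " & $sArgs & @CRLF)
        Return False
    EndIf
    Return True
EndFunc

; (OI)(CI)     = this folder, subfolders and files
; (OI)(CI)(IO) = subfolders and files only (inherit-only, nothing on the folder itself)
; (F) follows the list in the first post; use (M) to withhold "change permissions".
Func _SecureUserFolder($sUser)
    Local $sDir = $BASE & "\" & $sUser
    DirCreate($sDir)
    If Not FileExists($sDir) Then Return False
    Local $sGrant = '/grant:r "BUILTIN\Administrators":(OI)(CI)(F)' & _
            ' "NT AUTHORITY\SYSTEM":(OI)(CI)(F) "CREATOR OWNER":(OI)(CI)(IO)(F)' & _
            ' "' & @UserName & '":(OI)(CI)(F) "' & $sUser & '":(OI)(CI)(F)'
    ; Explicit entries first, then drop inherited ones (:r removes, :d would copy them).
    Return _Icacls($sDir, $sGrant) And _Icacls($sDir, "/inheritance:r") _
            And _Icacls($sDir, '/setowner "BUILTIN\Administrators" /T /C')
EndFunc

If Not FileExists($ICACLS) Then Exit 1
Local $aUsers
If Not _FileReadToArray($USERLIST, $aUsers) Then Exit 2
For $i = 1 To $aUsers[0]
    Local $sUser = StringStripWS($aUsers[$i], 3)
    If $sUser = "" Then ContinueLoop
    If Not _IsSafeName($sUser) Then
        ConsoleWrite("Skipped unsafe name: " & $sUser & @CRLF)
        ContinueLoop
    EndIf
    If Not _SecureUserFolder($sUser) Then ConsoleWrite("Not secured: " & $sUser & @CRLF)
Next
```

Compiled as a console program and started from cmd.exe, any failing icacls call is printed with its exit code, and `icacls "C:\Test\<name>"` afterwards lists the resulting entries for checking.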
