startrek133 (Author), posted August 26, 2011 (edited)

It seems like it could be fun and help with doing a lot of things .. I just have a hard time getting past all the syntax and grammar, and I keep getting confused, because I started this whole thing with trying to use the "cacls" and after 2 days nothing was working, so went to the "xcacls" and everything worked fine there, but couldn't use the array, had to keep typing in the username .. then you, Hannes, said to use the "icacls", which I still don't understand because it talks about using the ssid and everything else, and I don't need any of that .. I just need to make a folder and set the permissions as the following ..

1. local admins (full control) (this folder, subfolders, and files)
2. creator owner (full control) (subfolders and files only)
3. User (full control) (this folder, subfolders, and files)
4. me (full control) (this folder, subfolders, and files)
5. system (full control) (this folder, subfolders, and files)
6. remove the inherit flag
7. set ownership to local admin
8. remove local users account

Never thought it would be this hard .. Plus now I am all confused, because rcmaehl was trying to do it with the "xcacls" and Hannes is trying to do it with the "icacls". I don't know what command to be using anymore ..

hannes08, posted August 26, 2011

First of all, it is not a good idea granting users "Full Control" as there is no need for them to modify access rights.
Second, discard the "Creator Owner" because he doesn't need to be there, as the user should stay in his own folder.
Third, "The User" should only have the right to his folder to read, write and delete only subfolders and files, otherwise he will be able to delete his own folder (bad idea).
Fourth, don't grant yourself as a user the "full control" right to all users, use a separate AD group (e.g. "Userfolder_modify") and be a member of that group.
Fifth, why set the ownership of the files (to the admin account)? You won't be able to use quotas later on. Either try to set the owner to "The user" on his folder or leave it like it is.
Sixth, well, probably removing local users actually does make sense ...

And now let me see: points "First" through "Fourth" will be done by my script. What else do you want?!?

Regards, Hannes
If you can't convince them, confuse them!

startrek133 (Author), posted August 26, 2011

I get what you're saying Hannes, but I am stuck .. the boss wants the folders set like that, and if I don't give myself full access then I can't redo people's profiles when they mess them up because I don't have access to their folder in order to go in and copy stuff out .. and the "upper" level IT team that controls the groups, policies, and stuff like that is not so big on letting me make changes in AD .. in fact I don't even have access to AD, I have to call them to get things done at times ... I feel like at times the job they hired me for I can't even do because I don't have access to have the systems I need, and that some of the network and AD settings need to be redone to make sense and run better ..

As for your program, it never worked, remember, I told you yesterday that when I went to run it, it opened hundreds of them and then crashed my computer .. and I don't understand the "icacls" enough or AutoIt enough to know why it did that .. so as it stands right now, I am more confused about what to do than I was at the beginning of the week ..

startrek133 (Author), posted August 26, 2011 (edited)

The whole reason this little project started was because my boss and I, as the local admins of this office, don't have rights to the current users' profile folders, somehow they got all messed up .. and when trying to take ownership it will not let us .. So my boss started fresh by making a new roaming profile folder out on the server and pointed some test people there. After about a month of testing he found that the settings that I was talking about work with the users and with roaming profiles ..

It's not like I am trying to be a dick or a pain, it's just confusing for me, because in college they didn't teach us anything about scripting, so I am a noob at this, and this place has some of the most messed up policies and network settings I have ever seen, to where if we change the permissions on a folder it's 50/50 whether it will work right or work how it should .. but I am grateful for everyone's help and hope that something will become of this because I really REALLY don't wanna have to hand type out 200+ folders and set the permissions on each folder ..

hannes08, posted August 26, 2011 (edited)

This will do what you want:

    #AutoIt3Wrapper_Change2CUI=y
    #include <file.au3>

    Dim $s_basefolder = "C:\Test"
    Dim $s_inputfile = "C:\jobs\users.txt"
    Dim $a_users

    DirCreate($s_basefolder) ; Create base folder
    RunWait("icacls.exe " & $s_basefolder & " /inheritance:d") ; Break inheritance on base folder
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "CREATOR OWNER"') ; Remove Creator Owner
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "BUILTIN\Users"') ; Remove any users

    _FileReadToArray($s_inputfile, $a_users)

    For $i = 1 To $a_users[0]
        DirCreate($s_basefolder & "\" & $a_users[$i]) ; Create user folder
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant " & $a_users[$i] & ":(OI)(CI)(IO)(F)") ; Add user to folder with Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant ""CREATOR OWNER"":(OI)(CI)(IO)(F)") ; Add Creator Owner with Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant """ & @UserName & """:(OI)(CI)(IO)(F)") ; Grant your user Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /inheritance:d") ; Break inheritance, copy from parent
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /setowner ""BUILTIN\Administrators"" /T /C") ; Set owner to local administrator
    Next

Except for removing the local users that already have access, because I assume you'll create a NEW folder.

Regards, Hannes

startrek133 (Author), posted August 26, 2011

Hi Hannes, just tried it again, I changed the two variables like you said, and it still did the same thing, opened hundreds of them and crashed my computer ..

    #AutoIt3Wrapper_Change2CUI=y
    #include <file.au3>

    Dim $s_basefolder = "C:\"
    Dim $s_inputfile = "C:\test.txt"
    Dim $a_users

    DirCreate($s_basefolder)
    RunWait("icacls.exe " & $s_basefolder & " /inheritance:d")
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "CREATOR OWNER"')
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "BUILTIN\Users"')

    _FileReadToArray($s_inputfile, $a_users)

    For $i = 1 To $a_users[0]
        DirCreate($s_basefolder & "\" & $a_users[$i])
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant " & $a_users[$i] & ":(OI)(CI)(RX,W,DC)")
    Next

hannes08, posted August 26, 2011 (edited)

Well, pal, what happens if you name your program "icacls" and you're trying to open "icacls" from that script?!? --> Loop of death!

Regards, Hannes

startrek133 (Author), posted August 26, 2011

duh !!! ok my bad, never even thought of that, because I have the icacls.exe program on the c:\ and my folder stuff in a different folder .. sorry my bad !!! but it still isn't working .. it made the folder this time and ended .. but it is still not setting the permissions or setting the users right ..

    > "C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /run /prod /ErrorStdOut /in "\\my docs\Folder Maker\icaclstest.au3" /autoit3dir "C:\Program Files\AutoIt3" /UserParams
    +>09:51:14 Starting AutoIt3Wrapper v.2.0.3.0 Environment(Language:0409 Keyboard:00000409 OS:WIN_XP/Service Pack 3 CPU:X64 OS:X86)
    >Running AU3Check (1.54.19.0) from:C:\Program Files\AutoIt3
    +>09:51:14 AU3Check ended.rc:0
    >Running:(3.3.6.1):C:\Program Files\AutoIt3\autoit3.exe "\\my docs\Folder Maker\icaclstest.au3"
    +>09:51:14 AutoIT3.exe ended.rc:0
    >Exit code: 0 Time: 4.256

hannes08, posted August 26, 2011

> duh !!! ok my bad, never even thought of that, because I have the icacls.exe program on the c:\ and my folder stuff in a different folder .. sorry my bad !!! but it still isn't working .. it made the folder this time and ended .. but it is still not setting the permissions or setting the users right ..
>
>     > "C:\Program Files\AutoIt3\SciTE\AutoIt3Wrapper\AutoIt3Wrapper.exe" /run /prod /ErrorStdOut /in "\\my docs\Folder Maker\icaclstest.au3" /autoit3dir "C:\Program Files\AutoIt3" /UserParams
>     +>09:51:14 Starting AutoIt3Wrapper v.2.0.3.0 Environment(Language:0409 Keyboard:00000409 OS:WIN_XP/Service Pack 3 CPU:X64 OS:X86)
>     >Running AU3Check (1.54.19.0) from:C:\Program Files\AutoIt3
>     +>09:51:14 AU3Check ended.rc:0
>     >Running:(3.3.6.1):C:\Program Files\AutoIt3\autoit3.exe "\\my docs\Folder Maker\icaclstest.au3"
>     +>09:51:14 AutoIT3.exe ended.rc:0
>     >Exit code: 0 Time: 4.256

Put the icacls.exe in the same folder, as probably "C:\" is not in your "PATH" environment variable. If you compile the script and start it from a command line (cmd.exe) you will see the output of icacls.exe in the same window.

Regards, Hannes

startrek133 (Author), posted August 26, 2011

Well, getting closer .. it kinda worked .. it made the folder, gave local admin full control, deleted local user, gave system full control, and added the user of that folder in there and gave him some permissions .. so I just need to figure out how to give the user full control, remove the inherit flag, set owner to local admin, and add me with full control. LOL my head hurts !!!

hannes08, posted August 26, 2011

This will do what you want:

    #AutoIt3Wrapper_Change2CUI=y
    #include <file.au3>

    Dim $s_basefolder = "C:\Test"
    Dim $s_inputfile = "C:\jobs\users.txt"
    Dim $a_users

    DirCreate($s_basefolder) ; Create base folder
    RunWait("icacls.exe " & $s_basefolder & " /inheritance:d") ; Break inheritance on base folder
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "CREATOR OWNER"') ; Remove Creator Owner
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "BUILTIN\Users"') ; Remove any users

    _FileReadToArray($s_inputfile, $a_users)

    For $i = 1 To $a_users[0]
        DirCreate($s_basefolder & "\" & $a_users[$i]) ; Create user folder
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant " & $a_users[$i] & ":(OI)(CI)(IO)(F)") ; Add user to folder with Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant ""CREATOR OWNER"":(OI)(CI)(IO)(F)") ; Add Creator Owner with Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant """ & @UserName & """:(OI)(CI)(IO)(F)") ; Grant your user Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /inheritance:d") ; Break inheritance, copy from parent
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /setowner ""BUILTIN\Administrators"" /T /C") ; Set owner to local administrator
    Next

Except for removing the local users that already have access, because I assume you'll create a NEW folder.

Regards, Hannes

storme, posted August 26, 2011

G'day

Just had a read through as I've got an academic interest (at the moment) with permissions and such.

I noticed that you weren't putting inverted commas around your paths. This shouldn't cause you any problem with the test environment but will if you have a space in any of the paths when you get it working.

I've edited your code but it's untested. Hope it helps!

    #AutoIt3Wrapper_Change2CUI=y
    #include <file.au3>

    Dim $s_basefolder = "C:\Test"
    Dim $s_inputfile = "C:\jobs\users.txt"
    Dim $a_users

    DirCreate($s_basefolder) ; Create base folder
    RunWait('icacls.exe "' & $s_basefolder & '" /inheritance:d') ; Break inheritance on base folder
    RunWait('icacls.exe "' & $s_basefolder & '" /remove:g "CREATOR OWNER"') ; Remove Creator Owner
    RunWait('icacls.exe "' & $s_basefolder & '" /remove:g "BUILTIN\Users"') ; Remove any users

    _FileReadToArray($s_inputfile, $a_users)

    For $i = 1 To $a_users[0]
        DirCreate($s_basefolder & "\" & $a_users[$i]) ; Create user folder
        RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /grant ' & $a_users[$i] & ":(OI)(CI)(IO)(F)") ; Add user to folder with Full Control
        RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /grant "CREATOR OWNER":(OI)(CI)(IO)(F)') ; Add Creator Owner with Full Control
        RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /grant "' & @UserName & '":(OI)(CI)(IO)(F)') ; Grant your user Full Control
        RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /inheritance:d') ; Break inheritance, copy from parent
        RunWait('icacls.exe "' & $s_basefolder & "\" & $a_users[$i] & '" /setowner "BUILTIN\Administrators" /T /C') ; Set owner to local administrator
    Next

Good Luck
John

startrek133 (Author), posted August 26, 2011

Thanks very much Hannes, I think I might be getting this .. but knowing me I am not even close .. don't I have to Dim a variable with my username to match the @UserName you have in the one part where it gives me full access ?? something like .. Dim $a_me and then change & @UserName & to & $a_me & maybe ??

hannes08, posted August 26, 2011

> I noticed that you weren't putting inverted commas around your paths. This shouldn't cause you any problem with the test environment but will if you have a space in any of the paths when you get it working.

Thanks, you just eliminated another built-in trap. If you have questions about permissions, feel free to ask.

Regards, Hannes

hannes08, posted August 26, 2011

> Thanks very much Hannes, I think I might be getting this .. but knowing me I am not even close .. don't I have to Dim a variable with my username to match the @UserName you have in the one part where it gives me full access ?? something like .. Dim $a_me and then change & @UserName & to & $a_me & maybe ??

From the helpfile:

    @UserName    ID of the currently logged on user.

If you are running this as another user, you need to change it.

Regards, Hannes

startrek133 (Author), posted August 26, 2011

aahh really, I didn't know that .. man, all this time I could have used that variable for other stuff I am working on .. thanks !!!

(deep breath) still didn't work .. but closer, it added me and the user, but didn't set either of us to full control, and the inherit flag is still there .. sigh !!! man, at this rate if you lived in the Orlando area, I would have to buy you dinner for all the help .. thanks Hannes !!!!

startrek133 (Author), posted August 26, 2011

Well, just figured something out .. I was using the icacls command in the command prompt to play and just see if I could manually set the permissions .. Me as the local admin, I can set my own permissions to full control, but when I go to set the user it will not let me .. even if I put in the domain name and then his username, which is the same as the folder .. and the /inheritance:d is an invalid parameter, so no wonder why it's removing it .. and as for the /setowner command I keep getting access is denied .. aahhh was so close !!!!

startrek133 (Author), posted August 26, 2011

ok, think I have figured out what my problem might be .. I think I am running an older version of the icacls.exe file .. I have version 5.2.3790.3959 and I just saw something about a newer version that was .4213, wonder where I could find that .. seeing how the exe I got was off the server ..

startrek133 (Author), posted August 29, 2011

Well, another week starts and I get to keep trying to get this to work .. I made a VMware image of 2003 server over the weekend hoping that an update would install a newer version of icacls, and no luck .. so not sure what I can do now .. seeing how the icacls program doesn't work, the xcacls doesn't work .. I am at a loss now .. any thoughts or advice on what I could do?

startrek133 (Author), posted August 30, 2011

Well, I got a newer version of the icacls.exe file, so I now have the inherit option .. but when running the script now all it does is strip all the security out and doesn't set anything, and the inherit flag is still checked .. Running this on my XP box, Hannes, boss says I can't play with the live server until I get it working on my box first .. and I don't mind changing it from the c:\, just thought it would be easier to use there .. here is the code I currently have ..

    #include <file.au3>

    Dim $s_basefolder = "C:\"
    Dim $s_inputfile = "C:\test.txt"
    Dim $a_users

    ; Create basefolder
    DirCreate($s_basefolder)
    ; Remove Creator Owner
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "CREATOR OWNER"')
    ; Remove any users
    RunWait("icacls.exe " & $s_basefolder & ' /remove:g "BUILTIN\Users"')

    _FileReadToArray($s_inputfile, $a_users)

    For $i = 1 To $a_users[0]
        ; Create user folder
        DirCreate($s_basefolder & "\" & $a_users[$i])
        ; Break inheritance, copy from parent
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /inheritance:d")
        ; Add user to Folder with Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant """ & $a_users[$i] & """:(F)")
        ; Add creator owner with Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant ""CREATOR OWNER"":(OI)(CI)(IO)(F)")
        ; Grant Me Full Control
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /grant """ & @UserName & """:(OI)(CI)(IO)(F)")
        ; Set owner to local administrator
        RunWait("icacls.exe " & $s_basefolder & "\" & $a_users[$i] & " /setowner ""BUILTIN\Administrators"" /T /C")
    Next

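Added example, not code from any poster in this thread: the permission layout listed in the first post, written with the icacls inheritance flag that matches each scope, quoted paths, a full path to icacls.exe, and an exit-code check on every call. It assumes an icacls.exe at the path in $ICACLS that accepts /inheritance and /grant:r; $BASE, $USERLIST and $PREFIX are placeholder values, and the helper function names are made up for this sketch.

```autoit
#AutoIt3Wrapper_Change2CUI=y
#include <File.au3>

; Assumed values, not from the thread: adjust before use.
Global Const $ICACLS = @SystemDir & "\icacls.exe" ; full path, so a script named icacls.exe cannot launch itself
Global Const $BASE = "C:\Test"
Global Const $USERLIST = "C:\jobs\users.txt"
Global Const $PREFIX = ""        ; hypothetical, e.g. "MYDOMAIN\" for domain accounts
Global Const $USER_RIGHT = "(F)" ; as requested in the first post; "(RX,W,DC)" is the narrower right from the earlier script

; icacls inheritance flags:
;   (OI)(CI)     = this folder, subfolders and files
;   (OI)(CI)(IO) = subfolders and files only; (IO) is inherit-only, so the ACE does not apply to the folder itself
Global Const $ALL = "(OI)(CI)"
Global Const $KIDS = "(OI)(CI)(IO)"

; Run icacls on a quoted path; log and return False on launch failure or a non-zero exit code.
Func _Icacls($sPath, $sArgs)
    Local $iRc = RunWait('"' & $ICACLS & '" "' & $sPath & '" ' & $sArgs, "", @SW_HIDE)
    If @error Or $iRc <> 0 Then
        ConsoleWrite("FAILED rc=" & $iRc & ": " & $sPath & " " & $sArgs & @CRLF)
        Return False
    EndIf
    Return True
EndFunc

; Build one grant argument; /grant:r replaces any earlier explicit grant for that account.
Func _Grant($sAccount, $sFlags, $sRight)
    Return '/grant:r "' & $sAccount & '":' & $sFlags & $sRight
EndFunc

Func _SecureUserFolder($sUser)
    ; The name becomes part of a command line, so accept only plain account names.
    If Not StringRegExp($sUser, '^[\w.\-]+$') Then Return False
    Local $sDir = $BASE & "\" & $sUser
    If Not FileExists($sDir) And Not DirCreate($sDir) Then Return False
    Local $sMe = @LogonDomain & "\" & @UserName
    ; Explicit grants first, then strip inherited ACEs, so access is never lost midway.
    If Not _Icacls($sDir, _Grant("BUILTIN\Administrators", $ALL, "(F)")) Then Return False
    If Not _Icacls($sDir, _Grant("NT AUTHORITY\SYSTEM", $ALL, "(F)")) Then Return False
    If Not _Icacls($sDir, _Grant($sMe, $ALL, "(F)")) Then Return False
    If Not _Icacls($sDir, _Grant($PREFIX & $sUser, $ALL, $USER_RIGHT)) Then Return False
    If Not _Icacls($sDir, _Grant("CREATOR OWNER", $KIDS, "(F)")) Then Return False
    ; /inheritance:r removes every inherited ACE, including an inherited BUILTIN\Users entry.
    If Not _Icacls($sDir, "/inheritance:r") Then Return False
    Return _Icacls($sDir, '/setowner "BUILTIN\Administrators" /T /C')
EndFunc

Local $aUsers
If Not _FileReadToArray($USERLIST, $aUsers) Then Exit 1
For $i = 1 To $aUsers[0]
    Local $sUser = StringStripWS($aUsers[$i], 3)
    If $sUser = "" Then ContinueLoop
    If Not _SecureUserFolder($sUser) Then ConsoleWrite("Skipped or incomplete: " & $sUser & @CRLF)
Next
```

Running `icacls "C:\Test\<user>"` afterwards lists the resulting ACEs, so the flags on each entry can be compared with the intended scope.
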