SetACL Syntax


I'm running the following command locally on the target machine, and while it says the command completed, %windir%\auto does not have the permissions set.

D:\>\\server\share\bin\setacl.exe -on "%windir%\auto" -ot file -actn ace -ace "n:domain\userone;p:full" -ace "n:domain\usertwo;p:full"
Processing ACL of: <\\?\D:\WINDOWS\auto>

SetACL finished successfully.

What's wrong with the above syntax?

I find it strange that it says "\\?\D:\WINDOWS\auto", as if it's trying to set a remote share.


Also, this is being run after the following AutoIt script which creates and shares the folder.

Dim $machine, $windows, $WMIService, $NewShare, $errReturn
;================================================================
; If %windir%\auto does not exist, create it and share it
;================================================================
$machine = @ComputerName
$windows = @WindowsDir
$os = @OSVersion
If Not FileExists("" & $windows & "\auto") Then
    If $os = "WIN_VISTA" Then
        DirCreate("" & $windows & "\auto")
        Run("\\server\share\vista_auto_share.cmd")
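    ; Compare $os against each value; a bare non-empty string such as "WIN_2000" is always True
    ElseIf $os = "WIN_XP" Or $os = "WIN_2000" Or $os = "WIN_2003" Then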
        DirCreate("" & $windows & "\auto")
        $WMIService = ObjGet("winmgmts:" & "{impersonationLevel=impersonate}!\\"& $machine & "\root\cimv2")
        $NewShare = $WMIService.Get("Win32_Share")
        $errReturn = $NewShare.Create("" & $windows & "\auto", "auto", 0, 10, "Install automation")
        RunWait('\\server\share\setacl.exe -on "%windir%\auto" -ot file -actn ace -ace "n:domain\userone;p:full" -ace "n:domain\usertwo;p:full"')
    EndIf
EndIf

Never used setacl yet but maybe this will work?

RunWait('\\server\share\setacl.exe -on "' & @WindowsDir & '\auto" -ot file -actn ace -ace "n:domain\userone;p:full" -ace "n:domain\usertwo;p:full"')

or

RunWait('\\server\share\setacl.exe -on "' & $windows & '\auto" -ot file -actn ace -ace "n:domain\userone;p:full" -ace "n:domain\usertwo;p:full"')

I have not tested it but I would think that %windir% would be interpreted as %windir% and not C:\windows. Maybe I'm wrong.


I don't think that's the problem. I've even tried it with a hardcoded path:

\\server\share\setacl.exe -on d:\windows\auto -ot file -actn ace -ace "n:domain\userone;p:full" -ace "n:domain\usertwo;p:full"

...and I get the same result. I think it must be something with the -ace portion, but I seem to be using the syntax that is given on the setacl examples page.


I use SetACL.exe in some of my scripts, and your syntax looks correct to me. I even tested it with %MyDir% for the path, and it worked (in my scripts I always parse the path in AutoIt, so it's a literal string by the time it gets to the command line). Of course the user running the SetACL instance must have sufficient rights to make the changes, but even if they didn't you should see an error from it, not a success message.

:)

P.S. The "<\\?\D:\WINDOWS\auto>" syntax is the correct message for a local path, too. That's not the problem, unless you're setting the ACL on D: and then checking it on C:.

;)

Edited by PsaltyDS

I've run into problems with antivirus software stopping me from running programs from the temp directories, changes to system files, editing the hosts file, sending email, you get the idea. Anything like that blocking (or intercepting) the script? Just a thought.

I ran it at home, (no domain), and this worked

$source = "c:\Setacl"
RunWait($source& '\setacl.exe -on ' &@WindowsDir& '\auto -ot file -actn ace -ace "n:TonyStark;p:full"')  ; <-yes I made a new user called Tony Stark. DA DA DA DAA DAAAA.

I left off the "%domain/computername%" and TonyStark was added to the folder. I will have to test tomorrow on a domain with multiple users to see if it works.

(Oh, and for the record I tried it with %windir% and it breaks the above)


OK, I was using the wrong syntax for shares. It's working now.

It was indeed setting *file* permissions correctly before, but not the share permissions, which is what I wanted.

Change from: \\server\share\bin\setacl.exe -on "%windir%\auto" -ot file -actn ace -ace "n:domain\usrone;p:full" -ace "n:domain\usrtwo;p:full"

Change to: \\server\share\bin\setacl.exe -on auto -ot shr -actn ace -ace "n:domain\usrone;p:full" -ace "n:domain\usrtwo;p:full"
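
The fix above turns on a shared folder having two independent ACLs: the NTFS ACL on the directory (what `-ot file` edits) and the share ACL (what `-ot shr` edits). As an added example, not part of the original posts, this PowerShell check lists what each account holds on both layers. It assumes the thread's placeholder names and a system with `Get-SmbShareAccess` (Windows 8 / Server 2012 or later), and it reports only ACEs that name the account directly, not access granted through group membership.

```powershell
# Added example: compare the two ACLs that govern access to a shared folder.
# Share name, folder and accounts are the placeholders used in the thread.
$ShareName  = 'auto'
$Folder     = Join-Path $env:windir 'auto'
$Principals = 'domain\userone', 'domain\usertwo'

# NTFS (file system) ACL: the one "-ot file" modifies.
$ntfs = (Get-Acl -LiteralPath $Folder).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' }

# Share ACL: the one "-ot shr" modifies.
$share = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Allow' }

foreach ($p in $Principals) {
    # Case-insensitive match on the account name as stored in each ACL.
    $n = $ntfs  | Where-Object { $_.IdentityReference.Value -ieq $p }
    $s = $share | Where-Object { $_.AccountName -ieq $p }

    [pscustomobject]@{
        Principal     = $p
        NtfsRights    = if ($n) { ($n.FileSystemRights | Sort-Object -Unique) -join ', ' }
                        else    { '(no direct ACE)' }
        ShareRights   = if ($s) { ($s.AccessRight | Sort-Object -Unique) -join ', ' }
                        else    { '(no direct ACE)' }
        # Access over the network requires an allow entry on both layers.
        GrantedOnBoth = [bool]($n -and $s)
    }
}
```

A row with NTFS rights but no share rights is the state described in this thread: SetACL reported success because the file ACL really was changed, while the share ACL was untouched.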


Here, I'll loan you a "Doh!" ===> ;)

Don't worry, I have LOTS of them!

:)


If it helps any, this thread was most timely. I was looking to write a script to batch permissions over various servers and may not have found such a simple solution without this thread. So I am here to thank you for having an error... :)

Karl
