Modifying permissions with XCACLS.vbs

  • Thread starter Thread starter Adam Sandler
  • Start date Start date
A

Adam Sandler

Hello,

I have a question about running XCACLS.vbs. I'm trying to change
folder permissions but I'm not using the built-in security groups - I
want to use domain groups specifically domain admins and domain
users.

I read online that if one uses SID# in place if a group name then that
should work.

I call XCACLS. from a batch file. A sample of my existing (and
currently working as expected) file looks like this:
cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /G Administrators:F

cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /E /G SYSTEM:F

Additionally, I read that the domain SID can be found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\ProfileList. I also read the SIDs for domain admins and domain users
are:

SID: S-1-5-domain-512
Name: Domain Admins

SID: S-1-5-domain-513
Name: Domain Users

So, armed with this information I took the two lines above and tried
to do this:

cscript xcacls.vbs "C:\Temp" /G
SID#S-1-5-21-131504274-120818031-269197707-1108-512:F

cscript xcacls.vbs "C:\Temp" /E /G
SID#S-1-5-21-131504274-120818031-269197707-1108-513:F

It didn't work. While I didn't get a script engine error or anything,
when I checked the permissions on that folder, all the entries were
gone - it was a blank display.

How can I modify the permissions to use domain admins and users?
Suggestions are greatly appreciated.

Thanks!
 
Hi Adam

I think you may be taking the long road, as instead of resorting to
naming principals with SIDs you can just quote their display name
if it contain spaces. For example
xcacls.vbs c:\temp /g "yourdomain\domain admins":f
of course replacing "yourdomain" and notice also that the target
folder/file does not need to be quoted if it contains no whitespace.

Roger

"Adam Sandler" <corn29@excite.com> wrote in message
news:594f3914-ac75-46d6-9981-587aed8af678@c23g2000hsa.googlegroups.com...
> Hello,
>
> I have a question about running XCACLS.vbs. I'm trying to change
> folder permissions but I'm not using the built-in security groups - I
> want to use domain groups specifically domain admins and domain
> users.
>
> I read online that if one uses SID# in place if a group name then that
> should work.
>
> I call XCACLS. from a batch file. A sample of my existing (and
> currently working as expected) file looks like this:
> cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /G Administrators:F
>
> cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /E /G SYSTEM:F
>
> Additionally, I read that the domain SID can be found in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
> \ProfileList. I also read the SIDs for domain admins and domain users
> are:
>
> SID: S-1-5-domain-512
> Name: Domain Admins
>
> SID: S-1-5-domain-513
> Name: Domain Users
>
> So, armed with this information I took the two lines above and tried
> to do this:
>
> cscript xcacls.vbs "C:\Temp" /G
> SID#S-1-5-21-131504274-120818031-269197707-1108-512:F
>
> cscript xcacls.vbs "C:\Temp" /E /G
> SID#S-1-5-21-131504274-120818031-269197707-1108-513:F
>
> It didn't work. While I didn't get a script engine error or anything,
> when I checked the permissions on that folder, all the entries were
> gone - it was a blank display.
>
> How can I modify the permissions to use domain admins and users?
> Suggestions are greatly appreciated.
>
> Thanks!
>
>
>
>
>
>
>
>
>
 
Back
Top