Modifying permissions with XCACLS.vbs

A

Adam Sandler

Hello,

I have a question about running XCACLS.vbs. I'm trying to change
folder permissions but I'm not using the built-in security groups - I
want to use domain groups specifically domain admins and domain
users.

I read online that if one uses SID# in place if a group name then that
should work.

I call XCACLS. from a batch file. A sample of my existing (and
currently working as expected) file looks like this:
cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /G Administrators:F

cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /E /G SYSTEM:F

Additionally, I read that the domain SID can be found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\ProfileList. I also read the SIDs for domain admins and domain users
are:

SID: S-1-5-domain-512
Name: Domain Admins

SID: S-1-5-domain-513
Name: Domain Users

So, armed with this information I took the two lines above and tried
to do this:

cscript xcacls.vbs "C:\Temp" /G
SID#S-1-5-21-131504274-120818031-269197707-1108-512:F

cscript xcacls.vbs "C:\Temp" /E /G
SID#S-1-5-21-131504274-120818031-269197707-1108-513:F

It didn't work. While I didn't get a script engine error or anything,
when I checked the permissions on that folder, all the entries were
gone - it was a blank display.

How can I modify the permissions to use domain admins and users?
Suggestions are greatly appreciated.

Thanks!
 
R

Roger Abell [MVP]

Hi Adam

I think you may be taking the long road, as instead of resorting to
naming principals with SIDs you can just quote their display name
if it contain spaces. For example
xcacls.vbs c:\temp /g "yourdomain\domain admins":f
of course replacing "yourdomain" and notice also that the target
folder/file does not need to be quoted if it contains no whitespace.

Roger

"Adam Sandler" <corn29@excite.com> wrote in message
news:594f3914-ac75-46d6-9981-587aed8af678@c23g2000hsa.googlegroups.com...
> Hello,
>
> I have a question about running XCACLS.vbs. I'm trying to change
> folder permissions but I'm not using the built-in security groups - I
> want to use domain groups specifically domain admins and domain
> users.
>
> I read online that if one uses SID# in place if a group name then that
> should work.
>
> I call XCACLS. from a batch file. A sample of my existing (and
> currently working as expected) file looks like this:
> cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /G Administrators:F
>
> cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /E /G SYSTEM:F
>
> Additionally, I read that the domain SID can be found in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
> \ProfileList. I also read the SIDs for domain admins and domain users
> are:
>
> SID: S-1-5-domain-512
> Name: Domain Admins
>
> SID: S-1-5-domain-513
> Name: Domain Users
>
> So, armed with this information I took the two lines above and tried
> to do this:
>
> cscript xcacls.vbs "C:\Temp" /G
> SID#S-1-5-21-131504274-120818031-269197707-1108-512:F
>
> cscript xcacls.vbs "C:\Temp" /E /G
> SID#S-1-5-21-131504274-120818031-269197707-1108-513:F
>
> It didn't work. While I didn't get a script engine error or anything,
> when I checked the permissions on that folder, all the entries were
> gone - it was a blank display.
>
> How can I modify the permissions to use domain admins and users?
> Suggestions are greatly appreciated.
>
> Thanks!
>
>
>
>
>
>
>
>
>
 
You must log in or register to reply here.

Similar threads

T
Need help with OneDrive sync issues.
Replies
0
Views
30
Tanish Samarawickrema
T
P
What should I do for getting back my files after getting the error we can't sign into your account?
Replies
0
Views
225
Piyush Vish
P
A
Windows 10 : User account status degraded ?
Replies
0
Views
242
Anis Mula
A
H
DistributedCOM Event 10016 spammed so much my computer crashes?
Replies
0
Views
2K
Haalstrem
H
D
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.Ws
Replies
0
Views
370
donaldnew
D
Back
Top Bottom