
Due to a new domain migration, I need to find a script listing all NTFS permissions of groups and add new permissions for the new group on some folders (these folders are either CIFS or NFS).

Some folders have different groups and different permissions, such as pc\admin groups. Now I need to add TA\admin groups to the same folder without deleting or wiping out the old permissions and groups. I found a script, but it does not list any current permissions and groups:

Ginger
  • Thank you for your script, but can this be run as VBS or PowerShell? Do you think one script can list all NTFS permissions and then add an additional group for full access or RW access permissions? That would be a complicated script. I don't even know where to add server names and share names. – Ginger Oct 02 '13 at 20:12
  • Then I suppose you need to hire someone to do the work. It certainly can be done in one script, but writing it in its entirety is leagues beyond the scope of SO. You could use my script [`AuditACLs.vbs`](http://www.planetcobalt.net/sdb/auditacls.shtml) as a starting point and add code for [granting permissions](http://stackoverflow.com/a/13341479/1630171) to it. – Ansgar Wiechers Oct 03 '13 at 08:02

1 Answer


You can use the icacls command to display or modify permissions on any given file or folder. For adding a missing group to a folder, something like this should work:

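```vbscript
Set sh  = CreateObject("WScript.Shell")

fldr  = "C:\some\folder"
group = "TA\admin"

' find returns a non-zero exit code when the group is not in the icacls listing
rc = sh.Run("%COMSPEC% /c icacls """ & fldr & """ | find /i """ & group _
  & """", 0, True)
' grant full access only if the group has no entry on the folder yet
If rc <> 0 Then sh.Run "icacls """ & fldr & """ /grant " & group & ":F"
```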

For listing the permissions on a folder tree something like ntfsacls or AuditACLs.vbs might be a better choice, though.


icacls usage example:

```
icacls "C:\some\folder" /grant FOO\bar:(OI)(CI)RX Administrators:(OI)(CI)F
```

This will grant the group "bar" of the domain "FOO" read/execute permissions and the local group "Administrators" full access to the folder "C:\some\folder" and all of its subfolders that are configured to inherit permissions from their parent.

To run this command from VBScript with variables for the folder and groups you'd do this:

```vbscript
fldr = "C:\some\folder"
groupA = "FOO\bar"
groupB = "Administrators"

Set sh = CreateObject("WScript.Shell")

sh.Run "icacls """ & fldr & """ /grant " & groupA & ":(CI)(OI)RX " _
  & groupB & ":(CI)(OI)F"
```

Ansgar Wiechers
  • Thank you for your script. This is VBS or PowerShell? – Ginger Oct 02 '13 at 20:09
  • """ is the place to place folder name or server name or group name. I just need one example with server or folder name in the vbs. Thanks!! – Ginger Oct 03 '13 at 17:46
  • Ansgar: your script is working, but it does not populate the permission to the first subfolder and second subfolders. – Ginger Oct 03 '13 at 17:56
  • Change `F` to `(OI)(CI)F` to make the permissions inheritable. – Ansgar Wiechers Oct 03 '13 at 18:17
  • It works after changing it to `If rc <> 0 Then sh.Run "icacls """ & fldr & """ /grant " & group & ":(OI)(CI)F"`, but how do I add multiple groups at the same time, not one group at a time? – Ginger Oct 03 '13 at 20:19
  • Well, I see a lot of information, but none of it talks about multiple entries. I need to enter more groups and strings to test by myself, since none of the forums talk about multiple group entries. – Ginger Oct 03 '13 at 20:59
  • `ICACLS name [/grant[:r] Sid:perm[...]] ...`. The `[...]` means you can add more identifier:permission pairs after the first one: `icacls folder /grant userA:M groupB:RX Administrators:F` – Ansgar Wiechers Oct 04 '13 at 11:08
  • You are much more helpful than others in other forums. Thanks a lot. – Ginger Oct 04 '13 at 16:32
  • Did I do it correctly? It didn't work when I added more groups using the same pattern: `sh.Run "icacls """ & fldr & """ /grant " & groupA & ":(CI)(OI)RX " _ & groupB & ":(CI)(OI)F" _ & groupC & ":(CI)(OI)F" _ " & groupD & ":(CI)(OI)RX"` – Ginger Oct 04 '13 at 17:39
  • The `_` is a line continuation character. You put it at the end of a line when you want to continue an instruction on the next line. Only then. Only there. Also, there's a spurious double quote before the `& groupD`. – Ansgar Wiechers Oct 04 '13 at 18:13
  • Yes, I did try that, but it just won't work; it works fine after I deleted my add-on. Does it need to be on the next line? How about adding more folders: c:\folder1; c:\folder2, C:\folder3 and executing the same permission? – Ginger Oct 04 '13 at 19:58
  • How about actually trying things yourself before asking a question? `icacls` takes a single file or folder name, so you need to run the command for each folder. – Ansgar Wiechers Oct 04 '13 at 21:44
  • Thank you, you are right, but I did try it and it is not working. I thought you know much better than I do. Thanks a lot. – Ginger Oct 04 '13 at 21:51
  • "Not working" is an insufficient problem description. Also, >10 comments means either your question seriously needs clarification or you're moving the target. I suggest you update your question with the code you're currently using and explain how *exactly* it's "not working" (i.e. how the results you get are different from the results you expected). – Ansgar Wiechers Oct 04 '13 at 21:56
  • Set sh = CreateObject("WScript.Shell") fldr = "d:\folder1" groupA = "win\xxxxxx" groupB = "Administrators" groupC = "domain\userA" groupD = "domain\userB" Set sh = CreateObject("WScript.Shell") sh.Run "icacls """ & fldr & """ /grant " & groupA & ":(CI)(OI)RX " _ & groupB & ":(CI)(OI)F" _ " & groupC & ":(CI)(OI)RX" _ " & groupD & ":F" – Ginger Oct 04 '13 at 22:30
  • Which part of "update your **question**" wasn't clear enough? Code posted in comments is next to useless, because it can't be formatted properly. – Ansgar Wiechers Oct 05 '13 at 07:02
  • I just wonder why it didn't work even though I used exactly the same pattern as you did. I could not add permissions when I added two more groups, but it worked fine after I removed the 3rd and 4th groups, so I wonder whether the icacls tool cannot handle more than two groups, maybe. Thanks! – Ginger Oct 05 '13 at 17:58
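
The points from the answer and its comments combined (several identifier:permission pairs in one `/grant`, one `icacls` call per folder, inheritable entries), as an added example that is not part of the original answer: it lists each folder's current ACL and grants only to groups that have no entry yet. The folder paths and group names are constructed placeholders, and `ListAcl` and `Quote` are helper names introduced here.

```vbscript
Option Explicit
Dim sh, folders, grants, fldr, pair, listing, todo, rc

Set sh = CreateObject("WScript.Shell")

' Constructed sample values: replace with the real folders and groups.
folders = Array("C:\folder1", "C:\folder2", "\\server\share\folder3")
' One identifier:permission pair per entry; (OI)(CI) makes the entry inheritable.
grants  = Array("TA\admin:(OI)(CI)F", "FOO\bar:(OI)(CI)RX")

For Each fldr In folders                 ' icacls takes one folder per call
  listing = ListAcl(fldr)
  If listing = "" Then
    WScript.Echo "SKIP   " & fldr & " (icacls could not read the ACL)"
  Else
    WScript.Echo "BEFORE" & vbCrLf & listing
    todo = ""
    For Each pair In grants
      ' Grant only to identities that have no entry on the folder yet.
      If InStr(1, listing, Split(pair, ":")(0) & ":", vbTextCompare) = 0 Then
        todo = todo & " " & Quote(pair)  ' pairs must be separated by spaces
      End If
    Next
    If todo <> "" Then
      ' /grant without :r adds to the ACL; existing entries are left in place.
      rc = sh.Run("icacls " & Quote(fldr) & " /grant" & todo, 0, True)
      WScript.Echo "GRANT  " & fldr & todo & " -> exit code " & rc
      WScript.Echo "AFTER" & vbCrLf & ListAcl(fldr)
    End If
  End If
Next

' Returns the icacls listing for a folder, or "" if icacls reports an error.
Function ListAcl(path)
  Dim proc, out
  Set proc = sh.Exec("icacls " & Quote(path))
  out = proc.StdOut.ReadAll              ' returns once icacls closes stdout
  Do While proc.Status = 0 : WScript.Sleep 50 : Loop
  If proc.ExitCode = 0 Then ListAcl = out Else ListAcl = ""
End Function

' Wraps a value in double quotes so paths and names with spaces stay one argument.
Function Quote(s)
  Quote = """" & s & """"
End Function
```

Run it with `cscript.exe` so the before and after listings go to the console instead of message boxes; the BEFORE output also serves as a record of the permissions that existed prior to the change.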