Sign in with
Sign up | Sign in
Your question

Changing NTFS ACL using XCACLS.vbs not working

Last response: in Windows XP
Share
April 29, 2011 2:30:28 PM

I have an external drive mapped as E:

I have some folders on it that are shared on the network, all in a folder called JAM-Extra

I want to automate the sharing of these folders and allocating of access rights.

The sharing is fine using Net Share e.g. sharing the folder called Computing works fine

However, it sets up the share for Everyone to have Read, Change and Full Control.

I want to amend this so Everyone has Read only, and for User Group JAM-Test to have Read and Change

The script lines I am using are:

======
cscript.exe xcacls.vbs e:\jam-extra\computing\ /p everyone:r /f /s /t /e /L xcaclslog.txt
pause
cscript.exe xcacls.vbs e:\jam-extra\computing\ /g CLAIR_ALT\jam-test:m /f /s /t /e /L xcaclslog.txt
======

It seems to run fine, says it has completed successfully, yet the NTFS permissions haven't changed!

Can anyone see what I've done wrong?

Log file reads as follows:
=======
Starting XCACLS.VBS (Version: 5.2) Script at 29/04/2011 14:42:20

Startup directory:
"C:\Documents and Settings\Clair\Desktop\JAM Shares"

Arguments Used:
Filename = "e:\jam-extra\computing"
/F (All Files under current directory)
/S (All Sub Directories under current directory)
/T (Traverse Directories)
/E (Edit ACL leaving other users intact)
/P (Replace rights)
everyone:R
/L (File: "xcaclslog.txt")



**************************************************************************
Directory: E:\jam-extra\computing
Replacing rights for existing user "Everyone"
Replacing NTFS rights (R access for This Folder, Subfolders and Files) for "Everyone"
Completed successfully.
**************************************************************************


Operation Complete
Elapsed Time: 4.890625 seconds.

Ending Script at 29/04/2011 14:42:25


Starting XCACLS.VBS (Version: 5.2) Script at 29/04/2011 14:42:26

Startup directory:
"C:\Documents and Settings\Clair\Desktop\JAM Shares"

Arguments Used:
Filename = "e:\jam-extra\computing"
/F (All Files under current directory)
/S (All Sub Directories under current directory)
/T (Traverse Directories)
/E (Edit ACL leaving other users intact)
/G (Grant rights)
CLAIR_ALT\jam-test:M
/L (File: "xcaclslog.txt")



**************************************************************************
Directory: E:\jam-extra\computing
Granting NTFS rights (M access for This Folder, Subfolders and Files) for "CLAIR_ALT\jam-test"
Completed successfully.
**************************************************************************


Operation Complete
Elapsed Time: 4.875 seconds.

Ending Script at 29/04/2011 14:42:31


April 30, 2011 10:34:52 AM

Think I may have sussed it: Windows applies the most restrictive permissions based on combination of NTFS file permissions and Share permissions when determining access - need to go back in to work to check this so will confirm next week.
May 11, 2011 5:38:06 PM

You are correct. The share permission is checked first and if you are allowed through the share then the permissions on the directory/file are checked.
May 11, 2011 6:00:53 PM

Yep. Played about a bit more and now have it all set up and working just as I wanted it.

I ended up using a batch file with a series of "xcacls" commands to set the required access to the required user groups.

Then followed (in the same batch file) with a series of "Net Share" commands to set up the shared folders with NO sharing permission set, with default of Everyone has read/write/modify access.

All working perfectly.
!