Script help - Set permissions on Users directory

Soldato | Joined 18 May 2010 | Posts 23,292 | Location London
This is my weakness. My scripting skills.

We have a problem with our cloud backup solution in that it is giving us errors because the permissions on the Users directory on our DC are corrupt.

The users' folders and files have lost their ownership. So we as domain admins cannot browse the directories or set any permissions through the GUI.

I'm trying to fix this and found a script that supposedly can do it:

REM usage: fix_perms.bat <username>
REM Run from inside the Users directory: %1 is used both as the folder name and as the account name.
REM Recursively assign ownership to Administrators. Answer prompts with "Y".
takeown /R /A /F %1 /D Y
REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user
REM (/T = recurse, /E = edit the ACL instead of replacing it, /P = replace that account's rights; cacls is deprecated in favour of icacls)
cacls %1 /T /E /P "Administrators":F
cacls %1 /T /E /P SYSTEM:F
cacls %1 /T /E /P %1:F
REM Set owner back to UserName
subinacl.exe /noverbose /subdirectories %1\*.* /setowner=%1


It more or less works except subinacl.exe doesn't work as we are running an x64 Windows Server and as far as I understand subinacl.exe is a 32-bit command line tool. (I've tried installing it into system32 already.)

So, my manager has recommended I look at icacls to get the job done.

Anyone give me some pointers how to do what the subinacl is trying to do using icacls?
 
The %1 means variable? In other words script.bat henry (henry is the %1?)

Exactly right.

We've used a free Helge Klein tool called SetACL for this sort of thing - after giving up on cacls and icacls.
It allowed us to set nicely granular rights we required (Like not giving users admin rights to their home directory and no execute rights), and we still use it now for scripted creation of home directories and shares.
 
subinacl.exe /noverbose /subdirectories %1\*.* /setowner=%1

As for the last comand I am currently at:

icacls.exe F:\Users\%1 /setowner domain\%1

But now I think I need to apply this command recursively so it applies to sub directories.

I may even have to set inheritance as well?

Anyone know how to use icacls recursively?
 
I think we've sussed it:

REM usage: fix_perms.bat <username>
REM Recursively assign ownership to Administrators. Answer prompts with "Y".
takeown /F F:\Users\%1 /R /A /D Y
REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user.
REM /grant:r replaces any existing explicit grant for that account, (OI)(CI) makes the ACE inherit to files and subfolders, /T recurses.
icacls.exe F:\Users\%1 /grant:r DOMAIN\Administrators:(OI)(CI)F /T
icacls.exe F:\Users\%1 /grant:r DOMAIN\%1:(OI)(CI)F /T
REM SYSTEM is a built-in (NT AUTHORITY) account, not a domain account, so no DOMAIN\ prefix.
icacls.exe F:\Users\%1 /grant:r SYSTEM:(OI)(CI)F /T
REM Set owner back to UserName
icacls.exe F:\Users\%1 /setowner DOMAIN\%1 /T

The :( is actually : ( without spaces. :p
 
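As an added example that is not part of the thread (none of the posters wrote it): a PowerShell version of the final script above that also covers the inheritance question from the earlier post and the point about not handing users Full control of their own home directory. It assumes the home folders live under F:\Users\<username>, that the domain's NetBIOS name is CONTOSO, and that it is run as a member of Administrators; all three are assumptions, not facts from the thread. It uses only takeown and icacls, in the same order as the thread, plus an ACL backup before anything is rewritten and a verification step at the end.

```powershell
# Repair-UserHome.ps1 -- added example, not the thread's own script.
# Assumptions (not from the thread): home folders live under F:\Users\<username>,
# the domain NetBIOS name is CONTOSO, and the caller is a member of Administrators
# (needed for takeown and for /setowner to another principal).
#
# Usage:  .\Repair-UserHome.ps1 -UserName henry
#         .\Repair-UserHome.ps1 -UserName henry -UserRights M -DryRun
param(
    [Parameter(Mandatory)][string]$UserName,
    [string]$Domain     = 'CONTOSO',     # assumption: replace with your NetBIOS domain name
    [string]$UsersRoot  = 'F:\Users',    # assumption: root of the home folders
    [ValidateSet('F','M')]
    [string]$UserRights = 'F',           # F = Full control (as in the thread); M = Modify, so the
                                         # user can read/write files but not rewrite the ACL
    [string]$BackupDir  = "$env:ProgramData\AclBackups",
    [switch]$DryRun                      # print the commands instead of running them
)

$ErrorActionPreference = 'Stop'
$homeDir = Join-Path $UsersRoot $UserName
if (-not (Test-Path -LiteralPath $homeDir -PathType Container)) {
    throw "No home folder at $homeDir"
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$aclBackup = Join-Path $BackupDir ("{0}-{1:yyyyMMdd-HHmmss}.acl" -f $UserName, (Get-Date))
$principal = "${Domain}\${UserName}"

function Invoke-Step {
    # Runs one native command, or prints it when -DryRun is set. A non-zero exit code is
    # reported but does not abort: takeown/icacls already continue past per-file errors.
    param([string]$What, [string[]]$CommandLine)
    Write-Host "== $What"
    if ($DryRun) { Write-Host "   $($CommandLine -join ' ')"; return }
    $exe, $argv = $CommandLine
    & $exe @argv
    if ($LASTEXITCODE -ne 0) { Write-Warning "$What finished with exit code $LASTEXITCODE; review the output above." }
}

# 1. Take ownership first. The owner implicitly holds READ_CONTROL and WRITE_DAC, so this is
#    what makes the ACLs readable (for the backup) and writable (for the grants) again.
#    /A assigns ownership to the Administrators group; /D Y answers the "recurse into a
#    directory you cannot list?" prompt.
Invoke-Step 'Take ownership (Administrators)' @('takeown.exe', '/F', $homeDir, '/R', '/A', '/D', 'Y')

# 2. Record the DACLs as they are now, before /grant:r rewrites them. Saved names are relative
#    to the parent of the saved folder, so restore with:  icacls F:\Users /restore <file>
Invoke-Step 'Back up current ACLs' @('icacls.exe', $homeDir, '/save', $aclBackup, '/T', '/C', '/Q')

# 3. Set the explicit ACL on the home folder itself. /inheritance:r drops ACEs inherited from
#    F:\Users; /grant:r replaces any existing explicit ACE for that principal instead of adding
#    a second one; (OI)(CI) makes each ACE inherit to the files and subfolders below.
#    SYSTEM and Administrators are built-in accounts, so they take no domain prefix.
Invoke-Step 'Set ACL on the home folder' @('icacls.exe', $homeDir, '/inheritance:r',
    '/grant:r', 'Administrators:(OI)(CI)F',
    '/grant:r', 'SYSTEM:(OI)(CI)F',
    '/grant:r', "${principal}:(OI)(CI)${UserRights}", '/C', '/Q')

# 4. Everything below the home folder should simply inherit from it. /reset replaces each
#    child's ACL with inherited-only ACEs, which also clears stale explicit ACEs left behind by
#    the corruption (something /grant:r /T alone would not do).
if ($DryRun) {
    Write-Host "== Reset inheritance on each child of $homeDir (icacls <child> /reset /T /C /Q)"
} else {
    Get-ChildItem -LiteralPath $homeDir -Force | ForEach-Object {
        Invoke-Step "Reset inheritance: $($_.Name)" @('icacls.exe', $_.FullName, '/reset', '/T', '/C', '/Q')
    }
}

# 5. Hand ownership back to the user (quotas and the thread's script both expect this).
#    Caveat: an owner can always rewrite the DACL of what they own, so -UserRights M only
#    limits the user while Administrators still owns the folder; skip this step to keep that.
Invoke-Step "Set owner to $principal" @('icacls.exe', $homeDir, '/setowner', $principal, '/T', '/C', '/Q')

# 6. Check the result: /verify flags ACLs that are not in canonical order, then show the
#    owner and the effective ACL of the home folder.
Invoke-Step 'Verify ACL canonical form' @('icacls.exe', $homeDir, '/verify', '/T', '/C', '/Q')
if (-not $DryRun) {
    $acl = Get-Acl -LiteralPath $homeDir
    Write-Host "Owner: $($acl.Owner)"
    $acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
}
```

Run it once with -DryRun to see the exact takeown/icacls lines before touching a live home folder; the ordering matters, because until ownership is taken, Administrators may not even be able to read the DACLs the backup step saves.
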
It sounds like you're having quite a time in your new job.

Courses are fine, but nothing compares to the knowledge and confidence you gain from unpicking and fixing someone else's terrible decisions.
 
We only have one really which is the main DC. :o

Well now you have a reason for two. Your 'main' DC has just suffered from file corruption, either through hardware or some daft inheritance setup. What happens when the AD datastore goes? Yes, no one can authenticate, never mind access their files.
 