Easiest way I have found is to delete the temp directory and recreate
it, problem is if the user only has read access he can't delete
it, is there any way of getting the permissions in the temp folder
(everyone full control) to get replicated to all its sub
folders as a standard user, from within the batch file.

Currently the only way I can delete this files is to login as admin,
take ownership of all the files then change the permissions on them,
then delete them. There must be an easier way of achieving this
outcome?

Pete

i posted this on another newgroup before i found kixtart, using kixtart is this possible? i didn't get a response from the other newsgroup

Yes, but takes some work to get it done.

I assume you are talking about Windows NT or 2000 workstations.

You will need to install the SU program.

Bryce has some code and you can search this board for more help if wanted.

Bryce Home Page

SU Code Stuff

quote:

---

SU for Windows NT v2.99 Jun 4 1997 10:01:43
(c) Copyright 1995, 1996, 1997 by Scott Field (sfield@microsoft.com)

Usage: su <User> "[cmdline]" [domain] [[Winsta\]Desktop] [options]
-cb do not create new console (do not use with redirected passwords)
-dn do not switch to new desktop if one was specified
-e disables environment preparation (Inherit parent environment)
-g force GUI option prompting with supplied commandline arguments
-l disables loading of the user registry hive (use .Default)
-v verbose output to stdout
-w do not wait on child (registry hive will remain loaded)

One of the following logon types may be specified. Default is interactive.
-b batch, target user needs SeBatchLogonRight
-i interactive, target user needs SeInteractiveLogonRight
-s service, target user needs SeServiceLogonRight
-n network, target user needs SeNetworkLogonRight (WinNT 4.0 only)

Not specifying a cmdline invokes the default command processor (%comspec%)
Not specifying a domain causes account lookup in the following order:
Well-known, built-in, local accounts, primary domain, trusted domains
Specifying . as the domain limits the LogonUser search to the local machine
Not specifying Winsta\Desktop launches child on current Winsta\Desktop
Winsta0\Default is the user default interactive Windowstation and desktop

---

well.
I recommend that you first create admin user. that you can set disabled when not needed (for security)
then do su call (syntax above) for xcopy.
place them in the bat/cmd file.
use bat2exec (found by clicking this bat2exec - at home.wanadoo.nl) which translates bat files to exe's so syntax can't be seen.
after that use secure21 (found also on the same site secure21.zip)
it crypts the exe file.
this crypted exe can then be used in normal logonscripts.

We've encountered this problom so many times that we've decided to go about it in another way, we run scripts from a central point connecting to c$ of a workstation (under an admin context ofcorse) to do this kind of administration. SU is useful but requires a plaintext password so it's a definate NO-NO.

You could even trigger the execution from a loginscript. For example - we have a script that constantly checks an administration pop-account on the email server and executes scripts depending on what mail was received [the good thing about this is that we can execute the most basic jobs with an SMS message from home... *grin*]

Hope this helps.

Ramon

long time not seen around here !
What's the haps ?
You were busy with FuenteSoft ??

Jochen

_________________________

otherwise right answer, even I use it in my inventories. (I do not inventory win9x machines due they are history - it means valueless)

Lonkero: I assumed it was NT because this case was about rights (NTFS). We also recognize the problem on win9x clients but management seems hell-bent on keeping support (it's their favorite OS since we can't control it that well.. )

PS: Anyone see my topic about printers?

[ 24 July 2001: Message edited by: Fuentez ]

if i used the bat2exe and then encryted users would not be able to see the password etc anyhow would they?

Pete

btw, just came to mind that probably the files that users generate by using this soft are deletable by this same user. so can't you do a logoff/shutdown script that deletes them?

"Paranoia" is my middle name around here...
(or at least I used to be. Glad to see the
hardcores are still around, greets to all)

PS: The Netlogon is hardly inaccessible, Lonkero (talk about the first place to look), although you could probably change the default rights to "everyone execute only" if you convert all script-files... hmmm.

the files are created by a PDM database and the files have get set so only the pdm-user can read/write to them

the pdm is messy tho and sometimes doesn't delete the files

Pete

but do you say that you have user that uses PDM and his/her rights are there or did you mean that PDM has username created for it and it's name is pdm-user?

if that is just some user that is logged in to the machine logoff script is best for you.

Just a thought... I've never used SU but wonder if you could run it under the PDM user priviledge and just shell out and use deltree (DOS command) the files away. Keep temp, just delete everything beneath. That way you need not be concerned with changing file/folder permissions. Also since it doesn't have administrator rights, you have no big security hole.

basically it's a large oracle database that has it's only file system (to store information in a vault)

what happens is you open the GUI interface and double click on a file you wish to open, this checks (locks out) the file to you
copies it a directoy it creates under the temp dir, the file and the directory created has read access only for the user that runs the pdm fs (file serice). about 20% of the time these files and directories do not get deleted, so all i want to do is delete them all

as they only have read access to the account that runs the pdm service the user does not have access to delete them or change the persmissons on them based on the permissions from the temp dir (everyone all/all)

so i thought the only way to do this is to claim ownership of them and then change persmissions

can anyone else think of another way?

Pete

If you dribble out the information, one needs to make assumptions. One such assumption is that the user doesn't have admin rights.

To answer your fist question, the command-line tool you need is XCACLS from the reskit. With it you can change ownership and permissions. The caveat though is that you need admin rights to use it. If your users are logging in with admin rights, then no problem, else you need SU.

If you don't want to go the SU route, then run an admin script as an admin user. Within the script you need to test whether the temp files are there (easy with if exist). Then you need to test whether the application is running via TLIST (reskit). If conditions are right, delete.

Personally, I would check user permissions in the logon script and if OK and files exist, then delete else write to a log that admin script can pickup. I guess it really depends on how many machines you're talking about vs. how much effort to do it cheap-and-dirty. SU could be more elegant but much more work up front.

Hope this helps.

1) 90% of users don't have admin access
2) HD of machines are removed and placed in safe at night (can't run scripts during the night to delete temp dirs)
3) i need a way in which a normal user can take ownership and then delete some directories and files

reading all the posts has been very usefull and i think the route i'll take is as follows

write a batch file (called from the login script) that
uses SU to run XCACLS so that the user can claim permission to delete
delete the temp folder
create a new temp folder

this batch file will be converted to an encrypted exe file using bat2exe and secure21

this should mean that users won't even know they are running SU etc and as it's encrypted they will have a hard time finding any passwords

does this sound like a good method?

Pete

Just a thought. That WAITFOR util's got my gears turning...

Pete

chihu7casd,