wftcmack
(Fresh Scripter)
2005-03-10 11:25 PM
Check Folder Permissions

How do you check folder permissions?
For example, I want to see if the user group "everyone" has change rights on the C:\Windows\TEMP directory.

I know how to add the rights, I just don't know how to check them in case they already exist.
If someone could please show me an example that would be good.


Sealeopard
(KiX Master)
2005-03-11 01:04 AM
Re: Check Folder Permissions

For example with CACLS.EXE or XCACLS.EXE. Search the BBS for details.

wftcmack
(Fresh Scripter)
2005-03-11 05:23 PM
Re: Check Folder Permissions

Hello.

I tried searching all the posts.

I still haven't found an example that shows me how to check if the permissions for a user group already exist on a folder or file.

I understand cacls and xcacls and I can add permissions just fine.
But my problem is I don't want to run this part of the script every time my users log into the network.

I only want the login script to add the permission to the workstation only when needed.

But honestly I have searched unless I'm searching with the wrong search criteria...?



NTDOCAdministrator
(KiX Master)
2005-03-11 07:32 PM
Re: Check Folder Permissions

A user that does not already have rights can't add rights during logon or after logon so any script like that would not work. You can write a remote Admin script to do it though.

Or please explain in a little more detail what the real problem is and perhaps we can suggest a better solution.


Sealeopard
(KiX Master)
2005-03-11 07:56 PM
Re: Check Folder Permissions

And modifying rights implies that the user has those rights in the first place, namely FULL CONTROL.

wftcmack
(Fresh Scripter)
2005-03-11 08:18 PM
Re: Check Folder Permissions

Here's the details of the problem.
Currently the workstation's OS image has the default settings on a folder for a user group called "everyone" set with the permissions "Read" on a specific folder. They need to have the permission "change" on this directory.
I've written a script that will execute another script as administrator using the RUNAS command during the login that will grant the user group change permission to that target folder.

My problem is that every time the users log into the network my script will run every time the login script is executed.
The permissions granting should only run once.
The granting permissions script shouldn't rerun itself every time someone logs into the same machine over and over again when the folder has already been granted the rights to the users group.

This is why I'm trying to come up with a if statement that will check a folder to see if it already has the permissions given to a specific usergroup.

for example.
Folder = C:\windows\TEMP
If Folder permissions = group(Everyone) has change access then
skip
else
grant change access to the target folder to the user group named "everyone".
endif

That IF statement was intended as an English definition, not as code, so please bear with me.

I hope this is enough details to get some help.
I've heard that it's quite possible to check file and folder rights to see if the user or users group has already been given the access.
But I can't seem to find anything on the topic.


NTDOCAdministrator
(KiX Master)
2005-03-11 08:30 PM
Re: Check Folder Permissions

Well you say you change it with another script. What method? WMI, CACLS, other?

Most of those other tools also support reporting which you should be able to check with. Another easier thing to do would be to write an entry in the registry or create a flag file to show the change has already been done, and if you find the entry in the Registry or the flag file, then skip the file permission changes.

I assume you're aware, but if not, almost any solution used with RUNAS can be compromised and the account and password found by the user, which can then be used in the future at their will for any other purpose they so choose.


Les
(KiX Master)
2005-03-11 08:46 PM
Re: Check Folder Permissions

Just try to Open() a file for write and check @Error.

wftcmack
(Fresh Scripter)
2005-03-11 08:50 PM
Re: Check Folder Permissions

Well, I'm using the CACLS method.
I understand that the admin password can be compromised.
But that's only from finding the original file, correct?

How can you find it out if you run your code like this...
This is the command I'm using from the kix script that's being executed.
{
SHELL "cscript.exe " + @LDRIVE + "\scripts2\runas.vbs"
}

This is the code inside the runas.vbs file:
{
'////////////////////////////////////////////////////////////////////////////


' Explicit variable declaration and standard globals
Option Explicit
Dim g_sComputerName
Dim g_oShell, g_oFSO, g_oNet

' Set standard globals and create global objects
Set g_oShell = CreateObject("Wscript.Shell")
Set g_oFSO = CreateObject("Scripting.FileSystemObject")
Set g_oNet = CreateObject("WScript.Network")

g_sComputerName = g_oNet.ComputerName

' in this example the command prompt is being run as the administrator
' on the local computer.
g_oShell.Run "runas /user:" & "domain" & "\administrator ""cacls C:\windows\Temp /T /E /G everyone:C"""
Wscript.Sleep 500

' change YourPasswordHere to the local computer administrator account password
' the password must be in the quotation marks
g_oShell.SendKeys password & "{ENTER}"
}

I understand that if the file was to be reached and then opened or copied then yes, the password could be compromised.
But having the application run it the way it is, I don't see how the password could be compromised when it's all self contained.


wftcmack
(Fresh Scripter)
2005-03-11 08:53 PM
Re: Check Folder Permissions

Thanks Les for the idea.

I never thought about that approach.
To check for an error.

I'll post with my results but I'd assume there's got to be a way to check if permissions exist.
I'm sure this must have been a common problem for people.


Les
(KiX Master)
2005-03-11 09:16 PM
Re: Check Folder Permissions

PFFT!
You would not want me on your network cuz I would have grabbed admin rights real easy!

Your script is in plain text on a public share that anyone can see. Not to mention that you use the same password for local admin on all the computers. Once I have the password, I can hack to any computer and insert a KeyLogger and then sit back and watch the passwords get collected.

If I was your CSO you would be looking for a new job.


AllenAdministrator
(KiX Supporter)
2005-03-11 11:27 PM
Re: Check Folder Permissions

wftcmack,

This is a real basic udf to check permissions using cacls.exe. I've not done extensive testing but in my limited testing it worked.

Code:
 

break on

; Example call: 0 means the ACE was found, 1 means it was not
if CheckPermissions("Everyone","C",@scriptdir + "\kix32.exe")=0
  ? "Has Proper Permissions"
else
  ? "Not proper Permissions"
endif

; Returns 0 if cacls lists exactly "<user>:<permission>" for $object, else 1
function CheckPermissions($user,$permission,$object)
  dim $counter,$perms
  $CheckPermissions=1
  $perms=wshpipe('%comspec% /c cacls "' + $object + '"',1)
  $counter=0
  while $counter<=ubound($perms) and $CheckPermissions=1
    ; The first output line starts with the object path, so strip it first
    if instr($perms[$counter],$object)
      if trim(split($perms[$counter],$object)[1])=$user + ":" + $permission
        $CheckPermissions=0
      endif
    else
      if trim($perms[$counter])=$user + ":" + $permission
        $CheckPermissions=0
      endif
    endif
    $counter=$counter+1
  loop
endfunction


; Runs a shell command and returns its stdout/stderr as an array of lines
Function WshPipe($ShellCMD, OPTIONAL $NoEcho)
  Dim $oExec, $Output
  $oExec = CreateObject("WScript.Shell").Exec($ShellCMD)
  If Not VarType($oExec)=9 $WshPipe="WScript.Shell Exec Unsupported" Exit 10 EndIf
  $Output = $oExec.StdOut.ReadAll + $oExec.StdErr.ReadAll
  If Not $NoEcho $Output Endif
  $WshPipe=Split(Join(Split($Output,CHR(13)),''),CHR(10))
  Exit($oExec.ExitCode)
EndFunction
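
An added example, not part of the original post or the poster's UDF: the same cacls-output check written in Python, extended to entries that carry inheritance flags such as (OI)(CI), to inherit-only (IO) entries that do not apply to the folder itself, and to F (full control) covering C (change). The sample output is constructed, and the function names and the (DENY) flag spelling are assumptions.

```python
import re

# Which displayed right satisfies which requested right: F (full control)
# covers C (change), and C covers R (read) and W (write).
SATISFIES = {"R": "RCF", "W": "WCF", "C": "CF", "F": "F"}

# One simple ACE as cacls prints it: trustee, optional (XX) flags, one right letter.
ACE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")

# Constructed sample of cacls output for a folder (not captured from a real host).
SAMPLE = r"""C:\WINDOWS\Temp BUILTIN\Administrators:(OI)(CI)F
                NT AUTHORITY\SYSTEM:(OI)(CI)F
                BUILTIN\Users:(CI)(special access:)
                                 FILE_APPEND_DATA
                Everyone:(OI)(CI)(IO)C
                Everyone:R
"""

def parse_cacls(output, path):
    """Return (trustee, flags, right) for every simple ACE in cacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        # The first entry is printed on the same line as the object path.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:  # "(special access:)" blocks and their detail lines do not match
            flags = set(re.findall(r"\(([A-Z]+)\)", m["flags"]))
            aces.append((m["trustee"], flags, m["right"]))
    return aces

def has_right(output, path, trustee, wanted):
    """True if trustee holds at least `wanted` (R, W, C or F) on the object itself."""
    for name, flags, right in parse_cacls(output, path):
        if name.lower() != trustee.lower():
            continue
        # IO = inherit-only, applies to children but not to this folder.
        # DENY is assumed to be how a deny entry is flagged; never count it.
        if "IO" in flags or "DENY" in flags:
            continue
        if right in SATISFIES[wanted]:
            return True
    return False
```

A logon script would call `has_right` on the live `cacls` output and skip the grant when it returns True.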



Sealeopard
(KiX Master)
2005-03-12 01:56 PM
Re: Check Folder Permissions

Set up an admin script that schedules a task via Task Scheduler on the remote computer. The remote script will run under admin privs and properly adjust the permissions. Otherwise, set up a properly configured .INF file that applies the required permissions via GPO. See for example http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebg_dsp_txtx.asp

desquinn
(Fresh Scripter)
2005-03-12 11:21 PM
Re: Check Folder Permissions

Or alternatively, just do it as a script that runs from an admin workstation. A for loop that runs through a netdom list of the domain members and then does an xcacls command on them.

Do it a couple of times and then add the permissions check in the logon script to write the computername to a file and then run the perms script against that list.

Better to use the GPO method, but if you can't then this is a way more secure process.

HTH


Sealeopard
(KiX Master)
2005-03-13 01:25 AM
Re: Check Folder Permissions

AFAIK, XCACLS does not support the setting of ACLs on remote computers.

Kdyer
(KiX Supporter)
2005-03-13 06:31 AM
Re: Check Folder Permissions

But, you might be able to get them set using XCACLS remotely using PSEXEC or REMOTEXEC.

Kent


NTDOCAdministrator
(KiX Master)
2005-03-13 09:49 AM
Re: Check Folder Permissions

This tool should work just fine.

SubInACL (SubInACL.exe)
http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Board=UBB14&Number=121194


desquinn
(Fresh Scripter)
2005-03-13 03:16 PM
Re: Check Folder Permissions

Code:
xcacls \\192.0.0.2\c$\testcacls.txt /G users:RC  



works fine


wftcmack
(Fresh Scripter)
2005-03-17 06:41 PM
Re: Check Folder Permissions

Thanks for the help everyone.