#135257 - 2005-03-10 11:25 PM Check Folder Permissions
wftcmack Offline
Fresh Scripter

Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
How do you check folder permissions?
For example, I want to see if the user group "everyone" has change rights on the C:\Windows\TEMP directory.

I know how to add the rights; I just don't know how to check them in case they already exist.
If someone could please show me an example, that would be good.

#135258 - 2005-03-11 01:04 AM Re: Check Folder Permissions
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
For example with CACLS.EXE or XCACLS.EXE. Search the BBS for details.
_________________________
There are two types of vessels, submarines and targets.

#135259 - 2005-03-11 05:23 PM Re: Check Folder Permissions
wftcmack Offline
Fresh Scripter

Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
Hello.

I tried searching all the posts.

I still haven't found an example that shows me how to check if the permissions for a user group already exist on a folder or file.

I understand cacls and xcacls and I can add permissions just fine.
But my problem is I don't want to run this part of the script every time my users log into the network.

I only want the login script to add the permission to the workstation only when needed.

But honestly I have searched unless I'm searching with the wrong search criteria...?


#135260 - 2005-03-11 07:32 PM Re: Check Folder Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
A user that does not already have rights can't add rights during logon or after logon so any script like that would not work. You can write a remote Admin script to do it though.

Or please explain in a little more detail what the real problem is and perhaps we can suggest a better solution.

#135261 - 2005-03-11 07:56 PM Re: Check Folder Permissions
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
And modifying rights implies that the user has those rights in the first place, namely FULL CONTROL.
_________________________
There are two types of vessels, submarines and targets.

#135262 - 2005-03-11 08:18 PM Re: Check Folder Permissions
wftcmack Offline
Fresh Scripter

Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
Here's the details of the problem.
Currently the workstation's OS image has the default settings on a folder for a user group called "everyone" set with the permissions "Read" on a specific folder. They need to have the permission "change" on this directory.
I've written a script that will execute another script as administrator using the RUNAS command during the login that will grant the user group change permission to that target folder.

My problem is that every time the users log into the network my script will run every time the login script is executed.
The permissions granting should only run once.
The granting permissions script shouldn't rerun itself every time someone logs into the same machine over and over again when the folder has already been granted the rights to the users group.

This is why I'm trying to come up with an if statement that will check a folder to see if it already has the permissions given to a specific user group.

for example.
Folder = C:\windows\TEMP
If Folder permissions = group(Everyone) has change access then
skip
else
grant change access to the target folder to the user group named "everyone".
endif

That IF statement was intended as an English definition, not as code, so please bear with me.

I hope this is enough details to get some help.
I've heard that it's quite possible to check file and folder rights to see if the user or users group has already been given the access.
But I can't seem to find anything on the topic.

#135263 - 2005-03-11 08:30 PM Re: Check Folder Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Well you say you change it with another script. What method? WMI, CACLS, other?

Most of those other tools also support reporting which you should be able to check with. Another easier thing to do would be to write an entry in the registry or create a flag file to show the change has already been done, and if you find the entry in the Registry or the flag file, then skip the file permission changes.

I assume you're aware, but if not, almost any solution used with RUNAS can be compromised and the account and password found by the user, which can then be used in the future at their will for any other purpose they so choose.

#135264 - 2005-03-11 08:46 PM Re: Check Folder Permissions
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Just try to Open() a file for write and check @Error.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#135265 - 2005-03-11 08:50 PM Re: Check Folder Permissions
wftcmack Offline
Fresh Scripter

Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
Well, I'm using the CACLS method.
I understand that the admin password can be compromised.
But that's only from finding the original file, correct?

How can you find it out if you run your code like this...
This is the command I'm using from the kix script that's being executed.
{
SHELL "cscript.exe " + @LDRIVE + "\scripts2\runas.vbs"
}

This is the code inside the runas.vbs file:
{
'////////////////////////////////////////////////////////////////////////////


' Explicit variable declaration and standard globals
Option Explicit
Dim g_sComputerName
Dim g_oShell, g_oFSO, g_oNet

' Set standard globals and create global objects
Set g_oShell = CreateObject("Wscript.Shell")
Set g_oFSO = CreateObject("Scripting.FileSystemObject")
Set g_oNet = CreateObject("WScript.Network")

g_sComputerName = g_oNet.ComputerName

' in this example the command prompt is being run as the administrator
' on the local computer.
g_oShell.Run "runas /user:" & "domain" & "\administrator ""cacls C:\windows\Temp /T /E /G everyone:C"""
Wscript.Sleep 500

' change YourPasswordHere to the local computer administrator account password
' the password must be in the quotation marks
g_oShell.SendKeys password & "{ENTER}"
}

I understand that if the file was to be reached and then opened or copied then yes, the password could be compromised.
But having the application run it the way it is, I don't see how the password could be compromised when it's all self-contained.

#135266 - 2005-03-11 08:53 PM Re: Check Folder Permissions
wftcmack Offline
Fresh Scripter

Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
Thanks Les for the idea.

I never thought about that approach.
To check for an error.

I'll post with my results but I'd assume there's got to be a way to check if permissions exist.
I'm sure this must have been a common problem for people.

#135267 - 2005-03-11 09:16 PM Re: Check Folder Permissions
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
PFFT!
You would not want me on your network cuz I would have grabbed admin rights real easy!

Your script is in plain text on a public share that anyone can see. Not to mention that you use the same password for local admin on all the computers. Once I have the password, I can hack to any computer and insert a KeyLogger and then sit back and watch the passwords get collected.

If I was your CSO you would be looking for a new job.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#135268 - 2005-03-11 11:27 PM Re: Check Folder Permissions
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
wftcmack,

This is a real basic udf to check permissions using cacls.exe. I've not done extensive testing but in my limited testing it worked.

Code:
 

break on

; Example call: a return value of 0 means the entry "Everyone:C" was found
if CheckPermissions("Everyone","C",@scriptdir + "\kix32.exe")=0
  ? "Has Proper Permissions"
else
  ? "Not proper Permissions"
endif

; Returns 0 if cacls lists exactly "$user:$permission" for $object, otherwise 1
function CheckPermissions($user,$permission,$object)
  dim $counter,$perms
  $CheckPermissions=1
  ; Capture the cacls listing as an array of lines, without echoing it
  $perms=wshpipe('%comspec% /c cacls "' + $object + '"',1)
  $counter=0
  while $counter<=ubound($perms) and $CheckPermissions=1
    if instr($perms[$counter],$object)
      ; First line: the entry follows the object path
      if trim(split($perms[$counter],$object)[1])=$user + ":" + $permission
        $CheckPermissions=0
      endif
    else
      ; Remaining lines: one indented entry per line
      if trim($perms[$counter])=$user + ":" + $permission
        $CheckPermissions=0
      endif
    endif
    $counter=$counter+1
  loop
endfunction


; Runs a shell command and returns its combined StdOut/StdErr as an array of lines
Function WshPipe($ShellCMD, OPTIONAL $NoEcho)
  Dim $oExec, $Output
  $oExec = CreateObject("WScript.Shell").Exec($ShellCMD)
  If Not VarType($oExec)=9 $WshPipe="WScript.Shell Exec Unsupported" Exit 10 EndIf
  $Output = $oExec.StdOut.ReadAll + $oExec.StdErr.ReadAll
  If Not $NoEcho $Output Endif
  ; Strip carriage returns, then split on line feeds
  $WshPipe=Split(Join(Split($Output,CHR(13)),''),CHR(10))
  Exit($oExec.ExitCode)
EndFunction
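
Added example, not part of Allen's post or of the thread: a Python sketch of the same cacls-listing check that also accepts entries printed with inheritance flags, since an exact comparison against "Everyone:C" does not match a folder entry shown as Everyone:(OI)(CI)C. The names parse_cacls and has_right are hypothetical, and the listing is a constructed sample whose layout is assumed to follow cacls's usual output.

```python
import re

# Constructed sample of `cacls C:\Windows\Temp` output (not from a real host).
SAMPLE = r"""C:\Windows\Temp BUILTIN\Administrators:(OI)(CI)F
                NT AUTHORITY\SYSTEM:(OI)(CI)F
                BUILTIN\Users:(CI)(special access:)
                                  FILE_APPEND_DATA
                                  FILE_WRITE_DATA

                CREATOR OWNER:(OI)(CI)(IO)F
                Everyone:(OI)(CI)C
"""

# Which requested rights each printed letter satisfies (F=full, C=change,
# R=read, W=write, N=none).
SATISFIES = {"F": "FCRW", "C": "CRW", "R": "R", "W": "W", "N": ""}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")


def parse_cacls(listing, path):
    """Return (trustee, flags, right) for each simple ACE line in the listing."""
    aces = []
    for line in listing.splitlines():
        line = line.strip()
        # The first line carries the object path before the first ACE.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:  # "special access" entries and their detail lines are skipped
            flags = re.findall(r"\(([A-Z]+)\)", m["flags"])
            aces.append((m["who"], flags, m["right"]))
    return aces


def has_right(listing, path, trustee, wanted):
    """True if trustee holds at least `wanted` on the object itself."""
    for who, flags, right in parse_cacls(listing, path):
        if who.lower() != trustee.lower():
            continue
        # Inherit-only ACEs apply to children only; treat any DENY marker
        # (an assumption about the listing) as never granting access.
        if "IO" in flags or "DENY" in flags:
            continue
        if wanted in SATISFIES[right]:
            return True
    return False


if __name__ == "__main__":
    print(has_right(SAMPLE, r"C:\Windows\Temp", "Everyone", "C"))
```

A script that gets True back can skip the grant step entirely, so the elevated cacls call only runs on machines that still need it.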


#135269 - 2005-03-12 01:56 PM Re: Check Folder Permissions
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Set up an admin script that schedules a task via Task Scheduler on the remote computer. The remote script will run under admin privs and properly adjust the permissions. Otherwise, set up a properly configured .INF file that applies the required permissions via GPO. See for example http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebg_dsp_txtx.asp
_________________________
There are two types of vessels, submarines and targets.

#135270 - 2005-03-12 11:21 PM Re: Check Folder Permissions
desquinn Offline
Fresh Scripter

Registered: 2005-02-23
Posts: 16
Or alternatively just do it as a script that runs from an admin workstation. A for loop that runs through a netdom list of the domain members and then does an xcacls command on them.

do it a couple of times and then add the permissions check in the logon script to write the computername to a file and then run the perms script against that list.

Better to use the GPO method but if you can't then this is a way more secure process.

HTH

#135271 - 2005-03-13 01:25 AM Re: Check Folder Permissions
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
AFAIK, XCACLS does not support the setting of ACLs on remote computers.
_________________________
There are two types of vessels, submarines and targets.

#135272 - 2005-03-13 06:31 AM Re: Check Folder Permissions
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
But, you might be able to get them set using XCACLS remotely using PSEXEC or REMOTEXEC.

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

#135273 - 2005-03-13 09:49 AM Re: Check Folder Permissions
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
This tool should work just fine.

SubInACL (SubInACL.exe)
http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Board=UBB14&Number=121194

#135274 - 2005-03-13 03:16 PM Re: Check Folder Permissions
desquinn Offline
Fresh Scripter

Registered: 2005-02-23
Posts: 16
Code:
xcacls \\192.0.0.2\c$\testcacls.txt /G users:RC  



works fine

#135275 - 2005-03-17 06:41 PM Re: Check Folder Permissions
wftcmack Offline
Fresh Scripter

Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
Thanks for the help everyone.
