#135257 - 2005-03-10 11:25 PM
Check Folder Permissions
|
wftcmack
Fresh Scripter
Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
|
How do you check folder permissions? For example, I want to see if the user group "everyone" has change rights on the C:\Windows\TEMP directory.
I know how to add the rights; I just don't know how to check them in case they already exist. If someone could please show me an example, that would be good.
#135259 - 2005-03-11 05:23 PM
Re: Check Folder Permissions
|
wftcmack
Fresh Scripter
Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
|
Hello.
I tried searching all the posts.
I still haven't found an example that shows me how to check if the permissions for a user group already exist on a folder or file.
I understand cacls and xcacls and I can add permissions just fine. But my problem is I don't want to run this part of the script every time my users log into the network.
I only want the login script to add the permission to the workstation only when needed.
But honestly I have searched unless I'm searching with the wrong search criteria...?
#135262 - 2005-03-11 08:18 PM
Re: Check Folder Permissions
|
wftcmack
Fresh Scripter
Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
|
Here are the details of the problem. Currently the workstations' OS image has the default settings on a folder for a user group called "everyone" set with the permissions "Read" on a specific folder. They need to have the permission "change" on this directory. I've written a script that will execute another script as administrator using the RUNAS command during the login that will grant the user group change permission to that target folder.
My problem is that every time the users log into the network my script will run every time the login script is executed. The permissions granting should only run once. The granting permissions script shouldn't rerun itself every time someone logs into the same machine over and over again when the folder has already been granted the rights to the users group.
This is why I'm trying to come up with an if statement that will check a folder to see if it already has the permissions given to a specific user group.
For example:
Folder = C:\windows\TEMP
If Folder permissions = group(Everyone) has change access then
skip
else
grant change access to the target folder to the user group named "everyone".
endif
That IF statement was intended as an English definition, not as code, so please bear with me.
I hope this is enough detail to get some help. I've heard that it's quite possible to check file and folder rights to see if the user or users group has already been given the access. But I can't seem to find anything on the topic.
#135265 - 2005-03-11 08:50 PM
Re: Check Folder Permissions
|
wftcmack
Fresh Scripter
Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
|
Well, I'm using the CACLS method. I understand that the admin password can be compromised. But that's only from finding the original file, correct?
How can you find it out if you run your code like this... This is the command I'm using from the kix script that's being executed. { SHELL "cscript.exe " + @LDRIVE + "\scripts2\runas.vbs" }
This is the code inside the runas.vbs file:
{
'////////////////////////////////////////////////////////////////////////////
' Explicit variable declaration and standard globals
Option Explicit
Dim g_sComputerName
Dim g_oShell, g_oFSO, g_oNet

' Set standard globals and create global objects
Set g_oShell = CreateObject("Wscript.Shell")
Set g_oFSO = CreateObject("Scripting.FileSystemObject")
Set g_oNet = CreateObject("WScript.Network")

g_sComputerName = g_oNet.ComputerName

' in this example the command prompt is being run as the administrator
' on the local computer.
g_oShell.Run "runas /user:" & "domain" & "\administrator ""cacls C:\windows\Temp /T /E /G everyone:C"""
Wscript.Sleep 500

' change YourPasswordHere to the local computer administrator account password
' the password must be in the quotation marks
g_oShell.SendKeys password & "{ENTER}"
}
I understand that if the file was to be reached and then opened or copied then yes, the password could be compromised. But having the application run it the way it is, I don't see how the password could be compromised when it's all self-contained.
#135266 - 2005-03-11 08:53 PM
Re: Check Folder Permissions
|
wftcmack
Fresh Scripter
Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
|
Thanks Les for the idea.
I never thought about that approach. To check for an error.
I'll post with my results, but I'd assume there's got to be a way to check if permissions exist. I'm sure this must have been a common problem for people.
#135268 - 2005-03-11 11:27 PM
Re: Check Folder Permissions
|
Allen
KiX Supporter
Registered: 2003-04-19
Posts: 4545
Loc: USA
|
wftcmack,
This is a real basic udf to check permissions using cacls.exe. I've not done extensive testing but in my limited testing it worked.
Code:
break on

; CheckPermissions returns 0 when cacls lists $user with exactly $permission
if CheckPermissions("Everyone","C",@scriptdir + "\kix32.exe")=0
  ? "Has Proper Permissions"
else
  ? "Not proper Permissions"
endif

function CheckPermissions($user,$permission,$object)
  dim $counter,$perms
  $CheckPermissions=1   ; assume no match until an entry is found
  ; capture the cacls output as an array of lines (1 = do not echo it)
  $perms=wshpipe('%comspec% /c cacls "' + $object + '"',1)
  $counter=0
  while $counter<=ubound($perms) and $CheckPermissions=1
    if instr($perms[$counter],$object)
      ; first line: the object path is followed by the first entry
      if trim(split($perms[$counter],$object)[1])=$user + ":" + $permission
        $CheckPermissions=0
      endif
    else
      ; remaining lines hold one entry each, e.g. Everyone:C
      if trim($perms[$counter])=$user + ":" + $permission
        $CheckPermissions=0
      endif
    endif
    $counter=$counter+1
  loop
endfunction

; Runs a command and returns stdout followed by stderr as an array of lines;
; the command's exit code is passed back through Exit
Function WshPipe($ShellCMD, OPTIONAL $NoEcho)
  Dim $oExec, $Output
  $oExec = CreateObject("WScript.Shell").Exec($ShellCMD)
  If Not VarType($oExec)=9 $WshPipe="WScript.Shell Exec Unsupported" Exit 10 EndIf
  $Output = $oExec.StdOut.ReadAll + $oExec.StdErr.ReadAll
  If Not $NoEcho $Output Endif
  ; drop carriage returns, then split on line feeds
  $WshPipe=Split(Join(Split($Output,CHR(13)),''),CHR(10))
  Exit($oExec.ExitCode)
EndFunction
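For comparison with the cacls-parsing UDF in the post above, the same check can be made against the ACL itself rather than against command output. This is an added example, not code from the thread: it uses PowerShell's Get-Acl instead of cacls, the function name Test-DirectGrant is hypothetical, and like the UDF it only considers entries that name the group directly (no group-membership resolution).

```powershell
# Added example, not from the thread. Test-DirectGrant is a hypothetical name;
# Get-Acl and the System.Security.* types are standard.
function Test-DirectGrant {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )
    $need        = [int]$Rights
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $allowed     = 0
    $denied      = 0

    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # comparison does not depend on how the group name is displayed.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid.Value) { continue }
        # Inherit-only ACEs apply to children, not to the object itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($rule.AccessControlType -eq $allow) {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        } else {
            $denied = $denied -bor [int]$rule.FileSystemRights
        }
    }

    # True only if every requested bit is allowed and none of them is denied.
    return ((($allowed -band $need) -eq $need) -and (($denied -band $need) -eq 0))
}

# S-1-1-0 is the well-known SID for Everyone; cacls "C" (change) corresponds to Modify.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$folder   = 'C:\Windows\Temp'

if (Test-DirectGrant -Path $folder -Sid $everyone -Rights Modify) {
    "Everyone already has change access on $folder"
} else {
    "Everyone does not have change access on $folder"
}
```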
#135270 - 2005-03-12 11:21 PM
Re: Check Folder Permissions
|
desquinn
Fresh Scripter
Registered: 2005-02-23
Posts: 16
|
Or alternatively, just do it as a script that runs from an admin workstation. A for loop that runs through a netdom list of the domain members and then does an xcacls command on them.
Do it a couple of times and then add the permissions check in the logon script to write the computername to a file and then run the perms script against that list.
Better to use the GPO method, but if you can't then this is a way more secure process.
HTH
#135272 - 2005-03-13 06:31 AM
Re: Check Folder Permissions
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
But, you might be able to get them set using XCACLS remotely using PSEXEC or REMOTEXEC.
Kent
#135273 - 2005-03-13 09:49 AM
Re: Check Folder Permissions
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11623
Loc: CA
|
#135274 - 2005-03-13 03:16 PM
Re: Check Folder Permissions
|
desquinn
Fresh Scripter
Registered: 2005-02-23
Posts: 16
|
Code:
xcacls \\192.0.0.2\c$\testcacls.txt /G users:RC
works fine
#135275 - 2005-03-17 06:41 PM
Re: Check Folder Permissions
|
wftcmack
Fresh Scripter
Registered: 2005-03-10
Posts: 6
Loc: BC, Canada
|
Thanks for the help everyone.