xcacls scripting help

[hjahmad]

Im using xcacls.vbs to set permissions to folders. its all working well except for the /G user:Spec parameter.
just want to make sure, Spec is for 'Folder and Subfolders Only'. while Perm is just 'Files only'.
I need Spec but when i use it it still sets as 'Files Only'
i have been using this site as a ref: http://support.microsoft.com/kb/825751

please check my work
cscript xcacls.vbs "C:\DELL" /E /G Users:Spec;6

all the correct permissions are set except for the inheritance, it should be for "Folders and Subfolders Only"
what am i missing?

While im here, are there any other commands other than Perm and Spec, that can do "Subfolders and files only". i havent come across that iin all my searches.

thanks

 

[canivari]

Im using xcacls.vbs to set permissions to folders. its all working well except for the /G user:Spec parameter.
just want to make sure, Spec is for 'Folder and Subfolders Only'. while Perm is just 'Files only'.
I need Spec but when i use it it still sets as 'Files Only'
i have been using this site as a ref: http://support.microsoft.com/kb/825751

please check my work
cscript xcacls.vbs "C:\DELL" /E /G Users:Spec;6

all the correct permissions are set except for the inheritance, it should be for "Folders and Subfolders Only"
what am i missing?

While im here, are there any other commands other than Perm and Spec, that can do "Subfolders and files only". i havent come across that iin all my searches.

thanks

Is this drive formatted in FAT32 or NTFS?
What kind of Windows are you running?

 

[hjahmad]

NTFS
Windows XP Pro Sp3

 

[canivari]

NTFS
Windows XP Pro Sp3

I never used this cscript called xcacls.vbs.
I just do it manually.
I know that you have two types of permissions (not using simple file sharing !) that you need to work out for the permissions in a file or folder.
The first is the basic share it self and this one i usually put share with everybody and let everybody have full acess.
The other permission is the NTFS permission and this one
is the master of these two and here you can actually set the permissions
to the users that you really need.
Because if you set all the permission in the sharing option and dont
have the NTFS permitions set, you never gonna be able to share the file it self.
So, the best wy of doing it is to share everything with everybody and let them
have all the permissions and just set the NTFS permissions correctly or else
it gonna by a mess.
The first thing to acess the NTFS permission is to disable the simple file saring and to do that open a folder (any) and click on tools and choose folder options, then in the new small window that opens click in the view tab
and scroll down until you see the "Use simple file sharing (Recomended)
and untick it.Click in apply and ok.Now you should be able to control the NTFS permissions manually and the sharing permisssons.
To acess the sharing and NTFS permission just need right click in the file or folder and choose properties and then choose the apropriate shares in the sharing tab and after that one click in the security tab to set the NTFS permitions.
Hope that helps

 

[hjahmad]

thanks, Ive done all that already. we have been doing it all manually but we have 500 plus files and folders that need it done when we build a new machine and that becomes very tedious. so i am creacting the script to do it. Setting the permissions for the files is easy enough, its the folders which give the trouble.
I can get the permissions for the folders to be (This Folder, Subfolders, and Files) and (Files Only) and (This Folder Only).
but i need to be able to set them as (Subfolders and Files Only) and (This Folder and Subfolders). Those are the two that i really need.
If anyone knows how to do this using xcacls (check the link in original post), that would be great. i can also post what i have to get me those 3 initial results if anyone is willing to play around with it and figure it out.
Thanks

 

[canivari]

thanks, Ive done all that already. we have been doing it all manually but we have 500 plus files and folders that need it done when we build a new machine and that becomes very tedious. so i am creacting the script to do it. Setting the permissions for the files is easy enough, its the folders which give the trouble.
I can get the permissions for the folders to be (This Folder, Subfolders, and Files) and (Files Only) and (This Folder Only).
but i need to be able to set them as (Subfolders and Files Only) and (This Folder and Subfolders). Those are the two that i really need.
If anyone knows how to do this using xcacls (check the link in original post), that would be great. i can also post what i have to get me those 3 initial results if anyone is willing to play around with it and figure it out.
Thanks

Why dont you just use A central server with all the files and set the active directory once with all permissions once?

 

[hjahmad]

Why dont you just use A central server with all the files and set the active directory once with all permissions once?

Not Allowed

 

[canivari]

Not Allowed

I am sorry to ear(read) that.
I think that you gonna spend more time creating the script and coding
the permissions it self for each File and Folder than using a Database with all
permissions set just once.
What about backups? How do you gonna manage the backups
in the machines?

 

[hjahmad]

I am sorry to ear(read) that.
I think that you gonna spend more time creating the script and coding
the permissions it self for each File and Folder than using a Database with all
permissions set just once.
What about backups? How do you gonna manage the backups
in the machines?

not sure, i guess its not my job to worry about that. haha
well there are about 500+ objects that need permission changes. 95% of them are just files so i can use cacls on them. but the others are folders and i guess we could change them manually but it would be much easier if i could get the xcacls working on them, and it would eliminate any possible human errors too.
what do you mean by using at database for this.

 

[canivari]

not sure, i guess its not my job to worry about that. haha
well there are about 500+ objects that need permission changes. 95% of them are just files so i can use cacls on them. but the others are folders and i guess we could change them manually but it would be much easier if i could get the xcacls working on them, and it would eliminate any possible human errors too.
what do you mean by using at database for this.

How many computers are we talking here to change NTFS permissions in files?
And many files in each?
The "database" it means just one ACL to be adjusted to the needs running active directory.

 

[hjahmad]

i don tknow the number of machines. all new machines that need to be setup for the given security measures. it takes about 4 hours to reconfigure a machine, with the majority of the time just setting up the permissions for these files.
yeah the database would be nice, but these are all standalone machines, no network connectivity of anyking

 

[canivari]

i don tknow the number of machines. all new machines that need to be setup for the given security measures. it takes about 4 hours to reconfigure a machine, with the majority of the time just setting up the permissions for these files.
yeah the database would be nice, but these are all standalone machines, no network connectivity of anyking

Are all the machines gonna be with the same files on them?
If yes to this anwser,why dont just Replicate the HDDs?

 

[hjahmad]

yes the files are the same since they are windows system files
no we cant image the hard drives cause all the machines are different

 

[canivari]

yes the files are the same since they are windows system files
no we cant image the hard drives cause all the machines are different

Of course you can deploy an image from one diferent computer to others..
Have you ever heard about nlite and sysprep.exe from microsoft?
The nlite is an open source program that helps you creating automated
instalations from Windows (so you dont need to do anything during the instalation of windows).
And sysprep,
It cames in XP CDs in a folder called DEPLOY that reseal the windows again so it can be created an image to deploy to other computers (no matter what hardware is diffrent)
To do this:
Create an automated instalation with nlite
copy an entire XP CD to a empty folder in your desktop,
Burn the changes that you made to that XP instalation in to a CD,
Install the windows XP in a machine using that CD,
Dont install any drivers (very important!!)and dont update windows either at least for now
Install all the programs that you gonna need in the computers and update them.
Give all the permitions that you need in the files and folders.
Run the sysprep.exe and choose Pnp, Pre-activated, Mini-setup and choose Shutdown in the end.
After the shutdown of the machine, take the HDD out and conect it
to another computer (for example yours) and atach to 1 or more blank HDDs from the other computers.
Download a copy of Active@ Disk Image
install it in your machine and open the program.
Choose the option to create a RAW image (disc-to-disc)
in this case choose your disk that you installed the windows and the target one of the blank HDDs that you have.
Let him finish the copy and do the rest for the other ones.
After cloning the HDD to all others,conect the HDDs in the computers
and start them so they gonna ask you for drivers and updates from microsoft and thats it.
Imagine the hours that you gonna save replicating the HDDs...
Hope that helps

 

[hjahmad]

yeah i think one of the guys i work with had tried that using acronis. i think it worked to some extent but also not all our machines are sonys or dells. we have some proprietary hardware machines which the HDs can not be removed or reformatted. if they are changed or damaged in anyway, they need to be sent back to the machine manufacturer for around $700 per 80 drive. and we dont want to spend that money. so for those machines, i am trying to get this script to go.
just for my own curiosity though, what is Active@ Disk Image?
thanks
ps, anyone got any ideas on the scripting?

 

[canivari]

yeah i think one of the guys i work with had tried that using acronis. i think it worked to some extent but also not all our machines are sonys or dells. we have some proprietary hardware machines which the HDs can not be removed or reformatted. if they are changed or damaged in anyway, they need to be sent back to the machine manufacturer for around $700 per 80 drive. and we dont want to spend that money. so for those machines, i am trying to get this script to go.
just for my own curiosity though, what is Active@ Disk Image?
thanks
ps, anyone got any ideas on the scripting?

Take a look in Active@ Disk Image here:

http://www.disk-image.net/

 

[hjahmad]

maybe there is a way to use a flash drive to import all the computers settings onto a computer? without hd replication or imaging?

 

[canivari]

maybe there is a way to use a flash drive to import all the computers settings onto a computer? without hd replication or imaging?

Yes..i think so..
You can get an USB external case for the HDDs and download a copy of live XP..create 2 partitions in a disk (in one put the live xp to boot and the second partition to have the image from the source disk.
You could boot from live xp,install the Active@ Disk Image and transfer
the image from the other partition to the HDD inside of the computer..
Well to respond to your earlier anwser..yes there is two ways of doing it (one with AD) and the other you could try Files and settings transfer wizard that comes with XP.
To acess that select start,
-run
-migwiz.exe
-hit enter
-choose the files that you want to backup and copy them to a PEN (remember that the pen got to be formatted in NTFS or else you will
lose NTFS permisions!)
Install normally a new computer with XP and run the migwiz.exe again in there and import the files.
Hope that helps

 

[hjahmad]

i might use that for myself, but i meant something that could just send and change the settings of an already installed xp system without having to do any of this kind of stuff.
kinda like doing a transfer of settings when getting a new computer or something. but with every little thing. permissions, accounts, security, etc.

 

[canivari]

i might use that for myself, but i meant something that could just send and change the settings of an already installed xp system without having to do any of this kind of stuff.
kinda like doing a transfer of settings when getting a new computer or something. but with every little thing. permissions, accounts, security, etc.

Well the files and permissions (that are atached with the files it self, yes its possible) but user accounts and security dont think so..At least that i know of.