Changing file permissions using vbscript



SunRace
07-09-2005, 11:51 PM
Hello,

I am creating a txt file using the following script when the user logs in. Now
what I want to do is take ownership of that file and deny access to all users
except one group - this group will have read access to the file. I want
domain administrators to have full rights to the file.

----------------
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("WScript.NetWork")

' Create the per-user file only if it does not exist yet
If NOT objFSO.FileExists("\\advad02\Profiles\Notepads\owner\" + _
    objNet.UserName + ".txt") Then

    strPath = "\\advad02\Profiles\Notepads\owner\"
    strFileName = objNet.UserName + ".txt"
    strFullName = objFSO.BuildPath(strPath, strFileName)
    Set objFile = objFSO.CreateTextFile(strFullName)
    objFile.Close

End if

----------------

Roger Abell
07-09-2005, 11:51 PM
You, or rather the context your script will run in, may only
take ownership of a file if you have the permission to take
ownership, such as by having Full Control.
The file will be defined with the permissions that are effective
for new files in the location where it is created. Usually the
defining account will already be the owner.
If the file is defined with permissions that allow the context
of the script to do so, then shelling out to exec of cacls is one of the
most frequently used ways to set permissions. There are others,
such as by use of WMI objects, AdsSecurity.dll, and third
party controls.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

SunRace
07-09-2005, 11:51 PM
Hello,

Thanks...But have worked it out like this already...

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("WScript.NetWork")
Set oShell = CreateObject("WScript.Shell")

' Create the per-user file only if it does not exist yet
If NOT objFSO.FileExists("\\advad02\Profiles\Notepads\owner\" + _
    objNet.UserName + ".txt") Then

    strPath = "\\advad02\Profiles\Notepads\owner\"
    strFileName = objNet.UserName + ".txt"
    strFullName = objFSO.BuildPath(strPath, strFileName)
    Set objFile = objFSO.CreateTextFile(strFullName)
    objFile.Close
    ' Run the batch file hidden (0) and wait for it to finish (True)
    oShell.Run "\\x.y.com\SysVol\x.y.com\Policies\{2C1D3653-722E-47FD-AD5E-5ADA49D8E56F}\User\Scripts\Logon\Rights.bat", 0, True
End if

Batch -

echo y|cacls \\advad02\profiles\notepads\owner\%username%.txt /p %username%:F
cacls \\advad02\profiles\notepads\owner\%username%.txt /E /p NotepadCheck:R

Roger Abell
07-09-2005, 11:51 PM
Which is pretty much what I was indicating as a commonly used
way, shelling to cacls, except that you really do not need to have
the bat file stored in the login scripts as you can just directly do
the cacls executions from the script that makes the new file.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

SunRace
07-09-2005, 11:51 PM
Yes, that's what I wanted to know... is there any site where I can read
about it... it will be a great help...

Roger Abell
07-09-2005, 11:51 PM
Post over to the NG microsoft.public.windows.server.scripting
as this gets asked and answered there all of the time. Basically,
much as you have used Run method on instance of WScript.Shell
object, you can shell out to execute the cacls application directly
by use of the Exec method instead of the Run method.
Check out the example under the Exec Method link at
http://msdn.microsoft.com/library/en-us/script56/html/wsoriWshShellObjectPropMeth.asp

--
Roger

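Calling cacls directly through the Exec method, as suggested in the post above, removes the need for Rights.bat. This is an added example, not code from the thread's posters: the RunCacls and Quote helpers are names assumed here, while the share path and the NotepadCheck group are taken from the thread.

```vbscript
Option Explicit
Dim objFSO, objNet, oShell, strPath, strUser, strFullName, objFile

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")

strPath = "\\advad02\Profiles\Notepads\owner\"   ' share used in the thread
strUser = objNet.UserName
strFullName = objFSO.BuildPath(strPath, strUser & ".txt")

If Not objFSO.FileExists(strFullName) Then
    Set objFile = objFSO.CreateTextFile(strFullName)
    objFile.Close

    ' /P without /E replaces the whole ACL, so cacls asks "Are you sure (Y/N)?".
    ' Exec starts cacls.exe directly (no cmd.exe, so no "echo y|" pipe);
    ' the answer is written to the child's StdIn instead.
    RunCacls Quote(strFullName) & " /P " & Quote(strUser) & ":F", True
    ' /E edits the existing ACL: give the group read access.
    RunCacls Quote(strFullName) & " /E /P NotepadCheck:R", False
End If

' Wrap a value in double quotes so names containing spaces stay one argument.
Function Quote(s)
    Quote = Chr(34) & s & Chr(34)
End Function

' Helper assumed for this example: run cacls, wait, stop on a non-zero exit code.
Sub RunCacls(strArgs, blnConfirm)
    Dim oExec, strOut
    Set oExec = oShell.Exec("cacls.exe " & strArgs)
    If blnConfirm Then oExec.StdIn.WriteLine "Y"
    oExec.StdIn.Close
    strOut = oExec.StdOut.ReadAll        ' returns once cacls closes its output
    Do While oExec.Status = 0            ' 0 = still running
        WScript.Sleep 50
    Loop
    If oExec.ExitCode <> 0 Then
        ' Log to the Application event log (1 = error) rather than a dialog,
        ' so a failure does not block the logon.
        oShell.LogEvent 1, "cacls failed (" & oExec.ExitCode & "): " & strOut
        WScript.Quit oExec.ExitCode
    End If
End Sub
```

When the script runs under wscript.exe, each Exec call briefly opens a console window, which Run with window style 0 avoids; under cscript.exe the child process reuses the existing console.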
