Re: temporary permission

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/13/05


Date: Tue, 12 Jul 2005 23:22:33 -0700

I would suggest always using the /e switch in most normal uses of
cacls so that one edits and modifies the existing permissions instead
of replacing them.

The solution you propose will not work in a login script, as the script
runs as the user (who would not have the permissions to grant themselves
permissions). The logoff script might work depending on just what
permissions the user had on the target NTFS area.

A startup script would have the permissions to grant the account
access, but it would not necessarily know which account - and
anyway, why not just manually do the one-time grant?

One could manually add the permissions for the user and also
program up a small task to run at a set time later to remove them.

-- 
Roger Abell
Microsoft MVP (Windows Security)
"Wong Tuck Wah" <WongTuckWah@discussions.microsoft.com> wrote in message
news:84186C94-25C7-4772-9910-8474DE9A3C43@microsoft.com...
> To have the permission removed after a certain time interval is not available
> in the native Windows OS, but if you only want it removed when the user logs
> off, that is possible. How?
>
> To make this work, you need to be in an AD environment so that a GPO can be
> applied.
>
> 1. Create a script which looks like the following and make it the logon
> script
>        echo y| cacls d:\<foldername> /t /g u1:c
>    (assume user is u1, permission can be r, w, c or f)
>
> 2. Create a script which looks like the following and make it the logoff
> script
>        cacls d:\<foldername> /e /r u1
>
> These 2 scripts will grant the user, u1, change permission to the folder when
> he logs on to the system. Once he logs off, the other script will remove the
> permission set for him.
>
> HTH.
>
>
> "Kish Jogia" wrote:
>
> > Hi
> >
> > Is it possible to give someone temporary permission to a folder, which will
> > expire after a set time period or when they log off?
> >
> > Many thanks for the help.
> > --
> >
> >     Kish
> >
> > E-Mail: kishjogia@yahoo.co.uk
> >
> >
> >
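
The approach suggested in the reply above (a manual grant made with /e, plus a small task that removes it at a set time), sketched as an added example that is not part of the original posts. It assumes an administrator runs it from an elevated prompt on Windows Vista or later (for the schtasks /st HH:mm format and /f); the script name, task name prefix and argument order are hypothetical.

```batch
@echo off
rem Added example, not from the thread.
rem Hypothetical usage: tempgrant.cmd <folder> <account> <HH:mm>
rem Assumes the folder path has no trailing backslash.
setlocal

if "%~3"=="" (
    echo Usage: %~nx0 folder account HH:mm
    exit /b 1
)

set "FOLDER=%~1"
set "ACCOUNT=%~2"
set "REVOKE_AT=%~3"

rem Task names cannot carry a DOMAIN\user backslash, so replace it.
set "TASK=RevokeTemp_%ACCOUNT:\=_%"

if not exist "%FOLDER%" (
    echo Folder not found: %FOLDER%
    exit /b 1
)

rem Schedule the removal first, so a grant never exists without its revoke.
rem The task runs as SYSTEM, which can edit the ACL even though the user cannot.
schtasks /create /tn "%TASK%" /sc once /st %REVOKE_AT% /ru SYSTEM /f ^
    /tr "cacls \"%FOLDER%\" /t /e /r %ACCOUNT%"
if errorlevel 1 (
    echo Could not schedule the revoke. No permission was granted.
    exit /b 1
)

rem /e edits the existing ACL instead of replacing it, as advised in the reply.
rem :c is change permission, matching the level used in the quoted script.
cacls "%FOLDER%" /t /e /g %ACCOUNT%:c

rem Show the resulting ACL so the grant can be checked by eye.
cacls "%FOLDER%"

echo Revoke task "%TASK%" is scheduled for %REVOKE_AT% today.
endlocal
```

The one-time task stays in Task Scheduler after it has run; delete it with `schtasks /delete /tn <taskname>` once the ACL has been confirmed clean.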

