Re: Modifying permissions with XCACLS.vbs



Hi Adam

I think you may be taking the long road, as instead of resorting to
naming principals with SIDs you can just quote their display name
if it contains spaces. For example:
xcacls.vbs c:\temp /g "yourdomain\domain admins":f
of course replacing "yourdomain" and notice also that the target
folder/file does not need to be quoted if it contains no whitespace.

Roger

"Adam Sandler" <corn29@xxxxxxxxxx> wrote in message
news:594f3914-ac75-46d6-9981-587aed8af678@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

I have a question about running XCACLS.vbs. I'm trying to change
folder permissions but I'm not using the built-in security groups - I
want to use domain groups; specifically domain admins and domain
users.

I read online that if one uses SID# in place of a group name then that
should work.

I call XCACLS.vbs from a batch file. A sample of my existing (and
currently working as expected) file looks like this:
cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /G Administrators:F

cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /E /G SYSTEM:F

Additionally, I read that the domain SID can be found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
I also read the SIDs for domain admins and domain users are:

SID: S-1-5-domain-512
Name: Domain Admins

SID: S-1-5-domain-513
Name: Domain Users

So, armed with this information I took the two lines above and tried
to do this:

cscript xcacls.vbs "C:\Temp" /G SID#S-1-5-21-131504274-120818031-269197707-1108-512:F

cscript xcacls.vbs "C:\Temp" /E /G SID#S-1-5-21-131504274-120818031-269197707-1108-513:F

It didn't work. While I didn't get a script engine error or anything,
when I checked the permissions on that folder, all the entries were
gone - it was a blank display.

How can I modify the permissions to use domain admins and users?
Suggestions are greatly appreciated.

Thanks!
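
Added example (not part of either post, and not code from XCACLS.vbs): the subkeys of ProfileList are account SIDs of the form S-1-5-21-x-y-z-RID, so the "domain" part of S-1-5-domain-512 is that value without its final RID. The sketch below derives the Domain Admins and Domain Users SIDs that way and prints command lines in the SID# form quoted in the post; it assumes the value ending in 1108 is a domain account's profile SID, and the function names are illustrative.

```python
import re

# S-1-5-21-<three domain sub-authorities>-<RID>: an account SID as found
# under ProfileList. Anything longer or shorter is rejected.
ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$", re.IGNORECASE)

# Well-known relative IDs quoted in the post.
RID_DOMAIN_ADMINS = 512
RID_DOMAIN_USERS = 513


def split_account_sid(sid):
    """Return (domain_sid, rid) for an account SID, or raise ValueError."""
    m = ACCOUNT_SID.match(sid.strip())
    if not m:
        raise ValueError("not an S-1-5-21-x-y-z-RID account SID: %r" % sid)
    a, b, c, rid = m.groups()
    return "S-1-5-21-%s-%s-%s" % (a, b, c), int(rid)


def domain_group_sid(account_sid, group_rid):
    """Replace the account's own RID with the group's RID."""
    domain_sid, _ = split_account_sid(account_sid)
    return "%s-%d" % (domain_sid, group_rid)


def xcacls_grant(path, sid, perm="F"):
    """Build an xcacls.vbs line in the form used in the post.

    /E edits the existing ACL instead of replacing it.
    """
    return 'cscript xcacls.vbs "%s" /E /G SID#%s:%s' % (path, sid, perm)


if __name__ == "__main__":
    # The value the post appended 512/513 to; assumed to be the profile SID
    # of a domain account. A local account's profile would yield the
    # machine's identifier here, not the domain's.
    profile_sid = "S-1-5-21-131504274-120818031-269197707-1108"
    for rid in (RID_DOMAIN_ADMINS, RID_DOMAIN_USERS):
        print(xcacls_grant(r"C:\Temp", domain_group_sid(profile_sid, rid)))
```

Check the resulting ACL on a scratch folder before running the generated lines against real paths.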










