NDog
I have followed the advice on https://ss64.com/nt/subinacl.html
List permissions to log file:
subinacl /noverbose /nostatistic /outputlog=my.log /subdirectories "\\games00\c$\windows\system32\grouppolicy" /display
Restore Permissions:
subinacl /nostatistic /playfile my.log
I have this file now (my.log)
Code: Select all
================================================
+File \\games00\c$\windows\system32\GroupPolicy
================================================
/control=0x1400
/owner =games00\administrator
/primary group =games00\none
/audit ace count =0
/perm. ace count =2
/pace =games00\administrator Type=0x1 Flags=0x3 AccessMask=0x20089
/pace =games00\vadal Type=0x0 Flags=0x3 AccessMask=0x1200a9
This is waaay over my head, I still cant fully comprehend the for /f command but if you can help me either manipulate this log file to export across different folders, or just make more effecient use of the subinacl program, that would be much appreciated.
Thanks!!!
cmd, vbs, ps, bash
autoit, python, swift
----------------------------
#2 02 Jun 2006 19:17
Simon Sheppard
What is it you are trying to change?
permissions?
owner?
Are you trying to apply user/group permissions from one machine to files stored on another?
are the machines in a domain
----------------------------
#3 02 Jun 2006 22:21
NDog
Thank you for the reply
Well the specifics for me using subinacl is I wish to
a) delete all owners/permissions on the folder
b) create 2 users (owners i think) on the folder: 'administrator' and 'vadal'
c) the 'administrator' user needs permissions set to: deny read
d) the 'vadal' user needs permissions set to: accept read & execute, accept list folders, accept read
I dont neccessarily need to apply user/group permissions from one machine to another, however those are the specific uaser/permissions I wish to apply across all the machines
Yes I want to export these settings accross my network, we dont use domain controller for this specific network, its the gaming network, our other networks have domain controller, however this is a project I have been working on, and this is the only thing I havent worked out yet.
You might be curious, as I am editting security for the GroupPolicy folder, firstly I am the administrator, so I know all the passwords and am setting up and deploying this personally, however this is an unothordox way of applying grouppolicies to only apply to the 'vadal' account which is the default user who sits down at our machines, we apply grouppolicies to that profile to obviously restrict their actions, while the 'administrator' has his grouppolices set to deny read, which means when we logon, we dont get (load) group policy restrictions.
Simple explanation if you were curious wink
Nathan
cmd, vbs, ps, bash
autoit, python, swift
----------------------------
#4 03 Jun 2006 21:54
Simon Sheppard
OK I think the best command for that would be XCACLS
https://ss64.com/nt/xcalcs.html
/P will replace the owner
/R User will revoke access
/G User will grant access
you can use the %computername% variable like so
XCACLS "C:\Folder Name" /G %computername%\your_user_account:F
I find it's usually easier to run several XCACLS commends to set each of the properties you need, rather than one monster command.
----------------------------
#5 04 Jun 2006 12:18
NDog
Ah dont worry, I would rather use subinacl and import the log file settings, that is way faster.
Heres my current script, a big biggish, but it does the job properly, and FAST hehe, I can seem to manage for /f command yet sad lol
Code: Select all
SET FIRSTPC=whateveritscalled
SET UPDATELOG=%FIRSTPC%update.log
ECHO ================================================ >>%UPDATELOG%
ECHO +File \\%FIRSTPC%\c$\windows\system32\GroupPolicy >>%UPDATELOG%
ECHO ================================================ >>%UPDATELOG%
ECHO /control=0x1400 >>%UPDATELOG%
ECHO /owner=%FIRSTPC%\administrator >>%UPDATELOG%
ECHO /primary group=%FIRSTPC%\none >>%UPDATELOG%
ECHO /audit ace count=0 >>%UPDATELOG%
ECHO /perm. ace count=2 >>%UPDATELOG%
ECHO /pace=%FIRSTPC%\administrator Type=0x1 Flags=0x3 AccessMask=0x20089 >>%UPDATELOG%
ECHO /pace=%FIRSTPC%\vadal Type=0x0 Flags=0x3 AccessMask=0x1200a9 >>%UPDATELOG%
subinacl /nostatistic /playfile %UPDATELOG%
A big thank you, and ss64.com is my fav site!!! smile
cmd, vbs, ps, bash
autoit, python, swift
----------------------------
#6 28 Jul 2006 23:01
pand0ra
Create a batch file with the junk listed below. You will also need a file caleed hostnames.txt with the list of hosts in it.
Code: Select all
---------------------------------------------------------------------------------------------------
:START
FOR /F "Tokens=1" %%a in (hostnames.txt) Do (
IF "%%a" == "END" GOTO END
rem List permissions to log file:
CALL subinacl /noverbose /nostatistic /outputlog=my.log /subdirectories \\%%a\c$\windows\system32\grouppolicy /display
rem Restore Permissions:
CALL subinacl /nostatistic /playfile my.log \%%a
)
:END