
#1 15 Mar 2007 16:33

jduff
Member
Registered: 04 Mar 2007
Posts: 9

List Users with Write Permission, Temporarily Change Permissions

I need to temporarily remove write permissions on a particular drive letter for ALL users.

I think I have to do the following:
    1 - List all users that currently have write permissions on the drive.
    2 - Remove write permission for each of these users. (Use cacls command?)
    3 - <Do whatever else I need to do.>
    4 - Restore write permission for each of the users. (Use cacls command again?)

Can this be done with a batch command script, or do I need to write an exe where I can get access to Windows libraries that will help me with step 1 above? If the script is possible, what command do I use to get the list of users with write permissions?

jduff

Offline

#2 15 Mar 2007 19:01

jduff
Member
Registered: 04 Mar 2007
Posts: 9

Re: List Users with Write Permission, Temporarily Change Permissions

I've gotten part way there using cacls to list the users and permissions. However, I'm having trouble parsing the cacls text output to pick up just the usernames.

Code below DOES NOT YET WORK!!!

setlocal enabledelayedexpansion
set myDir=C:\foo

REM * STEP 1 - Create temp files that contain the list of users:
REM *   Make one file for full control users.
REM *   Make one file for write users.
REM *   Make one file for change users.

cacls "%myDir%" | FIND ":F" > users_FullControl.txt
cacls "%myDir%" | FIND ":W" > users_Write.txt
cacls "%myDir%" | FIND ":C" > users_Change.txt

REM * STEP 2 - Iterate over the list of full control users changing to R permission
for /f %%v in (users_FullControl.txt) do (
    REM * HELP - How do I pick out the user name?
    REM * User name precedes the :F at the end of the line.
    REM * User name is preceded by /
    echo If I could correctly parse out the username into the v variable, I would execute: cacls "!myDir!" /E /G %%v:R
)
REM * Repeat for write (:W) users.
REM * Repeat for change (:C) users.

REM * STEP 3 - Do whatever I want to do.

REM * STEP 4 - Put permissions back:
REM * Repeat full control users for loop changing permissions back to full control.
REM * Repeat write users for loop changing permissions back to write.
REM * Repeat change control users for loop changing permissions back to change.

endlocal

jduff

Offline

#3 15 Mar 2007 19:32

bluesxman
Member
From: UK
Registered: 29 Dec 2006
Posts: 1,129

Re: List Users with Write Permission, Temporarily Change Permissions

You need to give "for" some options, so that it'll appropriately modify the data it's getting from the file.

If you just want the user name in "%%v" then give it some of this action:

for /f "usebackq delims=\: tokens=2" %%v in ("users_FullControl.txt") do (

cmd | *sh | ruby | chef

Offline

#4 16 Mar 2007 13:24

jduff
Member
Registered: 04 Mar 2007
Posts: 9

Re: List Users with Write Permission, Temporarily Change Permissions

Yes, I see! ...This new code almost works. I have a problem on the first line of output from the cacls command which begins with the myDir string. For example:

C:\foo BUILTIN\Administrators:F
       NT AUTHORITY\SYSTEM:F
       WESTERLY\jduff:F

I need to remove the myDir value from the front of the string before the tokens approach you've suggested will work. I've tried code like the following, but I haven't yet been successful.

setlocal enabledelayedexpansion

set newLine=%oldLine:%myDir%=%
set newLine=%oldLine:!myDir!=%

Once I get this right, I think I will have what I need. I'll publish the entire script when I finally get it working.

jduff

Offline

#5 19 Mar 2007 18:55

bluesxman
Member
From: UK
Registered: 29 Dec 2006
Posts: 1,129

Re: List Users with Write Permission, Temporarily Change Permissions

Hmm it's a little more tricky than I first thought.  Consider this:

Z:\>for /f "usebackq delims=\: tokens=2" %v in (`cacls z:\`) do @echo %v
 BUILTIN
SYSTEM
(OI)(CI)(IO)F
Users
Users
Users
R

Z:\>cacls z:\
z:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    CREATOR OWNER:(OI)(CI)(IO)F
    BUILTIN\Users:(OI)(CI)R
    BUILTIN\Users:(CI)(special access:)
                      FILE_APPEND_DATA

    BUILTIN\Users:(CI)(IO)(special access:)
                          FILE_WRITE_DATA

    Everyone:R

As you can see, it's picking out a few things I probably wouldn't want it to.  I'll have a think and come back to you.

Last edited by bluesxman (19 Mar 2007 18:56)


cmd | *sh | ruby | chef

Offline
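Added example (not written by any poster in this thread): a Python parser for the cacls listing quoted in post #5, showing why taking token 2 is not enough: the path prefix, accounts with no domain part, and "special access" continuation lines each need their own handling. The names parse_cacls and writers are hypothetical, only the line shapes shown in this thread are covered, and treating W, C, F, FILE_WRITE_DATA and FILE_APPEND_DATA as write-capable is this example's assumption.

```python
import re

# Constructed sample: the cacls listing quoted in post #5 above.
SAMPLE = r"""z:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    CREATOR OWNER:(OI)(CI)(IO)F
    BUILTIN\Users:(OI)(CI)R
    BUILTIN\Users:(CI)(special access:)
                      FILE_APPEND_DATA

    BUILTIN\Users:(CI)(IO)(special access:)
                          FILE_WRITE_DATA

    Everyone:R
"""

# account, optional inheritance flags such as (OI)(CI), then a right or "(special access:)"
ACE = re.compile(r"^([^:]+):((?:\([A-Z]+\))*)(\(special access:\)|[NRWCF])$")
WRITE_SIMPLE = {"W", "C", "F"}                            # assumption: rights that permit writing
WRITE_SPECIAL = {"FILE_WRITE_DATA", "FILE_APPEND_DATA"}   # assumption, as above

def parse_cacls(path, text):
    """Return one dict per ACE: account, flags, perm, special (list of named rights)."""
    aces = []
    for i, line in enumerate(text.splitlines()):
        if i == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):]          # only the first line carries the path
        line = line.strip()
        if not line:
            continue
        m = ACE.match(line)
        if m:
            perm = "special" if m.group(3).startswith("(") else m.group(3)
            aces.append({"account": m.group(1), "perm": perm, "special": [],
                         "flags": re.findall(r"\((\w+)\)", m.group(2))})
        elif aces and aces[-1]["perm"] == "special":
            aces[-1]["special"].append(line)  # continuation line, e.g. FILE_WRITE_DATA
        else:
            raise ValueError("unrecognised cacls line: %r" % line)
    return aces

def writers(aces):
    """Sorted accounts that hold at least one write-capable ACE."""
    return sorted({a["account"] for a in aces
                   if a["perm"] in WRITE_SIMPLE or WRITE_SPECIAL & set(a["special"])})

if __name__ == "__main__":
    print("\n".join(writers(parse_cacls("z:\\", SAMPLE))))
```

On this listing BUILTIN\Users is reported as a writer even though its plain entry is R, because two of its entries grant write rights through special access.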

#6 19 Mar 2007 19:50

Simon Sheppard
Admin
Registered: 27 Aug 2005
Posts: 1,130

Re: List Users with Write Permission, Temporarily Change Permissions

Offline
