How to Set File Permissions
With the CACLS Commands
A VBScript CACLS Tutorial for Setting File Permissions
CACLS is a command-line program to make bulk changes to a folder's permissions. I would go so far as to say that it only makes sense to use CACLS in a VBScript. Let us begin with a reminder of the manual, Windows Explorer method for editing Access Control Lists (ACLs). If you right-click a folder and then select the Security tab, you can examine and modify the NTFS permissions.
This page gives you examples of CACLS scripts. If you need a quick refresher on the switches, check out this CACLS Commands page.
Our mission is to create home directories for users, then assign permissions with CACLS commands. The typical structure on a file server would be a shared folder called home, then each user has their own folder as a sub-directory under home.
If you create users' home folders with Active Directory Users and Computers, then you can invoke the %username% variable, which not only creates a folder named after the user, but also sets the permission to username full control.
The problem arises if you bulk create users with CSVDE or VBScript; in such cases I find that %username% does not work, so we need an alternative method to create the home folders and set the permissions - a job for CACLS.
As ever the secret of scripting is to build up in stages.
Stage 1: Introduction to CACLS. Simple example to set folder permission to Administrators full control.
Stage 2: Create the users' (sub) folders. Assumption: we have the usernames in a spreadsheet.
Stage 3: Set the permissions on each user's folder to username: f and administrators: f. (f = full control)
The purpose of this script is to set a folder's permissions to Administrators = full control. No one else has any permissions. The folder is called 'user', the path is \\server\home\user.
What the script does is mimic right-clicking a folder called 'user' and then setting the Security tab so that the only entry is Administrators full control. Compare the diagrams before (left) and after (right) running the VBScript.
Prerequisites
You must have a server with a shared folder. This is a script that will execute equally well on a Windows server or an XP machine. Should you get permission errors, I recommend that you log on as administrator.
Instructions for Creating your Cacls VBScript
Copy and paste the example script below into notepad or a VBScript editor.
Change the value for strHomeFolder, especially the server name.
Save the file with a .vbs extension, for example: Cacls.vbs
Double click Cacls.vbs and check the permissions with Windows Explorer for strHomeFolder.
Sample Script to Set CACLS permissions
' Cacls.vbs
' Example VBScript to set Administrators permissions with Cacls
' Version 2.1 - September 2010
' ---------------------------------------------------------'
Option Explicit
Dim strHomeFolder
Dim intRunError, objShell, objFSO

strHomeFolder = "\\grand\home\user"

Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Only run cacls if the folder exists.
If objFSO.FolderExists(strHomeFolder) Then
   ' Assign Administrators permission to the home folder.
   ' Echo Y| answers the "Are you sure (Y/N)?" prompt.
   intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _
      & strHomeFolder & " /t /c /g Administrators:F ", 2, True)
   ' A non-zero exit code means cacls reported a failure.
   If intRunError <> 0 Then
      Wscript.Echo "Error assigning Administrators permissions" _
         & " to home folder " & strHomeFolder
   End If
End If

WScript.Quit

' End of Cacls example VBScript
VBScript Tutorial - Learning Points
Note 1: The heart of the script is: "cacls " & strHomeFolder & " /t /c /g Administrators:F "
strHomeFolder is the path whose permissions we want to change.
/t means trash the existing permissions. Remove all permissions and add those specified by /g.
/g Administrators:F sets the new permissions for only Administrators with full control.
(/c tells the script to continue if there is an error.)
You could add an ACL permission for the user with /g Administrators:F user:F.
However, to keep it simple we just added one entry in the above script.
Note 2: The rest of the script is VBScript. We need to create a file object, objFSO.
Note 3: Cacls normally runs at the cmd prompt; therefore, the script creates a shell object, objShell. Run invokes %COMSPEC% rather than cmd.exe: objShell.Run("%COMSPEC% /c Echo Y.
Note 4: The cacls utility does not provide the /y option that answers automatically with Y for Yes to the ARE YOU SURE? Y/N prompt. However, you can use the echo command to pipe the character Y as input to the prompt when you are running cacls in a batch file. Use the following syntax to automatically answer Y:
I thank Mathew D. for researching the above reason for the Cacls Echo Y switch.
Note 6: Finally, the script contains error-correcting code in case the folder does not exist.
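Stages 2 and 3 of the plan above, as an added example that is not code from the original page: it creates one sub-folder per user under the home share, then grants Administrators and that user full control. The share is the page's \\grand\home; the user names, the HomeFolders.vbs file name and the SetHomeFolder helper are assumptions. Because each name is concatenated into a cmd.exe command line, names containing anything other than letters, digits, dot, hyphen or underscore are skipped, and the folder path is quoted.

```vbscript
' HomeFolders.vbs - added example: create home folders, then set ACLs with cacls
Option Explicit
Const HOME_ROOT = "\\grand\home"      ' share used in the page's script
Dim objShell, objFSO, objSafe, arrUsers, strUser

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Names end up inside a cmd.exe command line, so accept only characters
' that cannot alter it (no spaces, quotes, &, |, <, >, ^ or %).
Set objSafe = New RegExp
objSafe.Pattern = "^[A-Za-z0-9._-]{1,20}$"

' Constructed sample input; in practice read the names from the spreadsheet export.
arrUsers = Array("guyt", "jsmith", "bad&name")

For Each strUser In arrUsers
   If objSafe.Test(strUser) Then
      SetHomeFolder strUser
   Else
      WScript.Echo "Skipped invalid user name: " & strUser
   End If
Next

' Hypothetical helper: create \\grand\home\<name> and set its ACL.
Sub SetHomeFolder(strName)
   Dim strFolder, strCmd, intRunError
   strFolder = HOME_ROOT & "\" & strName
   If Not objFSO.FolderExists(strFolder) Then objFSO.CreateFolder strFolder

   ' No /e, so cacls replaces the ACL with exactly these two entries;
   ' /t also processes sub-folders, /c continues past access-denied errors.
   strCmd = "%COMSPEC% /c Echo Y| cacls """ & strFolder & """ /t /c /g " _
      & "Administrators:F " & strName & ":F"
   intRunError = objShell.Run(strCmd, 2, True)
   If intRunError <> 0 Then
      WScript.Echo "Error " & intRunError & " setting permissions on " & strFolder
   End If
End Sub
```

After a run, check one of the folders on the Security tab in Windows Explorer: the only entries should be Administrators and the folder's owner-to-be, both with full control.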
Here is a purely personal view of how to understand the CACLS syntax. Begin by dividing the CACLS command into three parts thus:
CACLS 1) folder name 2) replace, edit or revoke entries 3) grant user permission
Example: cacls c:\home /t /g guyt:F
1) cacls c:\home - this is the path to the folder whose permissions you wish to change.
2) /t - replace (with guyt's permissions). Note, /t wipes out everyone else's permissions. An alternative would be /e meaning edit or append permissions.
3) /g guyt:f - Think of /g as standing for Grant. In this instance, the command grants guyt full control. An alternative would be :r (read). Note the colon: incidentally, with cacls there isn't a comma in sight.
Cacls is a command-line utility which manipulates folder and file permissions.
It is particularly suited to scripting. Cacls is ideal for bulk changes to folder permissions, for example users' home folders. If you want a script which will actually create the users' home folders, see here.