icacls remote against %temp% folder

  • Question

  • Hi

    I have a bat file that is copied to the user's profile temp directory, which I remotely execute to gather support diagnostic info.

    On some machines it does not launch. I remoted onto the same machine and tried to launch it manually from the temp folder, but it still would not launch and I saw the error "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item."

    I copied the bat to the user desktop and it ran just fine.

    It's the same antivirus on each machine and I can't see why it would work on some and not others.

    There are no restrictions on running bat files

    It seems to not want to run from the user's c:\users\%username%\appdata\local\temp directory.

    I researched that there is some glitch with the temp folder where we need to click |Security| > Advanced > "[ ] Include inheritable permissions from this object's parent" to get the user permissions to run programs from their temp folder. Doing this from the GUI on each machine, however, is not an option.

    I want to use icacls remotely against the user's machine to apply that setting. Truth be told, I got confused and want to make sure this is done right. I want to give the logged-on user full rights on their temp folder and check the setting to include inheritable permissions.

    I'm thinking the below is correct, but I can't find the exact example I need and want to make sure it covers all that:

    icacls.exe  \\server1\c$\users\user1\appdata\local\temp /Grant "domain1\user1":(OI)(CI)F

    Let me know

    Thanks for reading


    confuseis


    • Edited by confuseis Sunday, June 12, 2016 1:50 PM
    Sunday, June 12, 2016 1:48 PM

Answers

  • Have you tried this?

    This is not a scripting question.  It is also something that would best be done by Group Policy.

    A user cannot be denied access to the temp folder so I suspect your analysis is wrong.

    If you need a batch file to execute for all users you should place it in "Public Documents" and not in the user's temp folder.


    \_(ツ)_/

    • Marked as answer by confuseis Thursday, June 16, 2016 8:50 PM
    Sunday, June 12, 2016 3:16 PM

All replies

  • I have seen that this issue exists 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1acff9e0-101a-4a0d-93e5-cd3230fbeefa/unable-to-execute-files-in-the-temporary-directory-setup-aborted-error-5-access-is-denied?forum=w7itprogeneral

    I have a script that will remotely execute the bat against the user's hostname, but noticed that on some machines the script didn't get the result back. I was planning on remotely modifying the permissions, but you're right, this is not the path of least resistance.

    I noticed that there is a padlock icon on some machines' user profiles and not on others.

    Rather than have the script execute the bat from the Temp directory and wrestle with remotely tweaking permissions I will instead remotely execute from the public folder as I see it has no padlock on its icon and is far less hassle.

    I'll learn the remote permissions thing at a later date.

    Thanks

    Confuseis


    confuseis

    Thursday, June 16, 2016 8:50 PM
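
The icacls change asked about in the question, written out as an added example that is not part of the original thread and was not posted by either participant. It covers both halves of the request (the inheritance checkbox and the grant) and only adds an explicit Full control ACE when inheritance alone does not provide one. The server, user and domain names are the placeholders from the question; the backup file name is an assumption.

```powershell
# Added example, not from the thread. Defaults are the placeholder names
# used in the question; run from an account with admin rights on the target.
param(
    [string]$Computer = 'server1',
    [string]$UserName = 'user1',
    [string]$Account  = 'domain1\user1'
)

$path = '\\{0}\c$\users\{1}\appdata\local\temp' -f $Computer, $UserName

# 1. Record the current security descriptor before changing anything.
#    The backup file name is an assumption made for this example.
$before = Get-Acl -LiteralPath $path
$backup = Join-Path $env:TEMP "temp-acl-$Computer-$UserName.sddl"
$before.Sddl | Set-Content -LiteralPath $backup
"Inheritance blocked before change: $($before.AreAccessRulesProtected)"

# 2. Re-enable inheritance (the GUI checkbox). /inheritance:e keeps the
#    existing explicit ACEs and adds the parent's inheritable ones.
if ($before.AreAccessRulesProtected) {
    icacls.exe $path /inheritance:e
    if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:e failed on $path" }
}

# 3. Grant explicitly only if the account still has no Full control ACE,
#    so the folder is not left with more explicit entries than it needs.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$hasFull = (Get-Acl -LiteralPath $path).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full
}
if (-not $hasFull) {
    # (OI)(CI)F = Full control, inherited by files and subfolders.
    icacls.exe $path /grant "${Account}:(OI)(CI)F"
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $path" }
}

# 4. Show the resulting ACL for review.
icacls.exe $path
```

The ACE check matches entries for the account itself, not access it may hold through group membership.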