Permission Script Server 2008

  • Question

  • Good morning. I'm using a script to apply permissions to some folders by AD group... on 2003 it works perfectly, but now I need to deploy it on 2008 and it isn't working. The cacls command works; what isn't working is the groups part. Could someone take a look, please?

     

    On Error Resume Next   ' swallows every runtime error, so a failed bind shows nothing

    Set Permissao = WScript.CreateObject("WScript.Shell")
    Set objNetwork = CreateObject("WScript.Network")

    strDom = objNetwork.UserDomain
    strUser = objNetwork.UserName
    ' WinNT provider: .Groups lists only the groups the user is a DIRECT member of
    Set objUser = GetObject("WinNT://" & strDom & "/" & strUser & ",user")

    For Each objGroup In objUser.Groups

        Select Case objGroup.Name

            Case "Administrativo"
                ' paths are quoted because "Saved Games" contains a space
                Permissao.Run "cacls ""%USERPROFILE%\Desktop"" /P %USERNAME%:F /E"
                objNetwork.MapNetworkDrive "Z:", "\\Gr8-srv-ad\Administrativo"
                objNetwork.MapNetworkDrive "S:", "\\Gr8-srv-ad\Scanner"
                Permissao.Run "cacls ""%USERPROFILE%"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Desktop"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Documents"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Downloads"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Pictures"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Music"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Videos"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Saved Games"" /P %USERNAME%:R /E"
                Permissao.Run "cacls ""%USERPROFILE%\Links"" /P %USERNAME%:R /E"

        End Select

    Next

    Monday, 22 August 2011 15:09

Answers

  • Edson, I couldn't get yours to work, but I solved it with the one below:

    ' The trailing comma anchors the match to the whole RDN ("cn=permissao," does not
    ' match "cn=permissao2,"); strGroups is lower-cased below, so keep these lower-case.
    Const Permissao  = "cn=permissao,"
    Const TesteGrupo = "cn=testegrupo,"
    Set CALS = CreateObject("WScript.Shell")
    Set wshNetwork = CreateObject("WScript.Network")
    Set oDrives = wshNetwork.EnumNetworkDrives
    Set ADSysInfo = CreateObject("ADSystemInfo")
    Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
    ' GetEx always returns an array, even for a single group. The plain MemberOf
    ' property returns a bare string for one group and an array for several, so
    ' LCase or Join on it breaks in one of the two cases. memberOf lists DIRECT
    ' memberships only and never the primary group.
    strGroups = LCase(Join(CurrentUser.GetEx("memberOf"), ";"))

    If InStr(strGroups, Permissao) Then
        CALS.Run "cacls ""%userprofile%\Desktop"" /P %username%:R /E"
    End If

    If InStr(strGroups, TesteGrupo) Then
        CALS.Run "cacls ""%userprofile%\Desktop"" /P %username%:R /E"
    End If

    • Marked as answer by Ronaldo Aires Tuesday, 23 August 2011 14:22
    Tuesday, 23 August 2011 14:22
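The accepted answer tests membership with `InStr` on the lower-cased memberOf list, and the question's WinNT script compares `objGroup.Name` in a `Select Case`; both see only direct memberships, and the `InStr` form also matches any group whose CN merely begins with the searched text. The Python below is an added example, not code from this thread: it runs the same decision over constructed memberOf values (the group names, the `gr8.local` DNs and the folder policy are assumptions, and a real logon script would read memberOf from ADSI), normalising the bare string ADSI returns for a one-group user and matching the group CN exactly, escaped commas included.

```python
# Added example (not from the thread): exact group matching against memberOf.
# The memberOf values, group names and folder policy below are constructed.
from typing import Dict, List, Optional, Sequence, Union

MemberOf = Union[None, str, Sequence[str]]

# What ADSI hands back: a list for several groups, a bare string for exactly one.
MEMBEROF_MULTI = [
    "CN=Permissao-Legado,OU=Grupos,DC=gr8,DC=local",   # starts with "Permissao"
    "CN=Administrativo,OU=Grupos,DC=gr8,DC=local",
    "CN=Vendas\\, Sul,OU=Grupos,DC=gr8,DC=local",      # CN with an escaped comma
]
MEMBEROF_SINGLE = "CN=TesteGrupo,OU=Grupos,DC=gr8,DC=local"


def as_list(member_of: MemberOf) -> List[str]:
    """Normalise memberOf: None (no groups), one string, or a sequence of DNs."""
    if member_of is None:
        return []
    if isinstance(member_of, str):
        return [member_of]
    return list(member_of)


def first_rdn(dn: str) -> str:
    """First RDN of a DN, honouring backslash-escaped commas (RFC 4514)."""
    out = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escaped character literally
            out.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def group_cn(dn: str) -> Optional[str]:
    """CN of the group named by a DN, or None if its first RDN is not a CN."""
    attr, _, value = first_rdn(dn).partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None


def naive_is_member(member_of: MemberOf, name: str) -> bool:
    """The accepted answer's test: InStr("cn=<name>") on the joined, lower-cased list."""
    haystack = ";".join(as_list(member_of)).lower()
    return ("cn=" + name.lower()) in haystack


def is_member(member_of: MemberOf, name: str) -> bool:
    """Exact, case-insensitive match on the group CN (direct memberships only)."""
    wanted = name.casefold()
    return any((group_cn(dn) or "").casefold() == wanted for dn in as_list(member_of))


def folders_to_restrict(member_of: MemberOf, policy: Dict[str, List[str]]) -> List[str]:
    """Profile folders the logon script should lock down for this user's groups."""
    folders: List[str] = []
    for group, group_folders in policy.items():
        if is_member(member_of, group):
            folders.extend(f for f in group_folders if f not in folders)
    return folders


# Policy of the accepted answer: both groups get the Desktop set to read-only.
POLICY = {"Permissao": ["Desktop"], "TesteGrupo": ["Desktop"]}
```

`naive_is_member` reports `Permissao` as a member of the first user because of `Permissao-Legado`; `is_member` does not. memberOf also never lists the user's primary group, and nested membership needs either a walk of each group's own memberOf or the user's tokenGroups attribute, neither of which this block does.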

All Replies

  • Man, try using icacls, since it has more features on 2008...

    ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
        stores the DACLs for the files and folders that match the name
        into aclfile for later use with /restore. Note that SACLs,
        owner, or integrity labels are not saved.

    ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
                     [/C] [/L] [/Q]
        applies the stored DACLs to files in directory.

    ICACLS name /setowner user [/T] [/C] [/L] [/Q]
        changes the owner of all matching names. This option does not
        force a change of ownership; use the takeown.exe utility for
        that purpose.

    ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
        finds all matching names that contain an ACL
        explicitly mentioning Sid.

    ICACLS name /verify [/T] [/C] [/L] [/Q]
        finds all files whose ACL is not in canonical form or whose
        lengths are inconsistent with ACE counts.

    ICACLS name /reset [/T] [/C] [/L] [/Q]
        replaces ACLs with default inherited ACLs for all matching files.

    ICACLS name [/grant[:r] Sid:perm[...]]
           [/deny Sid:perm [...]]
           [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
           [/setintegritylevel Level:policy[...]]

        /grant[:r] Sid:perm grants the specified user access rights. With :r,
            the permissions replace any previously granted explicit permissions.
            Without :r, the permissions are added to any previously granted
            explicit permissions.

        /deny Sid:perm explicitly denies the specified user access rights.
            An explicit deny ACE is added for the stated permissions and
            the same permissions in any explicit grant are removed.

        /remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With
            :g, it removes all occurrences of granted rights to that Sid. With
            :d, it removes all occurrences of denied rights to that Sid.

        /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
            ACE to all matching files.  The level is to be specified as one
            of:
                L[ow]
                M[edium]
                H[igh]
            Inheritance options for the integrity ACE may precede the level
            and are applied only to directories.

        /inheritance:e|d|r
            e - enables inheritance
            d - disables inheritance and copy the ACEs
            r - remove all inherited ACEs


    Note:
        Sids may be in either numerical or friendly name form. If a numerical
        form is given, affix a * to the start of the SID.

        /T indicates that this operation is performed on all matching
            files/directories below the directories specified in the name.

        /C indicates that this operation will continue on all file errors.
            Error messages will still be displayed.

        /L indicates that this operation is performed on a symbolic link
           itself versus its target.

        /Q indicates that icacls should suppress success messages.

        ICACLS preserves the canonical ordering of ACE entries:
                Explicit denials
                Explicit grants
                Inherited denials
                Inherited grants

        perm is a permission mask and can be specified in one of two forms:
            a sequence of simple rights:
                    N - no access
                    F - full access
                    M - modify access
                    RX - read and execute access
                    R - read-only access
                    W - write-only access
                    D - delete access
            a comma-separated list in parentheses of specific rights:
                    DE - delete
                    RC - read control
                    WDAC - write DAC
                    WO - write owner
                    S - synchronize
                    AS - access system security
                    MA - maximum allowed
                    GR - generic read
                    GW - generic write
                    GE - generic execute
                    GA - generic all
                    RD - read data/list directory
                    WD - write data/add file
                    AD - append data/add subdirectory
                    REA - read extended attributes
                    WEA - write extended attributes
                    X - execute/traverse
                    DC - delete child
                    RA - read attributes
                    WA - write attributes
            inheritance rights may precede either form and are applied
            only to directories:
                    (OI) - object inherit
                    (CI) - container inherit
                    (IO) - inherit only
                    (NP) - don't propagate inherit
                    (I) - permission inherited from parent container

    Examples:

            icacls c:\windows\* /save AclFile /T
            - Will save the ACLs for all files under c:\windows
              and its subdirectories to AclFile.

            icacls c:\windows\ /restore AclFile
            - Will restore the Acls for every file within
              AclFile that exists in c:\windows and its subdirectories.

            icacls file /grant Administrator:(D,WDAC)
            - Will grant the user Administrator Delete and Write DAC
              permissions to file.

            icacls file /grant *S-1-1-0:(D,WDAC)
            - Will grant the user defined by sid S-1-1-0 Delete and
              Write DAC permissions to file.

    Cheers


    Edson Matias Fagundes Junior - (Nioks)
    MCP, MCTS: 2008, MCTS:MBS
    If the answer is valid, please vote it as helpful.
    Monday, 22 August 2011 15:29
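Once a logon script has run cacls or icacls, the check a practitioner wants is what the DACL actually says afterwards, and `icacls <path>` with no switches prints it in the canonical order the help text above describes. The block below is an added example, not part of Edson's reply: a parser for that listing and a first-match evaluation of a requested right, run over a constructed listing (the path, the `GR8\ronaldo` account and the ACEs are assumptions) in which an explicit `:R` grant sits beside an inherited `(F)`. The expansion of icacls's simple rights into specific rights follows the FILE_GENERIC_* masks and ignores owner rights and privileges, so it approximates the real access check rather than reproducing it.

```python
# Added example (not from the thread). Parses the listing `icacls <path>` prints
# and evaluates a requested right against the DACL in order. The listing, the
# path and the GR8\ronaldo account below are constructed for the example.
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

PATH = r"C:\Users\ronaldo\Desktop"
PAD = " " * (len(PATH) + 1)   # icacls aligns continuation ACEs under the first one
SAMPLE_OUTPUT = "\n".join([
    PATH + r" GR8\ronaldo:(DENY)(W)",                 # explicit deny
    PAD + r"GR8\ronaldo:(OI)(CI)(R)",                  # explicit grant (/grant:r ...:R)
    PAD + r"NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",       # inherited from the profile root
    PAD + r"BUILTIN\Administrators:(I)(OI)(CI)(F)",
    PAD + r"GR8\ronaldo:(I)(OI)(CI)(F)",               # inherited (F) still applies
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

# Specific rights behind each icacls simple right (the FILE_GENERIC_* masks).
R_SET = {"RD", "RA", "REA", "RC", "S"}
W_SET = {"WD", "AD", "WA", "WEA", "RC", "S"}
RX_SET = R_SET | {"X"}
M_SET = RX_SET | W_SET | {"DE"}
F_SET = M_SET | {"DC", "WDAC", "WO"}
SIMPLE = {"N": set(), "F": F_SET, "M": M_SET, "RX": RX_SET,
          "R": R_SET, "W": W_SET, "D": {"DE"}}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


@dataclass
class Ace:
    principal: str
    deny: bool = False
    inherited: bool = False
    inherit_flags: Set[str] = field(default_factory=set)
    rights: Set[str] = field(default_factory=set)


def parse_ace(text: str) -> Ace:
    """'GR8\\ronaldo:(DENY)(OI)(CI)(W)' -> Ace; (D,WDAC)-style lists are split."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError("not an icacls ACE: " + text)
    ace = Ace(m.group("who"))
    for tok in re.findall(r"\(([^)]*)\)", m.group("flags")):
        if tok == "DENY":
            ace.deny = True
        elif tok == "I":
            ace.inherited = True
        elif tok in INHERIT_FLAGS:
            ace.inherit_flags.add(tok)
        elif tok in SIMPLE:
            ace.rights |= SIMPLE[tok]
        else:                                   # comma-separated specific rights
            ace.rights |= {t.strip() for t in tok.split(",")}
    return ace


def parse_icacls(output: str) -> Tuple[str, List[Ace]]:
    """Return (path, ACEs in DACL order) for a single-object icacls listing."""
    lines = [ln for ln in output.splitlines()
             if ln.strip() and not ln.startswith("Successfully processed")]
    if not lines:
        raise ValueError("no ACL lines in output")
    cont = [ln for ln in lines[1:] if ln.startswith(" ")]
    if cont:   # learn where the ACE column starts from a continuation line
        indent = len(cont[0]) - len(cont[0].lstrip(" "))
        path, first = lines[0][:indent].rstrip(), lines[0][indent:]
    else:      # single ACE: nothing to align on; assume a path without spaces
        path, _, first = lines[0].partition(" ")
    return path, [parse_ace(first)] + [parse_ace(ln) for ln in cont]


def is_canonical(aces: Iterable[Ace]) -> bool:
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    ranks = [(a.inherited, not a.deny) for a in aces]
    return ranks == sorted(ranks)


def has_access(aces: Iterable[Ace], identities: Set[str], requested: Iterable[str]) -> bool:
    """First-match DACL walk for a token holding `identities` (user and group names)."""
    wanted = set(requested)
    granted: Set[str] = set()
    for ace in aces:
        if ace.principal not in identities or "IO" in ace.inherit_flags:
            continue                        # not ours, or inherit-only (children only)
        if ace.deny:
            if ace.rights & wanted:
                return False                # any denied requested bit ends the walk
        else:
            granted |= ace.rights
            if wanted <= granted:
                return True                 # allows accumulate until all bits are covered
    return False
```

The assumed listing shows why a `/grant user:R` on its own restricts nothing: allow ACEs accumulate, so the inherited `(F)` still yields delete, and only the explicit `(DENY)(W)` removes write. It also shows the side effect of a deny on the W mask: because FILE_GENERIC_WRITE includes READ_CONTROL and SYNCHRONIZE, `has_access` reports `RC` as denied too.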
  • My problem isn't with cacls, but with the groups part of the script

    strDom = objNetwork.UserDomain
    strUser = objNetwork.UserName
    Set objUser = GetObject("WinNT://" & strDom & "/" & strUser & ",user")

    i=0
    For Each objGroup In objUser.Groups

    Select Case objGroup.Name

    Case "Administrativo"

    Monday, 22 August 2011 16:51
  • Sorry, I mixed up your 2 threads.

    Is it giving any error?

    If so, could you please send it to us?

    Cheers


    Edson Matias Fagundes Junior - (Nioks)
    MCP, MCTS: 2008, MCTS:MBS
    If the answer is valid, please vote it as helpful.
    Monday, 22 August 2011 17:35
  • It doesn't give any error; it simply doesn't do the group check to apply cacls... I think the LDAP path changes from 2003 to 2008, but I haven't found anything that helped me.
    Monday, 22 August 2011 17:47
  • Ronaldo, try using the script below; it worked for me.

    'Obtain fqdn of domain
    Set oRoot = GetObject("LDAP://rootDSE")
    Set oDomain = GetObject("LDAP://" & oRoot.Get("defaultNamingContext"))
    fqDomain = oRoot.Get("defaultNamingContext")

    'Obtain netbios username, computername and domainname
    Set objNetwork = CreateObject("Wscript.Network")
    currentDomain = objNetwork.UserDomain
    currentUser = objNetwork.UserName
    strComputerName = objNetwork.ComputerName

    'Script-level dictionary shared by IsMember and GetNested. Without this Dim each
    'function gets its own local grpList, GetNested fails silently under its
    'On Error Resume Next, and only direct memberships are ever recorded.
    Dim grpList

    '
    '------------------------------------------------- Main Program
    '

    'Find user DistinguishedName and bind to user object to find nested group memberships
    uCN = findDN
    Set objUser = GetObject("LDAP://" & uCN)


    If IsMember("Administradores") Then
        MsgBox "User is a member of the domain admins group...."
        'Perform required functions here.
    End If

    '
    '------------------------------------------------- Functions
    '

    Function IsMember(grpName) 'Collects the user's DIRECT groups, then recurses into nested ones.
        If IsEmpty(grpList) Then
            Set grpList = CreateObject("Scripting.Dictionary")
            grpList.CompareMode = vbTextCompare 'case-insensitive keys (bare TextCompare is Empty = binary)

            Set colGroups = objUser.Groups
            For Each objGroup In colGroups
                If Not CBool(grpList.Exists(objGroup.CN)) Then
                    grpList.Add objGroup.CN, "-"
                    GetNested objGroup
                End If
            Next
        End If
        IsMember = CBool(grpList.Exists(grpName))
    End Function

    Function GetNested(objGroup) 'Recursive walk of the group's own memberOf (nested membership).
        On Error Resume Next 'GetEx raises when the group has no memberOf value
        colMembers = objGroup.GetEx("memberOf")
        For Each strMember In colMembers
            If Not strMember = "" Then
                strPath = "LDAP://" & strMember
                Set objNestedGroup = GetObject(strPath)
                'the dictionary doubles as the visited set, so a nesting loop cannot recurse forever
                If Not CBool(grpList.Exists(objNestedGroup.CN)) Then
                    grpList.Add objNestedGroup.CN, "-"
                    GetNested objNestedGroup
                End If
            End If
        Next
    End Function


    Function findDN 'Find the user's distinguishedName from sAMAccountName with an ADO/LDAP query
        Set objConnection = CreateObject("ADODB.Connection")
        objConnection.Open "Provider=ADsDSOObject;"

        Set objCommand = CreateObject("ADODB.Command")
        objCommand.ActiveConnection = objConnection

        'currentUser is the logged-on account name, not user input; any other source
        'would need LDAP filter escaping before being placed in the filter
        objCommand.CommandText = _
            "<LDAP://" & fqDomain & ">;(&(objectCategory=user)" & _
            "(sAMAccountName=" & currentUser & "));sAMAccountName,distinguishedName;subtree"

        Set objRecordSet = objCommand.Execute

        If objRecordSet.RecordCount = 0 Then
            WScript.Quit(0)
        Else
            findDN = objRecordSet.Fields("distinguishedName").Value
            objConnection.Close
        End If
    End Function

    Ref. http://cb-net.co.uk/index.php?option=com_content&view=article&id=31:vbscript-find-user-group-memberships-nested-groups&catid=10:vbscript&Itemid=8

    Cheers

     


    Edson Matias Fagundes Junior - (Nioks)
    MCP, MCTS: 2008, MCTS:MBS
    If the answer is valid, please vote it as helpful.

    Monday, 22 August 2011 22:38
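Edson's script walks each direct group's own memberOf recursively to reach nested groups. The following is an added example, not from the thread: the same walk in Python over a constructed directory (the `gr8.local` group DNs and their nesting, including a deliberate loop between Financeiro and Contabilidade, are assumptions), with a visited set so the walk terminates on a loop, plus a comparison against the direct-only check the question's WinNT script performs.

```python
# Added example (not from the thread): transitive group membership over memberOf.
# The directory below is constructed; a real script reads memberOf from LDAP.
from collections import deque
from typing import Dict, Iterable, List, Set

# group DN -> the groups that group is itself a member of (its memberOf attribute)
GROUP_MEMBEROF: Dict[str, List[str]] = {
    "CN=Administrativo,OU=Grupos,DC=gr8,DC=local":
        ["CN=Administradores,CN=Builtin,DC=gr8,DC=local"],
    "CN=Administradores,CN=Builtin,DC=gr8,DC=local": [],
    "CN=Financeiro,OU=Grupos,DC=gr8,DC=local":
        ["CN=Contabilidade,OU=Grupos,DC=gr8,DC=local"],
    "CN=Contabilidade,OU=Grupos,DC=gr8,DC=local":
        ["CN=Financeiro,OU=Grupos,DC=gr8,DC=local"],      # loop back to Financeiro
}
# the user's own memberOf: direct memberships only
USER_MEMBEROF = [
    "CN=Administrativo,OU=Grupos,DC=gr8,DC=local",
    "CN=Financeiro,OU=Grupos,DC=gr8,DC=local",
]


def cn_of(dn: str) -> str:
    """CN from the first RDN; the constructed CNs contain no escaped commas."""
    return dn.split(",", 1)[0].partition("=")[2]


def nested_groups(directory: Dict[str, List[str]], direct: Iterable[str]) -> Set[str]:
    """Breadth-first closure over memberOf; `seen` stops a nesting loop."""
    seen: Set[str] = set()
    queue = deque(direct)
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        queue.extend(directory.get(dn, []))   # unknown DN: no parents, walk continues
    return seen


def is_member(directory: Dict[str, List[str]], direct: Iterable[str],
              name: str, nested: bool = True) -> bool:
    """Case-insensitive CN test; nested=False is what a WinNT .Groups loop sees."""
    direct = list(direct)
    groups = nested_groups(directory, direct) if nested else set(direct)
    return any(cn_of(g).casefold() == name.casefold() for g in groups)


def membership_report(directory: Dict[str, List[str]], direct: Iterable[str]) -> Dict[str, str]:
    """CN -> 'direct' or 'nested' for every group the user ends up in."""
    direct_set = set(direct)
    return {cn_of(g): ("direct" if g in direct_set else "nested")
            for g in nested_groups(directory, direct_set)}


def missed_by_direct_check(directory: Dict[str, List[str]], direct: Iterable[str]) -> Set[str]:
    """Groups a direct-only test (WinNT .Groups, InStr on memberOf) never sees."""
    direct_set = set(direct)
    return {cn_of(g) for g in nested_groups(directory, direct_set) - direct_set}
```

`missed_by_direct_check` lists exactly the groups the question's script and the accepted answer cannot match. On a domain member the same transitive set is available without any recursion from the user's computed tokenGroups attribute (security-group SIDs, primary group included), which a script can read with GetInfoEx; the thread does not use it.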