General discussion

Locked

Access Control in Win XP Pro

By sfath ·
Is there a way to set, Access Control privledges for folders without being logged in as an Admin? All users are on a domain and do not have individual priv. on folders other than their My Documents plus sub folders. I would like to give access to a different folder on the C:\ drive. The users are remote and I don't want them to have Admin. priv. Is there a way to create a script file or bat file to run as Admin and allow access?

This conversation is currently closed to new comments.

13 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by wcp In reply to Access Control in Win XP ...

Log in as Administrator or account with administrative right. Open Command Prompt , navigate to the folder you want users to access, and run the following command.

CACLS *.* /T /E /G everyone:F

The above command grants (G) Everyone group (everyone) Full Control (F) on all files in the current directory (*.*) and all subfolders (T).
If you want certain users, create a group for them use it instead of everyone. You may also give them other than Full Control permission.

For more detail of CACLS, run ?CACLS /?? without the quotes or Windows XP Help and Support.

Collapse -

by sfath In reply to

I used this command previously but it is not what I'm looking for. Thanks for your help.

Collapse -

by Joseph Moore In reply to Access Control in Win XP ...

Well, one way I can think of is to run XCACLS in addition with the RUNAS command. Kinda complex, but this will work.
For example, let's say that you want to give user BOB Full Control access to C:\FOLDER1 on his local machine, and not let anyone else have rights to this folder. Even if FOLDER1 exists currently. You want to change the permissions on this folder.
Now, since BOB does not currently have FC rights to the folder (nor is BOB in a group that has FC rights), BOB can't kick everyone out AND add himself. He wouldn't have the rights to remove everyone out first, let alone add himself.
But your Domain Administrator account DOES currently have FC rights.
So, you could send BOB the following BAT file, and it will get this all like how you want:

@echo off
cls
ECHO Changing Permissions on FOLDER1 for you, %USERNAME%
RUNAS /env /user:YOURDOMAIN\Administrator "XCACLS.EXE C:\FOLDER1 /T /C /G YOURDOMAIN\BOB:F /Y"
EXIT

Now, when BOB runs this BAT file (probably by double-clicking it, a prompt will come up:
"Enter the password for YOURDOMAIN\Administrator"
And BOB will have to type in the password.

Collapse -

by Joseph Moore In reply to

There is NO WAY to script the password used by RUNAS, nor can you set it in a variable that can be used by RUNAS. This password prompt is an "interactive" prompt and you just can't set the password elsewhere in the BAT file and have it called for this interactive prompt. It MUST be typed in by BOB. So, BOB will have to know what your password is.
This is the drawback to using RUNAS. The password for powerful accounts gets released.
Now, one way around this is you set up a new account (call it INSTALL) and make that account a member of your Domain Admins group. Set the password to be something easy for you to tell users like BOB.
Then when BOB runs the file, tell BOB to call you BEFORE he runs the file.
Then when BOB calls you and runs the file, you can tell BOB what the password is. BOB types in the password, RUNAS completes, and life is good.
XCACLS replaces the ACLs on the folder (and files in the folder) with the new permissions of BOB having Full Control access, and no one else (including Administrators) has rights.
So, BOB has his locked-down folder, and you didn't have to sit at his workstation.

Of course, after BOB uses it and gets everything set, you would want to change the password for the INSTALL account, so BOB doesn't go using that account for nefarious reasons! But, that is the paranoid side of me talking!

I tested this BAT file on my XP Pro box, and it works just fine! Watch the BAT file fly!!!
Yes, I have way too much time on my hands!

hope this helps

Collapse -

by Joseph Moore In reply to

Thanks, D.R., for the compliment. I appreciate it! :-)

Collapse -

by sfath In reply to

Thank you for all your help. I guess what I need to accomplish is impossible.

Collapse -

by CG IT In reply to Access Control in Win XP ...

These are the things that make me say Joe Moore knows more about Windows [whatever flavor] than Microsoft itself knows.

Collapse -

by CG IT In reply to

Ever read one of those Microsoft Technet bulletins and scratch your head wondering if the secretary that types em up just adds crap here and there as a joke? Joe Moore ought to write a book on what he knows. I would buy it.

Collapse -

by sfath In reply to

Poster rated this answer.

Collapse -

by igotspamed In reply to Access Control in Win XP ...

set your setting on a 2k+ station, copy your security db and replace it on the other system. theyre all the same size so you can do it with binary and not have to worry about your ntfs.

Back to Windows Forum
13 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums