How to change ownership and give full permissions to a user on a folder (VBScript)

Hi all,

Some time ago we faced an issue where a customer renamed users in their domain, but their profile folders didn't get renamed. So they wanted to automate the following process which worked for them when doing it manually: take ownership of a user's profile folder with an administrator, give full permissions to that admin on the folder, rename it, and give full permissions back to that user.

The following VBScript sample shows how to make a user the owner of a folder, how to give that user full permissions on the folder (and, through inheritance, on its contents), and how to rename the folder. It uses WMI (Win32_LogicalFileSecuritySetting) to write a new Security Descriptor for the folder. Note that the sample replaces the folder's DACL with a single ACE rather than adding to the existing one, so any other explicit entries that were on the folder (e.g. for SYSTEM or Administrators) are removed by it:

 '=======================================================================
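' PARAMETERS
'-----------------------------------------------------------------------
'
' The four values below are the defaults. They can also be supplied on
' the command line, in this order, so the script does not have to be
' edited for every user:
'
'   cscript <script>.vbs "<docs and settings path>" <originalUser> <originalDomain> <targetUser>
'
' When fewer than four arguments are given, the defaults are used.
'
' Documents and settings path (the user folder name is appended to it,
' so it must end with a backslash; one is added below if missing).
strDocsSetsPath = "C:\Documents and Settings\"

' Original user name (also the name of the existing profile folder)
strOriginalUserName = "OriginalNameOfUser"

' Original user domain (the renamed user stays in this domain)
strOriginalDomainName = "DomainOfUser"

' Target user name (also the new name of the profile folder)
strTargetUserName = "NewNameOfUser"

' Command-line overrides.
'
Set objArgs = WScript.Arguments
If objArgs.Count >= 4 Then
    strDocsSetsPath       = objArgs(0)
    strOriginalUserName   = objArgs(1)
    strOriginalDomainName = objArgs(2)
    strTargetUserName     = objArgs(3)
End If
Set objArgs = Nothing

If Right(strDocsSetsPath, 1) <> "\" Then strDocsSetsPath = strDocsSetsPath & "\"

' Windows account names cannot contain path separators or a colon.
' Rejecting them here also guarantees that the profile paths built from
' these names stay inside strDocsSetsPath when the names come from the
' command line.
'
For Each strCheckedName In Array(strOriginalUserName, strTargetUserName)
    If strCheckedName = "" _
       Or InStr(strCheckedName, "\") > 0 _
       Or InStr(strCheckedName, "/") > 0 _
       Or InStr(strCheckedName, ":") > 0 Then
        WScript.Echo "ERROR: invalid user name '" & strCheckedName & "'. Nothing has been changed."
        WScript.Quit 1
    End If
Next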


'=======================================================================
' CONSTANTS
'-----------------------------------------------------------------------
'
' Rights granted or denied to a trustee (individual bits of an access
' mask). Several NTFS rights share a bit value: which name applies
' depends on whether the object is a file or a directory (e.g. the bit
' that is FILE_READ_DATA on a file is FILE_LIST_DIRECTORY on a folder).
'
const FILE_READ_DATA =        &H000001
const FILE_LIST_DIRECTORY =   &H000001
const FILE_WRITE_DATA =       &H000002
const FILE_ADD_FILE =         &H000002
const FILE_APPEND_DATA =      &H000004 
const FILE_ADD_SUBDIRECTORY = &H000004
const FILE_READ_EA =          &H000008
const FILE_WRITE_EA =         &H000010
const FILE_EXECUTE =          &H000020
const FILE_TRAVERSE =         &H000020
const FILE_DELETE_CHILD =     &H000040
const FILE_READ_ATTRIBUTES =  &H000080
const FILE_WRITE_ATTRIBUTES = &H000100
const DELETE =                &H010000
const READ_CONTROL =          &H020000
const WRITE_DAC =             &H040000
const WRITE_OWNER =           &H080000
const SYNCHRONIZE =           &H100000

' Win32_ACE.AccessMask (the following values are the sum of several 
' values in the "Rights granted or denied to a trustee" list).
'
'   FULL   = every right listed above (&H1FF plus the five standard
'            rights DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER and
'            SYNCHRONIZE). This is what the script grants in both passes.
'   CHANGE = FULL without FILE_DELETE_CHILD, WRITE_DAC and WRITE_OWNER,
'            i.e. the trustee can modify content but not the ACL/owner.
'   READ   = FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE,
'            FILE_READ_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE.
'   Only ACCESS_MASK_FULL is used by this sample; CHANGE and READ are
'   defined for adapting it.
'
const ACCESS_MASK_FULL =   &H1F01FF
const ACCESS_MASK_CHANGE = &H1301BF
const ACCESS_MASK_READ =   &H1200A9

' Inheritance of the ACE.
'
const OBJECT_INHERIT_ACE =    &H1
const CONTAINER_INHERIT_ACE = &H2

' Win32_ACE.AceFlags (the following values are the sum of several
' values in the "Inheritance of the ACE" list).
'
' OBJECT_INHERIT_ACE + CONTAINER_INHERIT_ACE: the ACE set on the folder
' is inherited by both the files and the subfolders below it.
'
const ACE_FLAGS_INHERIT = &H3

' Win32_ACE.AceType. The sample only creates ALLOW ACEs.
'
const ACE_TYPE_ALLOW = &H0
const ACE_TYPE_DENY =  &H1

' Win32_SecurityDescriptor.ControlFlags.
'
' The sample sets only SE_DACL_PRESENT on the new descriptor;
' SE_DACL_AUTO_INHERITED is defined but not used.
'
const SE_DACL_PRESENT = &H4
const SE_DACL_AUTO_INHERITED = &H400

'=======================================================================
' MAIN
'-----------------------------------------------------------------------
'

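wscript.Echo _
"----------------------------------------------------------------------"

' Get computer info (the script only ever connects to the local machine).
'
Set objNet = CreateObject("WScript.NetWork") 

strComputerName = objNet.ComputerName
wscript.Echo "Machine           : '" & strComputerName & "'."
wscript.Echo

' Get info from admin user and machine running the script
'
wscript.Echo _
"----------------------------------------------------------------------"
wscript.Echo "INFO OF THE ADMIN USER RUNNING THE SCRIPT"
wscript.Echo _
"----------------------------------------------------------------------"
strAdminName = objNet.UserName
strAdminDomain = objNet.UserDomain
strAdmin = strAdminDomain & "\" & strAdminName
wscript.Echo "Admin user name   : '" & strAdmin & "'"
wscript.Echo

Set objNet = Nothing

' Show parameters info
'
wscript.Echo _
"----------------------------------------------------------------------"
wscript.Echo "PARAMETERS PASSED TO THE SCRIPT"
wscript.Echo _
"----------------------------------------------------------------------"
strOriginalUser = strOriginalDomainName & "\" & strOriginalUserName
wscript.Echo "Original user name: '" & strOriginalUser & "'"
strTargetUser = strOriginalDomainName & "\" & strTargetUserName
wscript.Echo "Target user name  : '" & strTargetUser & "'"
strOriginalPath = strDocsSetsPath & strOriginalUserName
wscript.Echo "Original path     : '" & strOriginalPath & "'"
strTargetPath = strDocsSetsPath & strTargetUserName
wscript.Echo "Target path       : '" & strTargetPath & "'"
wscript.Echo

wscript.Echo _
"----------------------------------------------------------------------"

' Pre-flight checks. Both are done BEFORE any security descriptor is
' touched: once the first SD has been written the original user has
' already lost access to the folder, so a MoveFolder failure afterwards
' would leave the profile half-migrated.
'
Set objFSO = CreateObject("Scripting.FileSystemObject")

If Not objFSO.FolderExists(strOriginalPath) Then
    wscript.Echo "ERROR: original folder '" & strOriginalPath & _
        "' does not exist. Nothing has been changed."
    wscript.Quit 1
End If

If objFSO.FolderExists(strTargetPath) Then
    wscript.Echo "ERROR: target folder '" & strTargetPath & _
        "' already exists. Nothing has been changed."
    wscript.Quit 1
End If

' Connect to target machine.
'
' TakeOwnership and Restore are requested explicitly so that they are
' enabled in the impersonated token: taking ownership of a folder the
' caller may have no access to needs SeTakeOwnershipPrivilege, and
' setting the owner to a DIFFERENT account (the second pass below) needs
' SeRestorePrivilege. Administrators hold both; if GetObject fails here
' with a privilege error, the calling account does not.
'
wscript.Echo "Connecting to WMI..."

set objWMIService = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(TakeOwnership,Restore)}!\\" _
    & strComputerName & "\root\cimv2")

wscript.Echo "Connected!"
wscript.Echo 
    
' Give Full Control to the folder and its contents to the ADMIN. Make 
' her the owner, too. The script stops if the SD cannot be written.
'
SetFullControlAndOwner strOriginalPath, strAdminDomain, strAdminName, strAdmin

wscript.Echo _
"----------------------------------------------------------------------"

' Rename the folder.
'
wscript.Echo "Renaming '" & strOriginalPath & "' to '" & strTargetPath & "'..."
objFSO.MoveFolder strOriginalPath, strTargetPath
wscript.Echo "Folder renamed!"
wscript.Echo 

Set objFSO = Nothing

wscript.Echo _
"----------------------------------------------------------------------"

' Give Full Control to the folder and its contents to the USER. Make her
' the owner, too.
'
SetFullControlAndOwner strTargetPath, strOriginalDomainName, strTargetUserName, strTargetUser

wscript.Echo _
"----------------------------------------------------------------------"

' We are done!
'
set objWMIService = Nothing
wscript.Echo "Done!"

' Replace the security descriptor of strPath with one whose DACL holds a
' single inheritable Full Control ACE for strDomain\strName and whose
' owner is that same account. strDisplay is only used in the progress
' messages.
'
' NOTE: the new DACL contains ONLY this ACE. Any explicit ACE that was
' on the folder before (e.g. for SYSTEM or Administrators) is dropped,
' not merged. The script quits with the WMI return code when
' SetSecurityDescriptor reports anything other than 0 (success), so the
' rename is never attempted after a failed SD write.
'
Sub SetFullControlAndOwner(strPath, strDomain, strName, strDisplay)

    wscript.Echo "Accessing security settings for '" & strPath & "'..."
    ' The key value is double-quoted so that an apostrophe in the folder
    ' name (it is derived from the user name) cannot end the object path
    ' early; a double quote is not a valid character in a Windows path.
    set objRootSecSetting = objWMIService.Get( _
        "Win32_LogicalFileSecuritySetting.path=""" & strPath & """")

    wscript.Echo "Creating Full Trust ACE for '" & strDisplay & "'..."    
    set objAce = objWMIService.Get("Win32_Ace").SpawnInstance_()
    objAce.AccessMask = ACCESS_MASK_FULL 
    objAce.AceFlags = ACE_FLAGS_INHERIT
    objAce.AceType = ACE_TYPE_ALLOW
    set objTrustee = GetTrustee(strDomain, strName)
    objAce.Trustee = objTrustee

    wscript.Echo "Creating new SD..."
    set objSecurityDescriptor = objWMIService.Get( _
        "Win32_SecurityDescriptor").SpawnInstance_()

    wscript.Echo "Adding ACE to SD.DACL..."
    objSecurityDescriptor.DACL = Array(objAce)
    objSecurityDescriptor.ControlFlags = SE_DACL_PRESENT

    wscript.Echo "Setting '" & strDisplay & "' as SD.Owner..."  
    objSecurityDescriptor.Owner = objTrustee

    wscript.Echo "Setting SD for '" & strPath & "'..."
    RetVal = objRootSecSetting.SetSecurityDescriptor(objSecurityDescriptor)
    wscript.Echo CStr(RetVal)

    Set objTrustee = Nothing
    Set objAce = Nothing
    set objSecurityDescriptor = Nothing
    set objRootSecSetting = Nothing

    ' 0 = success; any other value is a failure (see the
    ' Win32_LogicalFileSecuritySetting documentation for the codes).
    If RetVal <> 0 Then
        wscript.Echo "ERROR: SetSecurityDescriptor failed for '" & strPath & _
            "' (return code " & CStr(RetVal) & "). Stopping."
        wscript.Quit RetVal
    End If

    wscript.Echo
    wscript.Echo "'" & strDisplay & "' has FULL TRUST access now"
    wscript.Echo "'" & strDisplay & "' is the OWNER now"
    wscript.Echo

End Sub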

'=======================================================================
' HELPER FUNCTIONS
'-----------------------------------------------------------------------

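' Build a Win32_Trustee for the "strDomain\strName" account.
'
' The account is resolved through WMI (Win32_Account) to obtain its SID,
' and the SID's binary form is taken from Win32_SID. The returned trustee
' carries Domain, Name and the binary SID, which is what Win32_ACE.Trustee
' and Win32_SecurityDescriptor.Owner expect.
'
' There is no On Error handling in this script: if the account does not
' exist (or the name/domain is wrong) objWMIService.Get raises a runtime
' error and the script stops at that point.
'
function GetTrustee(strDomain, strName)

    ' Get account
    '
    ' Key values are double-quoted so that an apostrophe in the account
    ' name (e.g. O'Brien) cannot end the object path early and resolve a
    ' different account; Windows does not allow a double quote in account
    ' or domain names, so the value itself cannot break the path.
    set objAccount = objWMIService.Get( _
        "Win32_Account.Name=""" & strName & _
        """,Domain=""" & strDomain & """")
     
    ' Get account's SID (the string SID is a key of Win32_SID, which in
    ' turn exposes the binary representation the trustee needs).
    '   
    Set objAccountSID = objWMIService.Get( _
        "Win32_SID.SID=""" & objAccount.SID & """")

    ' Get account's trustee
    '
    set objTrustee = objWMIService.Get( _
        "Win32_Trustee").SpawnInstance_()
    objTrustee.Domain = strDomain
    objTrustee.Name = strName
    objTrustee.SID = objAccountSID.BinaryRepresentation

    ' Return trustee
    '
    set GetTrustee = objTrustee

end function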

 

I hope this helps. 

Regards,

 

Alex (Alejandro Campos Magencio)