A VBScript Tutorial for Setting File Permissions with CACLS
CACLS is a command-line program to make bulk changes to a folder's permissions. I would go so far as to say that it only makes sense to use CACLS in a VBScript. Let us begin with a reminder of the
manual, Windows Explorer method, for editing Access Control Lists (ACL). If you right click a folder and then select the Security tab you can examine and modify the NTFS permissions.
Topics for
Scripting with the CACLS Command
This page gives you examples of CACLS scripts, if you need a quick refresher on the switches, chick out this CACLS Commands page.
Our mission is to create home directories for users, then assign permissions with CACLS commands. The typical structure on a file server would be a shared folder called home, then each user has their own
folder as a
sub-directory under home.
If you create users home folders with the Active Directory Users and Computers then you can invoke the %username% variable, which not only creates a folder named after the
user, but also sets the permission to username full control.
The problem arises if you bulk create users with CSVDE or VBScript, in such cases I find that %username% does not work, so we need an
alternative method to create the home folders and set the permissions - a job for CACLS.
As ever the secret of scripting is to build up in stages. Stage 1: Introduction to CACLS. Simple example to set folder permission to
Administrators full control. Stage 2: Create the users (sub) folders. Assumption we have the usernames in a spreadsheet. Stage 3: Set the permissions on each user's folder to username: f and
administrators: f. (f= full control)
The purpose of this script is to set a folder's permissions to Administrators = full control. No one else has any permissions. The folder is called 'user', the path is \\server\home\user.
What the script does is mimic right clicking a folder
called 'user' and then setting the Security tab so that the only entry is Administrators full control. Compare the diagrams before (left) and after (right) running the VBscript.
Prerequisites
You must have a server with a shared folder. This is a script that will execute equally well on a Windows server or an XP machine. Should you get permission errors, I recommend that you logon as
administrator.
Instructions for Creating your Cacls VBScript
Copy and paste the example script below into notepad or a VBScript editor.
Change the value for strHomeFolder, especially the server name.
Save the file with a .vbs extension, for example: Cacls.vbs
Double click Cacls.vbs and check the permissions with Windows Explorer for strHomeFolder.
Sample Script to Set CACLS permissions
' Cacls.vbs ' Example VBScript to set Administrators permissions with Cacls ' Version 2.1 - September 2005 ' ---------------------------------------------------------'
Option Explicit Dim strHomeFolder, strHome, strUser Dim intRunError, objShell, objFSO
strHomeFolder = "\\grand\home\user"
Set objShell = CreateObject("Wscript.Shell") Set objFSO =
CreateObject("Scripting.FileSystemObject") If objFSO.FolderExists(strHomeFolder) Then ' Assign user permission to home folder. intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " _ &
strHomeFolder & " /t /c /g Administrators:F ", 2, True) If intRunError <> 0 Then Wscript.Echo "Error assigning permissions for user " _ & strUser & " to home folder " & strHomeFolder End If End
If
WScript.Quit
' End of Cacls example VBScript
VBScript Tutorial - Learning Points
Note 1: The heart of the script is: cacls & strHomeFolder & " /t /c /g Administrators:F
strHomeFolder is the path we want to change the permissions. /t means trash the existing permissions. Remove all permissions and add those specified by /g. /g Administrators:F Sets the new
permissions for only Administrators with full control. (/c Tells the script to continue if there is an error).
You could add an ACL permission for the user with /g Administrators:F user:F.
However, to keep it simple we just added one entry in the above script.
Note 2: The rest of the script is VBScript. We need to create a file object, objFSO.
Note 3: Cacls normally runs at the
cmd prompt, therefore, the script creates a shell object objShell. Run invokes comspec rather than cmd.exe. objShell.Run("%COMSPEC% /c Echo Y.
Note 4: The cacls
utility does not provide the /y option that answers automatically with Y for Yes to the ARE YOU SURE? Y/N prompt. However, you can use the echo command to pipe the character Y as input to the prompt
when you are running cacls in a batch file. Use the following syntax to automatically answer Y:
I thank Mathew D. for researching the above reason for the Cacls Echo Y switch.
Note
6: Finally, the script contains error-correcting code in case the folder does not exist.
Cacls is a command-line utility, which manipulates folder and file permissions.
It is particularly suited to scripting, Cacls is ideal for bulk changes to folder permissions, for example users home folders. If you want to a script which will
actually create the users home folders, see here.
Their topics and material are ideal for getting you started with VBScript. The
videos are easy to follow and you can control the pace. Try their free demo material and then see if you want to buy the full package.
See more about VB Script Training CD.
Download my eBook:
Introduction to VBScript - only $6.25
