If your company’s share folders are anything like those at most companies I’ve worked for, the folder permissions are in disarray. I’m currently working on a project to fix access to these shares and also set up ABE (more about this in a future blog). There are not many free tools for setting NTFS permissions, and if you change permissions on a folder tree several levels deep across a WAN, it could take hours and hang the session (even pegging the processor at 100% in the process). You could write a script, but setting permissions with something like VBScript is complicated. So, what’s the solution? I used a combination of shell scripting and a tool from the resource kit, xcacls.vbs. This is not to be confused with xcacls.exe, which came with the 2000 resource kit. The executable version does not work well with Windows Server 2003 — it adds the ACEs in an incorrect order. Microsoft now recommends using xcacls.vbs instead. Here is the script that I wrote to standardize the user’s root home directory across about a hundred servers.
```batch
@echo off
REM define the input file
REM (This is a text file with a line delimited list of machine names.)
REM Add to command line parameter. Example: changeperms.cmd inputlist.txt
set sharelist=%1

:MAIN
REM This is the part of the script that will perform the looping
for /f "tokens=*" %%i in (%sharelist%) do @set share=%%i&& call :UPDATE
REM This will end the script and keep it from re-looping the last line
Goto :EOF

:UPDATE
Echo Updating %SHARE%
REM This is the core of the script that sets permissions
REM XCACLS.vbs can be found in the Server 2003 Resource Kit
xcacls.vbs "%Share%" /P Everyone:L BUILTIN\Administrators:F /I Remove /L Logfile.txt
REM Loop to next computer in list
GOTO :EOF
```
To download XCACLS.vbs and get syntax help, go here.
One of the most common needs for a script is iterative looping: in other words, looping through a list to initiate some action against the items in that list. For example, have you ever wanted to simply test a list of machines to see if they are alive? Or check for admin access on a series of machines? This is easily done with command shell scripting. I will demonstrate a simple way to create a “template” for future iterative looping, and all you will have to do in the future is change the command!
```batch
@echo off
REM define the input file
REM This is a text file with a line delimited list.
REM You will type the input file name after the command file.
REM For example: Ping-servers.cmd serverlist.txt
set serverlist=%1

:MAIN
REM This is the core of the script that will perform the looping
for /f "tokens=1" %%i in (%serverlist%) do @set server=%%i&& call :TEST
REM This will end the script and keep it from re-looping the last line
Goto :EOF

:TEST
REM Echo the server that you are pinging to the screen
REM echo Pinging %server%
REM Perform the ping and echo results
REM If unsuccessful, it will jump to the next line.
ping %server% -n 1|findstr /i "reply from" >NUL&& ECHO %Server%,Alive&& GOTO :EOF
REM execute the next line if server was unable to be pinged
echo %server%,Dead!
REM End action against the current computer in the list loop to next machine.
Goto :EOF
```
When reusing this script, it is easy to modify it for other purposes. Say, for example, that you want to test to see if you have administrator access to these servers instead of pinging them. (Of course, you could easily do both in the same script, but for simplicity of this article, I will show you how to modify it for a single action.)
To test for admin access, you can simply change the :TEST routine. Change the line:

```batch
ping %server% -n 1|findstr /i "reply from" >NUL&& ECHO %Server%,Alive&& GOTO :EOF
```

to:

```batch
dir \\%server%\c$|findstr /i "DIR">NUL&&Echo %server%,Admin Access&&GOTO:EOF
```
Of course, this is only one way of checking for admin access and there are also other command line tools that you can use from the various toolkits. This one is just a simple example of commands that are already pre-installed with the Windows OS and can be used on multiple platforms such as NT, 2000, 2003, XP, and Vista.
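The template extended to run both checks in one pass and write one CSV row per server, as an added example that is not part of the original article. It validates the input file before looping and matches `TTL=` instead of "reply from", because a router's "Destination host unreachable" message also begins with "Reply from". The script name, the CSV column names, the `#` comment convention in the list file and the 1000 ms timeout are assumptions.

```batch
@echo off
REM Added example (not the article's own script): ping + admin-share check, CSV output.
REM Usage (file names are placeholders): check-servers.cmd serverlist.txt > results.csv
setlocal

set "serverlist=%~1"
if not defined serverlist (
    echo Usage: %~nx0 serverlist.txt 1>&2
    exit /b 1
)
if not exist "%serverlist%" (
    echo Input file "%serverlist%" not found 1>&2
    exit /b 1
)

echo Server,Ping,AdminShare
REM usebackq allows a quoted file name, so paths containing spaces work.
REM eol=# skips comment lines; tokens=1 takes the first word on each line.
for /f "usebackq eol=# tokens=1" %%i in ("%serverlist%") do call :TEST "%%i"
endlocal
goto :EOF

:TEST
set "server=%~1"
set "pingstate=Dead"
set "admin=Skipped"

REM An echo reply from the target carries a TTL= field; a router's
REM "Reply from ...: Destination host unreachable" does not.
REM IPv6 replies have no TTL= field either; on Vista and later add -4 to force IPv4.
ping -n 1 -w 1000 %server% | findstr /i /c:"TTL=" >NUL && set "pingstate=Alive"

REM dir returns a non-zero errorlevel when C$ is unreachable or access is denied,
REM so test the exit code instead of parsing the directory listing.
if "%pingstate%"=="Alive" (
    set "admin=No"
    dir "\\%server%\c$" >NUL 2>&1 && set "admin=Yes"
)

echo %server%,%pingstate%,%admin%
goto :EOF
```

Servers that do not answer the ping are reported as `Skipped` rather than `No`, so the output separates "no access" from "not tested".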
There are many uses for this template. I’ve used the template to search for files older than a certain time period, change registry keys, query NetBIOS names without relying on DNS or WINS, and copy a set of files remotely. Anything that can be done with standard command line tools can be automated this way to perform actions on a list of computers with very little effort.
If you have other ideas for the iterative looping with command shell, comments are much appreciated!