execute as domainadmin


    by Hybo_ICT at 2012-10-25 04:03:54

    Hello,

    I wrote a ps script that creates a folder structure to store all data in it. Obviously I put some security groups on it to avoid some access.

    When I let a user execute the script, the script is not executing. When I execute the script as domainadmin, everything works fine.

    Can someone let me know how to change the script so that a simple user can execute the script without errors?

    Best regards,

    Philippe

    #region Initialize the variables
    [String] $sPath = "path to server"
    [String] $sClient = Read-Host -Prompt 'Client'
    [String] $sCity = Read-Host -Prompt 'City'
    [String] $sType = Read-Host -Prompt 'Type'
    [String] $sCode = Read-Host -Prompt 'Code'

    [String] $sType2 = $sType.ToUpper()

    # Truncate the client name to at most 30 characters
    if ($sClient.Length -ge 30)
    {
        $sClient2 = $sClient.Substring(0,30)
    }
    else
    {
        $sClient2 = $sClient
    }

    # Truncate the city name to at most 9 characters
    if ($sCity.Length -ge 9)
    {
        $sCity2 = $sCity.Substring(0,9)
    }
    else
    {
        $sCity2 = $sCity
    }

    # Build the folder name only after $sClient2 and $sCity2 have been set
    $sFoldercode = $sClient2 + "_" + $sCity2 + "_" + $sType2 + "_" + $sCode
    $sFullPath = $sPath + "\" + $sFoldercode

    $colRights_FC = [System.Security.AccessControl.FileSystemRights]"Read, Write, ListDirectory, modify, readandexecute, DeleteSubdirectoriesAndFiles, ExecuteFile"
    $colRights_RO = [System.Security.AccessControl.FileSystemRights]"Read, ListDirectory"

    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
    $InheritanceFlag2 = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $InheritanceFlag3 = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $PropagationFlag2 = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    $PropagationFlag3 = [System.Security.AccessControl.PropagationFlags]::None

    $objType =[System.Security.AccessControl.AccessControlType]::Allow
    #endregion

    $FileExists = Test-Path $sFullPath
    If ($FileExists -eq $true)
    {
        Write-Host -ForegroundColor Red -BackgroundColor Black "Sorry, the folder already exists."
        Start-Sleep -Seconds 7
    }
    Else
    {
        #start creating folders
        New-Item "$sPath\$sFoldercode" -type directory

        # Add the ACE for the read-only group and write the ACL back
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ("Hyboma\LO_DOSS_WOKL_RO", $colRights_RO, $InheritanceFlag, $PropagationFlag, $objType)
        $objACL = Get-ACL "$sPath\$sFoldercode"
        $objACL.AddAccessRule($objACE)
        Set-ACL "$sPath\$sFoldercode" $objACL

        # Re-read the ACL, add the ACE for the second group and write it back
        $objACE2 = New-Object System.Security.AccessControl.FileSystemAccessRule ("Hyboma\LO_DOSS_WOKL_FC", $colRights_FC, $InheritanceFlag, $PropagationFlag, $objType)
        $objACL2 = Get-ACL "$sPath\$sFoldercode"
        $objACL2.AddAccessRule($objACE2)
        Set-ACL "$sPath\$sFoldercode" $objACL2
    }

    by Klaas at 2012-10-25 04:16:27

    [quote="Hybo_ICT"]When I let a user execute the script, the script is not executing.[/quote]
    What do you mean? Do you receive an error? What is the message?

    Have you changed the execution policy?
    Does the user have the required NTFS rights on the "path to server"?

    by Hybo_ICT at 2012-10-25 04:23:00

    Yes, the user can reach the path of the server. However, the user that creates the folder structure may not see all the folders below. That's why it needs to be created by a domainadmin-account. Any advice?

    by dsf3g at 2012-11-11 11:24:40

    The user account under which this script runs needs to have modify NTFS permissions to the parent directory. It will then be able to create the subfolders it needs. If the script also ACLs the child directories then the user account will need FULL permissions.
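
A preflight check for the point made in the last reply, added here as an example and not part of the thread: it reports whether the account running the script holds Modify or FullControl on the parent folder. `Get-EffectiveFolderRights` and `$parent` are hypothetical names. The calculation reads only the NTFS ACL, so it ignores share permissions, folder ownership, and ACEs expressed with generic rights.

```powershell
# Added example: names are hypothetical, not taken from the thread.
function Get-EffectiveFolderRights {
    param([Parameter(Mandatory=$true)] [string] $Path)

    # SIDs in the caller's token: the user plus every enabled group.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $allow = 0
    $deny  = 0
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        # InheritOnly ACEs apply to children, not to this folder itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }
    # A Deny ACE wins over an Allow ACE for the same right.
    return ($allow -band (-bnot $deny))
}

# Replace with the parent folder on the server (the thread's "path to server").
$parent = $PWD.Path
$have   = Get-EffectiveFolderRights -Path $parent
foreach ($name in 'Modify', 'FullControl') {
    $need = [int][System.Security.AccessControl.FileSystemRights]$name
    '{0,-12} {1}' -f $name, (($have -band $need) -eq $need)
}
```

Run it as the ordinary user, not as the domain admin, so the result reflects the token the folder-creation script will actually run with.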
