Running icacls in script not working correctly with /grant

This topic contains 1 reply, has 2 voices, and was last updated by  Max Kozlov 2 years, 4 months ago.

  • #27950

    Dan
    Participant

    I have a script that will be used to reset permissions and I am having a problem only with one icacls command. Everything else works like a charm, this one just doesn't: &$cmdSetUserFullPerms which is set as $cmdSetUserFullPerms = "icacls " + '"' + $usershareParent + '"' + " /grant " + '"' + $username + '"' + ":F"

    I've played around a few times and can't get it to work. Below is the entire script:

    
    ############################################
    # Reset Permissions
    ############################################
    
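    # Load Windows Forms so [System.Windows.Forms.MessageBox] resolves outside the ISE
    Add-Type -AssemblyName System.Windows.Forms

    # Test for subinacl application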
    if (-not (test-path c:\ResetSharePermissions\subinacl.exe))
        {
            [System.Windows.Forms.MessageBox]::Show("ERROR: Missing 'C:\ResetSharePermissions\subinacl.exe'
                    Install file and rerun script")
        }
    else
        {
            $subinaclExists = "yes"
        }
    # Test for usernames.csv file
    if (-not (test-path c:\ResetSharePermissions\usernames.csv))
        {
            [System.Windows.Forms.MessageBox]::Show("ERROR: Missing 'C:\ResetSharePermissions\usernames.csv'
                    Add missing file and rerun script")
        }
    else
        {
            $usernamesExists = "yes"
        }
    # --------------------------------------------------
    
    #Validate two files exist and run script
    if ($usernamesExists -eq "yes" -And $subinaclExists -eq "yes")
        {
            # **BEGIN PROCESSING**
            # --------------------------------------------------
            # Prompt for share path
            $sharepath = Read-Host -Prompt "Input path name
                ex: c:\users\ or \\servername\share\subfolder\
                Ensure to include \ at the end of your path."
            # Create variable to test for last backslash '\' in share path
            $a=$sharepath
            $a=$a.substring($a.length -1, 1)
            # Add missing backslash from end of path
            if ($a -ne "\")
                {
                    $sharepath = $sharepath + "\"
                }
    
            # --------------------------------------------------
            # Get current Date-Time
            $dte = get-date -f yyyy-MM-dd_HHmm
            "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
            "****Starting to reset permissions: " + $dte >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
            "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
            "****Inputed Share Path: " + $sharepath   >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
    
            # Import csv of users using usernames (***NOTE: Usernames must match folder names for this to work***)
            $list = Import-Csv C:\ResetSharePermissions\usernames.csv
    
            # --------------------------------------------------
            # Loop through each username in csv
            foreach ($entry in $list)
                {
                    # Set new variables
                    $dte = get-date -f yyyy-MM-dd_HHmm
                    "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Processing user '" + $($entry.username) + "' starting at: " + $dte  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    $username = $($entry.username)
                    $usershareParent = "$sharepath$($entry.username)"
                    $cmdSetUserFullPerms = "icacls " + '"' + $usershareParent + '"' + " /grant " + '"' + $username + '"' + ":F"
                    $usershareParent = '"' + $usershareParent + '"'
                    $usershareSubfolder1 = "$sharepath$($entry.username)\*.*"
                    $usershareSubfolder1 = '"' + $usershareSubfolder1 + '"'
                    $usershareSubfolder2 = "$sharepath$($entry.username)\*"
                    $usershareSubfolder2 = '"' + $usershareSubfolder2 + '"'
                    "sharepath $sharepath"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "username $username"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "usershareparent $usershareparent" >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "usersharesubfolder1 $usersharesubfolder1" >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "usersharesubfolder2 $usersharesubfolder2" >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    # Add '> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Set Administrators as owner for parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    & 'C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe' /file $usershareParent /setowner=Administrators  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Set Administrators as owner on subfolders"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    & 'C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe' /subdirectories $usershareSubfolder1 /setowner=Administrators  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Remove inheritance on all subfolders"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    & icacls $usershareSubfolder2 /inheritance:r /T  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Remove inheritance on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    & icacls $usershareParent /inheritance:r /T  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Grant Administrators Full permissions on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    & icacls $usershareParent /grant Administrators:F /t /c /Q  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Grant SYSTEM Full permissions on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    & icacls $usershareParent /grant SYSTEM:F /t /c /Q  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Grant " + $username + " Full permissions on parent folder"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "COMMMAND:  " + $cmdSetUserFullPerms >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    &$cmdSetUserFullPerms  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    #& icacls "z:\test1" /grant test1:F /t /c /Q >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Set inheritance on all subfolders"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    & icacls $usershareSubfolder2 /inheritance:e /T  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "-------------------------------------------------------"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    "****Processing Complete for user " + $username + " ending at " + $dte  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
                    #> 
                    #End of user processing loop
                }
        # **END PROCESSING**
        }
    "*******************************************************"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
    "****SHARE PERMISSIONS SCRIPT COMPLETED"  >> "c:\ResetSharePermissions\ResetSharePermissions.log" 2>&1
    #Rename log file
    cd c:\ResetSharePermissions
    rename-item ResetSharePermissions.log -newname ("ResetSharePermissions_" + $dte + ".log")
    

    I can run: icacls "z:\test1" /grant test1:F /t /c /Q and it works just fine but the icacls line with /inheritance runs fine in the script.

    This is what I get as an error:

    The term 'icacls "z:\test1" /grant "test1":F' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At \\chartwellfile\View_UserData\administrator\desktop\ResetSharePermissions.ps1:100 char:18
    + & <&1
    + CategoryInfo : ObjectNotFound: (icacls "z:\test1" /grant "test1":F:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Thank you, Dan

  • #27961

    Max Kozlov
    Participant

    You get a quoting error somewhere. It's a common problem with external commands.

    I suggest you rework external command execution this way.
    (It may need some quote fixing.)

    $arguments = $usershareParent, "/grant", "${username}:F"
    # arguments array; ${username} stops PowerShell from reading "$username:F" as a scope-qualified variable

    and use it as
    & icacls $arguments

    and, please, use boolean $true instead of string 'yes' 🙂

    $subinaclExists = $true
    $usernamesExists = $true
    if ($subinaclExists -and $usernamesExists) { ... }

    Also, instead of (or with) the messagebox you can use error throwing, and then you do not need these variables at all.

    if (...) {
    throw 'error'
    }
    do-something
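
Added example, not part of either post above: the array-argument call from the reply, wrapped in a function that also treats the CSV usernames as untrusted input and checks the icacls exit code. `Grant-UserFullControl`, the username pattern and the sample rows are assumptions made for illustration.

```powershell
# Added example. Grant-UserFullControl is a hypothetical helper, not part of the posted script.
function Grant-UserFullControl {
    param(
        [Parameter(Mandatory)] [string] $SharePath,
        [Parameter(Mandatory)] [string] $UserName
    )

    # Usernames come from a CSV file, so treat them as untrusted input.
    # Assumed policy: simple account names only, starting with a letter or digit.
    if ($UserName -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$') {
        throw "Rejected username '$UserName': unexpected characters"
    }

    # Confirm the account resolves before touching any ACL; Translate() throws if it does not.
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Join-Path removes the need for the trailing-backslash fix-up.
    $folder = Join-Path -Path $SharePath -ChildPath $UserName
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        throw "Folder not found: $folder"
    }

    # One array element per argument, with no embedded quote characters:
    # PowerShell quotes elements that contain spaces itself.
    $arguments = @($folder, '/grant', "${UserName}:F", '/t', '/c', '/q')

    # '&' takes a command NAME followed by arguments. Handing it the whole command
    # line as one string is what produces the CommandNotFoundException in the question.
    $output = & icacls.exe $arguments 2>&1

    # Native commands do not throw; their result is in $LASTEXITCODE.
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed for '$folder' (exit code $LASTEXITCODE): $output"
    }
    $output
}

# Constructed sample rows standing in for usernames.csv.
$rows = "username`ntest1`ntest2" | ConvertFrom-Csv
foreach ($row in $rows) {
    try   { Grant-UserFullControl -SharePath 'z:\' -UserName $row.username }
    catch { Write-Warning $_.Exception.Message }
}
```

Because every value stays a separate array element, a username or path containing spaces or quote characters cannot change how the icacls command line is split.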
