Changing owner of subfolders using icacls in a VBScript


Problem description

I have a network with over 700 users and I want to create a script that could change the owner of the home folders to domain admins and the sub-folders to the users themselves.

This is what I could create with the help of my colleagues, but this doesn't work for some reason. Can anyone help me, please? Thanks.

Set objFSO  = CreateObject("Scripting.FileSystemObject")

Set objFile = objFSO.OpenTextFile("G:\Userhome\userdirlist.txt", 1)

Set oShell  = WScript.CreateObject("WSCript.shell")

Do Until objFile.AtEndOfStream

    struserfolder = objFile.ReadLine

    oshell.run ("icacls G:\userhome\"+ struserfolder +"\*.*  /setowner domainname\" + "struserfolder" + " /t")
    oshell.run ("icacls G:\userhome\"+ struserfolder +"\*.*  /setowner domainname\Domain Admins")
Loop

Recommended answer

You use the string "struserfolder" when you probably mean to use the variable struserfolder. Change this:

oshell.run ("icacls G:\userhome\"+ struserfolder +"\*.* /setowner domainname\" _
  + "struserfolder" + " /t")

into this:

oshell.run "icacls G:\userhome\"+ struserfolder +"\*.* /setowner domainname\" _
  + struserfolder + " /t"

Also, you must quote arguments with spaces. Lack of quotes is probably what prevents the second command from working, because icacls tries to set the owner to domainname\Domain instead of domainname\Domain Admins. This should do:

oshell.run "icacls G:\userhome\" + struserfolder _
  + "\*.* /setowner ""domainname\Domain Admins"""

BTW, why are you trying to change the owner twice? Any object can have just one owner, and you don't gain anything if you make the domain admins group the owner of just the top-level objects in the folder.

If you want to give domain admins access to the users' home directories, change the owner to the local administrators group (domain admins are automatically members of that group) and grant full control on the folder to Administrators, SYSTEM and the user. Then propagate the changed permissions down the directory tree:

path = Chr(34) & "G:\userhome\" & struserfolder & Chr(34)

oshell.run "icacls " & path & " /setowner Administrators /t /c"
oshell.run "icacls " & path & " /grant Administrators:(OI)(CI)F " _
  & "SYSTEM:(OI)(CI)F domainname\" & struserfolder & ":(OI)(CI)F"
oshell.run "icacls " & path & " /reset /t /c"

The Run method returns the exit status of the executed command, which may give you some pointers when things don't work as expected:

rc = oshell.run("icacls " & path & " /setowner Administrators /t /c", 0, True)
WScript.Echo "icacls returned with exit code " & rc & "."

One issue might be that by default Run is asynchronous (parameter bWaitOnReturn defaults to False), i.e. the call returns immediately while the command (icacls) is still running in the background. This may lead to situations where subsequent commands try to change permissions on objects where ownership hasn't been taken yet.

Even more helpful than the return code is usually the output of the command. However, the way you execute the commands, the command window isn't displayed, and even if it were, it would automatically close as soon as the command finishes. You can force the command window to become visible and stay open after the command finishes, though.

oshell.run "%COMSPEC% /k icacls " & path & " /setowner Administrators /t /c" _
  , 1, True

Of course you don't normally want this in production, but it's quite useful when debugging a script.

Another option would be to avoid Run entirely and run the commands via the Exec method. That way you have access to the StdOut and StdErr of the created process:

Set icacls = oshell.Exec("icacls " & path & " /setowner Administrators /t /c")
Do While icacls.Status = 0
  WScript.Sleep 100
Loop
WScript.Echo "icacls returned with exit code " & icacls.ExitCode & "."
WScript.Echo icacls.StdOut.ReadAll & icacls.StdErr.ReadAll
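
The points from the answer above (quoted path, synchronous Run, exit-code check), put together as an added example that is not part of the original question or answer. It also validates each line of the list file before concatenating it into a command line; the allowed-character pattern is an assumption about how account names look in this domain, and `domainname` is the page's placeholder.

```vbscript
Option Explicit
' Added example. Paths are taken from the question; DOMAIN is a placeholder.
Const HOME_ROOT = "G:\userhome\"
Const DOMAIN    = "domainname"
Const LIST_FILE = "G:\Userhome\userdirlist.txt"

Dim fso, shell, list, re, name, path, ok, failures
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
Set re    = New RegExp
' Assumption: folder/account names use only these characters. The first
' character may not be a dot, so ".." cannot walk out of HOME_ROOT, and no
' quote, space, "&" or "|" from the list file can reach the command line.
re.Pattern = "^[A-Za-z0-9_-][A-Za-z0-9._-]*$"

' Run icacls hidden (0) and wait for it (True); report nonzero exit codes.
Function RunIcacls(args)
  Dim rc
  rc = shell.Run("icacls " & args, 0, True)
  If rc <> 0 Then WScript.Echo "FAILED (" & rc & "): icacls " & args
  RunIcacls = (rc = 0)
End Function

failures = 0
Set list = fso.OpenTextFile(LIST_FILE, 1)
Do Until list.AtEndOfStream
  name = Trim(list.ReadLine)
  If name = "" Then
    ' ignore blank lines
  ElseIf Not re.Test(name) Then
    WScript.Echo "Skipped (unexpected characters): " & name
    failures = failures + 1
  ElseIf Not fso.FolderExists(HOME_ROOT & name) Then
    WScript.Echo "Skipped (no such folder): " & name
    failures = failures + 1
  Else
    path = Chr(34) & HOME_ROOT & name & Chr(34)
    ' Each step runs only after the previous one has finished successfully.
    ok = RunIcacls(path & " /setowner Administrators /t /c")
    If ok Then ok = RunIcacls(path & " /grant Administrators:(OI)(CI)F " _
        & "SYSTEM:(OI)(CI)F " & DOMAIN & "\" & name & ":(OI)(CI)F")
    If ok Then ok = RunIcacls(path & " /reset /t /c")
    If Not ok Then failures = failures + 1
  End If
Loop
list.Close
WScript.Echo "Done, " & failures & " folder(s) skipped or failed."
If failures > 0 Then WScript.Quit 1
```

Run it with `cscript` from an elevated prompt so the Echo lines go to the console instead of message boxes.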
