Cacls, Windows 7, full permissions, local names


I need to grant full access permissions on a folder using (deprecated on Win7) cacls. It seems to me that I have to use localized usernames and group names with cacls. E.g.:

    cacls foldername /T /E /C /G Users:F

This gave me the error "No mapping between account names and security IDs was done". The next command works fine (Users in Russian = Пользователи).

    cacls foldername /T /E /C /G Пользователи:F

How can I grant full permissions on a folder regardless of the system language?

2

There are 2 answers

8
wmz On BEST ANSWER

Use xcacls instead, as described here, and use SIDs instead of names (you will find well-known SIDs here).

If for some reason you are stuck with cacls, then google: "cacls sid" will bring you some workarounds for doing the reverse mapping from SID to name and then supplying this to cacls.

Edit: could not resist learning some new tricks... This simple script will give you the actual name of the 'Users' (S-1-5-32-545) group on a given PC:

    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set objAccount = objWMIService.Get ("Win32_SID.SID='S-1-5-32-545'")
    Wscript.Echo objAccount.AccountName

Put it into a file with vbs extension (Let's assume usersName.vbs).

Now run:

    echo Y|for /f "delims=" %i in ('cscript -Nologo usersName.vbs') do cacls foldername /G "%i":F

Done :-)

Edit: corrected to work if the name has a space in it (added delims=). Please also note that echo Y at the start works if you use the English version of the tool.

0
isidroco On

This code will find and localize the Yes/No letters and USERS (or any SID) and execute CACLS on the desired directory, solving the original question without external utilities (it generates a 2-line VBS script in the TEMP dir, run with CSCRIPT and deleted after use).

    @echo off
      rem https://learn.microsoft.com/en-US/windows-server/identity/ad-ds/manage/understand-security-identifiers
      rem SIDs:  S-1-5-32-545 Users;  S-1-1-0 Everybody;  S-1-5-32-544 Administrators
      rem   S-1-5-7 no logon;  S-1-5-11 Authenticated Users;  S-1-5-18 System;  S-1-5-10 Self

    set userSID=S-1-5-32-545&  rem USERS sid
    set dirName=%TEMP%\TEST

      rem https://stackoverflow.com/questions/20892882/set-errorlevel-in-windows-batch-file/77643084#77643084
      rem try setting errorlevel 1 doesn't work on win9x: verify other 2>nul
      REM set errorlevel 1, to check next command
    <nul find ""
      REM enableExtensions/delayedExp to get !varNm! value on execution
    setlocal enableextensions enabledelayedexpansion
    if NOT ERRORLEVEL 1 goto :WinNew
      echo *** OLD OS: Can't enableextensions ***
      ver
      goto :FIN
    :WinNew

      REM Get local language Yes/No/All letters {to answer prompts}
      REM https://www.dostips.com/forum/viewtopic.php?p=63518#p63518
    set PromptLine=
      rem create dummy file [in w9x]: echo x >"%TEMP%\yesnoall#.tmp" >nul
    copy /y nul "%TEMP%\yesnoall#.tmp" >nul
      rem capture overwrite prompt after "#" ie: ".tmp? [Sí/No/Todos]:"
    for /f "tokens=2* delims=#" %%A in ( '^<nul copy /-y nul "%TEMP%\yesnoall#.tmp"'
      ) do set PromptLine=%%A
      rem remove dummy file
    del "%TEMP%\yesnoall#.tmp"
      rem For testing complicated case [russian], uncomment next line
    rem set PromptLine=.tmp [Yes (a?)/No (b??)/All (c??)]:
      rem remove spaces for russian
    set PromptLine=%PromptLine: =%
      rem parse simple case get: A,B,C else complicated case with brackets and parenthesis: A,C,E
    for /f "tokens=2-7 delims=[(/)]" %%A in ( "%PromptLine%"
      ) do if "%%~E" == "" ( set lang_yes=%%A& set lang_no=%%B& set lang_all=%%C
      ) else ( set lang_yes=%%A& set lang_no=%%C& set lang_all=%%E
    )
      rem Extract first char
    set lang_y=%lang_yes:~0,1%& set lang_n=%lang_no:~0,1%& set lang_a=%lang_all:~0,1%
      rem Display results
    echo %lang_yes%, %lang_no%, %lang_all%
    echo %lang_y%, %lang_n%, %lang_a%


      rem https://superuser.com/questions/1176622/regardless-of-windows-language-how-can-i-make-the-icacls-command-set-a-folder-t
      rem generate temp sid2user.VBS script to get local language userSID name
    ( echo\Set objWMIService = GetObject("winmgmts:\\.\root\cimv2"^)
      echo\Wscript.Echo objWMIService.Get("Win32_SID.SID='%userSID%'" ^).AccountName
    ) > "%TEMP%\sid2user.vbs"
      rem set lang_user to userSID local language name
    for /F "delims=" %%i in ('cscript -Nologo "%TEMP%\sid2user.vbs"') do set lang_user=%%i
      rem remove temp vbs file
    del "%TEMP%\sid2user.vbs"
    echo "%lang_user%":F

      rem set permissions in local language
    echo %lang_y%| cacls "%dirName%" /t /l /c /G "%lang_user%":F

    :FIN
    pause
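
Both answers above map the well-known SID back to its localized account name so that cacls will accept it. As an added example (not part of either answer, and not code from the posters), the PowerShell script below performs the same lookup through .NET and then applies the access rule by SID, so neither the localized group name nor the localized Yes/No prompt is involved. The function names, the default folder and the requirement that PowerShell 2.0 or later is available and the session is allowed to change the folder's DACL are assumptions of this example.

```powershell
# Added example: grant Full Control to a well-known SID regardless of UI language.
# Assumptions: PowerShell 2.0+, caller may modify the folder's DACL.
param(
    [string]$Path = (Join-Path $env:TEMP 'TEST'),  # sample folder (assumption)
    [string]$Sid  = 'S-1-5-32-545'                 # well-known SID of the Users group
)

# Hypothetical helper: SID string -> account name as shown on this machine,
# e.g. BUILTIN\Users on an English system, a localized name elsewhere.
function Resolve-LocalizedAccountName {
    param([string]$SidString)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    try {
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null   # SID does not map to any account on this machine
    }
}

# Hypothetical helper: add an inheritable Allow/FullControl ACE for the SID.
function Grant-FullControlBySid {
    param([string]$Folder, [string]$SidString)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    # The rule takes the SID object itself, so no name lookup is needed here.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sidObj, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Folder
    $acl.AddAccessRule($rule)   # merges into the existing DACL (like cacls /E)
    Set-Acl -Path $Folder -AclObject $acl
}

$name = Resolve-LocalizedAccountName $Sid
if (-not $name) { throw "SID $Sid does not resolve on this machine" }
Write-Output "Granting FullControl on '$Path' to $Sid ($name)"
Grant-FullControlBySid -Folder $Path -SidString $Sid

# Show the resulting entries for the SID to confirm the change.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $name } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The inheritance flags make the entry apply to child folders and files through inheritance rather than by rewriting each child's ACL, which is what `/T` does in the cacls commands above.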