Modifying permissions with XCACLS.vbs

Giganews Newsgroups
Subject: Modifying permissions with XCACLS.vbs
Posted by:  Adam Sandler (corn…
Date: Thu, 7 Feb 2008


I have a question about running XCACLS.vbs.  I'm trying to change
folder permissions but I'm not using the built-in security groups - I
want to use domain groups; specifically domain admins and domain

I read online that if one uses SID# in place if a group name then that
should work.

I call XCACLS. from a batch file.  A sample of my existing (and
currently working as expected) file looks  like this:
cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /G Administrators:F

cscript xcacls.vbs "C:\WINDOWS\regedit.exe" /E /G SYSTEM:F

Additionally, I read that the domain SID can be found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\ProfileList.  I also read the SIDs for domain admins and domain users

SID: S-1-5-domain-512
Name: Domain Admins

SID: S-1-5-domain-513
Name: Domain Users

So, armed with this information I took the two lines above and tried
to do this:

cscript xcacls.vbs "C:\Temp" /G

cscript xcacls.vbs "C:\Temp" /E /G

It didn't work.  While I didn't get a script engine error or anything,
when I checked the permissions on that folder, all the entries were
gone - it was a blank display.

How can I modify the permissions to use domain admins and users?
Suggestions are greatly appreciated.