Faster way to remove permissions

Status
Not open for further replies.

DBB2010

i am fully aware of how to manually remove permissions but i was wondering if there's an easier, faster, and most importantly, less interactive way to remove permissions on an entire drive.

i work for a small shop and am expected to keep between 3 and 6 computers on my bench at all times, depending on the services. a lot of the time, systems will come in where the customer decides not to fix it but would like their hard drives placed in external enclosures instead, leaving me with the task of removing these permissions.

i'd like to be able to streamline this process, any ideas?
 
What OS are you running? Your best bet would be to create a Group Policy. But that isn't going to work depending on which OS you're running.
 
what i'd like to do is mount these customers' hdds to virtual machines on windows 7 ultimate using windows virtual pc. my plan was to dedicate a specified amount of memory and a core of the proc to each of three VMs and leave a core for the host system itself. then run the permission removal process on each VM.
 
If I am not wrong, the NTFS permission can be removed by copying the files and folders into a FAT32 volume.
All permissions are a property of the NTFS file system and FAT32 doesn't support it...
Tell me if I am wrong ;)
 
You have to explain a bit more what you're trying to accomplish. Are you trying to remove permissions for them to access your system? Or are you trying to give your system the rights to control and modify their files?

If it is the latter then you have no choice but to go with the long method. The reason being is that their system should have full control and yours should not. Ever. The simple fact is that no matter what, you can just use a drive from another system that already has files and profiles set up on it and plug it in and be able to access it without first getting the rights to do so. It isn't possible.
 
Not sure what you want to do... but take a look at cacls (built in windows tool). It might help.

Code:
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm]
       [/R user [...]] [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /L            Work on the Symbolic Link itself versus the target
   /M            Changes ACLs of volumes mounted to a directory
   /S            Displays the SDDL string for the DACL.
   /S:SDDL       Replaces the ACLs with those specified in the SDDL string
                 (not valid with /E, /G, /R, /P, or /D).
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more than one file in a command.
You can specify more than one user in a command.

Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.
   ID - Inherited.
        The ACE was inherited from the parent directory's ACL.

So, set up a test directory:
Code:
mkdir test
cd test
Make some garbage files
Code:
echo 1 > test1.txt
echo 2 > test2.txt
echo 3 > test3.txt
View current file ACLs
Code:
cacls *
Change them accordingly
Code:
cacls * /E /T /R Username
View the new ACLs
Code:
cacls *

It worked fine for me, took a little trial and error. After it works on this test directory, just cd into the c:\ drive and run it there.
 
I think you can do it via command line.
And that leaves the possibility of making a batch script to do it automatically (using for loops if necessary), and/or add it to the right-click context menu via the registry.

*edit*
cmd.exe /c Q: && FOR /R %%X IN (".") DO takeown /a /f "%%X*" && FOR /R %%X IN (".") DO icacls "%%X" /remove:d /grant administrators:F
where Q: is the drive letter you want to change permissions of

This should remove deny permissions and grant administrators full control in all directories and subdirectories on the drive.
 
okay, so i've been pretty busy lately but i had a chance to skim over the posts and i'm really excited to see some of your answers because they seem like solid solutions. i'm going to look a little more deeply asap and get back to you all. i just didn't want to leave you hanging for the time being. thank you SO much and you'll hear from me soon.

i'll admit that the syntax used here is over my head and i need to do just a little reading before i can break this down the way i should be able to, but, where it says "/grant administrators:F", could that be changed to everyone? and how can i integrate this into the right-click menu i see in My Computer making Q whichever drive i click on? the drive letter assigned would probably change depending on if the customer's hdd has a recovery partition or something similar.

by the way, thanks for your input.
 
> i'll admit that the syntax used here is over my head and i need to do just a little reading before i can break this down the way i should be able to
Basically, it's this:
* cmd.exe /c - runs command prompt silently
* Q: - change current drive to Q:
* && - when the previous command is done, run the command just after this
* takeown /a /f "%%X*" - give administrators ownership of the file/folder stored in variable "%%X"
in order to set permissions, you need to be the owner (or one of the owners) of the file/folder you're trying to set permissions on
* icacls "%%X" /remove:d /grant administrators:F - remove deny permissions and give administrators full control

* FOR /R %%X IN (".") DO - the main part of the for loop
** the /R switch means recursive, which means look in every directory and subdirectory
** %%X - the variable which stores the directory, file name, or filename plus directory that the for loop is currently looking at
** IN (".") - the base directory or file to start from initially. A single dot means whichever directory the command prompt is at already.
** DO - command is given after this, acting on whatever file/directory is stored in the variable.

> but, where it says "/grant administrators:F", could that be changed to everyone?
Yes.

> and how can i integrate this into the right-click menu i see in My Computer making Q whichever drive i click on? the drive letter assigned would probably change depending on if the customer's hdd has a recovery partition or something similar.
I think you just add whatever command you want to the registry in HKEY_CLASSES_ROOT\Drive\shell\[insert command name here]\command in the "(Default)" string
Or you could add it to HKEY_CLASSES_ROOT\Folder\[insert command name here]\command if you want to add a command to folders

To make the drive/folder variable (as in, replaced by whatever drive/directory you're right-clicking on), replace Q: in the command with pushd %1

So you'd end up with this:
cmd.exe /c pushd %1 && FOR /R %%X IN (".") DO takeown /a /f "%%X*" && FOR /R %%X IN (".") DO icacls "%%X" /remove:d /grant administrators:F

http://sites.google.com/site/apokalipse/registry.png
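
Added example, not code from any poster in this thread: a batch file that does the job of the one-liner above with the recursion switches built into takeown and icacls, and saves the drive's existing ACLs before changing them. The script name reset-acl.cmd, the backup file path and the refusal to touch the system drive are assumptions of this example.

```bat
@echo off
rem Added example, not code from the thread. Run from an elevated prompt.
rem Usage: reset-acl.cmd Q:   where Q: is the customer's volume.
rem The script name and backup path are assumptions of this example.
setlocal

set "TARGET=%~1"
if "%TARGET%"=="" goto :usage
rem Accept only a bare drive letter such as Q: so the paths below need no quoting.
if not "%TARGET:~1%"==":" goto :usage
rem Never run against the volume Windows itself booted from.
if /i "%TARGET%"=="%SystemDrive%" (
    echo Refusing to modify the system drive %SystemDrive%
    exit /b 1
)
if not exist %TARGET%\ (
    echo Drive %TARGET% is not mounted
    exit /b 1
)
set "BACKUP=%TEMP%\acl-backup-%TARGET:~0,1%.txt"

rem 1. Give the Administrators group ownership of everything on the volume.
rem    /R recurses; /D Y answers the prompt shown for folders that cannot
rem    be listed (Y is the English-language answer).
takeown /F %TARGET%\ /A /R /D Y >nul

rem 2. Save the customer's original ACLs so they can be put back with
rem    icacls %TARGET%\ /restore "%BACKUP%"
icacls %TARGET%\* /save "%BACKUP%" /T /C /Q

rem 3. Grant Administrators (well-known SID S-1-5-32-544) full control at
rem    the root, inherited by subfolders (CI) and files (OI).
icacls %TARGET%\ /grant "*S-1-5-32-544:(OI)(CI)F" /C /Q

rem 4. Replace every explicit ACL below the root, deny entries included,
rem    with the ACL inherited from the root. /T recurses, /C continues on errors.
icacls %TARGET%\* /reset /T /C /Q

echo Done. Original ACLs saved to %BACKUP%
exit /b 0

:usage
echo Usage: %~nx0 DRIVE:
exit /b 1
```

Because the grant is made once at the root and inherited, the backup file from step 2 is the only record of who originally had access to what on the customer's drive.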
 