xcacls.vbs problems


Guest

I'm trying to change the ownership of a folder on my Windows 2000 server.
First I tried xcacls.exe but this tool doesn't change the ownership so I
tried it with xcacls.vbs. When I use this tool I do get the following error
message:

Error: This security ID may not be assigned as the owner of this object.
(Msg#543)

Who knows how I can solve this problem or maybe another tool to do the trick?
Here is the full output of xcacls.vbs:

t:\tools>cscript T:\Tools\xcacls.vbs T:\Tools\TEST /O nl\testnl2 /G nl\testnl2:F /F /S /T /DEBUG

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Starting XCACLS.VBS (Version: 5.2) Script at 5-11-2004 9:57:16
Main: Enter
IsOSSupported: Enter
IsOSSupported: OSVer = 5.0
IsOSSupported: Return = True
IsOSSupported: Exit
PrintArguments: Enter

Startup directory:
"T:\Tools"

Arguments Used:
DisplayPathString: Enter
DisplayPathString: Return = TRUE
GetServerNameString: Exit
Filename = "T:\Tools\TEST"
/F (All Files under current directory)
/S (All Sub Directories under current directory)
/T (Traverse Directories)
/G (Grant rights)
nl\testnl2:F
/O (Change Ownership)
nl\testnl2
/DEBUG

PrintArguments: Exit
SetMainVars: Enter
GetServerNameString: Enter
GetServerNameString: Return = FALSE
GetServerNameString: Exit
HasWildcardCharacters: Enter
HasWildcardCharacters: Return = FALSE
HasWildcardCharacters: Exit
SetMainVars: Return = TRUE
SetMainVars: Exit

CheckTrustees: Enter
CheckTrustees: Checking Users to make sure they are proper Trustee's
GetDefaultNames: Enter
GetDefaultNames: Exit
GetDefaultDomainSid: Enter
GetDefaultDomainSid: Exit
CheckTrustees: Checking /G users
FixListOfTrustees: Enter
FixThisTrustee: Enter
SetTrustee: Enter
GetStandardSid: Enter
GetStandardSid: Return = NOTHING
GetStandardSid: Exit
GetAccountObj: Enter
GetUserObj: Enter
GetUserObj: strDomain = NL
GetUserObj: strName = TESTNL2
GetUserObj: Return = Win32_UserAccount object
GetUserObj: Exit
GetAccountObj: Return = Win32_UserAccount or Win32_Group object
GetAccountObj: Exit
SetTrustee: Return = Win32_Trustee object
SetTrustee: Exit
TrusteesDisplay: Enter
TrusteesDisplay: Exit
FixThisTrustee: Return = True
FixThisTrustee: Exit
AddObjectToArray: Enter
AddObjectToArray: Return = True
AddObjectToArray: Exit
FixListOfTrustees: Return = True
FixListOfTrustees: Exit
CheckTrustees: Checking /O user
FixThisTrustee: Enter
SetTrustee: Enter
GetStandardSid: Enter
GetStandardSid: Return = NOTHING
GetStandardSid: Exit
GetAccountObj: Enter
GetUserObj: Enter
GetUserObj: strDomain = NL
GetUserObj: strName = TESTNL2
GetUserObj: Return = Win32_UserAccount object
GetUserObj: Exit
GetAccountObj: Return = Win32_UserAccount or Win32_Group object
GetAccountObj: Exit
SetTrustee: Return = Win32_Trustee object
SetTrustee: Exit
TrusteesDisplay: Enter
TrusteesDisplay: Exit
FixThisTrustee: Return = True
FixThisTrustee: Exit
CheckTrustees: Return = True
CheckTrustees: Exit
DisplayPathString: Enter
DisplayPathString: Return = TRUE
GetServerNameString: Exit
No Wildcard characters detected for "T:\Tools\TEST"
DoesPathNameExist: Enter
DoesPathNameExist: Return = 1
DoesPathNameExist: Exit
DoTheWorkOnThisItem: Enter

**************************************************************************
DisplayPathString: Enter
DisplayPathString: Return = TRUE
GetServerNameString: Exit
Directory: T:\Tools\TEST
SetACLForObject: Enter
SetACLForObject: Working on "T:\Tools\TEST"
SetACLForObject: Sorting DACL array and modifying rights if needed
SetACLForObject: Granting Rights for Users (that haven't been granted already)
AccessMask_New: Enter
StringAceFlag: Enter
StringAceFlag: Return = This Folder, Subfolders and Files
StringAceFlag: Exit
SetACE: Enter
SetACE: Return = Win32_Ace object
SetACE: Exit
AddObjectToArray: Enter
AddObjectToArray: Return = True
AddObjectToArray: Exit
Granting NTFS rights (F access for This Folder, Subfolders and Files) for
"NL\TestNL2"
AccessMask_New: Return = True
AccessMask_New: Exit
SetACLForObject: Forming new DACL array
AddObjectToArray: Enter
AddObjectToArray: Return = True
AddObjectToArray: Exit
SetACLForObject: Saving new Descriptor
SetACLForObject: Changing Ownership
TrusteesMatch: Enter
TrusteesMatch: Checking Users to see if they match
TrusteesMatch: No Match
TrusteesMatch: Exit
TrusteesDisplay: Enter
TrusteesDisplay: Exit
Changing Ownership to "NL\TestNL2"
Error: This security ID may not be assigned as the owner of this object.
(Msg#543)
SetACLForObject: Exit
**************************************************************************
DoTheWorkOnThisItem: Exit
DoTheWorkOnEverythingUnderDirectory: Enter
DoTheWorkOnEverythingUnderDirectory: Directory passed: "T:\Tools\TEST"
DoTheWorkOnThisItem: Enter

**************************************************************************
DisplayPathString: Enter
DisplayPathString: Return = TRUE
GetServerNameString: Exit
File: T:\Tools\TEST\hallo.txt
SetACLForObject: Enter
SetACLForObject: Working on "T:\Tools\TEST\hallo.txt"
SetACLForObject: Sorting DACL array and modifying rights if needed
SetACLForObject: Granting Rights for Users (that haven't been granted already)
AccessMask_New: Enter
StringAceFlag: Enter
StringAceFlag: Return = This Folder and Files
StringAceFlag: Exit
SetACE: Enter
SetACE: Return = Win32_Ace object
SetACE: Exit
AddObjectToArray: Enter
AddObjectToArray: Return = True
AddObjectToArray: Exit
Granting NTFS rights (F access for This Folder and Files) for "NL\TestNL2"
AccessMask_New: Return = True
AccessMask_New: Exit
SetACLForObject: Forming new DACL array
AddObjectToArray: Enter
AddObjectToArray: Return = True
AddObjectToArray: Exit
SetACLForObject: Saving new Descriptor
SetACLForObject: Changing Ownership
TrusteesMatch: Enter
TrusteesMatch: Checking Users to see if they match
TrusteesMatch: No Match
TrusteesMatch: Exit
TrusteesDisplay: Enter
TrusteesDisplay: Exit
Changing Ownership to "NL\TestNL2"
Error: This security ID may not be assigned as the owner of this object.
(Msg#543)
SetACLForObject: Exit
**************************************************************************
DoTheWorkOnThisItem: Exit
DoTheWorkOnEverythingUnderDirectory: Exit
Main: Exit
ClearObjectArray: Enter
ClearObjectArray: Return = TRUE
ClearObjectArray: Exit
ClearObjectArray: Enter
ClearObjectArray: Return = TRUE
ClearObjectArray: Exit
ClearObjectArray: Enter
ClearObjectArray: Return = TRUE
ClearObjectArray: Exit
ClearObjectArray: Enter
ClearObjectArray: Return = TRUE
ClearObjectArray: Exit
ClearObjectArray: Enter
ClearObjectArray: Return = TRUE
ClearObjectArray: Exit


Operation Complete
Elapsed Time: 1,015625 seconds.

Ending Script at 5-11-2004 9:57:17
 
Download the fixed SubInACL from tip 8530 in the 'Tips & Tricks' at http://www.jsiinc.com

To set ownership on a folder
subinacl /subdirectories "FolderPath" /setowner="DomainName\Username"
To set ownership on a file
subinacl /subdirectories "FilePath" /setowner="DomainName\Username"





Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Thanks, that one works better.

 
Well, to make this really strange. I get an identical error to what
Zeezuiper got - only when I run the following on the local machine -
SERVER = the local machine:

cscript //nologo \\SERVER\c$\xcacls\xcacls.vbs "\\SERVER\profiles$\USER" /T /E /F /S /G DOMAIN\USER:F /L \\SERVER\c$\xcacls\xcacls_Log-acl.txt /O "DOMAIN\USER"

However - if I run this script remotely, it works perfectly. Error
free. You can cut and paste it verbatim, and it does everything
perfectly. Run it locally on the machine where the directory resides,
and it gives that error, and doesn't set any permissions.
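
Added example, not part of the original thread or of xcacls.vbs: a small Python triage script for /DEBUG output shaped like the log in the first post, listing each object whose ownership change was followed by an error. The sample log is constructed, and treating the absence of an "Error:" line after "Changing Ownership to" as success is an assumption.

```python
import re

# Constructed sample in the shape of the /DEBUG output quoted in the first post.
# The third object (ok.txt) is hypothetical: it assumes a successful change
# prints no "Error:" line.
SAMPLE_LOG = r'''Directory: T:\Tools\TEST
Changing Ownership to "NL\TestNL2"
Error: This security ID may not be assigned as the owner of this object.
(Msg#543)
SetACLForObject: Exit
DoTheWorkOnEverythingUnderDirectory: Directory passed: "T:\Tools\TEST"
File: T:\Tools\TEST\hallo.txt
Changing Ownership to "NL\TestNL2"
Error: This security ID may not be assigned as the owner of this object.
(Msg#543)
SetACLForObject: Exit
File: T:\Tools\TEST\ok.txt
Changing Ownership to "NL\TestNL2"
SetACLForObject: Exit
'''

OBJ = re.compile(r'^(?:Directory|File): (.+)$')
OWNER = re.compile(r'^Changing Ownership to "(.+)"$')
ERR = re.compile(r'^Error: (.*?)(?:\s*\(Msg#(\d+)\))?$')
MSG = re.compile(r'^\(Msg#(\d+)\)$')

def ownership_failures(log_text):
    """Return one dict per object whose ownership change was followed by an error."""
    failures, path, owner, pending = [], None, None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := OBJ.match(line):                      # new object section starts
            path, owner, pending = m.group(1), None, None
        elif m := OWNER.match(line):                  # ownership step begins
            owner, pending = m.group(1), None
        elif (m := ERR.match(line)) and owner is not None:
            pending = {"path": path, "owner": owner, "error": m.group(1),
                       "msg": int(m.group(2)) if m.group(2) else None}
            failures.append(pending)
        elif (m := MSG.match(line)) and pending is not None:
            pending["msg"] = int(m.group(1))          # message number wrapped onto next line
            pending = None
        elif line == "SetACLForObject: Exit":         # end of this object's section
            owner = pending = None
    return failures

if __name__ == "__main__":
    for f in ownership_failures(SAMPLE_LOG):
        print(f'{f["path"]}: owner {f["owner"]} not set (Msg#{f["msg"]}): {f["error"]}')
```

The paths it reports are the ones to re-check after switching tools, since the script's own "Operation Complete" line appears even when every ownership change failed.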
 