Category Archives: CLI

For command line-related posts.

How to restore Administrators’ access to redirected My Documents folders

If you followed Microsoft’s Best practices for Folder Redirection, you accepted the default settings and allowed the system to create the folders.

The problem is that by default, the Grant the user exclusive rights to My Documents check box is selected, with the following consequence (quote from the TechNet library article about folder redirection):

If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.

This means that if you already have a bunch of existing redirected My Documents folders set up that way and you need to access them, you are out of luck. The only documented way to regain access to the folders is to take ownership of each individual folder and manually edit the permissions to give the Administrators group full control. I found a better way.

Note that if you are just setting up folder redirection and want to make sure that administrators will have access to the folders, follow the steps listed in the following article: Enabling the administrator to have access to redirected folders. For everybody else, read on.

The trick is to realize that the local system account has full control over the folder and that PsExec allows you to run commands using that account (using the -s switch). So, if the command in question happens to be a PowerShell script that gives full control to a group you belong to, the problem is solved!

Here is what you need to do:

1. Download and install PsExec and PowerShell. PowerShell needs to be installed on the computer (probably a server) hosting the redirected folders.

2. Edit the $StartingDir and $Principal variables in the following script to match your environment. $StartingDir should be the path to the shared folder that contains all your users' redirected My Documents folders; $Principal is the name of the local user or local group that should be granted the permission. It has to be a local account because the script will be run using the local system account, which doesn’t know about domain accounts. We’ll add domain users and/or groups later (step 4).

#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir= "C:\Users"

$Principal="Administrators"

$Permission="F"

$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        write-Host -foregroundcolor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName

        #ADD new permission with CACLS
        CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        #display new permissions
        Write-Host -foregroundcolor Green "New Permissions"
        CACLS $file.FullName
    }
}

Note: This script is a simplified version of Don Jones’ script found here: http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx. Check it out for more options.

3. Now, we need to run the above script with PsExec under the local system account. Note that the command line shown will run PsExec on the current computer and that the -noexit switch will prevent PowerShell from closing when the script terminates, so you get a chance to read the output.

Here is what you need to type at the command prompt (changing the paths and file names to match your environment):

>psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"

The -i switch will make the PowerShell window visible on the Desktop. If you use Remote Desktop to connect to your server, make sure that you connect to the console or you won’t see any output.

4. Now that the local Administrators group has full control on all files and folders (and I am assuming that you are a member of the local Administrators group), you can run the script again as yourself (remove the -s switch) to give domain users and groups full control, using the domain\user or domain\group format for the $Principal variable.

5. Done!
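To confirm the result of steps 3 and 4, the following added example (not part of the original post or of Don Jones' script) reports, for each folder directly under $StartingDir, whether $Principal now holds an explicit or inherited Allow/FullControl entry. It assumes PowerShell 3.0 or later; Test-FullControl is a hypothetical helper name, and the principal is written the way Get-Acl displays it (BUILTIN\Administrators, or DOMAIN\group for the accounts added in step 4).

```powershell
# Added example: assumes PowerShell 3.0 or later.
# Test-FullControl is a hypothetical helper name, not from the original post.
$StartingDir = "C:\Users"                 # same root as ChangePermissions.ps1
$Principal   = "BUILTIN\Administrators"   # as shown in Get-Acl output

$Full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FullControl {
    param([string]$Path, [string]$Identity)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Typically access denied: the folder still has exclusive rights set.
        return "Unreadable"
    }
    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            ($rights -band $Full) -eq $Full) {
            return "FullControl"
        }
    }
    return "Missing"
}

# One row per top-level user folder, including hidden ones (-Force).
$report = Get-ChildItem -LiteralPath $StartingDir -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        [pscustomobject]@{
            Folder = $_.FullName
            Status = Test-FullControl -Path $_.FullName -Identity $Principal
        }
    }

$report | Sort-Object Status, Folder | Format-Table -AutoSize
```

Run it as the account that is supposed to have access: any folder listed as Unreadable or Missing was not reached by the permission change and still needs step 3.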


How to programmatically set the processor affinity of an application

One of the users I support runs an older CAD application that doesn’t work properly on computers using a dual core processor. The application shows ghosting artifacts when he draws and eventually crashes. The trick is to limit the application’s process to only one processor (or one core). To do it manually:

  1. Launch the application
  2. Locate the application’s process in the Task Manager (type taskmgr from the Run command or press Ctrl+Alt+Delete)
  3. Right-click on the process and select Set Affinity
  4. Uncheck all the selected CPUs except one.

It works well, but it needs to be done every time the application is launched.

To do it automatically, I downloaded a free command line utility from a company called Beyond Logic: process.exe. To have a process named ExampleAppProcess.exe use only CPU 1, type:

process -a ExampleAppProcess.exe 01

So, I copied process.exe into a folder and added the path to this folder to the PATH environment variable. Then, I opened Notepad and typed:

cd c:\Program Files\ExampleAppFolder
start ExampleApp.exe
process -a ExampleAppProcess.exe 01

I saved this file as Affinity.cmd and added a shortcut to it on the Desktop. I changed the name and the icon of the shortcut to match the one used by the original application, and then deleted the original shortcut.

Now my user doesn’t have to do anything special: he double-clicks on what appears to be the same shortcut as before, but now his application works.

How to launch Outlook Express from the command line

Even if you “uninstall” Outlook Express via Add/Remove Windows Components (type control appwiz.cpl,,2 at the command prompt), it is still very much installed. The icons and shortcuts pointing to it are gone but you can still easily launch Outlook Express by typing msimn at the command line.

More info here: OLEXP: Command Line Options for Outlook Express

Also, the site to go to for everything Outlook Express: Inside Outlook Express

Keep Windows on time with the built-in Windows Time service

I had to keep a W2K machine on time as its main job is to control clocks in different locations. It turns out that Windows has a built-in SNTP client that can be set to retrieve the time from public SNTP servers.

The idea is to give Windows a list of time servers to check and then restart the Windows Time service for the change to take effect.

So, first you need a list of available SNTP time servers.

Then, you use the net time command to enter a list of time servers, e.g.:

C:\>net time /setsntp:"ns.scruz.net ntp.ucsd.edu ntp1.mainecoon.com"

Finally, you restart the Windows Time service:

C:\>net stop W32Time
C:\>net start W32Time

How to deal with “CMD does not support UNC paths as current directories”

The solution is to use pushd instead of cd to change the current directory to a share accessed via a UNC path (e.g.: >pushd \\myserver\myshare).
Use popd when done.

More info on the Microsoft Web site.