Icacls variables in batch file

batchicaclsscripting

I'm moving users to a new domain, file server and user name format. I'm trying to write a simple DOS batch to copy the data and set the permissions. X: is mapped to the old server and E: is the local drive on the new server. The input file is just a CSV list of OldUserName,NewUserName. The CSV file is State.users.csv. (The batch splits out the State for use in the path on the new server).

The batch file:

SETLOCAL EnableDelayedExpansion     

FOR /F "delims=. tokens=1" %%a in ("%1") DO SET Site=%%a

FOR /F "delims=, tokens=1-2" %%c in (%1) do (
    ROBOCOPY X:\Users\%%c E:\%Site%\User\%%d /E /Z
    ICACLS "E:\%Site%\User\%%d" /grant "Domain Admins":(OI)(CI)F /Inheritance:r
    ICACLS "E:\%Site%\User\%%d" /grant "SYSTEM":(OI)(CI)F
    ICACLS "E:\%Site%\User\%%d" /grant "CREATER OWNER":(OI)(CI)F
    ICACLS "E:\%Site%\User\%%d" /grant "%%d":(OI)(CI)F
    IF NOT "%2"=="" RENAME X:\Users\%%c ZZZ-%%c
)

ENDLOCAL

When run, the icacls command dies with:

(CI)F was unexpected at this time.
        ICACLS "E:\Ohio\User\%d" /grant "Domain Admins":(OI)(CI)F /Inheritance:r

and never even runs the robocopy…? (With all of the icacls commented out, the robocopy works fine.)

Yet, the lines I have rem'd out during testing echo out the variables properly substituted:

(
rem ROBOCOPY X:\Users\MDuffy E:\Ohio\User\Steve.Hrsk /E /Z
rem ICACLS "E:\Ohio\User\Steve.Hrsk" /grant "Domain Admins":(OI)(CI)F /Inheritance:r
rem ICACLS "E:\Ohio\User\Steve.Hrsk" /grant "SYSTEM":(OI)(CI)F
rem ICACLS "E:\Ohio\User\Steve.Hrsk" /grant "CREATER OWNER":(OI)(CI)F
rem ICACLS "E:\Ohio\User\Steve.Hrsk" /grant "Steve.Hrsk":(OI)(CI)F
IF NOT "" == "" RENAME X:\Users\MDuffy ZZZ-MDuffy
)

I can copy and paste those lines (minus the REM of course) at the command prompt and icacls works as expected.

I've tried single qoutes, single quotes around the double quotes. I've added quotes to the robocopy command and it works fine (with either single or double).

For the sake of my sanity, I've taken out the (CI) and then it dies at the F for Full.

I've tried it with and without the EnableDelayedExpansion, no luck.

I've also removed the first FOR /F. Same results.

Instead of REM, I used ECHO and I STILL get the error "(CI)F was unexpected…"!!

I've copied and pasted to a new file, tried encoding it as ANSI and UTF-8, viewed all hidden characters (found a TAB between ICACLS and "E:…" on the first one, but replacing with a space didn't help). [I'm using Notepad++]

I've pasted it in a new file, saved that as text file with UTF-8 encoding and then renamed it to .bat from the cmd line….

I don't know why the variable expansion works fine for Robocopy but not Icacls (when it's not REM'd out).

What am I missing here?

Best Answer

I found that I needed to add cmd /c to the beginning of the icacls command.

My batch file looks like this: 

for /f "tokens=*" %%i in (%1) do (
        cmd /c "icacls.exe F:\home\%%i /grant %%i:(oi)(ci)(m)"
    )
)

This works fine for me.

Related Topic