I am trying to grant access to a folder using PHP. I create a folder and then try to give the user "change/modify" access to the folder. My code looks like this:

#Grant user FULL CONTROL of Profiles folder

$grantprofile="cacls.exe ".$filepath." /e /t /g ".$username.":F";
$result=exec($grantprofile);

If I run the command from a command prompt, it works fine. For some reason, when run from PHP, it doesn't seem to work.

I have the APACHE service running as a Domain Admin...

Is there another way to do this? Or does anyone know why this isn't working for me?

I appreciate any feedback,

Matt

    Try specifying the absolute path to the executable.

      If I put in the command exactly like I want it (without variables) it works.

      $grantprofile="cacls.exe \\Servername\profiles$\AATest /e /t /g domain\AATest:F";

      If I change it to the following, it does not work:
      $grantprofile="cacls.exe \\Servername\profiles$\".$uname." /e /t /g domain\".$uname.":F";

      Any ideas how I can get around this? The program obviously needs to be automated...

      Thanks!

        Build the string with variables as you're wanting to do, and then echo out the string before executing it. Does it look right? If you copy and paste the string into a DOS prompt, does it work? What if you copy the string and hardcode it into the script, does it work then?

          6 days later

          If I cut and paste the string into a DOS prompt, it works. If I copy the string and hardcode it into the script... it does not work.

            When you say "cut and paste the string", you did echo() it out from the script, right? From what you have above, you're missing a slash before the server name (wouldn't initially cause an issue if the first character isn't a special character, e.g. 'S' in your example above).

            Are you absolutely positive that Apache is running under a Domain admin account? E.g. if you look in Services in the Administrative Tools group, the "Log On As" column says <Domain Name>\User, where 'User' is the username of the domain admin account?

            If so, have you logged on to a computer using this same account to verify that it has permissions to alter the directory's ACL?

              I have resolved the issue. I was attempting to set the security at a remote location and it turns out the problem was with timing. There was a lag time between the creation of the AD account and the ability to apply permissions on a separate file server.

              I appreciate all the help everyone provided. Thanks!!

                Ah, so it was a replication issue... the 'lag time' was probably 15-20 minutes.

                I've learned: whenever I make a change in AD and I want to go test it, I force replication between all servers immediately. Saves some headaches! :p

                Don't forget to mark this thread resolved.
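
Added example, not code from the thread: one way to build the cacls command from variables with each argument shell-quoted, echo it for inspection as suggested above, and retry while a newly created AD account is not yet usable on the file server. The function names, account-name pattern, retry count and delay are assumptions, as is cacls.exe signalling failure through a non-zero exit code; the server, share and account names are the thread's sample values.

```php
<?php
// Added example; helper names, retry settings and the exit-code check are assumptions.

// Build the cacls command with every variable part validated and shell-quoted.
function buildGrantCommand(string $path, string $account, string $right = 'F'): string
{
    // Accept only DOMAIN\user style names so nothing else reaches the command line.
    if (!preg_match('/^[A-Za-z0-9._-]+\\\\[A-Za-z0-9._$-]+$/', $account)) {
        throw new InvalidArgumentException("Unexpected account name: $account");
    }
    // Rights accepted by cacls /g: Read, Write, Change, Full control.
    if (!in_array($right, ['R', 'W', 'C', 'F'], true)) {
        throw new InvalidArgumentException("Unexpected right: $right");
    }
    return 'cacls.exe ' . escapeshellarg($path)
         . ' /e /t /g ' . escapeshellarg("$account:$right");
}

// Run the command, keep its output and exit code, and retry so that a lag
// between account creation and its visibility on the file server is tolerated.
function grantWithRetry(string $cmd, int $attempts = 5, int $delaySeconds = 60): bool
{
    for ($i = 1; $i <= $attempts; $i++) {
        $output = [];
        exec($cmd . ' 2>&1', $output, $exitCode);   // capture stderr as well
        if ($exitCode === 0) {
            return true;
        }
        error_log("cacls attempt $i failed (exit $exitCode): " . implode(' | ', $output));
        if ($i < $attempts) {
            sleep($delaySeconds);
        }
    }
    return false;
}

// Single quotes: "$" is not interpolated, and "\\" yields one backslash,
// so the UNC path keeps both leading backslashes.
$path = '\\\\Servername\\profiles$\\AATest';
$cmd  = buildGrantCommand($path, 'domain\\AATest');
echo $cmd, PHP_EOL;                                 // inspect the exact string first

if (!grantWithRetry($cmd)) {
    error_log('Giving up: permissions were not applied to ' . $path);
}
```

Logging the command's output and exit code on each attempt shows whether a failure is a permissions problem or an account that cannot be resolved yet, which a bare `exec()` call hides.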
