I'm trying to give ppan full control to folder c:\ppan via cacls.exe in php but nothing seems to happen via the codes below...

I've already granted cacls.exe/IUSER execute and read permission.

I've tried cmd.exe with the same permission as cacls.exe and it does work (c:\windows\system32\cmd.exe /c echo Hello World!) ..but when I substitute it with cacls.exe, nothing happens. If I copy/paste the command that has been echoed ("c:\windows\system32\cacls.exe c:\ppan /e /g ppan:F") in the command prompt, it works perfectly. Can someone help please? :queasy:

Below is the PHP code....

$filepath = "c:\ppan";
$username = "ppan";
$cmd = "c:\windows\system32\cacls.exe ".$filepath." /e /g ".$username.":F";
echo $cmd;
$result = exec($cmd);
echo $result;

NOTE: I'm using IIS

    Did you give the IUSR account permission to modify the permissions for the c:\ppan folder? Have you tried giving the IUSR account Full Control as well? Note that it most likely already has permissions to execute cacls.exe - it's the permissions of the c:\ppan folder that you need to open up for IUSR.

    Also, try changing exec() to system() to see if anything is being outputted (exec() only returns the last line of output - system() returns all of it).
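
An added example (not code from the thread) of the diagnosis suggested in the reply above: capture every line cacls prints, including errors, together with its exit code, and show which Windows account the IIS-hosted PHP process runs as. `run_captured` and `build_cacls_grant` are hypothetical helper names, and `whoami` being available on the server is an assumption.

```php
<?php
// Added diagnostic example; helper names are hypothetical.

/** Run a command and return every output line (stdout and stderr) plus the exit code. */
function run_captured(string $cmd): array
{
    $lines = [];
    $code  = -1;
    // 2>&1 folds stderr (for example "Access is denied.") into $lines;
    // exec() on its own returns only the last line of output.
    exec($cmd . ' 2>&1', $lines, $code);
    return ['cmd' => $cmd, 'exit' => $code, 'output' => $lines];
}

/** Build the cacls grant command from validated input instead of raw concatenation. */
function build_cacls_grant(string $path, string $user): string
{
    // Allowlist the account name (optionally DOMAIN\name) so it cannot
    // carry shell metacharacters into the command line.
    if (!preg_match('/^(?:[A-Za-z0-9._-]+\\\\)?[A-Za-z0-9._$-]+$/', $user)) {
        throw new InvalidArgumentException('unexpected characters in account name');
    }
    return 'c:\\windows\\system32\\cacls.exe ' . escapeshellarg($path)
         . ' /e /g ' . $user . ':F';
}

// 1. Which account is the PHP process actually running as?
//    Assumption: whoami.exe is present on this server.
$who = run_captured('whoami');

// 2. Run the grant from the original post and keep everything cacls printed.
$grant = run_captured(build_cacls_grant('c:\\ppan', 'ppan'));

foreach ([$who, $grant] as $r) {
    echo $r['cmd'], "\n  exit code: ", $r['exit'], "\n";
    foreach ($r['output'] as $line) {
        echo '  ', $line, "\n";
    }
}
```

The account printed by the first command is the one that needs rights to change permissions on the target folder.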

      ahhh! Beginning to get somewhere, thanks....the IUSR_* didn't work, but...

      If I assign MyPC\Users full control, it works - but bearing in mind that I have the script hosted on MyPC and I was assigning permissions to MyPC\Users on the same PC.

      My query is...in a normal IT infrastructure (Windows), you would have the script hosting on one server (serverM here) and the user folder on another server (serverS here). How do I give permission to ServerM\Users full control on ServerS directory? Surely ServerM\Users are built-in users within ServerM hence it won't be seen by ServerS?!

      Can I get round it by creating an Active Directory user? If so, how can you associate this AD user to ServerM\Users?!

        constance.kan wrote:

        Can I get round it by creating an Active Directory user?

        Exactly.

        You say you have ServerM running IIS. You can create an AD user called IUSR_ServerM (or anything else, actually - it's up to you) and assign it some random, secret password (make sure you remember it, though! :p).

        On ServerM, open up the Services MMC module (in Administrative Tools) and find the IIS service... I'm pretty sure the one you need to change is the World Wide Web service or something similar (I don't have easy access to my W2k3 servers right now, so I can't give you exact instructions). If you go to the properties of that service and select the Log On tab, you can change the credentials that the service uses to start. Instead of using a local account, tell it to use the newly created domain account. It should then look like DOMAIN_NAME\IUSR_ServerM once you're done.

        Then it's a simple matter of giving IUSR_ServerM (on the domain - NOT one of either server's local accounts) permissions in directories on other servers. Note that I believe you also should create another AD user for the worker process when it uses anonymous access - the IWAM_ServerM account, as there is a place within the IIS manager to specify which account to use; you'd want to switch this from the local IWAM_ServerM account to the one in your AD domain. Once you've made all of these changes, you should be able to disable both IUSR/IWAM local accounts on ServerM to verify that IIS is using the domain accounts now.

        Again, sorry I couldn't give you exact instructions - I don't have access to my W2k3 servers right now. If you can't figure it out on your own, let me know and I'll try to post more exact instructions once I fix some VPN issues :p

          I think you mean the "Authentication Methods", and select "Basic authentication"?

          A few questions....

          1. Do I set this to just the php script page that runs the codes for this? Or the whole web site?!

          2. My boss, who is always too busy to help me (and he's in infrastructure - not a developer), told me to use "Integrated Windows authentication". I should never give the guest user more rights than the defaults. It is set to "Integrated Windows authentication" currently, but it doesn't work. What would be the impact? Does that mean it picks up the user's login - whoever's running the script? If that's the case, I'm logged in as myself and I'm an admin with full rights?!

          3. I've used:
            echo($_SERVER['LOGON_USER']);
            echo($_SERVER['AUTH_USER']);
            echo($_SERVER['REMOTE_USER']);
            to display the users in php
            and they displayed my username for all of the above and I have admin rights.

          So why am I still getting permission denied? I've even put myself with full control in the folder where I want to make directory.

          HELP? I thought I am getting so close and yet I'm still not there!

            I've also written up my "experiment results"...

            RUNNING SCRIPT / SCRIPT HOSTED / PERFORMING TASK / PERFORMING TASK LOCATION / RESULT

            My local PC / Svr_M / exec cacls for user ppan / Svr_S (\Svr_S\CKTest\ppan) / nothing happened

            My local PC / Svr_M / exec cacls for user ppan / Svr_M (\Svr_M\CKTest\ppan) / OK – ppan added with full control

            My local PC / My local PC / exec cacls for user ppan / My local PC (c:\ppan) / OK – ppan added with full control
