Using icacls to fix permissions on users home folders
Dear support
I have created a script using icacls which sets the user as the owner of that folder and also sets the user full control over this folder only from the folder name.
I wanted someone to assist me with this script so that the script sets user with full control over folders, sub folders and files and not just folder only. Any help much appreciated.
Script:
FOR /D %%i in (*) do (
ICACLS "%%i" /grant "domain\%%i":F /T
ICACLS "%%i" /setowner "domain\%%i" /t
)
regards
Vinay
I have created a script using icacls which sets the user as the owner of that folder and also sets the user full control over this folder only from the folder name.
I wanted someone to assist me with this script so that the script sets user with full control over folders, sub folders and files and not just folder only. Any help much appreciated.
Script:
FOR /D %%i in (*) do (
ICACLS "%%i" /grant "domain\%%i":F /T
ICACLS "%%i" /setowner "domain\%%i" /t
)
regards
Vinay
Forget the last post I made, that script did something else.
Here is a Kixtart script that I have that will match a folder name to a NT Username, and then Reset the folder so that the user has Ownership and Full control.
You need to run it with Kixtart (www.kixtart.org)
save the file as a text file with .kix extension and run is from DOS/CMD as
kixtart32 script.kix
You can create some test folder structure first to verify it does what you need.
In the script (text file type) you have to set your Domain and the Root folder - at the top of the script
;-------------------------
$ScanFolder = "e:\newfolder"
$DomainName = "Domain"
$DomObj = getobject("WinNT://@LDomai
$DomObj.filter = "user",""
for each $user in $DomObj
If $user.AccountDisabled = "0"
$username = $user.name
$userhome = TranslateName (3, "", 3, "@LDomain\$username", 1)
$userinfo = GetObject("LDAP://" + $userhome[0])
if $userinfo.mail <> ""
$TempUser = $userinfo.sAMAccountName
$UserFolder = $ScanFolder + "\" + $TempUser
$FullName = $DomainName + "\" + $TempUser
if Exist($UserFolder) = 1
? "Process folder: " + $UserFolder
RUN ('ICACLS $UserFolder /grant $FullName:(CI)f /T')
? "Process Ownership :" + $FullName
RUN ('ICACLS $UserFolder /setowner $FullName /T')
endif
endif
endif
next
? "Finished"
exit
; TranslateName function authored by Howard A. Bullock
Function TranslateName ($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
Dim $NameTranslate, $ReturnName, $Error, $ErrorText
$Error = 0
$ErrorText = ""
$ReturnName = ""
$NameTranslate = CREATEOBJECT ("NameTranslate")
$Error = @error
$ErrorText = @serror
if $Error = 0
$NameTranslate.Init ($InitType, $BindName)
$Error = @error
$ErrorText = @serror
if $Error = 0
$NameTranslate.Set ($LookupNameType, $LookupName)
$Error = @error
$ErrorText = @serror
if $Error = 0
$ReturnName = $NameTranslate.Get($Return
$Error = @error
$ErrorText = @serror
endif
endif
endif
$TranslateName = $ReturnName, $Error, $ErrorText
Endfunction
Here is a Kixtart script that I have that will match a folder name to a NT Username, and then Reset the folder so that the user has Ownership and Full control.
You need to run it with Kixtart (www.kixtart.org)
save the file as a text file with .kix extension and run is from DOS/CMD as
kixtart32 script.kix
You can create some test folder structure first to verify it does what you need.
In the script (text file type) you have to set your Domain and the Root folder - at the top of the script
;-------------------------
$ScanFolder = "e:\newfolder"
$DomainName = "Domain"
$DomObj = getobject("WinNT://@LDomai
$DomObj.filter = "user",""
for each $user in $DomObj
If $user.AccountDisabled = "0"
$username = $user.name
$userhome = TranslateName (3, "", 3, "@LDomain\$username", 1)
$userinfo = GetObject("LDAP://" + $userhome[0])
if $userinfo.mail <> ""
$TempUser = $userinfo.sAMAccountName
$UserFolder = $ScanFolder + "\" + $TempUser
$FullName = $DomainName + "\" + $TempUser
if Exist($UserFolder) = 1
? "Process folder: " + $UserFolder
RUN ('ICACLS $UserFolder /grant $FullName:(CI)f /T')
? "Process Ownership :" + $FullName
RUN ('ICACLS $UserFolder /setowner $FullName /T')
endif
endif
endif
next
? "Finished"
exit
; TranslateName function authored by Howard A. Bullock
Function TranslateName ($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
Dim $NameTranslate, $ReturnName, $Error, $ErrorText
$Error = 0
$ErrorText = ""
$ReturnName = ""
$NameTranslate = CREATEOBJECT ("NameTranslate")
$Error = @error
$ErrorText = @serror
if $Error = 0
$NameTranslate.Init ($InitType, $BindName)
$Error = @error
$ErrorText = @serror
if $Error = 0
$NameTranslate.Set ($LookupNameType, $LookupName)
$Error = @error
$ErrorText = @serror
if $Error = 0
$ReturnName = $NameTranslate.Get($Return
$Error = @error
$ErrorText = @serror
endif
endif
endif
$TranslateName = $ReturnName, $Error, $ErrorText
Endfunction
Try this (you need to specify folder start where user folders exist)
@echo off
c:
cd\
for /f "tokens=*" %%i in ('dir c:\folders\users /b') do (
icacls "c:\folders\users\%%i" /grant %%i:(F) /T /C
icacls "c:\folders\users\%%i" /setowner %%i:(F) /T /C )
Regards,
Krzysztof
@echo off
c:
cd\
for /f "tokens=*" %%i in ('dir c:\folders\users /b') do (
icacls "c:\folders\users\%%i" /grant %%i:(F) /T /C
icacls "c:\folders\users\%%i" /setowner %%i:(F) /T /C )
Regards,
Krzysztof
ASKER
iSiek:
When I used your script on Windows Server 2008 R2 i get the following errors:
"tokens=*" was unexpected at this time
And with the script originally posted works fine but problem is : It applys to only this Folder (Under shared user folder properties - Security TAB - Advanced - TYPE NAME PERMISSION INHERITED FROM APPLY TO)
All I needed from the script is it applies to this folder, sub folders and files>
Thanks for all your responses
When I used your script on Windows Server 2008 R2 i get the following errors:
"tokens=*" was unexpected at this time
And with the script originally posted works fine but problem is : It applys to only this Folder (Under shared user folder properties - Security TAB - Advanced - TYPE NAME PERMISSION INHERITED FROM APPLY TO)
All I needed from the script is it applies to this folder, sub folders and files>
Thanks for all your responses
ASKER
Chakko:
THanks for your response
The script which you have provided me worked like a treat but the problem I have is when script is executed it takes lot of CPU power (from 5 to 85%) for just couple of test folders.
I am bit worried If I perform this script against 500 user folders could bring down file server. Can you please clarify on this? And also if possible can you please assist with my current script.
Any help much appreciated
THanks for your response
The script which you have provided me worked like a treat but the problem I have is when script is executed it takes lot of CPU power (from 5 to 85%) for just couple of test folders.
I am bit worried If I perform this script against 500 user folders could bring down file server. Can you please clarify on this? And also if possible can you please assist with my current script.
Any help much appreciated
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I posted a script that basically does what you need. You can remove the line(s) which grant people the Create Folder right. ie. Just leave the lines that reset the ownership and assign the user Full Control
https://www.experts-exchange.com/questions/27421207/groupshare-permissions-question.html