dprice7
asked on
cacls batch script needs to run for each file in the folder to change permissions
How can I write a script batch program to read all the file names in a directory and change the permissions using the CACLS command?
thanks in advance,
Don
thanks in advance,
Don
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
sirbounty,
I need to make sure administrator is the owner of all files within this folder before I execute this command for each file
otherwise the permissions don't seem to change.
Can it be done within your loop?
thanks again,
Don
I need to make sure administrator is the owner of all files within this folder before I execute this command for each file
otherwise the permissions don't seem to change.
Can it be done within your loop?
thanks again,
Don
Can you provide a little more detail on your situation and what you're trying to accomplish?
ASKER
Please allow me to elaborate a little..
The specific circumstance is I have a folder that is used to store completed documents in for all to read but none to change. First of all the user who creates these documents needs a way to transfer them into this folder.
Once that occurs I need to remove the change permissions from that user and anyone else who was carried over from the originating folder.
Hence the reason for this loop.
g:
cd Quality
CD\MyFolder
for %a in (*.*) do cacls %a /T /G "X\Domain Admins":F "X\Domain Users":R "X\QualityDocCtrl-Admin":R
I also tried to get around the issue of ownership by changin the owner on the top folder manusally and checking the box that says to do the same for subfolders.
This loop does not work in a batch program it errors out saying a problem with a.
suggestions for doing the loop and changing the owner are appreciated,
Does it make more sense now?
Don
The specific circumstance is I have a folder that is used to store completed documents in for all to read but none to change. First of all the user who creates these documents needs a way to transfer them into this folder.
Once that occurs I need to remove the change permissions from that user and anyone else who was carried over from the originating folder.
Hence the reason for this loop.
g:
cd Quality
CD\MyFolder
for %a in (*.*) do cacls %a /T /G "X\Domain Admins":F "X\Domain Users":R "X\QualityDocCtrl-Admin":R
I also tried to get around the issue of ownership by changin the owner on the top folder manusally and checking the box that says to do the same for subfolders.
This loop does not work in a batch program it errors out saying a problem with a.
suggestions for doing the loop and changing the owner are appreciated,
Does it make more sense now?
Don
ASKER
sir bounty,
Does your not responding mean you give up or are just busy right now?
thanks,
Don
Does your not responding mean you give up or are just busy right now?
thanks,
Don
Sorry Don - been out of pocket for a while.
Sounds like by your last post, it still isn't resolved? No need to accept until it is...
Let me see if I can assist further, just in case...
So, UserA creates a document and then needs to copy it into a folder that only users should have Read access to?
I don't think it's necessary to go about it this way. Let's try this:
Preliminary steps:
a) Set QualityDocCtrl's share permissions to be Everyone/Full Control
b) Set QualityDocCtrl' Security/NTFS permissions to be Domain Users/Read (you will also probably have to set up special permissions (advanced) to allow 'change permissions' permission.
Now, in the process as you'd outlined above, if I understand correctly, this is what needs to occur:
a) UserA creates a QualityDoc
b) UserA should now run the script that resets the permissions to Domain Users\Write access
c) UserA should "Copy" the file to QualityDocCtrl
d) UserA should now run a script that resets the permissions back to Domain Users\Read Only
e) UserA deletes the original file
See, the way NTFS works is if you 'move' a file (which is essentially a copy/delete) - the permissions that were originally on the file when it was in the 'working' folder remain.
Thus, if UserA creates a document in FolderA (obviously he has write access to this folder), and he then moves it to FolderB - the file basically ignores any permission settings on FolderB and retains the original permissions. The reasoning is the file itself isn't really 'moved'. The only change that really occurs is NTFS's 'pointer' updates the location in its table where the file is now stored.
However, if UserA takes that same file from FolderA and Copies it to FolderB - well now, it inherits the permissions of FolderB, since it's a 'new' file that 'lives' in that folder. Then, UserA just needs to delete the file from the original location (presumably, this isn't a problem in your situation). I assume that it's been set up for a move to occur?
Anyway, hope this helps.
I may check my email in the morning, but just so you're aware - I'm out of town until Wednesday late evening, so if you post again after tomorrow morning, it may be a while before I can respond. Good luck!
Sounds like by your last post, it still isn't resolved? No need to accept until it is...
Let me see if I can assist further, just in case...
So, UserA creates a document and then needs to copy it into a folder that only users should have Read access to?
I don't think it's necessary to go about it this way. Let's try this:
Preliminary steps:
a) Set QualityDocCtrl's share permissions to be Everyone/Full Control
b) Set QualityDocCtrl' Security/NTFS permissions to be Domain Users/Read (you will also probably have to set up special permissions (advanced) to allow 'change permissions' permission.
Now, in the process as you'd outlined above, if I understand correctly, this is what needs to occur:
a) UserA creates a QualityDoc
b) UserA should now run the script that resets the permissions to Domain Users\Write access
c) UserA should "Copy" the file to QualityDocCtrl
d) UserA should now run a script that resets the permissions back to Domain Users\Read Only
e) UserA deletes the original file
See, the way NTFS works is if you 'move' a file (which is essentially a copy/delete) - the permissions that were originally on the file when it was in the 'working' folder remain.
Thus, if UserA creates a document in FolderA (obviously he has write access to this folder), and he then moves it to FolderB - the file basically ignores any permission settings on FolderB and retains the original permissions. The reasoning is the file itself isn't really 'moved'. The only change that really occurs is NTFS's 'pointer' updates the location in its table where the file is now stored.
However, if UserA takes that same file from FolderA and Copies it to FolderB - well now, it inherits the permissions of FolderB, since it's a 'new' file that 'lives' in that folder. Then, UserA just needs to delete the file from the original location (presumably, this isn't a problem in your situation). I assume that it's been set up for a move to occur?
Anyway, hope this helps.
I may check my email in the morning, but just so you're aware - I'm out of town until Wednesday late evening, so if you post again after tomorrow morning, it may be a while before I can respond. Good luck!
ASKER
sirbounty,
thanks for not giving up on me. :)
I tried to have the owner manually copy different documents into the FolderB from various locations and each one kept their original permissions and owner.
That is why I wanted to let them copy everything to one location regardless of where it came from and then just change anything new in the directory to read only permissions for everyone or in this case change the existing permission on QualityDocCtrl_Admin to R(read) from C(change) .
Since it all needs to end up read only I thought of using the batch cacls to accomplish it.
But the other stumbling block seemed to be it wanted Admin to own the docs before the changes would work in the cacls command.
Don
thanks for not giving up on me. :)
I tried to have the owner manually copy different documents into the FolderB from various locations and each one kept their original permissions and owner.
That is why I wanted to let them copy everything to one location regardless of where it came from and then just change anything new in the directory to read only permissions for everyone or in this case change the existing permission on QualityDocCtrl_Admin to R(read) from C(change) .
Since it all needs to end up read only I thought of using the batch cacls to accomplish it.
But the other stumbling block seemed to be it wanted Admin to own the docs before the changes would work in the cacls command.
Don
More specifically Don, I believe it's requiring the 'change permissions' right that I mentioned before.
Can you provide a little more information on this/these NTFS volumes/partitions?
Is this move/copy occuring 'across' NTFS volumes or within the same volume? That would make a difference, and I may have misguided you with the statement above, re-reading it.
A copy results in a 'new' file being created and it should inherit the destination permissions.
A move is dependent upon the partition condition: if it's on the same partition, the file retains its original permission, but if it's across partitions, it inherits the destination permissions.
Here's a link referencing NTFS special perms: http://www.windowsitlibrary.com/Content/592/2.html
And another referencing move/copy permissions on NTFS: http://www.windowsitlibrary.com/Content/592/2.html#4
Of course, a move or copy to FAT loses all permissions.
I have been meaning to test what you're trying to accomplish, but since I'm out of town, I'm unable to until I return to the office. I hope that you find this information useful though.
Can you provide a little more information on this/these NTFS volumes/partitions?
Is this move/copy occuring 'across' NTFS volumes or within the same volume? That would make a difference, and I may have misguided you with the statement above, re-reading it.
A copy results in a 'new' file being created and it should inherit the destination permissions.
A move is dependent upon the partition condition: if it's on the same partition, the file retains its original permission, but if it's across partitions, it inherits the destination permissions.
Here's a link referencing NTFS special perms: http://www.windowsitlibrary.com/Content/592/2.html
And another referencing move/copy permissions on NTFS: http://www.windowsitlibrary.com/Content/592/2.html#4
Of course, a move or copy to FAT loses all permissions.
I have been meaning to test what you're trying to accomplish, but since I'm out of town, I'm unable to until I return to the office. I hope that you find this information useful though.
ASKER
The volume or partition would be the same in this case.
However, I would prefer not to place that restriction on the process.
We have certain people who author documents but once they are reviewed for correctness they need placed somewhere
for all the see but none to change and I don't want to do it manually only through a script that runs and checks the repository for files and automatically moves them to their new readable directory for all to see.
The original owners and permissions should no longer exist once they enter the new directory the owner should now be the administrator and everyone should be able to read the document.
However, I would prefer not to place that restriction on the process.
We have certain people who author documents but once they are reviewed for correctness they need placed somewhere
for all the see but none to change and I don't want to do it manually only through a script that runs and checks the repository for files and automatically moves them to their new readable directory for all to see.
The original owners and permissions should no longer exist once they enter the new directory the owner should now be the administrator and everyone should be able to read the document.
Don, the only other method that I can see to get this working is to have the administrator run the cacls script remotely.
In other words, you'll have to open the share for write permissions every time someone wants to copy a file there (scriptA) and then run another script after it's copied (scriptB)
scriptA
@cacls \\server\share\folder /g everyone:W
scriptB
@cacls \\server\share\folder /d everyone:W
It might be a pain to do so, but without getting into Advanced permissions, I see no other way...
In other words, you'll have to open the share for write permissions every time someone wants to copy a file there (scriptA) and then run another script after it's copied (scriptB)
scriptA
@cacls \\server\share\folder /g everyone:W
scriptB
@cacls \\server\share\folder /d everyone:W
It might be a pain to do so, but without getting into Advanced permissions, I see no other way...
CACLS C:\MyFolder /T /G Everyone:F