Justin Durrant
asked on
Folder Ownership and Permissions
Ok, here is my problem. I have 100s of personal home dirs for each of our users on a file server. Each user only has access to his or her dir. I need to set up the ownership on all folders and subfolders to the local admins group while preserving the user NTFS permissions (this way they can still access their own dir since they are not part of the local admins group). I have tried SUBINACL and ROBOCOPY, but these overwrite the existing permissions and just give the local admins full control.
Any ideas how I can do this?
also don't forget to remove the 'Users' group as they have default read permissions to all folders on Win2k3 file server.
No need. Default behaviour of CACLS will REPLACE permissions completely. The /e switch edits them. Thus it's important to put the admins first or you could lock yourself out.
ASKER
Ok, bear with me here, I suck at scripting... I created a batch file called cacls.bat with the following:
REM Note: this file must not itself be named cacls.bat; run from C:\, the cacls calls below find C:\cacls.bat before cacls.exe and re-run this script.
for /f "tokens=1" %%a in ('dir /b c:\test') do (
cacls c:\test\%%a /t /c /g %computername%\administrators:f
cacls c:\test\%%a /t /e /c /g domain\%%a:f
)
I also created one replacing "domain" with our domain name and no luck:
for /f "tokens=1" %%a in ('dir /b c:\test') do (
cacls c:\test\%%a /t /c /g %computername%\administrators:f
cacls c:\test\%%a /t /e /c /g americas\%%a:f
)
When I run it against a test dir it just loops:
C:\>(
cacls c:\test\test1 /t /c /g NFDNT015\administrators:f
cacls c:\test\test1 /t /e /c /g americas\test1:f
)
C:\>for /F "tokens=1" %a in ('dir /b c:\test') do (
cacls c:\test\%a /t /c /g NFDNT015\administrators:f
cacls c:\test\%a /t /e /c /g americas\%a:f
)
C:\>(
cacls c:\test\test1 /t /c /g NFDNT015\administrators:f
cacls c:\test\test1 /t /e /c /g americas\test1:f
)
C:\>for /F "tokens=1" %a in ('dir /b c:\test') do (
cacls c:\test\%a /t /c /g NFDNT015\administrators:f
cacls c:\test\%a /t /e /c /g americas\%a:f
Sorry, small screw up on my part:
First, create a text file with the letter y and a carriage return. Do this by typing EXACTLY the following at a command line, replacing [key] with pressing the key.
COPY CON C:\Y.TXT[Enter]
Y[Enter]
[F6]
Next, use the following in a script:
for /f "tokens=1" %%a in ('dir /b /ad c:\test') do (
cacls c:\test\%%a /t /c /g builtin\administrators:f < c:\y.txt
cacls c:\test\%%a /t /e /c /g americas\%%a:f < c:\y.txt
)
To step through this:
the loop lists all the users in that folder because the folders are named the same as the usernames.
the first CACLS line sets the administrators to full control
the second CACLS line sets the user to full control (this must be second or errors will occur trying to set admins to full).
At the end of each CACLS line, there is a < c:\y.txt - this is there because CACLS will prompt you to confirm you want to do this. There is no built in switch to turn this prompting off, so we redirect "input" so that the file "y.txt" provides the Y Enter needed.
ASKER
Still stuck in the loop..
Here is the contents of my y.txt file:
COPY CON C:\Y.TXT
Y
Here is the batch file:
for /f "tokens=1" %%a in ('dir /b /ad c:\test') do (
cacls c:\test\%%a /t /c /g builtin\administrators:f < c:\y.txt
cacls c:\test\%%a /t /e /c /g americas\%%a:f < c:\y.txt
)
And the result:
C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\test1 /t /e /c /g americas\test1:f 0<c:\y.txt
)
C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\%a /t /e /c /g americas\%a:f 0<c:\y.txt
)
C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\test1 /t /e /c /g americas\test1:f 0<c:\y.txt
)
C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\%a /t /e /c /g americas\%a:f 0<c:\y.txt
)
ASKER
Never mind.. I see I create the Y text with the copy con command.. so I got the y.txt created, ran the batch file. Still looping:
C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\test1 /t /e /c /g americas\test1:f 0<c:\y.txt
)
C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\%a /t /e /c /g americas\%a:f 0<c:\y.txt
)
C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\test1 /t /e /c /g americas\test1:f 0<c:\y.txt
)
C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\%a /t /e /c /g americas\%a:f 0<c:\y.txt
)
C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\test1 /t /e /c /g americas\test1:f 0<c:\y.txt
)
C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\%a /t /e /c /g americas\%a:f 0<c:\y.txt
)
C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\test1 /t /e /c /g americas\test1:f 0<c:\y.txt
)
C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f 0<c:\y.txt
cacls c:\test\%a /t /e /c /g americas\%a:f 0<c:\y.txt
)
It's supposed to loop. Do you have an account in the domain called "test1". Here's what I do:
********Here's the EXACT script I'm using:
rem @echo off
for /f "tokens=1" %%a in ('dir /ad /b c:\temp\scripts\cacls') do (
cacls c:\temp\scripts\cacls\%%a /t /c /g builtin\administrators:f < y.txt
cacls c:\temp\scripts\cacls\%%a /t /e /c /g antiverse\%%a:f
)
********Now, I run the script (test.cmd)
C:\Temp\scripts\cacls>test
********And here's what the Batch file does
C:\Temp\scripts\cacls>rem @echo off
C:\Temp\scripts\cacls>for /F "tokens=1" %a in ('dir /ad /b c:\temp\scripts\cacls') do (
cacls c:\temp\scripts\cacls\%a /t /c /g builtin\administrators:f 0<y.txt
cacls c:\temp\scripts\cacls\%a /t /e /c /g antiverse\%a:f
)
C:\Temp\scripts\cacls>(
cacls c:\temp\scripts\cacls\andreab /t /c /g builtin\administrators:f 0<y.txt
cacls c:\temp\scripts\cacls\andreab /t /e /c /g antiverse\andreab:f
)
Are you sure (Y/N)?processed dir: c:\temp\scripts\cacls\andreab
processed dir: c:\temp\scripts\cacls\andreab
C:\Temp\scripts\cacls>(
cacls c:\temp\scripts\cacls\leew /t /c /g builtin\administrators:f 0<y.txt
cacls c:\temp\scripts\cacls\leew /t /e /c /g antiverse\leew:f
)
Are you sure (Y/N)?processed dir: c:\temp\scripts\cacls\leew
processed dir: c:\temp\scripts\cacls\leew
********Now I test the results - I check the permissions on the folders. I do this by using cacls but you can check it with file properties as well.
C:\Temp\scripts\cacls>cacls leew
C:\Temp\scripts\cacls\leew BUILTIN\Administrators:(OI)(CI)F
ANTIVERSE\leew:(OI)(CI)F
ASKER
Ok.. I do not have a domain account called test1. Let me try against an actual folder.
ASKER
Ok.. this may not work.. Reason being, our domain accounts are not the same as our user folders.
For example, I have a folder called durrantj on the file server yet my domain account is nfdjdurr.
Is there a workaround for this?
You can create a text file with space or tab delimited columns. For example:
Account Folder
durrantj nfdjdurr
smitha asmith
johnsonv vicjohns
I'll post a script shortly that should handle that.
ASKER
thx man
rem @echo off
REM Each line of folderlist.txt is "folder account" (as in the sample below): %%a = folder, %%b = account.
REM "tokens=1,2" is needed so that %%b is filled; swap %%a and %%b in the two cacls lines if your file lists the account first.
for /f "tokens=1,2" %%a in (folderlist.txt) do (
cacls c:\temp\scripts\cacls\%%a /t /c /g builtin\administrators:f < y.txt
cacls c:\temp\scripts\cacls\%%a /t /e /c /g YourDomainName\%%b:f
)
The above should do.
Note - folderlist.txt should have no column headings or footer information. A pure text file with data only - like this:
----------------
durrantj nfdjdurr
smitha asmith
johnsonv vicjohns
----------------
Funny, this is similar to what I had to do a year and a half ago. I got a text file in a tab delimited format with a folder name, and UP TO 3 users that should have been granted permissions to the folder. I had to modify this on a weekly basis for over 100 folders. It took me a few days of interrupted work, but I got the script working and didn't touch it again.
ASKER
Cool I will try it.. Please confirm this will set the owner of all folders and subfolders to the local admins group? Also, I assume it also replaces the NTFS permissions on all child objects, correct? If it just changes the durrantj folder and not all the files and folders within it, it is of no use to me.
Thx,
Justin
Sorry, won't change ownership. Why is this necessary?
WILL change permissions recursively - The /T option in the CACLS line handles that.
/T Changes ACLs of specified files in the current directory and all subdirectories.
If you must change ownership, you can download some utilities that should allow this:
http://gnuwin32.sourceforge.net/packages/fileutils.htm
Specifically the CHOWN command from the above link.
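An added example from the editor, not code from the thread or any of its posters: it does in PowerShell what the folderlist.txt script above does with CACLS and also makes the ownership change that CACLS cannot, adding BUILTIN\Administrators Full Control on every object under each home folder while keeping the user's existing entries, and setting the owner to Administrators with takeown.exe. Assumed and not from the thread: the parameter names, the default paths, the -RemoveUsersRead switch (for the Users-group read mentioned early in the thread), and that the script runs elevated on the file server.

```powershell
<#
  Editor's added example, not code from the thread. Same end state as the CACLS loop,
  reached additively: every object under a home folder gets BUILTIN\Administrators
  (OI)(CI)F without the user's own entries being replaced, and ownership goes to
  Administrators (the part CACLS cannot do) via takeown.exe. The mapping file uses the
  thread's folderlist.txt layout, one "folder account" pair per line, e.g. "durrantj nfdjdurr".
  Assumed (not from the thread): parameter names, default paths, the -RemoveUsersRead switch.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$HomeRoot = 'C:\test',            # assumed root that holds the home folders
    [string]$MapFile  = 'C:\folderlist.txt',  # assumed path; "folder account" lines, no header
    [string]$Domain   = 'AMERICAS',           # the domain named in the thread
    [switch]$RemoveUsersRead                  # also drop the BUILTIN\Users read inherited from the root
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$admins      = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

function New-FullControlRule([System.Security.Principal.NTAccount]$Who, [bool]$IsDirectory) {
    # On a directory this is the ACE CACLS prints as (OI)(CI)F; files take no inheritance flags.
    $inherit = if ($IsDirectory) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Who, $fullControl, $inherit, 'None', 'Allow'
}

function Add-AdminsFullControl([System.IO.FileSystemInfo]$Item) {
    # Returns $true when an ACE had to be added. Objects that already carry Administrators
    # Full Control, explicit or inherited from a folder fixed a moment earlier, are left alone.
    $acl = Get-Acl -LiteralPath $Item.FullName
    $present = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($fullControl)
    }
    if ($present) { return $false }
    $acl.AddAccessRule((New-FullControlRule $admins ($Item -is [System.IO.DirectoryInfo])))
    Set-Acl -LiteralPath $Item.FullName -AclObject $acl    # honours -WhatIf on its own
    return $true
}

function Grant-Tree([System.IO.DirectoryInfo]$Dir) {
    # Top-down: fix the folder before listing it, so this process has list access to descend.
    # Junctions are not followed, so a user-created reparse point cannot steer the walk outside.
    $n = 0
    if (Add-AdminsFullControl $Dir) { $n++ }
    foreach ($child in $Dir.EnumerateFileSystemInfos()) {
        if ($child -is [System.IO.DirectoryInfo]) {
            if (-not $child.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)) { $n += Grant-Tree $child }
        } elseif (Add-AdminsFullControl $child) { $n++ }
    }
    return $n
}

function Repair-HomeFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Folder, [string]$Account)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        Write-Warning "Skipping ${Folder}: folder not found"; return
    }
    # 1. Ownership. A member of Administrators may always take ownership, even where the
    #    user's ACL denies everything else, and an owner can always read and rewrite the DACL.
    if ($PSCmdlet.ShouldProcess($Folder, 'takeown /A /R (owner = BUILTIN\Administrators)')) {
        & takeown.exe /F $Folder /A /R /D Y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "takeown reported errors under $Folder" }
    }
    # 2. Administrators Full Control on every object, existing entries kept.
    $changed = Grant-Tree (Get-Item -LiteralPath $Folder -Force)
    # 3. The user's own entry, as the thread's second CACLS line does. An account that does not
    #    exist in the domain fails here at Set-Acl, which is the "test1" problem seen in the thread.
    try {
        $acl = Get-Acl -LiteralPath $Folder
        $acl.AddAccessRule((New-FullControlRule ([System.Security.Principal.NTAccount]"$Domain\$Account") $true))
        if ($RemoveUsersRead) {
            # Break inheritance keeping copies of the inherited entries, persist, then purge the
            # now-explicit BUILTIN\Users entries. Purge skips inherited ACEs, hence two passes.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $Folder -AclObject $acl
            $acl = Get-Acl -LiteralPath $Folder
            $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Users')
        }
        Set-Acl -LiteralPath $Folder -AclObject $acl
        $status = 'ok'
    } catch {
        $status = "user ACE failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Folder = $Folder; Account = "$Domain\$Account"; ObjectsChanged = $changed; Status = $status }
}

$results = foreach ($line in Get-Content -LiteralPath $MapFile) {
    $fields = $line.Trim() -split '\s+'          # space or tab delimited, as in the thread
    if ($fields.Count -lt 2 -or $fields[0] -eq '') { continue }   # blank or malformed line
    Repair-HomeFolder -Folder (Join-Path $HomeRoot $fields[0]) -Account $fields[1]
}
$results | Format-Table -AutoSize
```

Run it with -WhatIf first; a mapped account that does not exist in the domain is reported in the Status column instead of stopping the run.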
ASKER
Well some users have set up their folder for them only to have access. Maybe I don't need to change ownership.
I just need to get by the access denied messages when I try and access their home dirs.
Hmmm.... not sure... if they've already locked you out, you may need to use that chown command to change things first.
ASKER
That's what I was afraid of... damn end users.
Use XcAcls
XcAcls Syntax
XcAcls uses the following syntax:
xcacls FileName [/t] [/e] [/x] [/c] [/g User:Permissions;Spec [...]] [/r User [...]] [/p User:Permissions;Spec [...]] [/d User [...]] [/y] [/?|/h]
Parameters
FileName
Indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) is typically applied. All standard wildcard characters can be used.
/t
Recursively walks through the current directory and all of its subdirectories, applying the chosen access rights to the matching files or directories.
/e
Edits the ACL instead of replacing it.
/x
Edits the ACL instead of replacing it; affects only the ACEs that the specified users already own.
/c
Causes XcAcls to continue if an "access denied" error occurs. If /c is omitted, XcAcls stops on this error.
/g User:Permissions;Spec
Grants User access to the matching file or directory. Permissions apply the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:
R - Read
C - Change (write)
F - Full Control
P - Change Permissions (special access)
O - Take Ownership (special access)
X - Execute (special access)
E - Read (Special access)
W - Write (Special access)
D - Delete (Special access)
T - Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value)
Notes
• The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Share permissions.
• All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.
/r User
Revokes all access rights for the specified user.
/p User:Permissions;Spec
Replaces access rights for User. Permissions applies the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:
R - Read
C - Change (write)
F - Full Control
P - Change Permissions (special access)
O - Take Ownership (special access)
X - Execute (special access)
E - Read (special access)
W - Write (special access)
D - Delete (special access)
T - Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value.)
Notes
• The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Share permissions.
• All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.
/d User
Denies the specified user access to the file or directory.
/y
Disables the confirmation when replacing user access rights. By default, XcAcls asks for confirmation. Because of this feature, when XcAcls is used in a batch routine, the routine stops responding until the right answer is entered. Use the /y parameter when you use XcAcls in batch mode.
--------------------------
XcAcls Examples
Example 1: Replace ACLs of All Files and Directories in the Current Directory
You want to replace the existing ACLs of all files and directories in the current directory with Read and Write access for the administrator, suppressing confirmation. Type the following at the command line:
xcacls *.* /g administrator:rw /y
Notice that you are not asked to confirm the change. You see output similar to the following:
processed file: C:\data\compressed.txt
processed file: C:\data\deptdata.txt
processed file: C:\data\dirafter.txt
processed file: C:\data\temp.txt
processed file: C:\data\uncompressed.txt
processed file: C:\data\userdata.txt
You can check to see that the command was executed by typing the following at the command line:
xcacls *.*
You see output similar to the following, confirming that the access rights have been set for the administrator:
C:\data\compressed.txt MYCOMPUTER\Administrator:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
(the same entry is listed for C:\data\deptdata.txt, dirafter.txt, temp.txt, uncompressed.txt and userdata.txt)
Example 2: Edit the ACLs of the Current Directory
You want to give TestUser Read, Write, Run, and Delete rights on all new files created in this directory, but only Read and Write permissions on the directory itself. Type the following at the command line:
xcacls *.* /g TestUser:rwed;rw /e
You see output similar to the following:
processed file: C:\test\compressed.txt
processed file: C:\test\deptdata.txt
processed file: C:\test\dirafter.txt
processed file: C:\test\temp.txt
processed file: C:\test\uncompressed.txt
processed file: C:\test\userdata.txt
C:\data\compressed.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
(the same two entries are listed for C:\data\deptdata.txt, dirafter.txt, temp.txt, uncompressed.txt and userdata.txt)
The command edited the ACL of a file or a directory, but its effect on a directory was different. The ACE added to the directory is also an inherit ACE for new files created in this directory.
Example 3:
Edit Permissions on a Directory Without Creating an Inherit for New Files
You want to grant Read and Write permissions on a directory for TestUser. You do not want to create an inherit entry for new files, but grant only Read access to existing files. Type the following at the command line:
xcacls *.* /g TestUser:r;trw /e
You see output similar to the following:
C:\data\compressed.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
(the same two entries are listed for C:\data\deptdata.txt, dirafter.txt, temp.txt, uncompressed.txt and userdata.txt)
The command edited the ACL of a file or a directory, but its effect on a directory was different. The ACE added to the directory is also an inherit ACE for new files created in this directory.
Example 3: Edit Permissions on a Directory Without Creating an Inherit for New Files
You want to grant Read and Write permissions on a directory for TestUser. You do not want to create an inherit entry for new files, but grant only Read access to existing files. Type the following at the command line:
xcacls *.* /g TestUser:r;trw /e
You see output similar to the following:
C:\data\compressed.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
C:\data\deptdata.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
C:\data\dirafter.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
C:\data\temp.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
C:\data\uncompressed.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
C:\data\userdata.txt Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES
MYCOMPUTER\TestUser:C
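The xcacls examples above rely on the "perm;spec" notation: the part after the semicolon is what the directory itself gets, the part before it is what new files created in that directory will inherit. The same two entries can be built explicitly with .NET access rules, which makes the inheritance flags visible instead of implied. The following is an added example, not part of the KB text or the poster's reply; the folder name and account name are assumptions that mirror the listing above, and the rights follow the KB's own wording (Read, Write, Run, Delete) rather than a bit-for-bit mapping of the xcacls letters.

```powershell
# Added example (not from the KB excerpt above): the xcacls "perm;spec" idea
# rebuilt as two separate access rules so each half's scope is explicit.
# Assumptions: $Folder exists, $User resolves on this machine, and the caller
# may change the folder's DACL. Works on PowerShell 2.0 and later.
param(
    [string] $Folder = 'C:\test',   # assumed, mirrors the KB listing
    [string] $User   = 'TestUser'   # assumed, mirrors the KB listing
)

$acct = New-Object System.Security.Principal.NTAccount($User)
$acl  = Get-Acl -Path $Folder

# The "spec" half of Example 2 (TestUser:rwed;rw): Read + Write on the
# directory object itself. No inheritance flags, so nothing below inherits it.
$onDirectoryOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $acct,
    [System.Security.AccessControl.FileSystemRights]'Read, Write',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# The "perm" half: rights that only NEW FILES created here will inherit.
# ObjectInherit = child files receive it; InheritOnly = this folder does not.
$forNewFilesOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $acct,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

# AddAccessRule appends to the DACL (like xcacls /e); it never replaces it.
$acl.AddAccessRule($onDirectoryOnly)
$acl.AddAccessRule($forNewFilesOnly)
Set-Acl -Path $Folder -AclObject $acl

# Example 3's variant (no inherit entry for new files) is simply: add
# $onDirectoryOnly and leave $forNewFilesOnly out.

# Show the two entries with their flags so the difference is visible.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -like "*\$User" } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Reading the final listing, the directory-only entry shows InheritanceFlags None, while the new-files entry shows ObjectInherit with PropagationFlags InheritOnly; that second flag is what keeps the "perm" rights off the directory itself, exactly the distinction the KB's Example 2 and Example 3 are drawing.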
ASKER
Thanks Sean..
That is a little advanced for me. :)
Can you tell me the exact command I would run to achieve the results I am looking for?
Remember, I don't want the users to lose permissions to their folders. I just want to make sure the local admins group has full control and ownership of all files and folders under the Users share.
Thx,
Justin
xcacls *.* /t /e /c /g [local admins group]:O /p [local admins group]:F /y
ASKER
Ok here is what I ran and the error:
C:\>xcacls c:\test\*.* /t /e /c /g administrators:o /p administrators:f /y
ERROR: One or more arguments are not correct.
If I run the ownership and NTFS permissions separately I get this:
C:\>xcacls c:\test\*.* /t /e /c /p administrators:f /y
processed directory: c:\test\test1
processed directory: c:\test\test2
processed directory: c:\test\test3
processed directory: c:\test\test1\*.*
ERROR: The filename, directory name, or volume label syntax is incorrect.
Thanks.
try without the space..
xcacls *.* /t /e /c /gAdministrators:O /pAdministrators:F /y
ASKER
Nope.....
I guess I just need something that will assign the local admins group as the owner of all objects while keeping the NTFS permissions.
ASKER
I redid all the permissions manually.. man what a pain. :)
ASKER CERTIFIED SOLUTION
For example, if your users' home dirs are on f:\Home and named after the user name, so that things look like this:
F:\Home\jsmith
F:\Home\jdoe
F:\Home\mthompson
F:\Home\dfinley
etc
Then run this command in a batch file:
for /f "delims=" %%a in ('dir /b /ad f:\home') do (
rem first call has no /e, so it REPLACES the folder's ACL with the local admins group at full control
cacls "f:\home\%%a" /t /c /g %computername%\administrators:f
rem second call has /e, so it EDITS that ACL and adds the matching domain user at full control
cacls "f:\home\%%a" /t /e /c /g domain\%%a:f
)
The above will set each user's home directory so that the local admins group and the domain user for which the directory is named will have FULL control over the folder.
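The requirement stated earlier in the thread was narrower than what the batch file above does: make the local Administrators group the owner with Full Control everywhere under the share, while leaving each user's existing ACEs untouched. The following is an added example, not the accepted answer's code or anything posted in the thread. It assumes the F:\Home layout shown above (one folder per user, directly under the root), that it runs elevated as a member of the local Administrators group on the file server, and that takeown.exe is present. It is written to run on PowerShell 2.0, the newest version a Windows Server 2003 file server can host.

```powershell
# Added example; not from the thread. Gives the local Administrators group
# ownership of, and Full Control over, every home directory under $HomeRoot,
# keeping each user's existing ACEs in place.
# Assumptions (not stated on the page): home dirs sit directly under $HomeRoot,
# this runs elevated as a local Administrators member, takeown.exe is available.
param(
    [string] $HomeRoot = 'F:\Home'   # assumed layout, one folder per user
)

$admins = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

# Full Control that subfolders (ContainerInherit) and files (ObjectInherit)
# below each home directory will inherit.
$fullControl = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $admins,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

Get-ChildItem -Path $HomeRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_.FullName

    # 1. Ownership. takeown.exe uses SeTakeOwnershipPrivilege, so it works even on
    #    folders where Administrators currently have no ACE at all, and it changes
    #    only the owner, never the DACL. /A = assign to the Administrators group,
    #    /R = recurse, /D Y = answer "yes" when it cannot list a subfolder.
    & takeown.exe /F $dir /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "takeown failed on $dir; leaving its DACL alone"
        return   # inside ForEach-Object this moves on to the next folder
    }

    # 2. Permissions. AddAccessRule APPENDS an ACE to the existing DACL; it does
    #    not replace it (the same difference as cacls with and without /e).
    #    As owner, the group now has the WRITE_DAC needed to do this.
    $acl = Get-Acl -Path $dir
    $acl.AddAccessRule($fullControl)
    Set-Acl -Path $dir -AclObject $acl

    # 3. Verify: the owner, and which ACEs survived on the home directory.
    $acl = Get-Acl -Path $dir
    "{0}  owner={1}" -f $dir, $acl.Owner
    $acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

Two things to check before running this against hundreds of real home directories. First, run it on a copy of a few folders and confirm that the verification listing still shows the user's own ACE next to the new BUILTIN\Administrators entry; if the user entry is gone, something replaced the DACL rather than editing it. Second, the new Full Control entry reaches existing subfolders and files through inheritance, so any subfolder on which a user has turned inheritance off will not receive it; those show up as folders where Administrators own the object (step 1 still succeeded) but have no ACE, and need the same AddAccessRule applied to them directly.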