Folder Ownership and Permissions

Posted on 2005-05-03
Last Modified: 2011-03-16
Ok, here is my problem. I have 100s of personal home dirs for each of our users on a file server. Each user only has access to his or her dir. I need to set up the ownership on all folders and subfolders to the local admins group while preserving the user NTFS permissions (this way they can still access their own dir since they are not part of the local admins group). I have tried SUBINACL and ROBOCOPY, but these overwrite the existing permissions and just give the local admins full control.

Any ideas how I can do this?
Question by:Justin Durrant
28 Comments
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13921943
You can do this by script using cacls -

For example.  If your users' home dirs are on f:\Home and named after the user name, so that things look like this:

F:\Home\jsmith
F:\Home\jdoe
F:\Home\mthompson
F:\Home\dfinley
etc

Then run this command in a batch file:

for /f "tokens=1" %%a in ('dir /b f:\home') do (
    cacls f:\home\%%a /t /c /g %computername%\administrators:f
    cacls f:\home\%%a /t /e /c /g domain\%%a:f
)

The above will set each user's home directory so that the local admins group and the domain user for which the directory is named will have FULL control over the folder.
0
 
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 13926233
Also don't forget to remove the 'Users' group as they have default read permissions to all folders on Win2k3 file server.
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13926243
No need.  Default behaviour of CACLS will REPLACE permissions completely.  The /e switch edits them.  Thus it's important to put the admins first or you could lock yourself out.
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13926736
Ok bear with me here I suck at scripting... I created a batch file called cacls.bat with the following:

for /f "tokens=1" %%a in ('dir /b c:\test') do (
    cacls c:\test\%%a /t /c /g %computername%\administrators:f
    cacls c:\test\%%a /t /e /c /g domain\%%a:f
)

I also created one replacing "domain" with our domain name and no luck:

for /f "tokens=1" %%a in ('dir /b c:\test') do (
    cacls c:\test\%%a /t /c /g %computername%\administrators:f
    cacls c:\test\%%a /t /e /c /g americas\%%a:f
)


When I run it against a test dir it just loops:


C:\>(
cacls c:\test\test1 /t /c /g NFDNT015\administrators:f
 cacls c:\test\test1 /t /e /c /g americas\test1:f
)

C:\>for /F "tokens=1" %a in ('dir /b c:\test') do (
cacls c:\test\%a /t /c /g NFDNT015\administrators:f
 cacls c:\test\%a /t /e /c /g americas\%a:f
)

C:\>(
cacls c:\test\test1 /t /c /g NFDNT015\administrators:f
 cacls c:\test\test1 /t /e /c /g americas\test1:f
)

C:\>for /F "tokens=1" %a in ('dir /b c:\test') do (
cacls c:\test\%a /t /c /g NFDNT015\administrators:f
 cacls c:\test\%a /t /e /c /g americas\%a:f
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13927157
Sorry, small screw up on my part:

First, create a text file with the letter y and a carriage return.  Do this by typing EXACTLY the following at a command line, replacing [key] with pressing the key.

COPY CON C:\Y.TXT[Enter]
Y[Enter]
[F6]

Next, use the following in a script:
for /f "tokens=1" %%a in ('dir /b /ad c:\test') do (
    cacls c:\test\%%a /t /c /g builtin\administrators:f < c:\y.txt
    cacls c:\test\%%a /t /e /c /g americas\%%a:f < c:\y.txt
)
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13927296
To step through this:

the loop lists all the users in that folder because the folders are named the same as the usernames.
the first CACLS line sets the administrators to full control
the second CACLS line sets the user to full control (this must be second or errors will occur trying to set admins to full).
At the end of each CACLS line, there is a < c:\y.txt - this is there because CACLS will prompt you to confirm you want to do this.  There is no built in switch to turn this prompting off, so we redirect "input" so that the file "y.txt" provides the Y Enter needed.
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13927681
Still stuck in the loop..

Here is the contents of my y.txt file:

COPY CON C:\Y.TXT
Y

Here is the batch file:

for /f "tokens=1" %%a in ('dir /b /ad c:\test') do (
    cacls c:\test\%%a /t /c /g builtin\administrators:f < c:\y.txt
    cacls c:\test\%%a /t /e /c /g americas\%%a:f < c:\y.txt
)


And the result:


C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\test1 /t /e /c /g americas\test1:f  0<c:\y.txt
)

C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\%a /t /e /c /g americas\%a:f  0<c:\y.txt
)

C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\test1 /t /e /c /g americas\test1:f  0<c:\y.txt
)

C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\%a /t /e /c /g americas\%a:f  0<c:\y.txt
)

0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13927817
Never mind.. I see I create the Y text with the copy con command.. so I got the y.txt created, ran the batch file. Still looping:



C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\test1 /t /e /c /g americas\test1:f  0<c:\y.txt
)

C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\%a /t /e /c /g americas\%a:f  0<c:\y.txt
)

C:\>(
cacls c:\test\test1 /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\test1 /t /e /c /g americas\test1:f  0<c:\y.txt
)

C:\>for /F "tokens=1" %a in ('dir /b /ad c:\test') do (
cacls c:\test\%a /t /c /g builtin\administrators:f  0<c:\y.txt
 cacls c:\test\%a /t /e /c /g americas\%a:f  0<c:\y.txt
)









0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13928289
It's supposed to loop. Do you have an account in the domain called "test1". Here's what I do:

********Here's the EXACT script I'm using:
rem @echo off
for /f "tokens=1" %%a in ('dir /ad /b c:\temp\scripts\cacls') do (
cacls c:\temp\scripts\cacls\%%a /t /c /g builtin\administrators:f < y.txt
cacls c:\temp\scripts\cacls\%%a /t /e /c /g antiverse\%%a:f
)


********Now, I run the script (test.cmd)
C:\Temp\scripts\cacls>test

********And here's what the Batch file does
C:\Temp\scripts\cacls>rem @echo off

C:\Temp\scripts\cacls>for /F "tokens=1" %a in ('dir /ad /b c:\temp\scripts\cacls
') do (
cacls c:\temp\scripts\cacls\%a /t /c /g builtin\administrators:f  0<y.txt
 cacls c:\temp\scripts\cacls\%a /t /e /c /g antiverse\%a:f
)

C:\Temp\scripts\cacls>(
cacls c:\temp\scripts\cacls\andreab /t /c /g builtin\administrators:f  0<y.txt

 cacls c:\temp\scripts\cacls\andreab /t /e /c /g antiverse\andreab:f
)
Are you sure (Y/N)?processed dir: c:\temp\scripts\cacls\andreab
processed dir: c:\temp\scripts\cacls\andreab

C:\Temp\scripts\cacls>(
cacls c:\temp\scripts\cacls\leew /t /c /g builtin\administrators:f  0<y.txt
 cacls c:\temp\scripts\cacls\leew /t /e /c /g antiverse\leew:f
)
Are you sure (Y/N)?processed dir: c:\temp\scripts\cacls\leew
processed dir: c:\temp\scripts\cacls\leew

********Now I test the results - I check the permissions on the folders.  I do this by using cacls but you can check it with file properties as well.
C:\Temp\scripts\cacls>cacls leew
C:\Temp\scripts\cacls\leew BUILTIN\Administrators:(OI)(CI)F
                           ANTIVERSE\leew:(OI)(CI)F
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13928345
Ok.. I do not have a domain account called test1. Let me try against an actual folder.

0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13928370
Ok.. this may not work.. Reason being our domain accounts are not the same as our user folders.

For example, I have a folder called durrantj on the file server yet my domain account is nfdjdurr.

Is there a workaround for this?
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13928443
You can create a text file with space or tab delimited columns.  For example:

Account Folder
durrantj nfdjdurr
smitha asmith
johnsonv vicjohns

I'll post a script shortly that should handle that.
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13928464
thx man

0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13928467
rem @echo off
REM Assumes file is in format Account-Folder; Reverse A-B if different.
REM tokens=1,2 is required so that column 1 lands in %%a and column 2 in %%b.
for /f "tokens=1,2" %%a in (folderlist.txt) do (
cacls c:\temp\scripts\cacls\%%b /t /c /g builtin\administrators:f < y.txt
cacls c:\temp\scripts\cacls\%%b /t /e /c /g YourDomainName\%%a:f
)

The above should do.

Note - folderlist.txt should have no column headings or footer information.  A pure text file with data only - like this:
----------------
durrantj nfdjdurr
smitha asmith
johnsonv vicjohns
----------------
0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13928529
Funny, this is similar to what I had to do a year and half ago.  I got a text file in a tab delimited format with a folder name, and  UP TO 3 users that should have been granted permissions, to the folder.  I had to modify this on a weekly basis for over 100 folders.  It took me a few days of interrupted work, but I got the script working and didn't touch it again.
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13928579
Cool I will try it.. Please confirm this will set the owner of all folders and subfolders to the local admins group? Also, I assume it also replaces the NTFS permissions on all child objects correct? If it just changes the durrantj folder and not all the files and folders within it, it is of no use to me.

Thx,

Justin

0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13928705
Sorry, won't change ownership.  Why is this necessary?

WILL change permissions recursively -  The /T option in the CACLS line handles that.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.

If you must change ownership, you can download some utilities that should allow this:
http://gnuwin32.sourceforge.net/packages/fileutils.htm
Specifically the CHOWN command from the above link.
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13929130
Well some users have setup their folder for them only to have access. Maybe I don't need to change ownership.

I just need to get by the access denied messages when I try and access their home dirs.

0
 
LVL 97

Expert Comment

by:Lee W, MVP
ID: 13929197
Hmmm.... not sure... if they've already locked you out, you may need to use that chown command to change things first.
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13929210
That's what I was afraid of... dam end users.

0
 
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 13929371
Use XcAcls

XcAcls Syntax
XcAcls uses the following syntax:

xcacls FileName [/t] [/e] [/x] [/c] [/gUser:Permissions;Spec] [/rUser] [/pUser:Permissions;Spec [...]] [/dUser [...]] [/y] [/?|/h]

Parameters
FileName

Indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) is typically applied. All standard wildcard characters can be used.

/t

Recursively walks through the current directory and all of its subdirectories, applying the chosen access rights to the matching files or directories.

/e

Edits the ACL instead of replacing it.

/x

Edits the ACL instead of replacing it; affects only the ACEs that the specified users already own.

/c

Causes XcAcls to continue if an "access denied" error occurs. If /c is omitted, XcAcls stops on this error.

/gUser: Permissions; Spec

Grants User access to the matching file or directory. Permissions apply the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:

R - Read
 
C - Change (write)
 
F - Full Control
 
P - Change Permissions (special access)
 
O - Take Ownership (special access)
 
X - Execute (special access)
 
E - Read (Special access)
 
W - Write (Special access)
 
D - Delete (Special access)
 
T - Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value)
 
Notes

• The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Share permissions.
 
• All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.
 
/rUser
- Revokes all access rights for the specified user.

/pUser: Permissions; Spec
-Replaces access rights for User. Permissions applies the specified access right to files. Spec can be the same as Permissions and only applies to a directory. In this case, Permissions is used for file inheritance in this directory. Permissions and Spec accept the following values:

R - Read
 
C - Change (write)
 
F - Full Control
 
P - Change Permissions (special access)
 
O - Take Ownership (special access)
 
X - Execute (special access)
 
E - Read (special access)
 
W - Write (special access)
 
D - Delete (special access)
 
T - Used only by Spec. ACE not specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right must follow. Spec entries that precede T (in other words, those between the semicolon and the T) are ignored. (Special value.)
 
Notes

• The access options for files (special file and directory access options for directories) are identical. For detailed explanations of these options, see Permissions for files and folders or Share permissions.
 
• All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights, such as LIST or READ.
 
/dUser
-Denies the specified user access to the file or directory.

/y
-Disables the confirmation when replacing user access rights. By default, XcAcls asks for confirmation. Because of this feature, when XcAcls is used in a batch routine, the routine stops responding until the right answer is entered. Use the /y parameter when you use XcAcls in batch mode.

------------------------------------------------------------------------------------------------------

XcAcls Examples

Example 1: Replace ACLs of All Files and Directories in the Current Directory
You want to replace the existing ACLs of all files and directories in the current directory with Read and Write access for the administrator, suppressing confirmation. Type the following at the command line:

xcacls *.* /g administrator:rw /y

Notice that you are not asked to confirm the change. You see output similar to the following:

processed file:  C:\data\compressed.txt
processed file:  C:\data\deptdata.txt
processed file:  C:\data\dirafter.txt
processed file:  C:\data\temp.txt
processed file:  C:\data\uncompressed.txt
processed file:  C:\data\userdata.txt

You can check to see that the command was executed by typing the following at the command line:

xcacls *.*

You see output similar to the following, confirming that the access rights have been set for the administrator:

C:\data\compressed.txt MYCOMPUTER\Administrator:(special access:)

                                           READ_CONTROL
                                           SYNCHRONIZE
                                           FILE_GENERIC_READ
                                           FILE_GENERIC_WRITE
                                           FILE_GENERIC_EXECUTE
                                           FILE_READ_DATA
                                           FILE_WRITE_DATA
                                           FILE_APPEND_DATA
                                           FILE_READ_EA
                                           FILE_WRITE_EA
                                           FILE_EXECUTE
                                           FILE_READ_ATTRIBUTES
                                           FILE_WRITE_ATTRIBUTES
 

C:\data\deptdata.txt MYCOMPUTER\Administrator:(special access:)

                                         READ_CONTROL
                                         SYNCHRONIZE
                                         FILE_GENERIC_READ
                                         FILE_GENERIC_WRITE
                                         FILE_GENERIC_EXECUTE
                                         FILE_READ_DATA
                                         FILE_WRITE_DATA
                                         FILE_APPEND_DATA
                                         FILE_READ_EA
                                         FILE_WRITE_EA
                                         FILE_EXECUTE
                                         FILE_READ_ATTRIBUTES
                                         FILE_WRITE_ATTRIBUTES
 

C:\data\dirafter.txt MYCOMPUTER\Administrator:(special access:)

                                         READ_CONTROL
                                         SYNCHRONIZE
                                         FILE_GENERIC_READ
                                         FILE_GENERIC_WRITE
                                         FILE_GENERIC_EXECUTE
                                         FILE_READ_DATA
                                         FILE_WRITE_DATA
                                         FILE_APPEND_DATA
                                         FILE_READ_EA
                                         FILE_WRITE_EA
                                         FILE_EXECUTE
                                         FILE_READ_ATTRIBUTES
                                         FILE_WRITE_ATTRIBUTES
 

C:\data\temp.txt MYCOMPUTER\Administrator:(special access:)

                                     READ_CONTROL
                                     SYNCHRONIZE
                                     FILE_GENERIC_READ
                                     FILE_GENERIC_WRITE
                                     FILE_GENERIC_EXECUTE
                                     FILE_READ_DATA
                                     FILE_WRITE_DATA
                                     FILE_APPEND_DATA
                                     FILE_READ_EA
                                     FILE_WRITE_EA
                                     FILE_EXECUTE
                                     FILE_READ_ATTRIBUTES
                                     FILE_WRITE_ATTRIBUTES
 

C:\data\uncompressed.txt MYCOMPUTER\Administrator:(special access:)

                                             READ_CONTROL
                                             SYNCHRONIZE
                                             FILE_GENERIC_READ
                                             FILE_GENERIC_WRITE
                                             FILE_GENERIC_EXECUTE
                                             FILE_READ_DATA
                                             FILE_WRITE_DATA
                                             FILE_APPEND_DATA
                                             FILE_READ_EA
                                             FILE_WRITE_EA
                                             FILE_EXECUTE
                                             FILE_READ_ATTRIBUTES
                                             FILE_WRITE_ATTRIBUTES
 

C:\data\userdata.txt MYCOMPUTER\Administrator:(special access:)

                                         READ_CONTROL
                                         SYNCHRONIZE
                                         FILE_GENERIC_READ
                                         FILE_GENERIC_WRITE
                                         FILE_GENERIC_EXECUTE
                                         FILE_READ_DATA
                                         FILE_WRITE_DATA
                                         FILE_APPEND_DATA
                                         FILE_READ_EA
                                         FILE_WRITE_EA
                                         FILE_EXECUTE
                                         FILE_READ_ATTRIBUTES
                                         FILE_WRITE_ATTRIBUTES

Example 2: Edit the ACLs of the Current Directory

You want to give TestUser Read, Write, Run, and Delete rights on all new files created in this directory, but only Read and Write permissions on the directory itself. Type the following at the command line:

xcacls *.* /g TestUser:rwed;rw /e

You see output similar to the following:

processed file:  C:\test\compressed.txt
processed file:  C:\test\deptdata.txt
processed file:  C:\test\dirafter.txt
processed file:  C:\test\temp.txt
processed file:  C:\test\uncompressed.txt
processed file:  C:\test\userdata.txt
C:\data\compressed.txt Everyone:(special access:)
                                READ_CONTROL
                                SYNCHRONIZE
                                FILE_GENERIC_READ
                                FILE_GENERIC_WRITE
                                FILE_GENERIC_EXECUTE
                                FILE_READ_DATA
                                FILE_WRITE_DATA
                                FILE_APPEND_DATA
                                FILE_READ_EA
                                FILE_WRITE_EA
                                FILE_EXECUTE
                                FILE_READ_ATTRIBUTES
                                FILE_WRITE_ATTRIBUTES

                       MYCOMPUTER\TestUser:C

C:\data\deptdata.txt Everyone:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_GENERIC_WRITE
                              FILE_GENERIC_EXECUTE
                              FILE_READ_DATA
                              FILE_WRITE_DATA
                              FILE_APPEND_DATA
                              FILE_READ_EA
                              FILE_WRITE_EA
                              FILE_EXECUTE
                              FILE_READ_ATTRIBUTES
                              FILE_WRITE_ATTRIBUTES

                     MYCOMPUTER\TestUser:C

C:\data\dirafter.txt Everyone:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_GENERIC_WRITE
                              FILE_GENERIC_EXECUTE
                              FILE_READ_DATA
                              FILE_WRITE_DATA
                              FILE_APPEND_DATA
                              FILE_READ_EA
                              FILE_WRITE_EA
                              FILE_EXECUTE
                              FILE_READ_ATTRIBUTES
                              FILE_WRITE_ATTRIBUTES

                     MYCOMPUTER\TestUser:C

C:\data\temp.txt Everyone:(special access:)
                          READ_CONTROL
                          SYNCHRONIZE
                          FILE_GENERIC_READ
                          FILE_GENERIC_WRITE
                          FILE_GENERIC_EXECUTE
                          FILE_READ_DATA
                          FILE_WRITE_DATA
                          FILE_APPEND_DATA
                          FILE_READ_EA
                          FILE_WRITE_EA
                          FILE_EXECUTE
                          FILE_READ_ATTRIBUTES
                          FILE_WRITE_ATTRIBUTES

                 MYCOMPUTER\TestUser:C

C:\data\uncompressed.txt Everyone:(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES

                         MYCOMPUTER\TestUser:C

C:\data\userdata.txt Everyone:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_GENERIC_WRITE
                              FILE_GENERIC_EXECUTE
                              FILE_READ_DATA
                              FILE_WRITE_DATA
                              FILE_APPEND_DATA
                              FILE_READ_EA
                              FILE_WRITE_EA
                              FILE_EXECUTE
                              FILE_READ_ATTRIBUTES
                              FILE_WRITE_ATTRIBUTES

                     MYCOMPUTER\TestUser:C

The command edited the ACL of a file or a directory, but its effect on a directory was different. The ACE added to the directory is also an inherit ACE for new files created in this directory.

Example 3: Edit Permissions on a Directory Without Creating an Inherit for New Files
You want to grant Read and Write permissions on a directory for TestUser. You do not want to create an inherit entry for new files, but grant only Read access to existing files. Type the following at the command line:

xcacls *.* /g TestUser:r;trw /e

You see output similar to the following:

C:\data\compressed.txt Everyone:(special access:)
                                READ_CONTROL
                                SYNCHRONIZE
                                FILE_GENERIC_READ
                                FILE_GENERIC_WRITE
                                FILE_GENERIC_EXECUTE
                                FILE_READ_DATA
                                FILE_WRITE_DATA
                                FILE_APPEND_DATA
                                FILE_READ_EA
                                FILE_WRITE_EA
                                FILE_EXECUTE
                                FILE_READ_ATTRIBUTES
                                FILE_WRITE_ATTRIBUTES

                       MYCOMPUTER\TestUser:C

C:\data\deptdata.txt Everyone:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_GENERIC_WRITE
                              FILE_GENERIC_EXECUTE
                              FILE_READ_DATA
                              FILE_WRITE_DATA
                              FILE_APPEND_DATA
                              FILE_READ_EA
                              FILE_WRITE_EA
                              FILE_EXECUTE
                              FILE_READ_ATTRIBUTES
                              FILE_WRITE_ATTRIBUTES

                     MYCOMPUTER\TestUser:C

C:\data\dirafter.txt Everyone:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_GENERIC_WRITE
                              FILE_GENERIC_EXECUTE
                              FILE_READ_DATA
                              FILE_WRITE_DATA
                              FILE_APPEND_DATA
                              FILE_READ_EA
                              FILE_WRITE_EA
                              FILE_EXECUTE
                              FILE_READ_ATTRIBUTES
                              FILE_WRITE_ATTRIBUTES

                     MYCOMPUTER\TestUser:C

C:\data\temp.txt Everyone:(special access:)
                          READ_CONTROL
                          SYNCHRONIZE
                          FILE_GENERIC_READ
                          FILE_GENERIC_WRITE
                          FILE_GENERIC_EXECUTE
                          FILE_READ_DATA
                          FILE_WRITE_DATA
                          FILE_APPEND_DATA
                          FILE_READ_EA
                          FILE_WRITE_EA
                          FILE_EXECUTE
                          FILE_READ_ATTRIBUTES
                          FILE_WRITE_ATTRIBUTES

                 MYCOMPUTER\TestUser:C

C:\data\uncompressed.txt Everyone:(special access:)
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_WRITE
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_APPEND_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES

                         MYCOMPUTER\TestUser:C

C:\data\userdata.txt Everyone:(special access:)
                              READ_CONTROL
                              SYNCHRONIZE
                              FILE_GENERIC_READ
                              FILE_GENERIC_WRITE
                              FILE_GENERIC_EXECUTE
                              FILE_READ_DATA
                              FILE_WRITE_DATA
                              FILE_APPEND_DATA
                              FILE_READ_EA
                              FILE_WRITE_EA
                              FILE_EXECUTE
                              FILE_READ_ATTRIBUTES
                              FILE_WRITE_ATTRIBUTES

                     MYCOMPUTER\TestUser:C





0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13930287
Thanks Sean..

That is a little advanced for me. :)

Can you tell me the exact command I would run to achieve the results I am looking for?

Remember, I don't want the users to lose permissions to their folders. I just want to make sure the local admins group has full control and ownership of all files and folder under the Users share.

Thx,

Justin
0
 
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 13934038
xcacls *.* /t /e /c /g [local admins group]:O /p [local admins group]:F /y

0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13935928
Ok here is what I ran and the error:

C:\>xcacls c:\test\*.* /t /e /c /g administrators:o /p administrators:f /y
ERROR: One or more arguments are not correct.

If I run the ownership and NTFS permissions separate I get this:

C:\>xcacls c:\test\*.* /t /e /c /p administrators:f /y
processed directory: c:\test\test1
processed directory: c:\test\test2
processed directory: c:\test\test3
processed directory: c:\test\test1\*.*
ERROR: The filename, directory name, or volume label syntax is incorrect.


Thanks.
0
 
LVL 10

Expert Comment

by:Seelan Naidoo
ID: 13937836
try without the space..

xcacls *.* /t /e /c /gAdministrators:O /pAdministrators:F /y
0
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13938327
Nope.....

I guess I just need something that will assign the local admins group as the owner of all objects while keeping the NTFS permissions.
0
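One way to reach the goal stated above (Administrators as owner of every object, existing user ACEs left in place), as an added example that is not part of the original thread: it takes ownership item by item with takeown /A, then adds an Administrators ACE with icacls /grant, which edits the ACL instead of replacing it, and finally checks that the mapped user's ACE survived. The root path, domain name and folder-to-account map are placeholders; it assumes takeown.exe and icacls.exe are present on the server and that it runs from an elevated prompt.

```powershell
param(
    [string]$Root   = 'C:\test',          # parent of the home directories (placeholder)
    [string]$Domain = 'YourDomainName',   # placeholder domain
    [switch]$Apply                        # without -Apply the script only prints the commands
)

# Constructed sample map: "<folder> <account>" per line, no header row.
$map = @'
durrantj nfdjdurr
'@

$Admins = 'BUILTIN\Administrators'

function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    if (-not $Apply) { Write-Host "DRY RUN: $Exe $($ToolArgs -join ' ')"; return }
    & $Exe @ToolArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Exe failed ($LASTEXITCODE): $($ToolArgs -join ' ')" }
}

function Set-AdminOwnerAndAccess {
    param([string]$Item, [bool]$IsDirectory)
    # 1. Ownership first: an owner is implicitly allowed to read and change the DACL,
    #    so this works even where users removed Administrators from the ACL.
    #    /A assigns the Administrators group rather than the calling account.
    #    No /R and no /D here: each item is handled on its own, so takeown is never
    #    asked to replace a directory's permissions in order to recurse into it.
    Invoke-Tool 'takeown.exe' @('/F', $Item, '/A')
    # 2. icacls /grant (without :r) adds to the explicit ACEs and leaves the other
    #    entries alone, unlike "cacls /g" without /e, which replaces the whole ACL.
    $ace = if ($IsDirectory) { "${Admins}:(OI)(CI)F" } else { "${Admins}:F" }
    Invoke-Tool 'icacls.exe' @($Item, '/grant', $ace, '/C')
}

function Repair-HomeTree {
    param([string]$Top)
    $pending = New-Object 'System.Collections.Generic.Queue[string]'
    $pending.Enqueue($Top)
    while ($pending.Count -gt 0) {
        $dir = $pending.Dequeue()
        # Fix the directory before listing it: a locked-down directory cannot be enumerated.
        Set-AdminOwnerAndAccess $dir $true
        foreach ($child in Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue) {
            # Skip junctions and symlinks so the walk cannot leave the home directory.
            if ($child.Attributes -band [IO.FileAttributes]::ReparsePoint) { continue }
            if ($child.PSIsContainer) { $pending.Enqueue($child.FullName) }
            else { Set-AdminOwnerAndAccess $child.FullName $false }
        }
    }
}

function Test-HomeFolder {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    $userAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    }
    [pscustomobject]@{
        Folder         = $Path
        Owner          = $acl.Owner
        OwnerIsAdmins  = ($acl.Owner -eq $Admins)
        UserAcePresent = [bool]$userAce      # False means the user's own access is gone
    }
}

foreach ($line in ($map -split '\r?\n')) {
    $folder, $account = $line.Trim() -split '\s+', 2
    if (-not $folder -or -not $account) { continue }
    $path = Join-Path $Root $folder
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "No such home directory: $path"
        continue
    }
    Repair-HomeTree $path
    if ($Apply) { Test-HomeFolder $path "$Domain\$account" }
}
```

Run it once without -Apply and review the printed commands before running it with -Apply against a single test folder.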
 
LVL 23

Author Comment

by:Justin Durrant
ID: 13963563
I redid all the permissions manually.. man what a pain. :)
0
 
LVL 1

Accepted Solution

by:
GhostMod earned 0 total points
ID: 14000493
PAQd, 500 points refunded.

GhostMod
Community Support Moderator
0
