Mass changing of folder permissions

I am administrating a windows 2003 server enivornmment with clients running xp and 2000. I have recently aquired this position and have a lot of cleaning up to do as far as network set up and stuff. One Problem I have is with users home folders. I was under the impression that when you create a home folder through AD that the default permissions on that folder were for the user only. When I create a home folder for a user in AD, the folder is inherting parent folder permissions and also giving the user full control. I just want the user to have access to the folder only and for administrators to be able to take ownership.

Another problem Im having is that some of the previous home folders created have these "inherent permissions" and i really dont want to have to go through each users home folder and look at the settings and change them. Anyone know how i can mass change security permissions on these folders?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

you must setting up at the begining, now thats hard to do it, it's no chance that windows by itself can may mass change, because the OS don't know how to identify every single user. what i recommend is, just set the mass permissions to root or administrators in this case...and change one by one to the users folders...i know is a hard task, but i don't see other solution.

Congrats (or should I say condelences) on your new position.  You have a lot of long days ahead of you.  I've been there and understand all too well.  

Some things to keep in mind about taking ownership.
  - The local Administrator account always has the right to "Take Ownership" of any object (file, etc.) on the local machine
  - Members of the Domain Admins group have the same rights as the local administrator on every machine in the domain
  - Members of the Domain Admins group will be able to take ownership of any file or folder on machine that is a member of the domain

Now as far as users having full control of their home folders...The user will have ownership of any file or folder they create inside their home folders, and thus full control, anyway and if you implement roaming user profiles they will require full control of their profile paths.  I don't know that I would change anything there.

Inheritance is the real problem here.  You don't want everyone able to access anyone else's home folders.  You have 2 options here: 1. Change user permissions using Advanced Security Settings in Windows Explorer;  2.  Using the XCACLS utility

To change permissions using Advanced Security Settings:
1.   From the file server, go into Windows Explorer and right-click the parent folder of your user's home folders and choose "Properties"
         - ex.  Where a user's home folder is located at g:\HomeFolders\username you would go to the G: drive and right-click the FomeFolders folder
2.   Hit the "Advanced" button
3.   Clear the "Inheret permissions..." check box then hit the "Copy" button
4.   Select a user or group that should not have access to users' home folders (Users or Everone for example) and hit the Edit button
5.   Clear all "Allow" check boxes and select "Apply to: Subfolders and files only" then hit "OK" the "Apply" (May take several minutes)
6.   Repeat for each account that should not have access
      - Be sure to leave the "System" and "Creator Owner" alone

Check out for directions on using XCACLS and to download it.

Hope this helps.  Good luck!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sentinel8oAuthor Commented:
That sounds like it will solve my problem with having unwanted groups inherted to the homefolders but the inhert permissions  option would still be checked right? I thought that when a home folder was created it had creator with full control of folder and subfolders, and thats it. I Know that the administrator has take ownership permission regardless. I was just wondering when a home folder is created through AD is the inheret permissions option checked by default?
It looks like I misunderstood your question.  I apologise for not answering it correctly.  Yes, new home folders will inheret permissions from the parent folder.  If I remember correctly it's new profiles that don't inheret but I can't remember just now and I'm not someplace I can check it out.
Sentinel8oAuthor Commented:
no it was a two part question acutally so you did answer my questions.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.