Asked by bgcm12

granting access to all user areas to a new domain-local group.


I have created a new domain local security group.  I want members of this group to have access to users' home-drive shares.

I don't want to manually add the group to the ACL of each user's share.

I thought that it would be a case of adding the new group to the ACL of the root directory holding the user shares and within the advanced tab checking "replace permission on child objects" - but this will remove the permissions for the specific user of the homedrive.

Is there an easy way for me to add this group to all user shares?

Thanks in advance.

Windows Server 2003

Last comment: 8/22/2022 - Mon
Michael Pfister

[Answer visible to members only]

Thanks - that seemed to work with individual files within the user areas scrolling down the command window at high speed.  However, it stopped this scroll twice at the same place when it reached a file in an area halfway through the list of users - with the error "The data area passed to a system call is too small".

Upon checking the individual user areas and sub-folders (both above and below the user's directory where the command crashed out), the new usergroup specified seems to have been added with the relevant Change privileges.

However, when logged in as a user who is a member of this group with the ability to change files, they do not have the ability to map to the share.  I therefore explicitly shared the homedrives folder, tried again to map to it from a user with Change privileges - of course, they then had the ability to map to the drive and read files with the drive - but they cannot modify or write to any of the user homedrives...

Any ideas please?

Increasing points available...
Michael Pfister

I (hopefully) understand your question now. Cacls will only modify NTFS permissions and not share permissions.
And regarding your last post: If you create a new share under XP or Windows 2003, it will have "Read" as default permission. If you need "Change", you have to modify the share permission.

I normally leave Everyone:Full for the share and only restrict the NTFS permissions to match my requirements, but that's a matter of taste.

I'd use rmtshare.exe (an old Microsoft Resource Kit NT 4.0 tool) to modify the share permissions. Problem: NT 4 resource kit is no longer available.
I'm searching for it...
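
The two permission layers described in the comment above, as an added Python sketch that is not part of the original thread: it models why a group with NTFS Change is held to Read through a share left at its default, and why editing an ACL keeps the owner's entry while replacing it does not. The model is simplified (no deny entries, no inheritance flags), and the names `alice`, `bob` and `HomeDriveSupport` are constructed.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2
    FULL = 3

def grant(acl, trustee, level, edit=True):
    """Return a new ACL granting `level` to `trustee`.
    edit=True models editing the ACL (existing entries are kept);
    edit=False models replacing it (existing entries are lost)."""
    new_acl = dict(acl) if edit else {}
    new_acl[trustee] = level
    return new_acl

def allowed(acl, identities):
    """Highest level granted to any of the caller's identities (user plus groups)."""
    return max((acl.get(i, Access.NONE) for i in identities), default=Access.NONE)

def effective_over_share(share_acl, ntfs_acl, identities):
    """Access over the network is capped by both layers, so the lower one wins."""
    return min(allowed(share_acl, identities), allowed(ntfs_acl, identities))

# Constructed sample data (not taken from the thread)
HOME_NTFS = {"alice": Access.FULL}                # home folder with only its owner's entry
OWNER = {"alice", "Everyone"}                     # identities of the home-drive owner
SUPPORT = {"bob", "HomeDriveSupport", "Everyone"} # identities of a member of the new group

def scenarios():
    edited = grant(HOME_NTFS, "HomeDriveSupport", Access.CHANGE, edit=True)
    replaced = grant(HOME_NTFS, "HomeDriveSupport", Access.CHANGE, edit=False)
    default_share = {"Everyone": Access.READ}     # new share left at "Read", as in the post
    open_share = {"Everyone": Access.FULL}        # Everyone:Full, restrict on NTFS only
    return {
        "owner_after_edit": allowed(edited, OWNER),
        "owner_after_replace": allowed(replaced, OWNER),
        "group_via_default_share": effective_over_share(default_share, edited, SUPPORT),
        "group_via_open_share": effective_over_share(open_share, edited, SUPPORT),
    }

if __name__ == "__main__":
    for name, level in scenarios().items():
        print(f"{name}: {level.name}")
```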


Thanks for your efforts Michael.

I too prefer to restrict by NTFS security - but there initially seemed to be a problem with the CACLS method.  After a reboot, it works perfectly - members of the new group added to the users' home shares now have change permissions.

Thanks again.