Solved

Script Different NTFS Permissions per Subfolder

Posted on 2008-11-11
Last Modified: 2013-12-04
I would like to script or elsewise automate the setting of NTFS permissions on users' home directories.

My setup consists of 1 000 users, all with their home directories on a common root:

Root
Users A to E
Users E to K
Users K to Z

The solution would preferably be a script that runs off the Root, searching through all subfolders, and assigning the rights, plus ownership of the subfolders, to the various users.

The users' home directories are identical to the usernames of the users.
Question by:crayonas
LVL 67

Expert Comment

by:sirbounty
ID: 22934336
Are you looking at giving 'everyone' access to these folders? Something like this should work...

cd \RootFolder
REM "delims=" keeps a folder name that contains spaces in one token; the argument is quoted for the same reason
for /f "delims=" %%a in ('dir /ad /b') do call :process "%%a"
goto :eof
 
:process
REM %~1 strips the surrounding quotes; the first character of the folder name picks the label to jump to
set fld=%~1
set val=%fld:~0,1%
call :%val%
goto :eof
 
:A
:B
:C
:D
:E
REM set permissions here
goto :eof
 
:F
:G
:H
:I
:J
:K
REM set permissions here
goto :eof
 
:L
:M
:N
:O
:P
:Q
:R
:S
:T
:U
:V
:W
:X
:Y
:Z
REM set permissions here
goto :eof

LVL 1

Author Comment

by:crayonas
ID: 22934376
I don't see how your script runs - could you explain what the various lines do?


The preferred setup would be:

Root (Domain Admins:F Domain Users:R)
   Users A to E
      Anna (Domain Admins:F Domain Users:NONE Anna:F)
   Users E to K
   Users K to Z
LVL 67

Expert Comment

by:sirbounty
ID: 22934445
Changes things a bit then... thought you meant you wanted all of the A-E folders to have the same access..?
LVL 1

Author Comment

by:crayonas
ID: 22934616
No.
Users need access to their own folders and files, but not access to any other folders in the structure.

(Why would I want the same access for all Home Directories within one subfolder?)
LVL 67

Expert Comment

by:sirbounty
ID: 22934676
That's what I was wondering... ;^)

Still, not entirely clear as to what your setup is.

Am I to assume that you have a structure like

F:\
   >Anna
   >Bob
   >etc

and you want only Anna & Admins to have access to that folder, and Bob and Admins to have access to Bob folder...?

Still, I don't see why the breakdown A-E, etc...
LVL 1

Author Comment

by:crayonas
ID: 22934733
Correct. The Domain Admins should have full control on all folders, while only the corresponding user should have access to his/her folder (home dir) and content.


Our FileServer01 is set up with three disks due to capacity.
The disks are mounted in the folder \\FileServer01\Users\ as Users A to E / Users E to K / Users K to Z. Below these mount points are the corresponding users' home directories.


\\FileServer01\Users\            (ROOT)
 >Users A to E
   >Anna (Domain Admins:F Domain Users:NONE Anna:F)
   >Bob

 >Users E to K
   >Erin

 >Users K to Z
   >Kenny
LVL 67

Expert Comment

by:sirbounty
ID: 22934755
Just trying to make sure I understand...
Your physical path to Anna is
\\FileServer01\Users\Users A to E\Anna ??
LVL 1

Author Comment

by:crayonas
ID: 22934780
Yes.
LVL 67

Expert Comment

by:sirbounty
ID: 22934890
This should work - just remove the pause if it works as you desire....
@echo off
setlocal enabledelayedexpansion
f:
cd\users
REM first level: the mount-point folders (Users A to E, ...); "delims=" and the quotes keep the spaces intact
for /f "delims=" %%p in ('dir /ad /b') do call :process "%%p"
goto :eof
 
:process
Set parent=%1
cd %parent%
REM second level: the home folders inside this mount point; %%~dpnxc expands to the full path
for /f "delims=" %%c in ('dir /ad /b') do (
  Set user=%%c
  Set folder=%%~dpnxc
  call :setACL
)
cd ..
goto :eof
 
:setACL
echo. %user%
echo. %folder%
REM cacls needs the path as its first argument; called without one it only prints its usage text.
REM Without /e the whole ACL is replaced (only these three entries remain) and cacls asks for
REM confirmation, which the piped "y" answers; /t pushes the same ACL onto everything below.
echo y| cacls "%folder%" /t /g "Domain Admins":F /g %user%:F /g SYSTEM:F
set user=
set folder=
pause

LVL 1

Author Comment

by:crayonas
ID: 22934954
Thanks, I will try this out.
LVL 1

Author Comment

by:crayonas
ID: 22940679
Could you explain what the various lines do before I employ this on our system?
LVL 67

Expert Comment

by:sirbounty
ID: 22941234
The for loop loops through all folders found in the users folder, passing that value to the process routine.
Process changes to the user subfolder, then loops through all child folders therein, assigning two variables, user and folder, and then calling the setACL routine, which sets the permissions on all folders, recursively, to include only Domain Admins, the specific user, and the System account (never a good idea to remove that one...)
LVL 1

Author Comment

by:crayonas
ID: 22962650
I'll try the script on Wednesday.
I'm planning on changing the line

cacls /t /g "Domain Admins":F /g %user%:F /g SYSTEM:F

to

cacls /t /g "Domain Admins@Domain":F /g %user%@Domain:F /g SYSTEM:F /g "Creator Owner":F

do you see any immediate problems with this change?
LVL 67

Expert Comment

by:sirbounty
ID: 22964421
Nope - that should work... good luck.
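The procedure sirbounty describes (one pass over the mount-point folders, one pass over the home folders inside each, then an ACL of Domain Admins, the user and SYSTEM only), together with the CREATOR OWNER entry asked about above, as an added PowerShell example. This is not code from the thread; it assumes the root path from the question, a hypothetical domain NetBIOS name 'DOMAIN', PowerShell 3.0 or later, and an elevated session on the file server. Run it with -DryRun first.

```powershell
# Added example, not from this thread. Sets the per-user ACL on home directories laid out as
# <Root>\<mount point>\<username> (the structure described in the question) and hands ownership
# to the user. Hypothetical values: the root path and the domain NetBIOS name 'DOMAIN'.
# Needs PowerShell 3.0+ (for -Directory) and an elevated session on the file server.
param(
    [string]$Root   = '\\FileServer01\Users',
    [string]$Domain = 'DOMAIN',
    [switch]$DryRun                      # report what would change, write nothing
)

$ErrorActionPreference = 'Stop'
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace {
    param([string]$Identity, [System.Security.AccessControl.PropagationFlags]$Propagation = 'None')
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Full, $Inherit, $Propagation, $Allow)
}

# Two levels only: mount-point folders, then one level of home folders. Nothing below a home
# folder is visited; the inheritable ACEs set here flow down on their own.
foreach ($mount in Get-ChildItem -LiteralPath $Root -Directory) {
    foreach ($dir in Get-ChildItem -LiteralPath $mount.FullName -Directory) {
        $user = "$Domain\$($dir.Name)"

        # Resolve the folder name to an account first: a mistyped or orphaned folder
        # must not end up with an ACE that maps to no principal.
        try {
            $null = (New-Object System.Security.Principal.NTAccount($user)).Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Skipping $($dir.FullName): '$user' is not a resolvable account"
            continue
        }

        $acl = Get-Acl -LiteralPath $dir.FullName
        # Cut inheritance without copying the inherited ACEs, so 'Domain Users:R' from the root
        # does not reach the home folder, then drop any explicit ACEs that were already there.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

        $acl.AddAccessRule((New-Ace "$Domain\Domain Admins"))
        $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'))
        $acl.AddAccessRule((New-Ace $user))
        # CREATOR OWNER is only useful as an inherit-only ACE: it is stamped onto objects the
        # user creates below and is not granted on the home folder itself.
        $acl.AddAccessRule((New-Ace 'CREATOR OWNER' -Propagation 'InheritOnly'))

        if ($DryRun) {
            Write-Host "[dry run] $($dir.FullName): owner $user; ACEs: Domain Admins, SYSTEM, $user, CREATOR OWNER (IO)"
            continue
        }
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        # Ownership is handed over with icacls /setowner; giving ownership to someone else
        # needs the restore privilege, hence the elevated session. /Q silences the success line.
        & icacls.exe $dir.FullName /setowner $user /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /setowner failed on $($dir.FullName)" }
    }
}
```

The account check before any write is the part the batch versions lack: a folder whose name does not resolve is reported and skipped rather than silently given a dangling entry, and because inheritance is cut before the new entries go on, the read access granted to Domain Users at the root never reaches a home folder.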
LVL 1

Author Comment

by:crayonas
ID: 22979237
It seems as if the script tries to recurse throughout all subdirectories.
It should only set permissions on parent subfolders in the structure.

On a more serious issue, the script does not seem to work properly.
What happens is that it returns the basic help/info for cacls.

See code snippet for exact copy of .bat file.
The output is like this:


The system cannot find the path specified.
Press any key to continue . . .
 Printers
 C:\Profiles\BERN\Printers
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]

(Cut out for shortening purposes..)

        The ACE does not apply to the current file/directory.
Press any key to continue . . .
 Start-menu
 C:\Profiles\BERN\Start-menu
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]

(Cut out for shortening purposes..)

Press any key to continue . . .
The system cannot find the path specified.
@echo off
setlocal enabledelayedexpansion
cd\profiles
for /f "delims=" %%p in ('dir /ad /b') do call :process "%%p"
goto :eof
 
:process
Set parent=%1
cd %parent%
for /f %%c in ('dir /ad /b') do (
  Set user=%%c
  Set folder=%%~dpnxc
  call :setACL
)
cd ..
goto :eof
 
:setACL
echo. %user%
echo. %folder%
cacls /e /g "Domain Admins":F /g %user%:F /g SYSTEM:F
set user=
set folder=

LVL 67

Accepted Solution

by:
sirbounty earned 1000 total points
ID: 22979431
remove the /t parameter to prevent recursive changes.
If that doesn't solve it - let me know, may have to get some echo lines placed in there to see what it's trying to do...
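Whichever batch variant is run, the result is worth checking against the intended layout (Domain Admins, SYSTEM and the owning user only, inheritance cut, owner set to the user) rather than trusting the console output. The read-only audit below is an added PowerShell example, not from the thread; it assumes the same root path and the hypothetical domain name 'DOMAIN' and changes nothing on disk.

```powershell
# Added example, not from this thread. Audits home directories laid out as
# <Root>\<mount point>\<username> and reports folders whose DACL or owner deviates
# from "Domain Admins, SYSTEM and the user only". Read-only: it changes nothing.
# Hypothetical values: the root path and the domain NetBIOS name 'DOMAIN'.
param(
    [string]$Root   = '\\FileServer01\Users',
    [string]$Domain = 'DOMAIN'
)

$alwaysAllowed = @("$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Test-HomeFolderAcl {
    param([System.IO.DirectoryInfo]$Folder, [string]$Domain)
    $user     = "$Domain\$($Folder.Name)"
    $acl      = Get-Acl -LiteralPath $Folder.FullName
    $findings = New-Object System.Collections.Generic.List[string]

    # Inherited ACEs mean whatever the mount point or root grants (e.g. Domain Users:R)
    # also applies here; a home folder should have inheritance disabled.
    if (-not $acl.AreAccessRulesProtected) { $findings.Add('inherits ACEs from parent') }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -eq $user -or $alwaysAllowed -contains $who) { continue }
        $findings.Add("unexpected ACE: $who $($ace.AccessControlType) $($ace.FileSystemRights)")
    }

    # A missing entry is a finding too: a folder its user cannot reach is just as wrong.
    $present = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    if ($present -notcontains $user) { $findings.Add("user $user has no ACE") }

    if ($acl.Owner -ne $user) { $findings.Add("owner is $($acl.Owner), expected $user") }

    [pscustomobject]@{
        Path     = $Folder.FullName
        User     = $user
        Findings = $findings
        Ok       = ($findings.Count -eq 0)
    }
}

$results = @(foreach ($mount in Get-ChildItem -LiteralPath $Root -Directory) {
    foreach ($dir in Get-ChildItem -LiteralPath $mount.FullName -Directory) {
        Test-HomeFolderAcl -Folder $dir -Domain $Domain
    }
})

$bad = @($results | Where-Object { -not $_.Ok })
$bad | ForEach-Object { $_.Path; $_.Findings | ForEach-Object { "    $_" } }
"{0} home folders checked, {1} with findings" -f $results.Count, $bad.Count
```

Each deviation is reported per folder, so a run before the permission script gives the baseline and a run afterwards confirms exactly which folders still carry an inherited entry, a stray ACE or the wrong owner.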
LVL 1

Author Comment

by:crayonas
ID: 23614266
A colleague made the day and made a script that solved the issue.
LVL 1

Author Comment

by:crayonas
ID: 23614313
Problem solved internally.
LVL 67

Expert Comment

by:sirbounty
ID: 23614468
Can you post the solution please...
LVL 67

Expert Comment

by:sirbounty
ID: 23628189
Ordinarily, I'd simply ignore this, but since I never heard back from the 11/17 post, and then 3 months later it's solved, can you please post the solution?
LVL 1

Author Comment

by:crayonas
ID: 24555955
I am not familiar with the script used, however, the hints from sirbounty did not fulfill my question.
LVL 67

Expert Comment

by:sirbounty
ID: 24557019
Perhaps this was more custom-fit than would suit your needs.
Try opening a new question and someone should be able to help you further...