Script Different NTFS Permissions per Subfolder

I would like to script or otherwise automate the setting of NTFS permissions on users' home directories.

My setup consists of 1 000 users, all with their home directories on a common root:

Root
Users A to E
Users E to K
Users K to Z

The solution would preferably be a script that runs off the Root, searching through all subfolders, and assigning the rights, plus ownership of the subfolders, to the various users.

The users' home directories are identical to the usernames of the users.
crayonas Asked:

sirbounty Commented:
Are you looking at giving 'everyone' access to these folders?
Something like this should work...
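cd \RootFolder
REM Walk every folder directly under the root; "delims=" keeps names with spaces intact
for /f "delims=" %%a in ('dir /ad /b') do call :process "%%a"
goto :eof
 
:process
REM %~1 strips the surrounding quotes; val is the first letter of the folder name
set "fld=%~1"
set "val=%fld:~0,1%"
REM Jump to the label named after that letter (call needs the leading colon)
call :%val%
goto :eof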
 
:A
:B
:C
:D
:E
REM set permissions here
goto :eof
 
:F
:G
:H
:I
:J
:K
REM set permissions here
goto :eof
 
:L
:M
:N
:O
:P
:Q
:R
:S
:T
:U
:V
:W
:X
:Y
:Z
REM set permissions here

0
crayonas (Author) Commented:
I don't see how your script runs - could you explain what the various lines do?


The preferred setup would be:

Root (Domain Admins:F Domain Users:R)
   Users A to E
      Anna (Domain Admins:F Domain Users:NONE Anna:F)
   Users E to K
   Users K to Z
0
sirbounty Commented:
Changes things a bit then... thought you meant you wanted all of A-E folders to have the same access..?
0
crayonas (Author) Commented:
No.
Users need access to their own folders and files, but not access to any other folders in the structure.

(Why would I want the same access for all Home Directories within one subfolder?)
0
sirbounty Commented:
That's what I was wondering... ;^)

Still, not entirely clear as to what your setup is.

Am I to assume that you have a structure like

F:\
   >Anna
   >Bob
   >etc

and you want only Anna & Admins to have access to that folder, and Bob and Admins to have access to Bob folder...?

Still, I don't see why the breakdown A-E, etc...
0
crayonas (Author) Commented:
Correct. The Domain Admins should have full control on all folders, while only the corresponding user should have access to his/her folder (home dir) and content.


Our FileServer01 is set up with three disks due to capacity.
The disks are mounted in the folder \\FileServer01\Users\ as Users A to E / Users E to K / Users K to Z. Below these mount points are the corresponding users' home directories.


\\FileServer01\Users\            (ROOT)
 >Users A to E
   >Anna (Domain Admins:F Domain Users:NONE Anna:F)
   >Bob

 >Users E to K
   >Erin

 >Users K to Z
   >Kenny
0
sirbounty Commented:
Just trying to make sure I understand...
Your physical path to Anna is
\\FileServer01\Users\Users A to E\Anna ??
0
crayonas (Author) Commented:
Yes.
0
sirbounty Commented:
This should work - just remove the pause if it works as you desire....
@echo off
setlocal enabledelayedexpansion
f:
cd\users
for /f "delims=" %%p in ('dir /ad /b') do call :process "%%p"
goto :eof
 
:process
Set parent=%1
cd %parent%
for /f %%c in ('dir /ad /b') do (
  Set user=%%c
  Set folder=%%~dpnxc
  call :setACL
)
cd ..
goto :eof
 
:setACL
echo. %user%
echo. %folder%
cacls /t /g "Domain Admins":F /g %user%:F /g SYSTEM:F
set user=
set folder=
pause

0
crayonas (Author) Commented:
Thanks, I will try this out.
0
crayonas (Author) Commented:
Could you explain what the various lines do before I employ this on our system?
0
sirbounty Commented:
The for loop loops through all folders found in the users folder, passing that value to the process routine.
Process changes to the user subfolder, then loops through all child folders therein, assigning two variables, user and folder, and then calling the setACL routine, which sets the permissions on all folders, recursively, to include only Domain Admins, the specific user, and the System account (never a good idea to remove that one...)
0
crayonas (Author) Commented:
I'll try the script on Wednesday.
I'm planning on changing the line

cacls /t /g "Domain Admins":F /g %user%:F /g SYSTEM:F

to

cacls /t /g "Domain Admins@Domain":F /g %user%@Domain:F /g SYSTEM:F /g "Creator Owner":F

do you see any immediate problems with this change?
0
sirbounty Commented:
Nope - that should work... good luck.
0
crayonas (Author) Commented:
It seems as if the script tries to recurse throughout all subdirectories.
It should only set permissions on parent subfolders in the structure.

On a more serious issue, the script does not seem to work properly.
What happens is that it returns the basic help/info for cacls.

See code snippet for exact copy of .bat file.
The output is like this:


The system cannot find the path specified.
Press any key to continue . . .
 Printers
 C:\Profiles\BERN\Printers
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]

(Cut out for shortening purposes..)

        The ACE does not apply to the current file/directory.
Press any key to continue . . .
 Start-menu
 C:\Profiles\BERN\Start-menu
Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]

(Cut out for shortening purposes..)

Press any key to continue . . .
The system cannot find the path specified.

@echo off
setlocal enabledelayedexpansion
cd\profiles
for /f "delims=" %%p in ('dir /ad /b') do call :process "%%p"
goto :eof
 
:process
Set parent=%1
cd %parent%
for /f %%c in ('dir /ad /b') do (
  Set user=%%c
  Set folder=%%~dpnxc
  call :setACL
)
cd ..
goto :eof
 
:setACL
echo. %user%
echo. %folder%
cacls /e /g "Domain Admins":F /g %user%:F /g SYSTEM:F
set user=
set folder=

0
sirbounty Commented:
remove the /t parameter to prevent recursive changes.
If that doesn't solve it - let me know, may have to get some echo lines placed in there to see what it's trying to do...
0
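
The cacls usage text quoted above lists the filename as a required argument, and the posted cacls line echoes %folder% but never passes it to the command. As an added example (not code from this thread, and not the internal solution that was never posted), one way to apply the requested layout with icacls; ROOT, DOMAIN, the DO dry-run switch and the :setacl routine are assumptions.

```batch
@echo off
setlocal
REM Added example, not from the thread. ROOT and DOMAIN are assumed values.
set "ROOT=F:\Users"
set "DOMAIN=EXAMPLE"
REM Dry run by default: each icacls command is printed, not executed.
REM Pass "apply" as the first argument to execute them.
set "DO=echo"
if /i "%~1"=="apply" set "DO="

REM Level 1: mount-point folders such as "Users A to E".
REM Level 2: one home folder per user, named after the account.
for /d %%P in ("%ROOT%\*") do (
  for /d %%U in ("%%~fP\*") do call :setacl "%%~fU" "%%~nxU"
)
goto :eof

:setacl
set "HOMEDIR=%~1"
set "ACCOUNT=%DOMAIN%\%~2"
REM Grant first, and always name the target folder: an ACL command without a
REM path only prints its usage text. (OI)(CI) lets files and subfolders inherit
REM the entries, so no /T recursion is needed. *S-1-5-18 is the SYSTEM account.
%DO% icacls "%HOMEDIR%" /grant:r "%DOMAIN%\Domain Admins":(OI)(CI)F *S-1-5-18:(OI)(CI)F "%ACCOUNT%":(OI)(CI)F
if errorlevel 1 (
  echo SKIPPED "%HOMEDIR%": no usable account "%ACCOUNT%", ACL left unchanged
  goto :eof
)
REM Only after the grant succeeded, drop the entries inherited from the root
REM (for example Domain Users:R), then make the user the owner of the folder.
%DO% icacls "%HOMEDIR%" /inheritance:r
%DO% icacls "%HOMEDIR%" /setowner "%ACCOUNT%"
goto :eof
```

Run it without arguments first to review the printed commands, then with `apply` from an elevated prompt. Explicit entries that already exist on a home folder for other accounts are left in place, so check a sample with `icacls "<folder>"` afterwards.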

crayonas (Author) Commented:
A colleague made the day and made a script that solved the issue.
0
crayonas (Author) Commented:
Problem solved internally.
0
sirbounty Commented:
Can you post the solution please...
0
sirbounty Commented:
Ordinarily, I'd simply ignore this, but since I never heard back from the 11/17 post, and then 3 months later it's solved, can you please post the solution?
0
crayonas (Author) Commented:
I am not familiar with the script used, however, the hints from sirbounty did not fulfill my question.
0
sirbounty Commented:
Perhaps this was more custom-fit than would suit your needs.
Try opening a new question and someone should be able to help you further...
0

Question has a verified solution.
