Solved

syntax for creating rights for hundreds of folders using xcacls

Posted on 2009-07-16
11
314 Views
Last Modified: 2013-12-04
I have several hundred directories on a Windows 2003 server that I need to set special permissions on.  I used a batch file to create the folders but need an automated way to set the permissions.  I'm inheriting what I can from the parent but each folder will have different user permissions.  I manually set one up and ran an xcacls query.  The result follows:

C:\xcacls z:\archive\jdoe
z:\archive\jdoe DOMAIN\jdoe:(OI)(CI)(special access:)
                                  DELETE
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES

                 BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F


Is there a way to use xcacls to set the permissions on the other directories based on this user's permissions listed above?  I'm not tied to xcacls but would prefer not to purchase a 3rd party solution.  Thanks in advance for your help.
0
Comment
Question by:DTUser
  • 6
  • 2
11 Comments
 
LVL 18

Expert Comment

by:kjanicke
ID: 24880547
Is the folder and the user name the same?  Are you trying to set folder permissions on home drives?

0
 
LVL 18

Accepted Solution

by:
kjanicke earned 250 total points
ID: 24880631
If so ...

xcacls z:\archive\jdoe /G jdoe:F
Would give JDoe full control of the folder with his name.

You could create a simple txt file with all of the active directory accounts (export it with csvde).  For this example, I will call this list "list.txt"

Than pipe it into a for loop.  

for /F %i in (list.txt) do xcacls z:\archive\%i /G %i:F

The first "%i" says what the variable is called.  The second and third "%i" would be replaced with each entry in the list file.


0
 

Author Comment

by:DTUser
ID: 24894752
Thanks kjanicke.  My goal is to not give the users Full Access.  i want to restrict them from creating and deleting subfolders.  

Yes, the folder name and user names are the same.

Thanks.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 24899186
I just specified "full" for the example.  You can set the permissions as required.  

If you adding to the permissions, look at the switches available.  There is a switch to leave the original permissions and just add or append.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:DTUser
ID: 24928329
Thanks kjanicke.  Just struggling with the syntax a bit.  Any assistance is appreciated.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038395
It's hard to help with syntax when you do not specify the paramters you are trying to set.  But I did help you with a solution, and it is a tried and tested solution.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038406
My suggestion above provided syntax. You have to adjust the permissions to your specific needs.  XCACLS /? will show details of options, as well as microsoft examples.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25046769
Author requested: "have several hundred directories on a Windows 2003 server that I need to set special permissions on"

I asked for specific information becuase it sounded like a similar problem to what we have on site, which is; setting permissions on all home drives.

The for loop will set permissions on all home drives using a txt file and an xcacls command.  My specific example sets full control.  but the permissions can easily be adjusted to site specific needs.  Synatx can be found with xcacls /? and at http://support.microsoft.com/kb/318754

Example 2
The ACEs that are added to the folder in this example also inherit ACE for new files that are created in this folder. The command gives TestUser read, write, run, and delete rights on all new files created in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /G TestUser:RWED;RW /E at the command prompt, and then press ENTER.

On NTFS system, you can use the GUI interface to view advanced security features to show specific rights granted to change, read, or full access.  I believe Full gives you permissions to "delete" folders.

I would recommend #3 as the first option.  #2 if author does not agree.  Regardless, I was the only one to offer a solution and it does show how to loop permissions thru hundred of folders in this situation, without having to buy a third party tool.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
When we talk about DevOps toolchains, I sometimes wonder how many people really get what we’re talking about. I don’t know if it’s just semantics or tone or something else, but sometimes I think it just sounds like buzzword sausage. So it’s always …
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now