Solved

syntax for creating rights for hundreds of folders using xcacls

Posted on 2009-07-16
11
318 Views
Last Modified: 2013-12-04
I have several hundred directories on a Windows 2003 server that I need to set special permissions on.  I used a batch file to create the folders but need an automated way to set the permissions.  I'm inheriting what I can from the parent but each folder will have different user permissions.  I manually set one up and ran an xcacls query.  The result follows:

C:\xcacls z:\archive\jdoe
z:\archive\jdoe DOMAIN\jdoe:(OI)(CI)(special access:)
                                  DELETE
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES

                 BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F


Is there a way to use xcacls to set the permissions on the other directories based on this user's permissions listed above?  I'm not tied to xcacls but would prefer not to purchase a 3rd party solution.  Thanks in advance for your help.
0
Comment
Question by:DTUser
  • 6
  • 2
11 Comments
 
LVL 18

Expert Comment

by:kjanicke
ID: 24880547
Is the folder and the user name the same?  Are you trying to set folder permissions on home drives?

0
 
LVL 18

Accepted Solution

by:
kjanicke earned 250 total points
ID: 24880631
If so ...

xcacls z:\archive\jdoe /G jdoe:F
Would give JDoe full control of the folder with his name.

You could create a simple txt file with all of the active directory accounts (export it with csvde).  For this example, I will call this list "list.txt"

Than pipe it into a for loop.  

for /F %i in (list.txt) do xcacls z:\archive\%i /G %i:F

The first "%i" says what the variable is called.  The second and third "%i" would be replaced with each entry in the list file.


0
 

Author Comment

by:DTUser
ID: 24894752
Thanks kjanicke.  My goal is to not give the users Full Access.  i want to restrict them from creating and deleting subfolders.  

Yes, the folder name and user names are the same.

Thanks.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 18

Expert Comment

by:kjanicke
ID: 24899186
I just specified "full" for the example.  You can set the permissions as required.  

If you adding to the permissions, look at the switches available.  There is a switch to leave the original permissions and just add or append.
0
 

Author Comment

by:DTUser
ID: 24928329
Thanks kjanicke.  Just struggling with the syntax a bit.  Any assistance is appreciated.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038395
It's hard to help with syntax when you do not specify the paramters you are trying to set.  But I did help you with a solution, and it is a tried and tested solution.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038406
My suggestion above provided syntax. You have to adjust the permissions to your specific needs.  XCACLS /? will show details of options, as well as microsoft examples.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25046769
Author requested: "have several hundred directories on a Windows 2003 server that I need to set special permissions on"

I asked for specific information becuase it sounded like a similar problem to what we have on site, which is; setting permissions on all home drives.

The for loop will set permissions on all home drives using a txt file and an xcacls command.  My specific example sets full control.  but the permissions can easily be adjusted to site specific needs.  Synatx can be found with xcacls /? and at http://support.microsoft.com/kb/318754

Example 2
The ACEs that are added to the folder in this example also inherit ACE for new files that are created in this folder. The command gives TestUser read, write, run, and delete rights on all new files created in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /G TestUser:RWED;RW /E at the command prompt, and then press ENTER.

On NTFS system, you can use the GUI interface to view advanced security features to show specific rights granted to change, read, or full access.  I believe Full gives you permissions to "delete" folders.

I would recommend #3 as the first option.  #2 if author does not agree.  Regardless, I was the only one to offer a solution and it does show how to loop permissions thru hundred of folders in this situation, without having to buy a third party tool.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There's a better way to communicate time sensitive or critical info.
Why pager replacement is still an issue OnPage has what some might call a “hate/hate” relationship with pagers. Not much room for love. As we see it, pagers are an antiquated bit of technology. Pagers are dinosaurs which, like most dinosaurs, sho…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question