Solved

syntax for creating rights for hundreds of folders using xcacls

Posted on 2009-07-16
11
309 Views
Last Modified: 2013-12-04
I have several hundred directories on a Windows 2003 server that I need to set special permissions on.  I used a batch file to create the folders but need an automated way to set the permissions.  I'm inheriting what I can from the parent but each folder will have different user permissions.  I manually set one up and ran an xcacls query.  The result follows:

C:\xcacls z:\archive\jdoe
z:\archive\jdoe DOMAIN\jdoe:(OI)(CI)(special access:)
                                  DELETE
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES

                 BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F


Is there a way to use xcacls to set the permissions on the other directories based on this user's permissions listed above?  I'm not tied to xcacls but would prefer not to purchase a 3rd party solution.  Thanks in advance for your help.
0
Comment
Question by:DTUser
  • 6
  • 2
11 Comments
 
LVL 18

Expert Comment

by:kjanicke
ID: 24880547
Is the folder and the user name the same?  Are you trying to set folder permissions on home drives?

0
 
LVL 18

Accepted Solution

by:
kjanicke earned 250 total points
ID: 24880631
If so ...

xcacls z:\archive\jdoe /G jdoe:F
Would give JDoe full control of the folder with his name.

You could create a simple txt file with all of the active directory accounts (export it with csvde).  For this example, I will call this list "list.txt"

Than pipe it into a for loop.  

for /F %i in (list.txt) do xcacls z:\archive\%i /G %i:F

The first "%i" says what the variable is called.  The second and third "%i" would be replaced with each entry in the list file.


0
 

Author Comment

by:DTUser
ID: 24894752
Thanks kjanicke.  My goal is to not give the users Full Access.  i want to restrict them from creating and deleting subfolders.  

Yes, the folder name and user names are the same.

Thanks.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 24899186
I just specified "full" for the example.  You can set the permissions as required.  

If you adding to the permissions, look at the switches available.  There is a switch to leave the original permissions and just add or append.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:DTUser
ID: 24928329
Thanks kjanicke.  Just struggling with the syntax a bit.  Any assistance is appreciated.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038395
It's hard to help with syntax when you do not specify the paramters you are trying to set.  But I did help you with a solution, and it is a tried and tested solution.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038406
My suggestion above provided syntax. You have to adjust the permissions to your specific needs.  XCACLS /? will show details of options, as well as microsoft examples.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25046769
Author requested: "have several hundred directories on a Windows 2003 server that I need to set special permissions on"

I asked for specific information becuase it sounded like a similar problem to what we have on site, which is; setting permissions on all home drives.

The for loop will set permissions on all home drives using a txt file and an xcacls command.  My specific example sets full control.  but the permissions can easily be adjusted to site specific needs.  Synatx can be found with xcacls /? and at http://support.microsoft.com/kb/318754

Example 2
The ACEs that are added to the folder in this example also inherit ACE for new files that are created in this folder. The command gives TestUser read, write, run, and delete rights on all new files created in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /G TestUser:RWED;RW /E at the command prompt, and then press ENTER.

On NTFS system, you can use the GUI interface to view advanced security features to show specific rights granted to change, read, or full access.  I believe Full gives you permissions to "delete" folders.

I would recommend #3 as the first option.  #2 if author does not agree.  Regardless, I was the only one to offer a solution and it does show how to loop permissions thru hundred of folders in this situation, without having to buy a third party tool.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Communication between departments might not happen in two different languages, but they do exist in two different worlds. With different targets and performance goals the same phrase often means something completely different to each party. Learn ho…
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now