Solved

syntax for creating rights for hundreds of folders using xcacls

Posted on 2009-07-16
11
320 Views
Last Modified: 2013-12-04
I have several hundred directories on a Windows 2003 server that I need to set special permissions on.  I used a batch file to create the folders but need an automated way to set the permissions.  I'm inheriting what I can from the parent but each folder will have different user permissions.  I manually set one up and ran an xcacls query.  The result follows:

C:\xcacls z:\archive\jdoe
z:\archive\jdoe DOMAIN\jdoe:(OI)(CI)(special access:)
                                  DELETE
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES

                 BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F


Is there a way to use xcacls to set the permissions on the other directories based on this user's permissions listed above?  I'm not tied to xcacls but would prefer not to purchase a 3rd party solution.  Thanks in advance for your help.
0
Comment
Question by:DTUser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
11 Comments
 
LVL 18

Expert Comment

by:kjanicke
ID: 24880547
Is the folder and the user name the same?  Are you trying to set folder permissions on home drives?

0
 
LVL 18

Accepted Solution

by:
kjanicke earned 250 total points
ID: 24880631
If so ...

xcacls z:\archive\jdoe /G jdoe:F
Would give JDoe full control of the folder with his name.

You could create a simple txt file with all of the active directory accounts (export it with csvde).  For this example, I will call this list "list.txt"

Than pipe it into a for loop.  

for /F %i in (list.txt) do xcacls z:\archive\%i /G %i:F

The first "%i" says what the variable is called.  The second and third "%i" would be replaced with each entry in the list file.


0
 

Author Comment

by:DTUser
ID: 24894752
Thanks kjanicke.  My goal is to not give the users Full Access.  i want to restrict them from creating and deleting subfolders.  

Yes, the folder name and user names are the same.

Thanks.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 18

Expert Comment

by:kjanicke
ID: 24899186
I just specified "full" for the example.  You can set the permissions as required.  

If you adding to the permissions, look at the switches available.  There is a switch to leave the original permissions and just add or append.
0
 

Author Comment

by:DTUser
ID: 24928329
Thanks kjanicke.  Just struggling with the syntax a bit.  Any assistance is appreciated.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038395
It's hard to help with syntax when you do not specify the paramters you are trying to set.  But I did help you with a solution, and it is a tried and tested solution.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038406
My suggestion above provided syntax. You have to adjust the permissions to your specific needs.  XCACLS /? will show details of options, as well as microsoft examples.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25046769
Author requested: "have several hundred directories on a Windows 2003 server that I need to set special permissions on"

I asked for specific information becuase it sounded like a similar problem to what we have on site, which is; setting permissions on all home drives.

The for loop will set permissions on all home drives using a txt file and an xcacls command.  My specific example sets full control.  but the permissions can easily be adjusted to site specific needs.  Synatx can be found with xcacls /? and at http://support.microsoft.com/kb/318754

Example 2
The ACEs that are added to the folder in this example also inherit ACE for new files that are created in this folder. The command gives TestUser read, write, run, and delete rights on all new files created in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /G TestUser:RWED;RW /E at the command prompt, and then press ENTER.

On NTFS system, you can use the GUI interface to view advanced security features to show specific rights granted to change, read, or full access.  I believe Full gives you permissions to "delete" folders.

I would recommend #3 as the first option.  #2 if author does not agree.  Regardless, I was the only one to offer a solution and it does show how to loop permissions thru hundred of folders in this situation, without having to buy a third party tool.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario: Your operations manager has discovered an anomaly in your security system. The business will start to suffer within 15 minutes if it is a major IT incident. What should she do? We have 6 recommendations for managing major incidents (https:…
We asked our MSP customer base what their favorite tools were and how they help them serve clients. We focused our questions on favorite tools in the following categories: >PSA tools >RMM tools >Alert management tools >Communication tools and Mo…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question