Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

syntax for creating rights for hundreds of folders using xcacls

Posted on 2009-07-16
11
Medium Priority
?
329 Views
Last Modified: 2013-12-04
I have several hundred directories on a Windows 2003 server that I need to set special permissions on.  I used a batch file to create the folders but need an automated way to set the permissions.  I'm inheriting what I can from the parent but each folder will have different user permissions.  I manually set one up and ran an xcacls query.  The result follows:

C:\xcacls z:\archive\jdoe
z:\archive\jdoe DOMAIN\jdoe:(OI)(CI)(special access:)
                                  DELETE
                                  READ_CONTROL
                                  SYNCHRONIZE
                                  FILE_GENERIC_READ
                                  FILE_GENERIC_EXECUTE
                                  FILE_READ_DATA
                                  FILE_WRITE_DATA
                                  FILE_READ_EA
                                  FILE_WRITE_EA
                                  FILE_EXECUTE
                                  FILE_READ_ATTRIBUTES
                                  FILE_WRITE_ATTRIBUTES

                 BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F


Is there a way to use xcacls to set the permissions on the other directories based on this user's permissions listed above?  I'm not tied to xcacls but would prefer not to purchase a 3rd party solution.  Thanks in advance for your help.
0
Comment
Question by:DTUser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
11 Comments
 
LVL 18

Expert Comment

by:kjanicke
ID: 24880547
Is the folder and the user name the same?  Are you trying to set folder permissions on home drives?

0
 
LVL 18

Accepted Solution

by:
kjanicke earned 1000 total points
ID: 24880631
If so ...

xcacls z:\archive\jdoe /G jdoe:F
Would give JDoe full control of the folder with his name.

You could create a simple txt file with all of the active directory accounts (export it with csvde).  For this example, I will call this list "list.txt"

Than pipe it into a for loop.  

for /F %i in (list.txt) do xcacls z:\archive\%i /G %i:F

The first "%i" says what the variable is called.  The second and third "%i" would be replaced with each entry in the list file.


0
 

Author Comment

by:DTUser
ID: 24894752
Thanks kjanicke.  My goal is to not give the users Full Access.  i want to restrict them from creating and deleting subfolders.  

Yes, the folder name and user names are the same.

Thanks.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 18

Expert Comment

by:kjanicke
ID: 24899186
I just specified "full" for the example.  You can set the permissions as required.  

If you adding to the permissions, look at the switches available.  There is a switch to leave the original permissions and just add or append.
0
 

Author Comment

by:DTUser
ID: 24928329
Thanks kjanicke.  Just struggling with the syntax a bit.  Any assistance is appreciated.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038395
It's hard to help with syntax when you do not specify the paramters you are trying to set.  But I did help you with a solution, and it is a tried and tested solution.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25038406
My suggestion above provided syntax. You have to adjust the permissions to your specific needs.  XCACLS /? will show details of options, as well as microsoft examples.
0
 
LVL 18

Expert Comment

by:kjanicke
ID: 25046769
Author requested: "have several hundred directories on a Windows 2003 server that I need to set special permissions on"

I asked for specific information becuase it sounded like a similar problem to what we have on site, which is; setting permissions on all home drives.

The for loop will set permissions on all home drives using a txt file and an xcacls command.  My specific example sets full control.  but the permissions can easily be adjusted to site specific needs.  Synatx can be found with xcacls /? and at http://support.microsoft.com/kb/318754

Example 2
The ACEs that are added to the folder in this example also inherit ACE for new files that are created in this folder. The command gives TestUser read, write, run, and delete rights on all new files created in this folder, but only read and write permissions on the folder itself. Type XCACLS *.* /G TestUser:RWED;RW /E at the command prompt, and then press ENTER.

On NTFS system, you can use the GUI interface to view advanced security features to show specific rights granted to change, read, or full access.  I believe Full gives you permissions to "delete" folders.

I would recommend #3 as the first option.  #2 if author does not agree.  Regardless, I was the only one to offer a solution and it does show how to loop permissions thru hundred of folders in this situation, without having to buy a third party tool.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Introducing Priority Question, our latest feature.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question