Setting NTFS permissions on mutiple folders by a specific name in a directory tree

Posted on 2009-12-16
Last Modified: 2012-05-08
How do I set group specific NTFS file.folder permissions by a specific folder name on multiple folders in a directory tree?
Projects---Project 1
                 Project 2

Want to search the tree, find all folders by a specific name and Edit, the existing permissions to Add/Remove specific permissions.
Remove some groups altogether Project
Add some groups - Projects - RO
Edit existing groups - Accounting-ENG
Will XCACLS.vbs do it? If so, how do I perform this by a specific folder name throught a directory tree?

Question by:NetManaged
    LVL 31

    Accepted Solution

    Using subinacl should solve this. As path, use the base parent path followed by \FolderToChange. For example, the syntax below will give administrators full access to all Contracts folder below C:\Projects and remove the permissions earlier given to grouptoremove. You can add multiple /grant and /remove at the same time when neaded.

    subinacl /subdirectories C:\Projects\Contracts /grant=administrators=F /revoke=grouptoremove

    use 'subinacl /? /grant' for help on setting permissions.

    Author Comment

    Close to what I need but not quite. I should have provided more detail.
    I need more of a find all directories with a specifc name in a multilevel tree and Edit:Grant,Replace,Revoke and then make permission changes for that folder either at that level only OR for all files/folders contained in that folder.
    The folder Projects has 300+ uniquely named Customer folders, with a second level of uniquely named project folders with then a standard folder structure under each project.
    I need a solution to start at a specific folder level, then search for a specific folder name and then make permission changes for that folder and if needed all files and subfolders.
    LVL 31

    Expert Comment

    by:Henrik Johansson
    With subinacl, it will search for subfolders below the structure.
    Using C:\Projecs\Contracts as in sample, it will search for any Contracts folder below C:\Projects independent of having any subfolder between the parent folder like C:\Projects\Project1\Contracts.
    As object name parameter for subinacl, use parent folder followed by folder or file to process like C:\Path\To\Projects\Contracts or C:\Paht\To\Projects\*.doc
    The action parameters /grant and /revoke can be entered multiple times at the same time. It can also use /replace to replace a group with another group (/replace=oldgroup=newgroup) or /deny to set deny permissions.

    subinacl /subdirectories C:\Projects\Contracts /grant=GroupFull=F /grant=GroupChange=C /revoke=RemoveGroup1 /revoke=RemoveGroup2 /replace=OldGroup=NewGroup

    If a group shall be set to readonly that has already been granted write permission, first execute the command to revoke all permissions for the group and after that execute the command to grant read permission.
    You can also use /deny as action parameter to deny a group the write permission. Just keep in mind that a deny permission always override allow if there's a conflict.

    Author Comment

    henjoh09, Does subinacl have the same explicit folder/file permissions ability as xcacls.vbs? I reviewed some documentation, but I couldn't see more granular control as is in xcacls.vbs.
    Does xcacls.vbs have the same "find the directory" capability?

    Author Comment

               I'm willing to provide 100 points to henjoh09. His answer was part of the solution, but there was no followup with my question regarding another Microsoft tool purported to perform similar functions.
    My apologies for being so tardy in resolving the open question.
    I'm selecting Object in order to provide the points to henjoh09.
    Thank you for your attention.
    Regards, Greg

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
    [b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now