Is there a way to create folders and security permissions in bulk?

Posted on 2010-09-01
Last Modified: 2012-06-27
My HR department is coming to me saying that they are going to go to all electronic documents for their personnel records.  Unfortunately, this means creating a folder for each one of our employees (hundreds).  Even worse, they want certain folders within each personnel folder to have different permissions.  (This is because medical records can only be accessed by certain people, but simple employment status can be accessed by anyone.)  So what I'm asking is:  Is there any way to automate this process, either through a script or a program?

FYI:  The folders might look something like this:
John Smith
     Contact Information (security level 1)
     Employment Status (security level 1)
     Salary Information (security level 2)
     Medical (security level 3)
Jane Doe
     Contact Information (security level 1)
     Employment Status (security level 1)
     Salary Information (security level 2)
     Medical (security level 3)
So the folders and permissions levels would be the same under each personnel file.  I just don't want to have to create all these by hand.
Question by:silver1386
  • 4
  • 3
  • 2
  • +2

Accepted Solution

MONSTA2008 earned 125 total points
ID: 33579477
The Microsoft Technet Scripting Repository is one of the best tools you can keep in your arsenal for things like this.  You can access the home for this here:

This script, for example, will create an entire folder structure based on a .csv file and set permissions for you.

In many cases you can find one script to do one feature and another to do something different and then look to combine the two.  I would obviously test these out in a development or sandbox environment first to make sure they do what you want.
LVL 11

Expert Comment

ID: 33579497
This is a typical task with windows server, and very easily setup with group policy.  How are you setting up your shares?  How will they be accessed? What OS are you using?

Author Comment

ID: 33579727
The shares are just shared folders on a file server.
They are accessed through Windows Explorer.
The server's OS is Server 2008 R2.  The client machines are Windows 7 64-bit.
LVL 10

Expert Comment

ID: 33579865
Suggest Document Management Solutions:
I am adding two open source softwares link here: 

Author Comment

ID: 33579869
The second link that you listed showed a Visual Basic script.  I know absolutely nothing about PowerShell, but would PowerShell make this any easier?
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.


Expert Comment

ID: 33581442
You could absolutely do the same with PowerShell.  This fellow has a script that comes pretty close to what you're looking to do.  It may require a bit of minor tweaking but the concepts are the same as in VBScript (appending your variables as needed, etc.).
LVL 11

Expert Comment

ID: 33581998
Ah, I see your dilemma.  I was thinking more along the lines of folder redirection.  Although, you could do this easily with excel and command prompt.  Create new security groups for each level and add them to the appropriate users.  Create a folder for your new folders and give access to appropriate users.  Hide the share by using $ after the folder name.
Create an excel file with all user names.   Use mkdir drive:path\<point to cell with employee name>\lev1 to create the folder and subfolder.  Use ICACLS drive:path\<point to cell with employee name>\lev1 /GRANT:group,F - or something along those lines - to modify permissions.   You could also use net share for each folder, but it may cause issues.
Test individual commands with a single folder to ensure you have it setup correctly and then move them to excel and copy on down...
There may be an easier approach, but it seems fairly simple.

Expert Comment

ID: 33583584
silver1386, powershell can perform admin functions for windows server, sql server, exchange server, and sharepoint server

Author Comment

ID: 33597402
The research that I've done on mkdir doesn't look very promising, especially in batch form.  I've never scripted before, so what you've provided makes little sense.  Could you elaborate any, especially on the <point to cell with employee name>?
LVL 11

Assisted Solution

gikkel earned 125 total points
ID: 33600633
Basically all you're doing is using excel to create one line that will make your folders and group settings which will automatically point to the column with the user name. This way you can easily copy that same formula and automatically reference the next user name.  It's not really scripting, just referencing.  
Like I mentioned, you will need to spend some time to determine exactly what the formula will entail to properly create the folder and apply the group settings.  But the basic idea is to have a spreadsheet with every employee's name in a separate row.  For instance, you could have cell A1 with the employee's first name and B1 with the last name.  In your other cells, you would have your formula which would reference cells A1 and B1 for names.
Cell A1: First
Cell B1: Last
Cell C1: ="mkdir "&"""D:\Test\"&$A1&" "&$B1&"\Lev1\"""
Cell D1: =" "&"""D:\Test\"&$A1&" "&$B1&"\Lev2\"""
Cell E1: =" "&"""D:\Test\"&$A1&" "&$B1&"\Lev3\"""
You would have your list already set with all employee names in columns A and columns B, then when you copy cells C1, D1, and E1 down to other rows and they'll automatically reference the next employee.  When you're finished, you would copy all the cells with the mkdir formulas to the clipboard. Open up command prompt, right click and paste.  You'll automatically have a folder for every employee with three different subfolders.  Since you'll already be in the mkdir command, you would need to use icacls to set your permissions on a different row to do it all at once.  I'd recommend you just put it on the same row but copy and paste it to excel after the directories are all created.

Author Comment

ID: 33621391
Thank you guys for all your thoughts and comments.  Being completely new to scripts, I knew nothing about any of this.  I got my in-house application developer (who obviously understands code) to come take a look at it with me.  After some time, this is what we came up with:

@echo off

for /f "tokens=* delims=" %%g in (namedata.txt) do (
mkdir c:\employment\%%g
mkdir c:\employment\%%g\NormalDocs
xcacls C:\employment\%%g\NormalDocs /T /G domain\SecGroup1:R /E
mkdir c:\employment\%%g\SecretDocs
xcacls C:\employment\%%g\SecretDocs /T /G domain\SecGroup2:R /E
echo %%g

It is pulling the names from a text file in the root directory called "namedata.txt."  As you can see, I'm using Xcacls, which I got the download and instructions from Microsoft here:  I also had to install WMI Tools ( to get it to work.  The script refers to the text file to create the employee's folder.  Then it creates the first subfolder and sets permissions on it.  Then it creates the next subfolder and sets permissions on it.  It's not extremely fast, but it works.  I say all this just in case someone else stumbles across this question and wants to know what I did.

The best answers I feel were from MONSTA2008 and qikkel, so I will split the points between them.

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now