
Script to change file permissions on Server 2003

We're trying to set up a script to modify permissions on a whole ton of folders, 850 to be exact. It's an HR_Data folder at the top level, underneath which there is an Active Employees subfolder. Under that are the 850 folders, one for each employee. Inside those are 3 subfolders: HR, Training, and Safety. We have two groups that need permissions to these. Setting up the permissions on the 850 folders is easy since each has the same permission: I'm highlighting all of them, right-clicking and changing the permissions to add read and execute for these two groups. But the complication comes in with the 3 subfolders:

Group1 - modify on HR subfolder
Group2 - deny everything on HR subfolder

Group1 - deny everything on Training and Safety subfolders.
Group2 - modify on Training and Safety subfolders.

Rather than go into every one of the 850 folders and modify the permissions on the subfolders manually, is there some script that can do this?  I've been looking at cacls.exe but can't get it to work on a test folder I have.
1 Solution

Rich Rumble (Security Samurai) commented:
NTFS permissions can be tricky; you have to remember that the most restrictive permission is the one that will apply, especially when there is a conflict in those permissions.
User_1 is in HR's group and the Domain_Users group.
If you give the HR group full control of a folder but Domain_Users has read only, then when user1 goes to modify something he/she will be denied, because user1 is in the Domain_Users group and that group has the most restrictive permission (read only). This is where the "effective permissions" tab can help you understand. Remember, just because you give a permission to someone/some group, it will not "over-ride" a deny permission from another group. Direct permissions (giving a specific user full control, for example) will "over-ride".
You could probably use a simple text editor like Notepad++ or even Excel !-)
In Excel...
A          | B                    | C          | D                | E          | F
cacls.exe  | \\path\to\HR_data\   | %username% | \HR /T /C /E /G  | %username% | :F
Copy that over and over (or drag the corner of the cell to replicate), copy the usernames into the variable %username% columns (C and E), copy and paste all that into a text file, rename it to a batch file, and double-click it. You can put a group in column E if you wish...

"cacls.exe \\path\to\HR_data\user_1\HR /T /C /E /G user_1:F"
"cacls.exe \\path\to\HR_data\user_1\HR /T /C /E /G group_1:F"

REM This is a basic logon script you could use...
@Echo OFF
REM Only touch the user's own HR subfolder if it exists; /E edits the ACL in place, /T recurses, /C continues on errors
if exist \\path\to\HR_data\%username%\HR cacls.exe \\path\to\HR_data\%username%\HR /T /C /E /G %username%:F

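As an added example (not from the thread or its poster), here is a batch script that applies the per-subfolder rules from the question across every employee folder with cacls. The share path, domain and group names are assumptions; it defaults to a dry run that only prints the commands it would issue.

```batch
@echo off
setlocal EnableExtensions
REM Added example, not from the original thread. The root path and group
REM names below are assumptions; replace them with your own. Run it as an
REM account that already has Full Control on HR_Data so the ACL edits succeed.
set "ROOT=\\server\HR_Data\Active Employees"
set "GROUP1=DOMAIN\Group1"
set "GROUP2=DOMAIN\Group2"
REM DRYRUN=1 only prints the cacls commands; set it to 0 to apply them.
set "DRYRUN=1"
set "LOG=%TEMP%\hr_perms.log"

if not exist "%ROOT%\" (
    echo Root folder "%ROOT%" not found, aborting.
    exit /b 1
)
> "%LOG%" echo Permission run started %DATE% %TIME%

REM Each directory entry directly under ROOT is one employee folder.
for /d %%E in ("%ROOT%\*") do (
    REM Group1: Change on HR, denied on Training and Safety.
    REM Group2: denied on HR, Change on Training and Safety.
    call :apply "%%~E\HR"       "%GROUP1%" "%GROUP2%"
    call :apply "%%~E\Training" "%GROUP2%" "%GROUP1%"
    call :apply "%%~E\Safety"   "%GROUP2%" "%GROUP1%"
)
echo Done, see "%LOG%" for details.
exit /b 0

:apply
REM %1 = folder, %2 = group to grant Change (C, cacls' equivalent of Modify), %3 = group to deny.
REM /E edits the existing ACL instead of replacing it, /T recurses into the
REM children that already exist, /C continues past entries that fail.
REM A group name containing spaces must be written as "DOMAIN\Group 1":C instead.
if not exist "%~1\" (
    >> "%LOG%" echo MISSING %~1
    exit /b 0
)
if "%DRYRUN%"=="1" (
    echo cacls "%~1" /T /E /C /G %~2:C /D %~3
    exit /b 0
)
REM Feeding Y keeps the run unattended if cacls asks for confirmation.
echo Y| cacls "%~1" /T /E /C /G %~2:C /D %~3 >> "%LOG%" 2>&1
if errorlevel 1 >> "%LOG%" echo FAILED %~1
exit /b 0
```

Run it with DRYRUN=1 first and compare a few of the printed commands against the real folders, then verify one result afterwards with `cacls "<employee folder>\HR"`, which lists the ACL when given no other switches. Because /D creates a deny entry, check that the administrative account doing the work is not itself a member of the group being denied.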