Modifying multiple folder security permissions quickly

Hi,

I have a folder housing the Home folders of all users in my Active Directory. For some reason, which I have no idea about, the folders have Modify permission for Authenticated Users on all subfolders. I am sure it wasn't like that before. However, I need to fix that issue, but removing the Servername\Users and Authenticated Users permissions one by one is not practical as I have many users.

How can I modify permissions in bulk?

Regards



Windows 2008 R2, Active Directory
Asked by: teomcam

Krzysztof Pytko (Active Directory Engineer) commented:
I would try this way. On that server run in command-line

cd\
drive:
cd path-to folders
dir /b >c:\folders.txt

to have all folders in a text file

now, remove unwanted groups from ACL
for /f %i in (c:\folders.txt) do cacls %i /E /C /R: "Servername\Users" "Authenticated users"

execute this code in the same location as the previous one

Regards,
Krzysztof

bakfaloni commented:
check this script

http://blog.tyang.org/2010/07/01/powershell-script-setting-ntfs-permissions-in-bulk/


But I thought it's better to create one share and then let folder redirection take care of the rest.
 
eg

Create - D:\Users
 Set permissions on D:\Users as follows;
 - Administrators: Full Control (This folder, subfolders and files)
 - System: Full Control (This folder, subfolders and files)
 - Domain Users: Create Folder (This folder only)
 - CREATOR OWNER: Full Control (Subfolders only)
 
Share D:\Users as Users
 Set Share permissions to Everyone: Full Control
 
Set MyDocs folder redirection for users to \\server\Users\%username%\MyDocs
 
If you still need a drive mapped to home directory, set path to \\server\Users\%username%\MyDocs
 
If you want to do Application Data or Desktop redirection, then you can redirect to \\server\Users\%username%\AppData and \\server\Users\%username%\Desktop respectively

teomcam (Author) commented:
@iSiek
Receiving following error.
C:\Users\Administrator\Desktop\Home>cacls /i /E /C /R: "SERVER10\Users" "Authent
icated users"

 NOTE: Cacls is now deprecated, please use Icacls.

 Displays or modifies access control lists (ACLs) of files

 CACLS filename [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm]
        [/R user [...]] [/P user:perm [...]] [/D user [...]]
    filename      Displays ACLs.
    /T            Changes ACLs of specified files in
                  the current directory and all subdirectories.
    /L            Work on the Symbolic Link itself versus the target
    /M            Changes ACLs of volumes mounted to a directory
    /S            Displays the SDDL string for the DACL.
    /S:SDDL       Replaces the ACLs with those specified in the SDDL string
                  (not valid with /E, /G, /R, /P, or /D).
    /E            Edit ACL instead of replacing it.
    /C            Continue on access denied errors.
    /G user:perm  Grant specified user access rights.
                  Perm can be: R  Read
                               W  Write
                               C  Change (write)
                               F  Full control
    /R user       Revoke specified user's access rights (only valid with /E).
    /P user:perm  Replace specified user's access rights.
                  Perm can be: N  None
                               R  Read
                               W  Write
                               C  Change (write)
                               F  Full control
    /D user       Deny specified user access.
 Wildcards can be used to specify more than one file in a command.
 You can specify more than one user in a command.

 Abbreviations:
    CI - Container Inherit.
         The ACE will be inherited by directories.
    OI - Object Inherit.
         The ACE will be inherited by files.
    IO - Inherit Only.
         The ACE does not apply to the current file/directory.
    ID - Inherited.
         The ACE was inherited from the parent directory's ACL.

Krzysztof Pytko (Active Directory Engineer) commented:
Yes, this is only information but program still works fine :) Please notice that you used /i instead of %i :D that's why you see this error

Please try again with %i

Krzysztof

teomcam (Author) commented:
@iSiek

I used both actually but still not working. I used with %i and /i still the same.

Krzysztof Pytko (Active Directory Engineer) commented:
OK, but you need to follow all the above steps I have written, not just the last one with your own tweak :D

You need to have all folders exported to text file (first code block) and then run the second code (this with cacls and %i)

All of them must be run exactly as they are except server name in servername\users line

:)

Krzysztof

teomcam (Author) commented:
@iSiek

Please find the code below. I also eliminated the servername\users part but still not working.

C:\Users\Administrator>dir /b >c:\folders.txt

C:\Users\Administrator>for /f %i in (c:\folders.txt) do cacls %i /E /C /R: "Authenticated users"

NOTE: Cacls is now deprecated, please use Icacls.

 Displays or modifies access control lists (ACLs) of files

Krzysztof Pytko (Active Directory Engineer) commented:
Because first, you need to use commands to go into folder where those users folders are saved :)

CACLS had nothing to do that's why you saw an empty output ;)

Let's say I have user folders on the G: drive in the home\users folder. Inside it all user folders are stored, i.e.

iSiek
iSiek2
iSiek3
etc.

Full Path
g:\home\users\iSiek
g:\home\users\iSiek2
g:\home\users\iSiek3

so, you need to first type:
g:
cd home\users
dir /b >c:\folders.txt

or simply
dir /b g:\home\users >c:\folders.txt

to get all user folders in text file

now, type the second code :)
for /f %i in (c:\folders.txt) do cacls %i /E /C /R: "Servername\Users" "Authenticated users"

but adjust above folder path to your scenario.

Krzysztof

teomcam (Author) commented:
Hi,

Yes, I am doing it as you described. The above code was for you only, that's why you didn't see the actual path. The first command successfully creates the txt file, no problem with that, but the second one is not working.

Please find the actual one below. Sorry for confusion.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>cd "C:\Users\Administrator\Desktop\Home"

C:\Users\Administrator\Desktop\Home>dir /b >c:\folders.txt

C:\Users\Administrator\Desktop\Home>for /f %i in (c:\folders.txt) do cacls %i /E
 /C /R: "Authenticated users"

And same error
C:\Users\Administrator\Desktop\Home>cacls student2 /E /C /R: "Authenticated users"

 NOTE: Cacls is now deprecated, please use Icacls.

 Displays or modifies access control lists (ACLs) of files

 CACLS filename [/T] [/M] [/L] [/S[:SDDL]] [/E] [/C] [/G user:perm]
        [/R user [...]] [/P user:perm [...]] [/D user [...]]

Krzysztof Pytko (Active Directory Engineer) commented:
Strange because it works for me :/

Can you try running that in elevated command-line ?

Ah ok, my mistake :) Do not use colon (:) after R switch :] That's why you see the error. I'm sorry

use for the last step this code
for /f %i in (c:\folders.txt) do cacls %i /E /C /R "Servername\Users" "Authenticated users"

Krzysztof
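
The same clean-up as the corrected loop above, written in PowerShell as an added example (not code from the thread): it looks principals up by well-known SID, so no account-name translation is involved, and it reports inherited entries, which can only be removed on the parent folder. `$Root`, `$Sids` and `-Apply` are assumed parameter names, the default path is the G:\home\users illustration used earlier, and nothing is changed unless `-Apply` is given.

```powershell
# Added example, not from the thread. Parameter names are assumptions.
param(
    [string]$Root    = 'G:\home\users',   # parent of the per-user home folders
    [string[]]$Sids  = @('S-1-5-11'),     # S-1-5-11 = Authenticated Users
                                          # (S-1-5-32-545 = BUILTIN\Users, add if wanted)
    [switch]$Apply                        # omit for a report-only dry run
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Full paths are used throughout, so folder names containing spaces and the
# current directory of the shell do not matter.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $path    = $_.FullName
    $acl     = Get-Acl -Path $path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules   = $acl.GetAccessRules($true, $true, $sidType)
    $changed = $false

    foreach ($sid in $Sids) {
        $hits      = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
        $explicit  = @($hits  | Where-Object { -not $_.IsInherited })
        $inherited = @($hits  | Where-Object { $_.IsInherited })

        if ($explicit.Count -gt 0) {
            # Drops every explicit ACE for this SID; inherited ACEs are untouched.
            $acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier($sid)))
            $changed = $true
        }

        # One result row per folder and SID, for review or Export-Csv.
        New-Object PSObject -Property @{
            Path          = $path
            Sid           = $sid
            ExplicitAces  = $explicit.Count
            InheritedAces = $inherited.Count   # non-zero: fix the ACL on $Root itself
            Applied       = ($Apply.IsPresent -and $explicit.Count -gt 0)
        }
    }

    if ($changed -and $Apply) { Set-Acl -Path $path -AclObject $acl }
}
```

Run it once without `-Apply` from an elevated prompt and review the rows before repeating the run with `-Apply`.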

teomcam (Author) commented:
Thanks mate, you are a life saver :)

Krzysztof Pytko (Active Directory Engineer) commented:
No problem, you're welcome :)
I'm glad I could help

Krzysztof

teomcam (Author) commented:
Oh BTW, I had removed servername\users as it never worked for some reason.

No mapping between account names and security IDs was done.