Solved

Auto create sub folder in all users' home drives

Posted on 2013-06-07
Last Modified: 2013-06-21
I need to create a folder called SCANS in all of our users' home drives.
Is there a way to auto create these folders with the desired permissions?
Question by:steveLaMi
 
LVL 53

Expert Comment

by:Bill Prew
ID: 39230917
Where are the "home drives" located?

What permissions?

~bp
0
 
LVL 24

Expert Comment

by:Coralon
ID: 39230977
There are a *ton* of ways to do it.

1. As a one-time shot, you can do this by command line easily enough.  Assuming that the home directories are in \\server\share\<username>

pushd \\server\share
for /d %f in (*) do md "%f\SCANS"
popd

2. If you want an automated process, then you can create it by GPP, or by a login script.  The login script would be:
md "%homedrive%%homepath%\SCANS"



In these cases, the permissions will inherit.  It's easy enough to add a cacls.exe command in either of these after the folder is created.

1. This would change to:
pushd \\server\share
for /d %f in (*) do md "%f\SCANS" && cacls "%f\SCANS" /e /g useraccount:f /r useraccount2
popd



2. Would change to:
md "%homedrive%%homepath%\SCANS" && cacls "%homedrive%%homepath%\SCANS" /e /g useraccount:f /r useraccount2


CACLS has multiple options, and I put a couple there.
/e (edit permissions instead of overwrite them)
/r (remove permissions for the specified group, put " marks if you have spaces, like "domain users")
/g (grant permission to a user/group).
/t (process subdirectories also)

So, as a full example:
cacls "%homedrive%%homepath%\SCANS" /e /t /r "users" /g "authenticated users":c "creator owner":f

This command would take the newly created scans directory, edit the permissions on the folder and subfolders, would remove the normal Users group permission, would give the Authenticated Users group Change access (modify), and would give the Creator Owner full control.

Coralon
0
 
LVL 77

Expert Comment

by:arnold
ID: 39231070
You can use a login script.
Check whether the directory already exists.
If it does not mkdir homedir driveletter:\scans
Etc.
0

Author Comment

by:steveLaMi
ID: 39245464
Coralon,

The folder creation worked great.  Now I have a scanning account, example: Ricoh5000, that I want to have full access to that SCANS directory only.  Can that be automated as well?
0
 
LVL 24

Expert Comment

by:Coralon
ID: 39246182
Absolutely.  

The method just depends on how you created the folders in the first place.

If you did it manually (like the first example)
pushd \\server\share
for /d %f in (*) do cacls "%f\SCANS" /e /t /g "domain\ricoh5000":f
popd



If you went for the automatic method, then you just use the example I posted above.
md "%homedrive%%homepath%\SCANS" && cacls "%homedrive%%homepath%\SCANS" /e /t /g "domain\ricoh5000":f


The automatic would do well with an if statement now that I'm thinking about it even more.  
if exist "%homedrive%%homepath%\SCANS" (echo .) else (md "%homedrive%%homepath%\SCANS" && cacls "%homedrive%%homepath%\SCANS" /e /t /g "domain\ricoh5000":f )



Coralon
0
 

Author Comment

by:steveLaMi
ID: 39253891
When I type that in I get a More prompt.
Any ideas?

FYI my path is
\\cisvfs\home\%username%\scans
0
 
LVL 77

Expert Comment

by:arnold
ID: 39254842
%username% is a variable.

Where are you typing this?

A simple USER GPO with a login script that does
@echo off
mkdir %userprofile%\scans where presumably


should do the trick.
0
 
LVL 24

Expert Comment

by:Coralon
ID: 39254872
You don't want the user profile, you want the home directory.

If you are getting a more prompt, there is a typo in the command, because it is looking for another character (i.e. command terminator).

Coralon
0
 

Author Comment

by:steveLaMi
ID: 39266250
Thanks for getting back to me. The folder creation actually worked. All of my users have a SCANS folder in their home drives now.  However, the adding of PHILLYRICOH to the security access list for full permissions did not take.  Is there a way of just adding that to the existing scans folders?
0
 
LVL 77

Expert Comment

by:arnold
ID: 39266303
IMHO, changes to user level folders are best done through user level GPO login or logout script or both.
The folder in question is owned by the user. The user can use cacls to grant (/e ) edit the existing ACL to make sure.

The main issue I see is that the scans folder likely has granted rights to user PHILLYRICOH full rights within the folder, the problem is that the user PHILLYRICOH likely has no rights to pass %homedrive%%homepath%\

You need to add phillyricoh to the main share with traverse directory rights.
so phillyricoh can do
Make sure the user phillyricoh has rights/security settings on the sharing permissions side.
0
 
LVL 24

Accepted Solution

by:
Coralon earned 500 total points
ID: 39266519
Using the initial code for a manual setup:

pushd \\server\share
for /d %f in (*) do cacls "%f\SCANS" /e /g <domain>\phillyricoh:f /t
popd



Arnold:
I was referring to the automated script.  With the automated script, it is running from the user's security context, and they already own the directory and have full control.  With that, the 2nd piece of the script with cacls.exe is running in the user context, so they have %homedrive%%homepath%.

The manual script piece (that I have in this post) is for the admins.  

Coralon
0
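
An admin-side version of the grant above with a read-back check, as an added example that is not part of the original thread. It uses icacls (the successor to the deprecated cacls) instead of the cacls commands posted here; `\\server\share` and `DOMAIN\scanaccount` are placeholders, and the loop variable is written `%%D` because this is meant to be saved as a .cmd file rather than typed at the prompt.

```bat
@echo off
setlocal EnableExtensions
rem Added example. HOME_ROOT and SCANNER are placeholder values (assumptions).
set "HOME_ROOT=\\server\share"
set "SCANNER=DOMAIN\scanaccount"
set /a OK=0, FAILED=0, MISSING=0

rem pushd maps a temporary drive letter for the UNC path.
pushd "%HOME_ROOT%" || (echo Cannot reach "%HOME_ROOT%" & exit /b 1)

rem One pass per user home directory directly under the share root.
for /d %%D in (*) do call :grant "%%D"

popd
echo Granted: %OK%  Failed: %FAILED%  No SCANS folder: %MISSING%
if %FAILED% gtr 0 exit /b 2
exit /b 0

:grant
rem %~1 is one home directory name, relative to HOME_ROOT.
if not exist "%~1\SCANS\" (
    set /a MISSING+=1
    goto :eof
)
rem /grant adds an entry and leaves the existing ACL in place.
rem (OI)(CI)F = full control, inherited by files and subfolders of SCANS only;
rem nothing is changed on the parent home directory.
icacls "%~1\SCANS" /grant "%SCANNER%:(OI)(CI)F" >nul
if errorlevel 1 (
    echo FAILED grant on "%~1\SCANS"
    set /a FAILED+=1
    goto :eof
)
rem Read the ACL back and confirm the entry is really there.
icacls "%~1\SCANS" | findstr /i /l /c:"%SCANNER%" >nul
if errorlevel 1 (
    echo FAILED verify on "%~1\SCANS"
    set /a FAILED+=1
    goto :eof
)
set /a OK+=1
goto :eof
```

A non-zero exit code means at least one folder did not end up with the entry, which is the "did not take" case reported earlier in the thread.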
 
LVL 77

Expert Comment

by:arnold
ID: 39266847
Check what effective rights this user has on the sharing security settings.  This is where the write rights might be missing.
Is the phillyricoh user unable to access the share?
Let's try this example.  Using cacls, you granted phillyricoh access to a subdirectory.
What is the effective permission for phillyricoh user on the %username% directory of any of your users?
Can it access traverse directory, read contents?
I.e. you give a person, phillyricoh, the master key for the entire third floor.  In the morning you arrive to see phillyricoh standing at the front door.
You ask him what is going on? He tells you, he can not enter.
0

Question has a verified solution.