homerslmpson asked:

Help with Bulk Folder Permission Change:

We have a "master project folder" of sorts on our network.
In that project folder are sub-folders numbered 1-9.  
The folders numbered 1-9 have different permissions based on the number.  
For example folder 1 may allow the accounting dept modify rights while folder 2 may allow the purchasing dept modify rights.
When we open a certain internal webpage, we can create a new project folder by entering a name for the new project.
A script then copies the "master project folder" and all sub-folders to the network location it's supposed to and gives it the name we typed in earlier.
The permissions have already been assigned to the "master project folder" and all sub-folders so the permissions are copied as well.
The issue we are having here is that users are accidentally dragging/dropping entire project folders into other project folders by mistake.
I'd like to prevent this by removing modify rights at the root level.
While I can easily make changes to the "master folder" so all future projects have the permissions I want, there are many folders that are already on the network.
Any idea how I can modify the permissions of each project folder already on the network without removing the inherited permissions that are being applied to the sub-folders?

So to give you a hypothetical, here is the current permissions set for a project:
Project ABC (accounting, purchasing and drafting have modify rights - all others have read only)
Folder 1 (accounting, purchasing and drafting - modify rights)
Folder 2 (accounting - modify rights - all other groups - read only)
Folder 3 (purchasing - modify rights - all other groups - read only)

This is what I'd like to be:
Project ABC (read only for everyone)
Folder 1 (accounting, purchasing and drafting - modify rights)
Folder 2 (accounting - modify rights - all other groups - read only)
Folder 3 (purchasing - modify rights - all other groups - read only)

I've used Subinacl in the past but I don't know if there is a way to accomplish what I want.
Lionel MM

Yes you can do this--you can remove inherited permissions from just one folder and change permissions on just one folder. You can add this to your script. These may be helpful
http://support.microsoft.com/kb/265360
You can run ICACLS T:\Folder to see what the current permissions are
Then run ICACLS T:\Folder /INHERITANCE:R to remove the inheritance on that folder only
You can then add permissions for that folder as you desire for example
ICACLS T:\Folder /GRANT Administrators:(CI)(OI)F (full rights to administrator)
inheritance rights may precede either form and are applied only to directories:
        (OI) - object inherit
        (CI) - container inherit
        (IO) - inherit only
        (NP) - don't propagate inherit
        (I) - permission inherited from parent container
Example: ICACLS T:\Folder /GRANT User1:(NP)M (this will give User1 modify rights but will not affect inheritance (the (NP)))
And these are the rights you can assign:
        N - no access
        F - full access
        M - modify access
        RX - read and execute access
        R - read-only access
        W - write-only access
        D - delete access

You can always re-run ICACLS T:\Folder to see how permissions and inheritance are being affected.
homerslmpson (ASKER)

Whoa.
This looks like it will work but is a bit confusing.
How about I give you a more realistic example and you tell me how this would be accomplished using iCACLS?

P:\Projects\Job Number 1 (root)
P:\Projects\Job Number 1\Sales\...
P:\Projects\Job Number 1\Purchasing\...

P:\Projects\Job Number 2 (root)
P:\Projects\Job Number 2\Sales\...
P:\Projects\Job Number 2\Purchasing\...

In the example above, the Job Number root folders (P:\Projects\Job Number 1 and P:\Projects\Job Number 2) have a set of base permissions.  These base permissions are applied to all sub-folders and files so that the sub-folders and files have a foundation of sorts.  
The Sales folder then gets additional permissions, as does the Purchasing folder.

If I want to change the Job Number 1 and Job Number 2 permissions without affecting the permissions on the folders/files below, how would I do that?  

Let's just say for the sake of simplicity I wanted to alter the "Job Number" root folders to give DomainABC\Administrator full access and DomainABC\UserA modify rights. Everyone else would have read access.

I'd like the Sales folder and Purchasing folder permissions to remain unchanged.  

The only permissions being changed would be the root Project folders.

Any insight would be appreciated.

So you want everything to stay the same except you want to change P:\Projects to restrict access to the folder and prevent users from adding or creating folders in P:\Projects?

Yes. That is what I'd like to do.

I simply need to ask the programmer to let me know what user account the webpage script runs as when the project folders are created so that the script continues to work.

Any update on this?
Sorry to be such a pain but it seemed like you actually had a solution for me.

Yes, so sorry--work just got really busy and just can't seem to get caught up. Will try to get something to you soon.

ICACLS P:\Projects /GRANT User1:R
This will give the user User1 READ access rights to the folder P:\projects and will not affect folders below it. If you have a group that all the users belong to you can replace user1 with a user group name. They will be able to see this folder but not add, delete, or change anything in it. Keep in mind this will not change existing permissions on folder P:\Projects but will add this permission to it.

I appreciate you taking the time to get back to me.

This is what I'd like to do but am unsure if this is possible:

- Remove ALL permissions to each project folder in the P drive
- Grant the "Authenticated Users" group read-only access to each project folder
- Grant the "Administrators" group full-control
(without having these changes apply to the sub-folders of each project)

I found out that the folder CREATION script is run under the Administrator user account so if we REMOVE all current permissions, GRANT the "Administrators" group full control and everyone else read-only rights, everything should work out properly.
ASKER CERTIFIED SOLUTION
Lionel MM
This solution is only available to members.
Thanks for your help.

You're welcome. I hope you got it to work as you wanted.
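
The change asked for in the thread (clear each project folder's own permissions, give Administrators full control and Authenticated Users read-only, leave the sub-folders as they are), as an added example that is not from the thread or from the members-only solution: a PowerShell wrapper around ICACLS. The backup directory, the -Apply switch and the use of well-known SIDs instead of group names are assumptions.

```powershell
# Added example, not from the thread. $BackupDir and the -Apply switch are assumptions;
# P:\Projects is the layout described in the question.
param(
    [string]$ProjectsRoot = 'P:\Projects',
    [string]$BackupDir    = 'C:\AclBackup',   # hypothetical location for rollback files
    [switch]$Apply                            # without -Apply the commands are only printed
)

$Admins    = '*S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$AuthUsers = '*S-1-5-11'       # Authenticated Users (well-known SID)

function Invoke-Icacls {
    param([string[]]$IcaclsArgs)
    if (-not $Apply) { Write-Host "DRY RUN: icacls $($IcaclsArgs -join ' ')"; return }
    & icacls.exe @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE): $($IcaclsArgs -join ' ')" }
}

if ($Apply) { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }

foreach ($proj in Get-ChildItem -LiteralPath $ProjectsRoot -Directory) {
    # 1. Save the ACLs of the whole project tree so the change can be rolled back
    #    with icacls /restore.
    Invoke-Icacls @($proj.FullName, '/save', (Join-Path $BackupDir "$($proj.Name).acl"), '/T', '/C')

    # 2. On every immediate child, turn inherited ACEs into explicit copies
    #    (/inheritance:d). The children keep the access they have today and no
    #    longer follow the project root; deeper levels keep inheriting from them.
    foreach ($child in Get-ChildItem -LiteralPath $proj.FullName -Force) {
        Invoke-Icacls @($child.FullName, '/inheritance:d')
    }

    # 3. Clear the explicit ACEs on the project root only (/reset without /T),
    #    then drop what it inherits and grant the two entries with no (OI)/(CI)
    #    flags, so they apply to this folder only.
    Invoke-Icacls @($proj.FullName, '/reset')
    Invoke-Icacls @($proj.FullName, '/inheritance:r', '/grant:r', "${Admins}:F", "${AuthUsers}:R")
}
```

Because the root's two entries are not inheritable, anything created directly in a project root afterwards receives no inherited access from it, so the "master project folder" needs the same layout if new projects are to match.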