LDAP Query profile path & take ownership of network folders/files script

Posted on 2013-12-04
Medium Priority
Last Modified: 2013-12-06
Hi guys,

I'm trying to take ownership of many files & folders for a client. The files and folders are located on a file server; these folders are automatically created when the user John Doe logs into the domain for the 1st time. The folders are generated from the profile tab in Active Directory, so think \\SERV-01\profiles\johndoe

This works great, John Doe logs into the domain and the folder is automatically created on the file server. John Doe is able to access, read & write into the folder. Problem is the local Admin account (or any other account) does not have access to this folder. The only way to gain admin access is to take ownership of the files, and then give admin and user John Doe access to his files. Easy if you had one or two folders/users but unfortunately I have thousands to deal with.

Now onto the tricky part; bear with me here.

Say John Doe leaves, the admins delete his account but keep the \\SERV-01\profiles\johndoe folder. 1 year later John Doe comes back into the company, the user is recreated in Active Directory and this is where problems arise. John Doe logs into the domain with his new account with \\SERV-01\profiles\johndoe set as his profile path. He notices upon logging into the domain he does not have access to \\SERV-01\profiles\johndoe, in order to "fix" this issue his profile path in active directory is changed to \\SERV-01\profiles\johndoe2 (note the 2 at the end). He now logs back into the domain and voila, he has a new folder he can access at \\SERV-01\profiles\johndoe2. The reason why he cannot access the old path is due to UID mismatch, the old path has the UID of the first John Doe account, the returning John Doe account has a new UID.

This is where I'm called in. I need to be able to do two of the following things in 1 script:

1) Gain admin access to \\SERV-01\profiles\johndoe via taking ownership and adding the local built-in admin group into the ACL with full permission

2) Somehow add the new John Doe UID account onto the old \\SERV-01\profiles\johndoe folder. I assume this requires an ldap query onto the "users" OU, dumping the results and trying to match the \\SERV-01\profiles\johndoe folder to John Doe.

I'm assuming a VBS/BAT script of sorts can pull this magic off, but I'm open to any other method to achieve my solution. Any takers?

Thanks Experts.
Question by:levertm
LVL 67

Expert Comment

ID: 39697331
Perms setup for the share, ntfs or both?
For the first issue, I think the local admin should have rights at the profiles level, with inheritance turned on - easy to set up with cacls/icacls/xcacls.

The second portion is a bit confusing - but it may be because it's late for me :^)
If the account is removed, then the acl for that folder would have the '<account unknown s-1-15-2-...>' listed - that would simply need to be removed with the new account/uid...  Again, probably accomplishable via icacls/xcacls.

Author Comment

ID: 39697383
So for the first part you propose I run (elevated cmd):

icacls profiles /setowner Administrator /T /C


icacls profiles /grant Administrators:(F) /T /C

As for the second part, it's tricky indeed. I believe I need to use some sort of variable to achieve what I want. The account is removed and yes I have a '<account unknown s-1-15-2-...>' listed on the folder which is the old John Doe account; not only do I need to remove this old UID but also add the new John Doe UID to the permissions (share/ntfs) of the said folder. I need to be able to do this automatically without having to manually do it for each folder.

I'm sure I need some sort of script that has a variable, it may look like this:

John Doe logs in
John doe has \\SERV-01\profiles\johndoe in his profile tab
The Folder only has the old John Doe UID '<account unknown s-1-15-2-...>'
The script kicks into gear
Sets administrators owner to \\SERV-01\profiles\johndoe
Grants administrators full access to \\SERV-01\profiles\johndoe
Identifies the new John Doe UID and adds it into \\SERV-01\profiles\johndoe

It's the bit with the variable that's tricky, that's why I think I need to query ldap and match the profile path name with the account UID and set that new account to the folder.
LVL 67

Expert Comment

ID: 39697999
No, I don't believe you need to give the Administrator ownership, you just need access to the data, correct?

icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F

should suffice, and this should allow the Admin to gain access to any profile's data.

For the 2nd part, to be clean, you would want to eventually remove that unknown account, but it's not entirely necessary.  All you should really need to do is to simply  apply the ACE for that existing/'new' user:

icacls profiles\johndoe /e /t /grant domain\johndoe:M
(assuming you want to limit the user to Modify rights, which should be the limit, so they can't befuddle what you've done to configure everything correctly)

Author Comment

ID: 39698848
Hi sirbounty,

I had an issue with your initial command

icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F


I get an Invalid parameter "/e" error. Through my research I also found that the /grant option removes all existing ACLs rather than appending. This doesn't work for me since I need to keep the current ACL (user home drive needs user access).

So I got the following:


Right now only user1 has access to user1 folder and so on with the other users. I need to add administrators to user1 folder but also be able to keep the current ACL which has the appropriate user for their folder.

Author Comment

ID: 39698869
I found an article that asks what I want to do -


Going to look into this.

Author Comment

ID: 39698891
Getting closer, I found this as well:

Cool, I'm getting closer, I am running the following command

for /f %i in (users.txt) do icacls.exe C:\test\*.* /grant %i:(OI)(CI)F /C /T

I have two accounts listed in users.txt   ( domain\user ) and I have a test folder created with two folders with the same name as the user account.

When I run the command above it adds the accounts but it adds both accounts to both folders. I'm sure the syntax is off but I'm not sure what I need to do to fix it.


I think this may work, I will have to test it. I may need to find out if I can /grant multiple users in 1 line though. Also I need to create this script and have no idea how to make it, do I just save as a batch file?
LVL 67

Expert Comment

ID: 39698969
Yes, you should be able to grant multiple in one line, and yes save it as a bat or cmd extension.
The /e was my error - it's used with cacls, and it's for editing the acl, as opposed to replacing it.
I'd have to dig into icacls to find the equivalent.

Author Comment

ID: 39699495
Hmm, the batch file isn't working; the command prompt opens and closes immediately.

I have the following line in the .bat file:

for /f %i in (users2.txt) do icacls.exe D:\test\*.* /grant %i:(OI)(CI)F /C /T


The users2.txt has the following:


I also have the following folders in D:\test


Author Comment

ID: 39699625
I actually am 90% close to accomplishing this, my final batch file looks like this:

for /f "tokens=*" %%i in (users2.txt) do icacls.exe D:\test\%%i /grant %%i:F Administrator:F

NOW, my only problem is if Administrators don't have access to, say, the JOHN folder, the script fails with an access denied, albeit continues with the remaining folders.

How do I modify my script to take ownership of that folder first and then apply the new permissions? This may be a separate batch file?
LVL 67

Expert Comment

ID: 39700000
Yes, a batch file needs two % signs - running from the cmd line, only one.

I'm not sure icacls will do the trick, but within the same batch file, you could take ownership first via subinacl.exe (http://ss64.com/nt/subinacl.html) or takeown.exe (I appear to have this one natively on my win7 client).
LVL 67

Accepted Solution

sirbounty earned 2000 total points
ID: 39700714
This should work as a one-liner (remember single %) or a batch (double %):

for /d %a in (d:\profiles\*) do takeown /f "%~fa" /r /d y & icacls.exe "%~fa" /grant "%~na":(OI)(CI)F Administrator:(OI)(CI)F

@echo off
REM %%~fa expands to the folder's full path, %%~na to the folder name only,
REM which is the account name the ACE is granted to; (OI)(CI) makes the
REM grant inherit to the files and subfolders of the profile.
for /d %%a in (d:\profiles\*) do (
  takeown /f "%%~fa" /r /d y
  icacls.exe "%%~fa" /grant "%%~na":(OI)(CI)F Administrator:(OI)(CI)F
)


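The accepted answer covers the first half of the question (take ownership, grant the admin) but leaves the folder-to-account matching to the folder name. The following is an added PowerShell example, not code from the thread or its participants, that does both halves the way the original question asked: it queries AD once for every user's profilePath attribute, and for each folder under the profile root it takes ownership with takeown.exe, grants BUILTIN\Administrators full control, grants the account whose profilePath points at that folder Modify rights (the ceiling sirbounty recommends), and removes explicit ACEs for SIDs that no longer resolve (the "account unknown" entry left by the deleted account). The paths D:\profiles and \\SERV-01\profiles, and the assumption that the script runs elevated on the file server with a domain account, are assumptions for the example.

```powershell
# Added example, not from the thread. Assumes: run elevated on the file server,
# $ProfileRoot is the local path behind the \\SERV-01\profiles share, and the
# AD profilePath attribute of each user points at one of these folders.
# [adsisearcher] is built into PowerShell, so no RSAT module is needed.
$ProfileRoot = 'D:\profiles'            # assumed local path of the share
$UncRoot     = '\\SERV-01\profiles'     # what the AD profilePath attribute holds
$AdminGroup  = 'BUILTIN\Administrators'
$Domain      = $env:USERDOMAIN          # NetBIOS domain used in icacls grants

# One LDAP query: profilePath -> sAMAccountName for every user that has one.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(profilePath=*))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'profilePath'))
$AccountByPath = @{}
foreach ($result in $searcher.FindAll()) {
    $path = [string]$result.Properties['profilepath'][0]
    $AccountByPath[$path.TrimEnd('\').ToLowerInvariant()] =
        [string]$result.Properties['samaccountname'][0]
}

function Repair-ProfileFolder {
    param([Parameter(Mandatory)][System.IO.DirectoryInfo]$Folder)

    # 1) Take ownership recursively (/a assigns it to Administrators, not the
    #    caller) so the DACL can be read and rewritten at all.
    & takeown.exe /f $Folder.FullName /r /d y /a | Out-Null

    # 2) Administrators: Full Control, inherited by files and subfolders.
    #    icacls /grant appends an ACE; it does not replace the existing DACL.
    & icacls.exe $Folder.FullName /grant "${AdminGroup}:(OI)(CI)F" /t /c /q | Out-Null

    # 3) Match this folder to the *current* account via profilePath, not by SID.
    $key = (Join-Path $UncRoot $Folder.Name).ToLowerInvariant()
    $sam = $AccountByPath[$key]
    if (-not $sam) {
        Write-Warning "$($Folder.Name): no AD user has profilePath '$key'; user ACEs left unchanged"
        return
    }
    & icacls.exe $Folder.FullName /grant "${Domain}\${sam}:(OI)(CI)M" /t /c /q | Out-Null

    # 4) Remove explicit ACEs whose SID no longer resolves to an account.
    #    Get-Acl returns such identities as SecurityIdentifier objects rather
    #    than NTAccount names, which is how 'Account Unknown' shows up.
    $acl = Get-Acl -LiteralPath $Folder.FullName
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and
            $ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -LiteralPath $Folder.FullName -AclObject $acl
}

# Process every profile folder under the root.
Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    Repair-ProfileFolder -Folder $_
}
```

Two design choices worth noting: the script keys on profilePath rather than on the folder name, so johndoe2-style workarounds are matched to whichever account actually points at the folder, and it only strips orphaned ACEs at the top of each profile folder, where inheritance normally puts them; files deeper in the tree with their own explicit orphaned ACEs would need the same Get-Acl/Set-Acl pass run recursively.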
Author Comment

ID: 39700950
Thank you sirbounty, that did it. It also caused a new issue but you have answered my question.
LVL 67

Expert Comment

ID: 39700972
Happy to have helped - thanx for the grade! :^)
