LDAP Query profile path & take ownership of network folders/files script

Hi guys,

I'm trying to take ownership of many files & folders for a client. The file and folders are located on a File server, these folders are automatically created when the user John Doe logs into the domain for the 1st time. The folders are generated from the profile tab in Active Directory, so think \\SERV-01\profiles\johndoe

This works great, John Doe logs into the domain and the folder is automatically created on the file server. John Doe is able to access, read & write into the folder. Problem is the local Admin account (or any other account) does not have access to this folder. The only way to gain admin access is to take ownership of the files, and then give admin and user John Doe access to his files. Easy if you had one or two folders/users but unfortunately I have thousands to deal with.

Now onto the tricky part; bear with me here.

Say John Doe leaves, the admins delete his account but keep the \\SERV-01\profiles\johndoe folder. 1 year later John Doe comes back into the company, the user is recreated in Active Directory and this is where problems arise. John Doe logs into the domain with his new account with \\SERV-01\profiles\johndoe set as his profile path. He notices upon logging into the domain he does not have access to \\SERV-01\profiles\johndoe, in order to "fix" this issue his profile path in active directory is changed to \\SERV-01\profiles\johndoe2 (note the 2 at the end). He now logs back into the domain and voila, he has a new folder he can access at \\SERV-01\profiles\johndoe2. The reason why he cannot access the old path is due to UID mismatch, the old path has the UID of the first John Doe account, the returning John Doe account has a new UID.

This is where I'm called in. I need to be able to do the following two things in 1 script:

1) Gain admin access to \\SERV-01\profiles\johndoe via taking ownership and adding the local built-in admin group into the ACL with full permission

2) Somehow add the new John Doe UID account onto the old \\SERV-01\profiles\johndoe folder. I assume this requires an LDAP query onto the "users" OU, dumping the results and trying to match the \\SERV-01\profiles\johndoe folder to John Doe.

I'm assuming a VBS/BAT script of sorts can pull this magic off, but I'm open to any other method to achieve my solution. Any takers?

Thanks Experts.
sirbounty Commented:
This should work as a one-liner (remember single %) or a batch (double %):

for /d %a in (d:\profiles\*) do takeown /f "%~fa" /r /d y & icacls.exe "%~fa" /grant %~na:F Administrator:F

@echo off
rem Take ownership of every profile folder, then grant the matching user
rem (the folder name, %%~na) and Administrator full control. Double %% in a batch file.
for /d %%a in (d:\profiles\*) do (
  takeown /f "%%~fa" /r /d y
  icacls.exe "%%~fa" /grant %%~na:F Administrator:F
)

Perms setup for the share, ntfs or both?
For the first issue, I think the local admin should have rights at the profiles level, with inheritance turned on - easy to setup with cacls/icacls/xcacls.

The second portion is a bit confusing - but it may be because it's late for me :^)
If the account is removed, then the acl for that folder would have the '<account unknown s-1-15-2-...>' listed - that would simply need to be removed with the new account/uid...  Again, probably accomplishable via icacls/xcacls.
levertm (Author) Commented:
So for the first part you propose I run (elevated cmd):

icacls profiles /setowner Administrator /T /C


icacls profiles /grant Administrators:(F) /T /C

As for the second part, it's tricky indeed. I believe I need to use some sort of variable to achieve what I want. The account is removed and yes I have a '<account unknown s-1-15-2-...>' listed on the folder which is the old John Doe account, not only do I need to remove this old UID but also add the new John Doe UID to the permissions (share/ntfs) of the said folder. I need to be able to do this automatically without having to manually do it for each folder.

I'm sure I need some sort of script that has a variable, it may look like this:

John Doe logs in
John doe has \\SERV-01\profiles\johndoe in his profile tab
The Folder only has the old John Doe UID '<account unknown s-1-15-2-...>'
The script kicks into gear
Sets administrators owner to \\SERV-01\profiles\johndoe
Grants administrators full access to \\SERV-01\profiles\johndoe
Identifies the new John Doe UID and adds it into \\SERV-01\profiles\johndoe

It's the bit with the variable that's tricky, that's why I think I need to query ldap and match the profile path name with the account UID and set that new account to the folder.
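Added example, not from the thread or from either participant: a PowerShell script that does both parts of the request in one pass over the share. It assumes the RSAT ActiveDirectory module is installed, that it runs elevated on the file server, and that the \\SERV-01\profiles share is backed by the local folder D:\profiles (that local path is a placeholder). The join between a folder and the returning user's new account is the user's profilePath attribute in AD, which is the LDAP lookup the question asks about; the "account unknown" entries are ACEs whose SID no longer maps to any account. Run it with -WhatIf first to get a report of what would change without touching any ACL.

```powershell
# Added example (not the thread's own code): repair profile folders for returning users.
# Assumes the RSAT ActiveDirectory module is installed and the script runs elevated on the
# file server, where \\SERV-01\profiles is the local folder D:\profiles (placeholder path).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfileRoot = 'D:\profiles',        # local path behind the share (assumption)
    [string]$UncRoot     = '\\SERV-01\profiles'  # prefix stored in the AD profilePath attribute
)

Import-Module ActiveDirectory

# 1) Map folder name -> current AD account using the profilePath attribute. A deleted and
#    recreated account has a new SID but the same profilePath, so this is the join key.
$userByFolder = @{}
Get-ADUser -Filter 'profilePath -like "*"' -Properties profilePath | ForEach-Object {
    if ($_.profilePath -like "$UncRoot\*") {
        $leaf = (Split-Path -Leaf $_.profilePath).ToLowerInvariant()
        $userByFolder[$leaf] = $_
    }
}

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $path = $dir.FullName
    $key  = $dir.Name.ToLowerInvariant()

    # 2) Take ownership first; without it every later ACL call fails with "access denied"
    #    on folders that only the original (now deleted) account could open.
    if ($PSCmdlet.ShouldProcess($path, 'takeown + grant Administrators')) {
        takeown.exe /f $path /r /d y | Out-Null
        # /grant appends an ACE; /grant:r replaces only this principal's existing ACE.
        # Neither wipes the rest of the ACL, so the user's own entry survives.
        # /T recurses, /C keeps going past per-file errors.
        icacls.exe $path /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
    }

    # 3) Collect explicit ACEs whose SID no longer resolves to an account (the
    #    '<account unknown ...>' entries left behind when the old account was deleted).
    $acl = Get-Acl -LiteralPath $path
    $orphans = @(
        $acl.Access |
            Where-Object { -not $_.IsInherited -and
                           $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier] } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    )

    $user = $userByFolder[$key]
    if ($null -eq $user) {
        Write-Warning "$path : no AD user has a profilePath pointing here; orphaned SIDs: $($orphans -join ', ')"
        continue
    }

    # 4) Grant the *current* account for this folder (Modify, as suggested in the thread),
    #    then drop the unresolvable SIDs so the ACL no longer carries dead entries.
    #    icacls accepts any principal as *S-1-..., which avoids domain\name resolution issues.
    $action = "grant $($user.SamAccountName), remove $($orphans.Count) orphaned SID(s)"
    if ($PSCmdlet.ShouldProcess($path, $action)) {
        icacls.exe $path /grant "*$($user.SID):(OI)(CI)M" /T /C | Out-Null
        foreach ($sid in $orphans) {
            icacls.exe $path /remove "*$sid" /T /C | Out-Null
        }
    }
}
```

Folders with no matching profilePath in AD are only reported, never modified, so a share full of leavers' data can be audited before anything is granted.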

No, I don't believe you need to give the Administrator ownership, you just need access to the data, correct?

icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F

should suffice, and this should allow the Admin to gain access to any profile's data.

For the 2nd part, to be clean, you would want to eventually remove that unknown account, but it's not entirely necessary.  All you should really need to do is to simply apply the ACE for that existing/'new' user:

icacls profiles\johndoe /e /t /grant domain\johndoe:M
(assuming you want to limit the user to Modify rights, which should be the limit, so they can't befuddle what you've done to configure everything correctly)
levertm (Author) Commented:
Hi sirbounty,

I had an issue with your initial command

icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F

I get an Invalid parameter "/e" error. Through my research I also found that the /grant option removes all existing ACL rather than appending. This doesn't work for me since I need to keep the current ACL (user home drive needs user access).

So i got the following:


Right now only user1 has access to user1 folder and so on with the other users. I need to add administrators to user1 folder but also be able to keep the current ACL which has the appropriate user for their folder.
levertm (Author) Commented:
I found an article that asks what I want to do -


Going to look into this.
levertm (Author) Commented:
Getting closer, I found this as well:

Cool, I'm getting closer, I am running the following command

for /f %i in (users.txt) do icacls.exe C:\test\*.* /grant %i:(OI)(CI)F /C /T

I have two accounts listed in users.txt   ( domain\user ) and I have a test folder created with two folders with the same name as the user account.

When I run the command above it adds the accounts but it adds both accounts to both folders. I'm sure the syntax is off but I'm not sure what I need to do to fix it.


I think this may work, I will have to test it. I may need to find out if I can /grant multiple users in 1 line though. Also I need to create this script and have no idea how to make it, do I just save as a batch file?
Yes, you should be able to grant multiple in one line, and yes save it as a bat or cmd extension.
The /e was my error - it's used with cacls, and it's for editing the acl, as opposed to replacing it.
I'd have to dig into icacls to find the equivalent.
levertm (Author) Commented:
Hmm the batch file isn't working, the command prompt opens and closes immediately.

I have the following line in the .bat file:

for /f %i in (users2.txt) do icacls.exe D:\test\*.* /grant %i:(OI)(CI)F /C /T

The users2.txt has the following:


I also have the following folders in D:\test

levertm (Author) Commented:
I actually am 90% close to accomplishing this, my final batch file looks like this:

for /f "tokens=*" %%i in (users2.txt) do icacls.exe D:\test\%%i /grant %%i:F Administrator:F

NOW, my only problem is if Administrators don't have access to say JOHN folder the script fails with an access denied, albeit continues with the remaining folders.

How do I modify my script to take ownership of that folder first and then apply the new permissions? This may be a separate batch file?
Yes, a batch file needs two % signs - running from the cmd line, only one.

I'm not sure icacls will do the trick, but within the same batch file, you could take ownership first via subinacl.exe (http://ss64.com/nt/subinacl.html) or takeown.exe (I appear to have this one natively on my win7 client).
levertm (Author) Commented:
Thank you sirbounty that did it. It also caused a new issue but you have answered my question.
Happy to have helped - thanx for the grade! :^)