Bulk permissions to be applied to users' home drives?

Client's users all have a personal/private 'Home' drive.
The folders sit on a DFS file share as \\domain\shares\udata\%username%

File permissions are a joke. At the \\domain\shares\udata root the 'Domain Users' group has modify permission to everything. So any user that figures it out can get into other users' folders.

I need to:
Remove the root permission
Give each user full permission to just their folder

I do not want to have to do it manually as there are too many.

Any script I can use to do this?

Thanks
Mark
Asked by Mark Galvin, Managing Director / Principal Consultant

Mahesh (Architect) commented:
If the home directory names are equal to the users' sAMAccountName, then you could try the code below

SetAcl -on C:\home\user1 -ot file -actn ace -ace "n:domain\user1;p:full" -rec cont_obj -silent
SetAcl -on C:\home\user2 -ot file -actn ace -ace "n:domain\user2;p:full" -rec cont_obj -silent
SetAcl -on C:\home\user3 -ot file -actn ace -ace "n:domain\user3;p:full" -rec cont_obj -silent

Replace domain with yours.
Replace username and home directory with yours.
You need to prepare a .bat file like the one above and execute it.


Download the SetAcl utility from the link below
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/

If you face any ownership issues, you may take ownership of the home drive root folder and subfolders first, followed by granting access
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_17526-NTFS-File-System-Folder-ownership-problems-and-resolution.html
 
Hypercat (Deb) commented:
Of course, the top level folder needs to have NTFS and share permissions that allow administrators and the System to have full control.  

The recommended permissions settings for the top-level folder for users are:

NTFS - Add Special Permissions to "Authenticated Users" group:
        Traverse Folder / Execute File
        List Folder / Read Data
        Read Attributes
        Read Permission
             
You may need to disable permission inheritance and make sure that the special permissions don't apply to subfolders of the root folder ("Apply Onto:" "This Folder Only").
 
Share Permissions - Add: Change - permission to "Authenticated Users" group.

At the user folder level, each user has to have full control to his/her folder.  In addition, the System should have full control and, if allowed/required by company policy, an administrative user should have full control for management purposes.
 
Mark Galvin (Managing Director / Principal Consultant, author) commented:
Hi hypercat

Thanks for the info.

That's all great and I will make sure that best practice is followed.

Is there an easy way to give 'each user has to have full control to his/her folder' en masse? Without having to do each one manually.

 
Hypercat (Deb) commented:
It should already be set that way, because when you create the home folder, it does that automatically. If that permission has been removed, the only quicker way of assigning these permissions (other than the GUI) would be to use ICACLS from the command line.  Each folder still has to be done individually, but at least you can use F3 and just change the folder and user names each time. Or you could create a batch file with all of that in it and then run the batch file as a scheduled task or something so that you don't have to sit there and monitor as it runs.
 
Mark Galvin (Managing Director / Principal Consultant, author) commented:
Sorry, my bad - should have said this in the first post. Since the home folders were created they migrated the data and screwed up the file permissions. One of their younger IT heads then used the 'apply modify permissions to Domain Users' as a quick way to get users into their home folders following the migration.

I will look at the ICACLS with a bat file and see how that goes.

Thanks
Mark
 
Hypercat (Deb) commented:
Oh, yeah, migrating data without taking permissions into account is a good way to "screw the home folder pooch"!  Sounds like the only way to fix it will be ICACLS.  I would recommend replacing all the existing permissions on each folder with what I described above, as appropriate for your company.  In case you need it, here's a link to a command line reference article on ICACLS (I know I have to refer to it often):

https://technet.microsoft.com/en-us/library/cc753525.aspx
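The ICACLS batch approach suggested in the replies above, written as a PowerShell loop. This is an added example, not part of the original thread. It assumes every folder under the root is named after the user's sAMAccountName, that the 'Domain Users' ACE on the user folders is inherited from the root as described in the question, and that `DOMAIN` is a placeholder for the real NetBIOS domain name.

```powershell
# Added example: reset home-folder ACLs so each user owns only their own folder.
# Save as a .ps1, run elevated, and try it with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root   = '\\domain\shares\udata',   # path from the question
    [string]$Domain = 'DOMAIN'                   # placeholder NetBIOS domain name
)

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $account = "$Domain\$($dir.Name)"

    # Skip folders with no matching account (leavers, renamed users) so a
    # stale folder is reported instead of breaking the run.
    try {
        $null = ([System.Security.Principal.NTAccount]$account).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account for '$($dir.FullName)'; left unchanged"
        continue
    }

    if (-not $PSCmdlet.ShouldProcess($dir.FullName, "Grant $account full control")) { continue }

    # Folder itself: drop inherited ACEs (this removes Domain Users: Modify
    # coming from the root) and set explicit full control. The Administrators
    # entry is optional, depending on company policy.
    icacls $dir.FullName /inheritance:r /grant:r `
        "${account}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' /C /Q

    # Contents: discard ACEs left over from the migration so every file and
    # subfolder inherits only from the user folder.
    icacls (Join-Path $dir.FullName '*') /reset /T /C /Q
}

# Root last, so nobody loses access mid-run: remove the blanket grant and give
# Authenticated Users traverse/list/read attributes/read permissions on this
# folder only (no OI/CI flags means the ACE is not inherited).
if ($PSCmdlet.ShouldProcess($Root, 'Remove Domain Users, add traverse/list')) {
    icacls $Root /remove:g "$Domain\Domain Users" `
        /grant:r 'Authenticated Users:(X,RD,RA,RC)' /C /Q
}
```

Folders reported by the warning have no matching account and keep their old ACL, so review them by hand before the root change takes away the inherited access.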
 
Mark Galvin (Managing Director / Principal Consultant, author) commented:
Thanks. Will try this in the office tomorrow and let you know outcome!
Question has a verified solution.