
Bulk permissions to be applied to users home drives?

Mark Galvin asked:
Client's users all have a personal/private 'Home' drive
The folders sit on a DFS file share as \\domain\shares\udata\%username%

File permissions are a joke. At the \\domain\shares\udata root the 'Domain Users' group has modify permission to everything. So any user that figures it out can get into other users' folders.

I need to:
Remove the root permission
Give each user full permission to just their folder

I do not want to have to do it manually as there are too many.

Any script I can use to do this?


Of course, the top-level folder needs to have NTFS and share permissions that allow administrators and the System to have full control.

The recommended permissions settings for the top-level folder for users are:

NTFS - Add Special Permissions to "Authenticated Users" group:
        Traverse Folder / Execute File
        List Folder / Read Data
        Read Attributes
        Read Permission
You may need to disable permission inheritance and make sure that the special permissions don't apply to subfolders of the root folder ("Apply Onto:" "This Folder Only").
Share Permissions - Add: Change - permission to "Authenticated Users" group.

At the user folder level, each user has to have full control to his/her folder.  In addition, the System should have full control and, if allowed/required by company policy, an administrative user should have full control for management purposes.
Mark Galvin (Principal Consultant):


Hi hypercat

Thanks for the info.

That's all great and I will make sure that best practice is followed.

Is there an easy way to give ' each user has to have full control to his/her folder' en masse? Without having to do each one manually.
It should already be set that way, because when you create the home folder, it does that automatically. If that permission has been removed, the only quicker way of assigning these permissions (other than the GUI) would be to use ICACLS from the command line.  Each folder still has to be done individually, but at least you can use F3 and just change the folder and user names each time. Or you could create a batch file with all of that in it and then run the batch file as a scheduled task or something so that you don't have to sit there and monitor as it runs.
Mark Galvin (Principal Consultant):


Sorry, my bad - should have said this in the first post. Since the home folders were created they migrated the data and screwed up the file permissions. One of their younger IT heads then used the 'apply modify permissions to Domain Users' as a quick way to get users into their home folders following the migration.

I will look at the ICACLS with a bat file and see how that goes.

Oh, yeah, migrating data without taking permissions into account is a good way to "screw the home folder pooch"!  Sounds like the only way to fix it will be ICACLS.  I would recommend replacing all the existing permissions on each folder with what I described above, as appropriate for your company.  In case you need it, here's a link to a command line reference article on ICACLS (I know I have to refer to it often):

Mark Galvin (Principal Consultant):


Thanks. Will try this in the office tomorrow and let you know outcome!
Distinguished Expert 2019:
If home directories are equal to the user's sAMAccountName, then you could try the code below

SetAcl -on C:\home\user1 -ot file -actn ace -ace "n:domain\user1;p:full" -rec cont_obj -silent
SetAcl -on C:\home\user2 -ot file -actn ace -ace "n:domain\user2;p:full" -rec cont_obj -silent
SetAcl -on C:\home\user3 -ot file -actn ace -ace "n:domain\user3;p:full" -rec cont_obj -silent

Replace domain with yours.
Replace the username and home directory with yours.
You need to prepare a .bat file like the above and execute it.


Download the SetAcl utility from the link below

If you face any ownership issues, you may take ownership of the home drive root folder and subfolders first, then grant access.
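The bulk fix described in this thread (take ownership, replace each home folder's ACL so only the matching user, SYSTEM and Administrators have access, then strip the 'Domain Users' grant from the root and leave Authenticated Users with traverse/list/read on the root folder only), as an added PowerShell example that is not from any of the posters. It uses built-in icacls rather than SetAcl, assumes the ActiveDirectory module is available and that each folder name equals the user's sAMAccountName; the share path and domain name are placeholders.

```powershell
# Added example, not code from the thread. Run elevated on a box with the AD module.
param(
    [string]$Root   = '\\domain\shares\udata',   # placeholder: your DFS home-folder root
    [string]$Domain = 'DOMAIN',                  # placeholder: NetBIOS domain name
    [switch]$DryRun                              # only print the icacls commands
)
Import-Module ActiveDirectory

function Invoke-Icacls([string[]]$ArgList) {
    if ($DryRun) { Write-Host "icacls $($ArgList -join ' ')"; return }
    & icacls.exe @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed ($LASTEXITCODE): $($ArgList -join ' ')" }
}

foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $user = $dir.Name
    $path = $dir.FullName
    # Only touch folders that map to a real account; anything else is flagged for review
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$user'")) {
        Write-Warning "No AD user for folder '$path', skipping"; continue
    }
    # 1. Take ownership first so later ACL writes cannot fail on foreign-owned files
    Invoke-Icacls @($path, '/setowner', 'BUILTIN\Administrators', '/T', '/C', '/Q')
    # 2. Break inheritance from the root (this drops the inherited 'Domain Users' modify)
    #    and replace the explicit ACL with owner, SYSTEM and Administrators, full control
    Invoke-Icacls @($path, '/inheritance:r',
        '/grant:r', "$Domain\${user}:(OI)(CI)F",
        'NT AUTHORITY\SYSTEM:(OI)(CI)F',
        'BUILTIN\Administrators:(OI)(CI)F', '/Q')
    # 3. Reset every file and subfolder below it to inherit the ACL just written
    Invoke-Icacls @("$path\*", '/reset', '/T', '/C', '/Q')
}

# Root folder: remove the over-broad 'Domain Users' grant and give Authenticated Users
# traverse, list, read attributes and read permissions on this folder only (no OI/CI)
Invoke-Icacls @($Root, '/remove:g', "$Domain\Domain Users", '/Q')
Invoke-Icacls @($Root, '/grant', 'NT AUTHORITY\Authenticated Users:(RD,RA,X,RC)', '/Q')
```

Run it once with -DryRun and review the printed commands before letting it change anything; afterwards `icacls <folder>` on a sample home folder should list only the owner, SYSTEM and Administrators.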