Mark Galvin
asked on
Bulk permissions to be applied to users home drives?
Client's users all have a personal/private 'Home' drive
The folders sit on a DFS file share as \\domain\shares\udata\%use rname%
File permission are a joke. At the \\domain\shares\udata root the 'Domain Users' group has modify permission to everything. So any user that figures it out can get into other users folder.
I need to:
I do not want to have to do it manually as there are too many.
Any script I can use to do this?
Thanks
Mark
The folders sit on a DFS file share as \\domain\shares\udata\%use
File permission are a joke. At the \\domain\shares\udata root the 'Domain Users' group has modify permission to everything. So any user that figures it out can get into other users folder.
I need to:
Remove the root permission
Give each users full permission to just their folder
I do not want to have to do it manually as there are too many.
Any script I can use to do this?
Thanks
Mark
ASKER
Hi hypercat
Thanks for the info.
That's all great and I will make sure that best practice is followed.
Is there an easy way to give ' each user has to have full control to his/her folder' en masse? Without having to do each one manually.
Thanks for the info.
That's all great and I will make sure that best practice is followed.
Is there an easy way to give ' each user has to have full control to his/her folder' en masse? Without having to do each one manually.
It should already be set that way, because when you create the home folder, it does that automatically. If that permission has been removed, the only quicker way of assigning these permissions (other than the GUI) would be to use ICACLS from the command line. Each folder still has to be done individually, but at least you can use F3 and just change the folder and user names each time. Or you could create a batch file with all of that in it and then run the batch file as a scheduled task or something so that you don't have to sit there and monitor as it runs.
ASKER
Sorry, my bad - should have said this in the first post. Since the home folders were created they migrated the data and screwed up the file permissions. One of their younger IT heads then used the 'apply modify permissions to Domain Users' as a quick way to get users into their home folders following the migration.
I will look at the ICACLS with a bat file and see how that goes.
Thanks
Mark
I will look at the ICACLS with a bat file and see how that goes.
Thanks
Mark
Oh, yeah, migrating data without taking permissions into account is a good way to "screw the home folder pooch"! Sounds like the only way to fix it will be ICACLS. I would recommend replacing all the existing permissions on each folder with what I described above, as appropriate for your company. In case you need it, here's a link to a command line reference article on ICACLS (I know I have to refer to it often):
https://technet.microsoft.com/en-us/library/cc753525.aspx
https://technet.microsoft.com/en-us/library/cc753525.aspx
ASKER
Thanks. Will try this in the office tomorrow and let you know outcome!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The recommended permissions settings for the top-level folder for users are:
NTFS - Add Special Permissions to "Authenticated Users" group:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Permission
You may need to disable permission inheritance and make sure that the special permissions don't apply to subfolders of the root folder ("Apply Onto:" "This Folder Only").
Share Permissions - Add: Change - permission to "Authenticated Users" group.
At the user folder level, each user has to have full control to his/her folder. In addition, the System should have full control and, if allowed/required by company policy, an administrative user should have full control for management purposes.