Bulk permissions to be applied to users' home drives?

Client's users all have a personal/private 'Home' drive.
The folders sit on a DFS file share as \\domain\shares\udata\%username%

File permissions are a joke. At the \\domain\shares\udata root the 'Domain Users' group has Modify permission to everything, so any user who figures it out can get into other users' folders.

I need to:
Remove the root permission
Give each user full permission to just their own folder

I do not want to have to do it manually as there are too many.

Any script I can use to do this?

Mark Galvin (Managing Director / Principal Consultant) asked:

Hypercat (Deb) commented:
Of course, the top level folder needs to have NTFS and share permissions that allow administrators and the System to have full control.  

The recommended permissions settings for the top-level folder for users are:

NTFS - Add Special Permissions to "Authenticated Users" group:
        Traverse Folder / Execute File
        List Folder / Read Data
        Read Attributes
        Read Permission
You may need to disable permission inheritance and make sure that the special permissions don't apply to subfolders of the root folder ("Apply Onto:" "This Folder Only").
Share Permissions - Add: Change - permission to "Authenticated Users" group.

At the user folder level, each user has to have full control to his/her folder.  In addition, the System should have full control and, if allowed/required by company policy, an administrative user should have full control for management purposes.
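The root-folder permissions this answer describes, as an added PowerShell example (it is not code from the thread). It assumes you run it elevated as a domain administrator; the NTFS part is applied straight through the DFS path from the question, while the share part has to run on the file server that hosts the folder target, assumes that share is named udata (a placeholder, substitute yours) and that the server is Windows Server 2012 or later, where Grant-SmbShareAccess exists. It replaces the root folder's DACL outright, so try it against a test folder first.

```powershell
# Added example, not code from the thread: apply the recommended root-folder permissions.
# Assumptions: run elevated as a domain admin; $ShareName is a placeholder for the share that
# backs the DFS folder target; Grant-SmbShareAccess needs Windows Server 2012 or later.
$Root      = '\\domain\shares\udata'
$ShareName = 'udata'   # placeholder: the share hosting the folder target

$acl = Get-Acl -Path $Root

# Stop inheriting from the parent and drop the inherited ACEs, then strip every explicit ACE
# that is left (a stray 'Domain Users: Modify' lives here), so the DACL is rebuilt from empty.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}

# SYSTEM and Administrators: Full Control on this folder, subfolders and files.
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}

# Authenticated Users: Traverse Folder / Execute File, List Folder / Read Data, Read Attributes,
# Read Permissions. InheritanceFlags 'None' is the GUI's "Apply onto: This folder only", so the
# ACE lets users reach their own folder without granting anything inside anyone else's.
$rootRights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadPermissions'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', $rootRights, 'None', 'None', 'Allow')))

Set-Acl -Path $Root -AclObject $acl

# Share permissions: Change for Authenticated Users. NTFS, not the share, keeps users apart.
Grant-SmbShareAccess -Name $ShareName -AccountName 'NT AUTHORITY\Authenticated Users' -AccessRight Change -Force

# Verify: expect exactly three ACEs, none inherited, and the Authenticated Users ACE not inheritable.
(Get-Acl -Path $Root).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
    Format-Table -AutoSize
```

If the share still carries an Everyone or Domain Users entry from the migration, remove it with Revoke-SmbShareAccess (for example `Revoke-SmbShareAccess -Name udata -AccountName Everyone -Force`); adding Change for Authenticated Users does not take anything away from the other share entries.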
Mark Galvin (Managing Director / Principal Consultant), author, commented:
Hi hypercat

Thanks for the info.

That's all great and I will make sure that best practice is followed.

Is there an easy way to give ' each user has to have full control to his/her folder' en masse? Without having to do each one manually.
Hypercat (Deb) commented:
It should already be set that way, because when you create the home folder, it does that automatically. If that permission has been removed, the only quicker way of assigning these permissions (other than the GUI) would be to use ICACLS from the command line.  Each folder still has to be done individually, but at least you can use F3 and just change the folder and user names each time. Or you could create a batch file with all of that in it and then run the batch file as a scheduled task or something so that you don't have to sit there and monitor as it runs.

Mark Galvin (Managing Director / Principal Consultant), author, commented:
Sorry, my bad - should have said this in the first post. Since the home folders were created they migrated the data and screwed up the file permissions. One of their younger IT heads then used the 'apply modify permissions to Domain Users' as a quick way to get users into their home folders following the migration.

I will look at the ICACLS with a bat file and see how that goes.

Hypercat (Deb) commented:
Oh, yeah, migrating data without taking permissions into account is a good way to "screw the home folder pooch"!  Sounds like the only way to fix it will be ICACLS.  I would recommend replacing all the existing permissions on each folder with what I described above, as appropriate for your company.  In case you need it, here's a link to a command line reference article on ICACLS (I know I have to refer to it often):

Mark Galvin (Managing Director / Principal Consultant), author, commented:
Thanks. Will try this in the office tomorrow and let you know outcome!

If the home directory names are equal to the users' sAMAccountName, then you could try the code below

SetAcl -on C:\home\user1 -ot file -actn ace -ace "n:domain\user1;p:full" -rec cont_obj -silent
SetAcl -on C:\home\user2 -ot file -actn ace -ace "n:domain\user2;p:full" -rec cont_obj -silent
SetAcl -on C:\home\user3 -ot file -actn ace -ace "n:domain\user3;p:full" -rec cont_obj -silent

Replace domain with yours.
Replace the username and home directory with yours.
You need to prepare a .bat file like the above and execute it.


Download the SetAcl utility from the link below

If you face any ownership issues, you may take ownership of the home drive root folder and subfolders first, and then grant access.
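The bulk per-user fix that the ICACLS and SetAcl answers above describe, as an added PowerShell example rather than code from the thread. It assumes the RSAT ActiveDirectory module is installed where it runs, that each folder under the root is named exactly as the owning user's sAMAccountName (as the SetAcl answer assumes), that it runs elevated as an account with Take Ownership rights, and that CONTOSO stands in for your NetBIOS domain name. It is written for PowerShell 2.0 so it works on Windows Server 2008, dry-runs with -WhatIf, and skips any folder that does not match an AD account instead of guessing.

```powershell
# Added example, not code from the thread. For every home folder under the root: take ownership,
# cut inheritance so the root's 'Domain Users: Modify' ACE no longer reaches it, and replace the
# ACL with Full Control for the owning user, SYSTEM and Administrators.
# Assumptions: RSAT ActiveDirectory module available; folder name == sAMAccountName;
# run elevated as a domain admin; -Domain is your NetBIOS domain name (CONTOSO is a placeholder).
Import-Module ActiveDirectory

function Repair-HomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Root,     # e.g. \\domain\shares\udata
        [Parameter(Mandatory = $true)] [string] $Domain    # NetBIOS domain name, e.g. CONTOSO
    )

    Get-ChildItem -LiteralPath $Root -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_.FullName
        $sam    = $_.Name

        # Only touch folders that map to a real account; anything else is left for a human to look at.
        try   { $null = Get-ADUser -Identity $sam -ErrorAction Stop }
        catch { Write-Warning "No AD user named '$sam' for $folder - skipped"; return }

        if (-not $PSCmdlet.ShouldProcess($folder, "Reset ACL and grant $Domain\$sam Full Control")) { return }

        # 1. Ownership first: the migration may have left items the admin cannot even read.
        #    /A = give ownership to the Administrators group, /R = recurse, /D Y = answer the prompt.
        & takeown /F $folder /A /R /D Y | Out-Null

        # 2. Replace the folder's own DACL. /inheritance:r drops every inherited ACE (this is what
        #    removes the root's Domain Users:Modify), /grant:r replaces any existing grant for each
        #    named principal, and (OI)(CI) makes the ACE flow to subfolders and files.
        & icacls $folder /inheritance:r /grant:r "${Domain}\${sam}:(OI)(CI)F" 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $folder (exit $LASTEXITCODE)"; return }

        # 3. An explicit Domain Users ACE set directly on the folder is not inherited, so remove it too.
        & icacls $folder /remove "${Domain}\Domain Users" /Q | Out-Null

        # 4. Reset everything below the folder to plain inheritance, wiping stray ACEs the migration
        #    left on individual files, so the whole tree now follows the folder's new ACL.
        & icacls "$folder\*" /reset /T /C /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Reset below $folder reported errors (exit $LASTEXITCODE)" }

        New-Object PSObject -Property @{ Folder = $folder; User = "$Domain\$sam"; Status = 'fixed' }
    }
}

# Dry run: lists what would change without touching anything.
Repair-HomeFolderAcl -Root '\\domain\shares\udata' -Domain 'CONTOSO' -WhatIf

# Real run, then spot-check one folder by hand:
# Repair-HomeFolderAcl -Root '\\domain\shares\udata' -Domain 'CONTOSO' | Format-Table Folder, User, Status
# icacls '\\domain\shares\udata\<sAMAccountName>'
```

Run the root-folder fix first, then this; because each home folder ends up with inheritance disabled, the order only matters for the short window in which users could still traverse into each other's folders. The ownership step is the one to keep even if you prefer SetAcl over icacls: an ACL rewrite fails on any item the caller cannot read, and a migration tends to leave a few.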

Windows Server 2008
