transystems
Share Directory Permissions Script
Good Morning,
I am not too familiar with creating scripts, but was wondering if I can have some assistance. I have servers which are on the Server 2008 R2 and Server 2012 R2 platform. I am trying to create a script for a shared directory in which the first 2 directories on that share are set for domain users to have: Read & Execute, List Folder Contents, and Read Permissions. I would then like to have the directories after that (sub-folders) set for domain users to have: Modify.
Example: G:\CH14\1234\ (Read & Execute, List Folder Contents, and Read Permissions) \Test\Test1\Test2 (Modify Permissions)
I've looked into programs such as xcacls and icacls as well.
Thank you for your help
ASKER
Hello,
That is correct. We don't want the domain users to be able to delete or create files in the G:\CH15\1234 directories. Any sub-folders after that they can upload files to or create folders in with modify rights. This way, we can have a more organized file structure and not have the domain users be able to upload files everywhere on the server.
Thank you,
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
I will give this a try and will let you know. Thank you for your help!
I also used G:\CH14\1234 as an example; on some of our servers' G drives, there are different folder names and there may not be a CH14 folder. Is there a way to apply this to just the G drive?
ASKER
Good Morning,
I tested the .bat file, but it looks like it changed the permissions to being inherited, but domain users have modify rights still on the G:\CH14\1234 directory where we would like them to have: Read and Execute, List Folder Contents, and Read.
Just to verify I'm doing this right, I created a test Projects folder on the desktop and gave it a G drive letter, which I shared out as \\computername\Projects$
Thank you for your help
ASKER
For the script you created, did you change that file to have a .bat extension?
Thank you
Upload your .bat file for me to see.
ASKER
Attached is the .bat file I tried using.
For example, if I set the domain as: ABC
RootDir: G:\ (Network Share Drive Letter)
G-Drive-Test-Batch-file.txt
A quick read of your .bat file shows an obvious need to change all occurrences of %G:\% to %RootDir%, as my posted code is.
The only value change should happen at the set RootDir=g:\ line
ASKER
Thank you for your response. I changed the drive letter to point to a local folder on the C drive. Once I ran the .bat file, it removed "domain users" and kept "Project_setup" and "domain Admins" as having full rights.
> Once i ran the .bat file, it removed "domain users" and kept "Project_setup" and "domain Admins" as having full rights.
OK. This means it is working per your requirements and addresses your original issue.
ASKER
Thank you, we would still like to have "domain users" have read, list, and read and execute permissions on: G:\CH15\1234 but have modify rights in the subfolders after that. Is that something we would have to manually enter in on each directory?
Thank you for your help
transystems
Your Comment 2015-06-26 at 15:36:23 ID: 40853898
Hello,
That is correct. We don't want the domain users to be able to delete or create files in the G:\CH15\1234 directories. Any sub-folders after that they can upload files to or create folders in with modify rights. This way, we can have a more organized file structure and not have the domain users be able to upload files everywhere on the server.
Thank you for your help
It works fine here when I test it.
Maybe ICACLS is getting some kind of error.
Please review the .log it creates, if any. The errors would be shown as:
Error icacls "%RootDir%" Grant Read & Execute
Error icacls "%RootDir%" Grant List Folder Contents
Error icacls "%RootDir%" Grant Read
I made an error on my post ID: 40909970. It is not working because domain users don't have the correct rights set at that level.
I just reviewed your uploaded G-Drive-Test-Batch-file.txt. You also need to change all occurrences of %ABC% to %DomName%.
Similar to the set RootDir line, the only value change in my posted code should happen at the set DomName=ABC. To fit your needs, changes should occur only on these 2 lines, with your values after the = sign:
set RootDir=
set DomName=
ASKER
I'll give this a try and will let you know the results. Thank you for your help!
ASKER
I set the requested values and it now has domain users as having modify rights all the way down through the sub folders. Is there a way to have domain users set to have the first 2 folders as "Read, List, and Read and Execute" and then the folders after that to have them set to "Modify?"
For Example:
G:\CH14\1234 directory where we would like them to have: Read and Execute, List Folder Contents, and Read.
Folders after the \1234 directory to have Modify
Thank you very much for your help!
Please post your code for review.
ASKER
Sorry for the late response, just returned from vacation. Attached is the updated script. Thank you for your help!
Compared to the original, your code looks fine. It runs fine here. Please upload the log it creates. It is in the %temp% folder of the profile that runs the .bat. If your .bat file is named G-Drive-Test-Batch-file--2-.bat, the log should be named G-Drive-Test-Batch-file--2-.log, i.e. it matches the filename of the .bat.
ASKER
Attached is the requested log file. Thank you
G-Drive-Test-Batch-file--2-.log
> ...in which the first 2 directories on that share
Do you mean...users can't create, rename, or delete in either of these folder levels: G:\, G:\CH14, G:\CH14\1234, G:\CH15, or G:\CH15\folder?
- Do you want to let users create files and folders at the folder level G:\CH14\1234? e.g. they can:
-- Make folder G:\CH14\1234\user1
-- Make file G:\CH14\1234\test.txt
-- Make folder G:\CH14\1234\user1\sub1
-- Make file G:\CH14\1234\user1\test.tx
-- Make folder G:\Another1\5678\user1
-- Make file G:\Another1\5678\test.txt
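Added example, not part of the original thread and not the accepted solution (which is not shown on this page): one way to script the layout the asker describes with icacls, for whatever folder names exist under the root. RootDir and DomName reuse the variable names mentioned in the thread; the values G:\ and ABC, the subroutine names and the APPLY argument are assumptions.

```bat
@echo off
setlocal
rem Added example, not the script from this thread. Placeholder values:
set "RootDir=G:\"
set "DomName=ABC"
set "Grp=%DomName%\Domain Users"
rem Log in the temp folder, named after this .bat file.
set "Log=%temp%\%~n0.log"
if "%RootDir:~-1%"=="\" set "RootDir=%RootDir:~0,-1%"

rem Preview by default: the icacls commands are written to the log, not run.
rem Pass APPLY as the first argument to change the ACLs.
set "Run=echo"
if /i "%~1"=="APPLY" set "Run="

for /d %%A in ("%RootDir%\*") do call :Level1 "%%~fA"
echo Done. Review "%Log%"
goto :eof

:Level1
rem First level (G:\CH14 style). Copy inherited ACEs to explicit ones so the
rem group's inherited Modify entry can be replaced on this folder.
%Run% icacls %1 /inheritance:d >>"%Log%" 2>&1
call :ReadOnly %1
for /d %%B in ("%~1\*") do call :Level2 "%%~fB"
goto :eof

:Level2
rem Second level (G:\CH14\1234 style): read-only here, Modify one level down.
call :ReadOnly %1
for /d %%C in ("%~1\*") do call :Modify "%%~fC"
goto :eof

:ReadOnly
rem (RX) without (OI)(CI) applies to this folder only and is not inherited.
%Run% icacls %1 /grant:r "%Grp%":(RX) >>"%Log%" 2>&1
if errorlevel 1 echo Error icacls %1 Grant Read ^& Execute>>"%Log%"
goto :eof

:Modify
rem (OI)(CI)(M) gives Modify on this folder and on everything below it.
%Run% icacls %1 /grant:r "%Grp%":(OI)(CI)(M) >>"%Log%" 2>&1
if errorlevel 1 echo Error icacls %1 Grant Modify>>"%Log%"
goto :eof
```

The script only replaces the Domain Users entries; ACEs held by other principals such as Users or Authenticated Users are left as they are, so check the result with `icacls <folder>` on one folder at each level. Third-level folders created later need the script run again, because the Modify grant is set on each existing folder rather than inherited from the second level.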