Share Directory Permissions Script

Good Morning,

I am not too familiar with creating scripts, but was wondering if I can have some assistance. I have servers which are on the Server 2008 R2 and Server 2012 R2 platform. I am trying to create a script for a shared directory in which the first 2 directories on that share are set for domain users to have: Read & Execute, List Folder Contents, and Read Permissions. I would then like to have the directories after that (sub-folders) set for domain users to have: Modify

Example: G:\CH14\1234\ (Read & Execute, List Folder Contents, and Read Permissions) \Test\Test1\Test2 (Modify Permissions)

I've looked into programs such as xcacls and icacls as well.

Thank you for your help
transystemsAsked:
NVITCommented:
Questions:

> ...in which the first 2 directory's on that share
Do you mean...users can't create, rename, or delete in either of these folder levels: G:\, G:\CH14, G:\CH14\1234, G:\CH15, or G:\CH15\folder?

- Do you want to let users create files and folders at the folder level G:\CH14\1234? e.g. they can:
-- Make folder G:\CH14\1234\user1
-- Make file G:\CH14\1234\test.txt
-- Make folder G:\CH14\1234\user1\sub1
-- Make file G:\CH14\1234\user1\test.txt
-- Make folder G:\Another1\5678\user1
-- Make file G:\Another1\5678\test.txt
0
transystemsAuthor Commented:
Hello,

That is correct. We don't want the domain users to be able to delete or create files in the G:\CH15\1234 directories. Any sub-folders after that they can upload files to or create folders in with modify rights. This way, we can have a more organized file structure and not have the domain users be able to upload files everywhere on the server.

Thank you,
0
NVITCommented:
I've tested this code successfully on a local folder.

IMPORTANT: Do on a test folder first!
@echo off
SETLOCAL ENABLEDELAYEDEXPANSION
REM first 2 directories on that share are set for domain users to have: Read
REM & Execute, List Folder Contents, and Read Permissions. I would then like
REM to have the directories after that (sub-folders) set for domain users to
REM have: Modify

REM Example: G:\CH14\1234\ (Read & Execute, List Folder Contents, and Read Permissions)
REM \Test\Test1\Test2 (Modify Permissions)

REM - IMPORTANT: Do on a test folder first!
REM - IMPORTANT: Running this code now then at a later time, e.g. a few weeks or months later
REM   may affect existing permissions. As always, USE WITH CARE.
REM - Change these variables to your needs: RootDir, DomName
REM - Makes a log file in your TEMP folder

set RootDir=c:\local\test\icacls
set DomName=domainname
set fnlog=%temp%\%~n0.log

>> "%fnlog%" echo %date% %time% BEGIN

if not exist "%RootDir%" (>> "%fnlog%" echo %date% %time% Missing %RootDir%& pause& goto :end)

pushd "%RootDir%"

REM - Disable inheritance and copy the existing ACEs
echo.
echo *** Disable inheritance and copy the existing ACEs
icacls "%RootDir%" /inheritance:d
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Disable inheritance and copy the existing ACEs

REM - Remove users, including sub-folders. Else they would still be able to read...
echo.
echo *** Remove users, including sub-folders. Else they would still be able to read...
icacls "%RootDir%" /remove:g "Authenticated Users" /remove:g "domain users" /t /q
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Remove users, including sub-folders

REM - Grant Read & Execute (RX), List Folder Contents (X,RD,RA,REA,RC), Read (R)
echo.
echo *** Grant Read ^& Execute, List Folder Contents, Read
icacls "%RootDir%" /grant "%DomName%\domain users":^(OI^)^(CI^)RX /q
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Grant Read ^& Execute

icacls "%RootDir%" /grant "%DomName%\domain users":^(OI^)^(CI^)^(X,RD,RA,REA,RC^) /q
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Grant List Folder Contents

icacls "%RootDir%" /grant "%DomName%\domain users":^(OI^)^(CI^)R /q
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Grant Read

REM - Loop over the first-level sub-folders only: "dir /b /ad" lists directories (no files)
REM   and "delims=" keeps folder names that contain spaces in one piece. The current
REM   directory is %RootDir% (pushd above), so %%~fa is the full path of each sub-folder.
for /f "delims=" %%a in ('dir /b /ad') do (
  echo ------- "%%~fa"

  REM - Grant modify rights to Subfolders and files only
  echo.
  echo *** Grant modify rights to Subfolders and files only
  icacls "%%~fa" /grant "%DomName%\domain users":^(OI^)^(CI^)M /q
  REM - Inside a parenthesised block %errorlevel% is expanded once, before the loop runs;
  REM   !errorlevel! (delayed expansion) reads the exit code of the icacls call just made.
  if !errorlevel! neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%%~fa" Grant modify rights to Subfolders and files
)

:end
>> "%fnlog%" echo %date% %time% END
popd


0
transystemsAuthor Commented:
I will give this a try and will let you know. Thank you for your help!

I also used the G:\CH14\1234 as an example, on some of our servers G drives, there are different folder names and may not have CH14 as a folder. Is there a way to apply this to just the G drive?
1
transystemsAuthor Commented:
Good Morning,

I tested the .bat file, but it looks like it changed the permissions to being inherited, but domain users have modify rights still on the G:\CH14\1234 directory where we would like them to have: Read and Execute, List Folder Contents, and Read.

Just to verify I'm doing this right, I created a test Projects Folder on the desktop and gave it a G drive letter in which I shared it out with \\computername\Projects$

Thank you for your help
1
transystemsAuthor Commented:
For the script you created, did you change that file to have a .bat extension?

Thank you
0
NVITCommented:
Upload your .bat file for me to see.
0
transystemsAuthor Commented:
Attached is the .bat file I tried using.

For example, if I set the domain as: ABC
RootDir: G:\ (Network Share Drive Letter)
G-Drive-Test-Batch-file.txt
0
NVITCommented:
A quick read of your .bat file shows an obvious need to change all occurrences of %G:\% to %RootDir%, as my posted code is.

The only value change should happen at the set RootDir=g:\ line
0
transystemsAuthor Commented:
Thank you for your response, I changed the drive letter to point to a local folder on the C drive. Once I ran the .bat file, it removed "domain users" and kept "Project_setup" and "domain Admins" as having full rights.
0
NVITCommented:
> Once i ran the .bat file, it removed "domain users" and kept "Project_setup" and "domain Admins" as having full rights.
OK. This means it is working per your requirements and addresses your original issue.
0
transystemsAuthor Commented:
Thank you, we would still like to have "domain users" have read, list, and read and execute permissions on:  G:\CH15\1234 but have modify rights in the subfolders after that. Is that something we would have to manually enter in on each directory?

Thank you for your help

0
NVITCommented:
It works fine here when I test it.

Maybe ICACLS is getting some kind of error.

Please review the .log it creates, if any. The errors would be shown as:
Error icacls "%RootDir%" Grant Read & Execute
Error icacls "%RootDir%" Grant List Folder Contents
Error icacls "%RootDir%" Grant Read
0
NVITCommented:
I made an error on my post ID: 40909970. It is not working because domain users don't have the correct rights set at that level.

I just reviewed your uploaded G-Drive-Test-Batch-file.txt. You also need to change all occurrences of %ABC% to %DomName%

Similar to the set RootDir line, the only value change in my posted code should happen at the set DomName=ABC. To fit your needs, changes should occur only on these 2 lines, with your values after the = sign:
set RootDir=
set DomName=

0
transystemsAuthor Commented:
I'll give this a try and will let you know the results. Thank you for your help!
0
transystemsAuthor Commented:
I set the requested values and it now has domain users as having modify rights all the way down through the sub folders. Is there a way to have domain users set to have the first 2 folders as "Read, List, and Read and Execute" and then the folders after that to have them set to "Modify?"

For Example:

G:\CH14\1234 directory where we would like them to have: Read and Execute, List Folder Contents, and Read.

Folders after the \1234 directory to have Modify

Thank you very much for your help!
0
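The thread's batch file grants Modify on the first-level folders under RootDir, which is why Modify ends up inherited all the way down when RootDir is G:\. The following PowerShell script is an added example, not the script posted in this thread: it keeps the first N levels (N = 2 here, so G:\CH14 and G:\CH14\1234) on inherited Read & Execute and starts the Modify zone one level deeper (G:\CH14\1234\Test and below), whatever the folder names on the drive are. The root G:\, the domain ABC, the group name "Domain Users" and the function names are assumptions taken from the examples in this thread; run it with -DryRun first to see the icacls commands it would issue.

```powershell
# Added example (not the thread's own script): RX on the first $ReadOnlyDepth folder levels
# under $ShareRoot, Modify on everything below them, applied with icacls from PowerShell.
# Assumed values: root G:\, domain ABC, group "Domain Users", depth 2 (from the thread).
param(
    [string]$ShareRoot     = 'G:\',
    [string]$Group         = 'ABC\Domain Users',
    [int]$ReadOnlyDepth    = 2,
    [string[]]$StripGroups = @('Authenticated Users'),  # default volume ACE that still allows writes
    [switch]$DryRun                                     # print the icacls commands instead of running them
)

function Invoke-Icacls([string[]]$IcaclsArgs) {
    if ($DryRun) { Write-Host ('icacls ' + ($IcaclsArgs -join ' ')); return }
    & icacls @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning ('icacls exit {0}: {1}' -f $LASTEXITCODE, ($IcaclsArgs -join ' ')) }
}

# Folders exactly $Depth levels below $Path (PowerShell 2.0 compatible, so it also runs on 2008 R2).
function Get-FoldersAtDepth([string]$Path, [int]$Depth) {
    if ($Depth -le 0) { return (Get-Item -LiteralPath $Path) }
    Get-ChildItem -LiteralPath $Path -Force | Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-FoldersAtDepth -Path $_.FullName -Depth ($Depth - 1) }
}

# 1. Drop the broad default grants at the root; their inherited copies disappear with them.
#    Folders whose inheritance was disabled earlier would need /t, as in the thread's script.
foreach ($g in $StripGroups) { Invoke-Icacls @($ShareRoot, '/remove:g', $g, '/q') }

# 2. Read & Execute / List Folder Contents / Read, inherited by every folder and file from the root.
Invoke-Icacls @($ShareRoot, '/grant', ($Group + ':(OI)(CI)RX'), '/q')

# 3. Inside the read-only band (depths 1..N) remove any explicit ACE for the group, so a
#    Modify grant left by an earlier run (e.g. on G:\CH14) cannot leak downward.
for ($d = 1; $d -le $ReadOnlyDepth; $d++) {
    foreach ($folder in Get-FoldersAtDepth -Path $ShareRoot -Depth $d) {
        Invoke-Icacls @($folder.FullName, '/remove:g', $Group, '/q')
    }
}

# 4. Each child of a depth-N folder starts the Modify zone: an explicit (OI)(CI)M ACE inherits down.
#    Note: Modify on the zone folder itself also lets the group rename or delete that folder.
foreach ($band in Get-FoldersAtDepth -Path $ShareRoot -Depth $ReadOnlyDepth) {
    foreach ($zone in Get-FoldersAtDepth -Path $band.FullName -Depth 1) {
        Invoke-Icacls @($zone.FullName, '/grant', ($Group + ':(OI)(CI)M'), '/q')
    }
}
```

After a run, icacls G:\CH14\1234 should list only the inherited (I)(OI)(CI)(RX) entry for the group, and icacls G:\CH14\1234\Test the explicit (OI)(CI)(M) entry on top of it.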
NVITCommented:
Please post your code for review.
0
transystemsAuthor Commented:
Sorry for the late response, just returned from vacation. Attached is the updated script. Thank you for your help!
0
transystemsAuthor Commented:
0
NVITCommented:
Compared to the original, your code looks fine. It runs fine here. Please upload the log it creates. It is in the %temp% folder of the profile that runs the .bat. If your .bat file is named G-Drive-Test-Batch-file--2-.bat, the log should be named G-Drive-Test-Batch-file--2-.log, i.e. it matches the filename of the .bat
0
transystemsAuthor Commented:
Attached is the requested log file. Thank you
G-Drive-Test-Batch-file--2-.log
0