A command prompt tool to modify permissions on a large number of folders using variables and a batch file

Hani Naser
This is a Windows 2003 file share server hosting the personal folders for all users. I need to clean up the permissions for all users using a command prompt to save time, so that the NTFS permission is full control for Domain Admins and modify for the %username% on their folders and subfolders.
Lionel MM, Small Business IT Consultant
Commented:
See this question, which can be adapted to what you need using the icacls and takeown command line tools: http://www.experts-exchange.com/questions/28711330/delete-user-account-and-associated-redirect-folders.html#a40967181
Top Expert 2014
Commented:
Xcacls is what you need.

This will help...

https://support.microsoft.com/en-gb/kb/825751
End-user support
Commented:
> ...modify for the %username% on their folders and subfolders
What does the share folders look like? Is each folder named after the user? e.g.
\\share\users\user1
\\share\users\user2
\\share\users\user3
...

If so, make a .bat file of this and try it on a test folder:
@echo off
SETLOCAL ENABLEDELAYEDEXPANSION
REM Give user Modify right to their user folder.
REM User folder has same name as user

REM - IMPORTANT: Do on a test folder first!
REM - IMPORTANT: Running this code now then at a later time, e.g. a few weeks or months later
REM   may affect existing permissions. As always, USE WITH CARE.
REM - Change these variables to your needs: RootDir, DomName
REM - Makes a log file in your TEMP folder

set RootDir=d:\share\users
set DomName=domainname
set fnlog=%temp%\%~n0.log

>> "%fnlog%" echo %date% %time% BEGIN

if not exist "%RootDir%" (>> "%fnlog%" echo %date% %time% Missing %RootDir%& pause& goto :end)

pushd "%RootDir%"

REM - Disable inheritance and copy the existing ACEs
echo.
echo *** Disable inheritance and copy the existing ACEs
icacls "%RootDir%" /inheritance:d
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Disable inheritance and copy the existing ACEs

REM - Remove users, including sub-folders. Else they would still be able to read... 
echo.
echo *** Remove users, including sub-folders. Else they would still be able to read... 
icacls "%RootDir%" /remove:g "Authenticated Users" /remove:g "domain users" /t /q
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Remove users, including sub-folders

for /d %%a in (*) do (
  REM pushd %%a
  echo ------- "%%~fa"

  REM - Grant modify rights to Subfolders and files only
  echo.
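  echo *** Grant modify rights to Subfolders and files only
  REM - Use the n and x modifiers together so a name like first.last is not cut at the dot
  >> "%fnlog%" echo "%%~fa" "%DomName%\%%~nxa" Grant modify rights to Subfolders and files
  icacls "%%~fa" /grant "%DomName%\%%~nxa":^(OI^)^(CI^)M /q
  REM - Delayed expansion reads the error level of the icacls call above, not a value fixed before the loop started
  if !errorlevel! neq 0 >> "%fnlog%" echo !date! !time! Error icacls "%%~fa" "%DomName%\%%~nxa" Grant modify rights to Subfolders and files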
  REM popd
)

:end
>> "%fnlog%" echo %date% %time% END
popd

Hani Naser, Systems Administrator

Author

Commented:
I was able to do that in 2 lines:
cacls (foldername) /e /T /p SYSTEM:f (will grant SYSTEM full control over the username folder)
icacls (foldername) /grant:r  e-academy\username:(OI)(CI)M /t (will grant the username modify permission over his folder)
username and foldername have the same name

I did not test the solutions above, but will give points to each equally.
NVIT, End-user support

Commented:
> I was able to do that in 2 lines
Without additional code, how does line 2 take care of your request to "...modify for the %username% on their folders and subfolders"?
Lionel MM, Small Business IT Consultant

Commented:
Also, existing permissions remain, since you did not remove inheritance from the parent folder(s).
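
An added example, not part of the original thread, covering the two gaps raised in the last replies: it loops over every user folder instead of naming one, and it removes inherited permissions before granting Domain Admins and SYSTEM full control and the matching user modify. RootDir, DomName, Backup, DryRun and the :apply label are assumptions, as is an icacls build that supports /inheritance, which the script earlier in the thread also relies on.

```batch
@echo off
setlocal EnableDelayedExpansion
REM Added example, not from the thread. RootDir, DomName, Backup and DryRun
REM are assumed names and values; adjust them and test on a copy first.
set "RootDir=d:\share\users"
set "DomName=domainname"
set "Backup=%temp%\acl-backup"
REM DryRun=1 only reports what would change; set DryRun=0 to apply.
set "DryRun=1"

if not exist "%RootDir%\" (echo Missing "%RootDir%" & exit /b 1)
if not exist "%Backup%\" mkdir "%Backup%"

for /d %%a in ("%RootDir%\*") do (
  REM Take the whole folder name, so a name like first.last is not cut at the dot.
  set "User=%%~nxa"
  REM Only touch folders whose name is an existing account in this domain.
  net user "!User!" /domain >nul 2>&1
  if errorlevel 1 (
    echo SKIP  "%%~fa" : no account named !User!
  ) else if "%DryRun%"=="1" (
    echo WOULD "%%~fa" : Domain Admins F, SYSTEM F, %DomName%\!User! M
  ) else (
    call :apply "%%~fa" "!User!"
  )
)
exit /b 0

:apply
REM %1 = folder, %2 = account name. Save the ACLs of the tree first.
icacls "%~1" /save "%Backup%\%~2.acl" /t /c /q
if errorlevel 1 (echo FAIL  "%~1" : backup failed, folder left unchanged & exit /b 1)
REM Drop inherited ACEs on the user folder and set the three explicit grants.
icacls "%~1" /inheritance:r /grant:r "%DomName%\Domain Admins":^(OI^)^(CI^)F "SYSTEM":^(OI^)^(CI^)F "%DomName%\%~2":^(OI^)^(CI^)M /q
if errorlevel 1 (echo FAIL  "%~1" : grant failed & exit /b 1)
REM Make everything below inherit from the user folder again.
icacls "%~1\*" /reset /t /c /q
if errorlevel 1 echo WARN  "%~1" : reset reported errors, check the listing
REM Print the resulting ACL so it can be reviewed.
icacls "%~1"
exit /b 0
```

Explicit entries for other accounts on a user folder itself are not removed by this run, so review the printed ACLs for anything unexpected. A saved file is reapplied with icacls /restore run against the parent directory (RootDir here).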
