A command prompt tool to modify permissions on a large number of folders using variables and a batch file

This is a Windows 2003 file share server hosting the personal folders for all users. I need to clean up the permissions on all users' folders using a command prompt to save time, so that the NTFS permission is Full Control for Domain Admins and Modify for the %username% on their folders and subfolders.
Hani Naser, Systems Administrator, asked:
Lionel MM, Small Business IT Consultant, commented:
See this question, which can be adapted to what you need using the icacls and takeown command line tools: http://www.experts-exchange.com/questions/28711330/delete-user-account-and-associated-redirect-folders.html#a40967181
0
Craig Beck commented:
Xcacls is what you need.

This will help...

https://support.microsoft.com/en-gb/kb/825751
0
NVIT commented:
> ...modify for the %username% on their folders and subfolders
What do the share folders look like? Is each folder named after the user? E.g.
\\share\users\user1
\\share\users\user2
\\share\users\user3
...

If so, make a .bat file of this and try it on a test folder:
@echo off
SETLOCAL ENABLEDELAYEDEXPANSION
REM Give user Modify right to their user folder.
REM User folder has same name as user

REM - IMPORTANT: Do on a test folder first!
REM - IMPORTANT: Running this code now then at a later time, e.g. a few weeks or months later
REM   may affect existing permissions. As always, USE WITH CARE.
REM - Change these variables to your needs: RootDir, DomName
REM - Makes a log file in your TEMP folder

set RootDir=d:\share\users
set DomName=domainname
set fnlog=%temp%\%~n0.log

>> "%fnlog%" echo %date% %time% BEGIN

if not exist "%RootDir%" (>> "%fnlog%" echo %date% %time% Missing %RootDir%& pause& goto :end)

pushd "%RootDir%"

REM - Disable inheritance and copy the existing ACEs
echo.
echo *** Disable inheritance and copy the existing ACEs
icacls "%RootDir%" /inheritance:d
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Disable inheritance and copy the existing ACEs

REM - Remove users, including sub-folders. Else they would still be able to read... 
echo.
echo *** Remove users, including sub-folders. Else they would still be able to read... 
icacls "%RootDir%" /remove:g "Authenticated Users" /remove:g "domain users" /t /q
if %errorlevel% neq 0 >> "%fnlog%" echo %date% %time% Error icacls "%RootDir%" Remove users, including sub-folders

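for /d %%a in (*) do (
  REM pushd %%a
  echo ------- "%%~fa"

  REM - Grant modify rights on the folder, inherited by subfolders and files
  REM - The nx modifier keeps the whole folder name, so a name like first.last is not cut at the dot
  echo.
  echo *** Grant modify rights on the folder, inherited by subfolders and files
  >> "%fnlog%" echo "%%~fa" "%DomName%\%%~nxa" Grant modify rights to folder, subfolders and files
  icacls "%%~fa" /grant "%DomName%\%%~nxa":^(OI^)^(CI^)M /q
  REM - Inside a block, percent variables are expanded once before the loop runs,
  REM   so test with "if errorlevel 1" and use delayed expansion for date and time
  if errorlevel 1 >> "%fnlog%" echo !date! !time! Error icacls "%%~fa" "%DomName%\%%~nxa" Grant modify rights to folder, subfolders and files
  REM popd
)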

:end
>> "%fnlog%" echo %date% %time% END
popd

0

Hani Naser, Systems Administrator (author), commented:
I was able to do that in 2 lines:
cacls (foldername) /e /T /p SYSTEM:f (will grant SYSTEM full control over the username folder)
icacls (foldername) /grant:r e-academy\username:(OI)(CI)M /t (will grant username modify permission over his folder)
username and foldername have the same name.

I did not test the solutions above, but will give points to each equally.
0
NVIT commented:
> I was able to do that in 2 lines
Without additional code, how does line 2 take care of your request to "...modify for the %username% on their folders and subfolders"?
0
Lionel MM, Small Business IT Consultant, commented:
Also, existing permissions remain, since you did not remove inheritance from the parent folder(s).
0
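A read-only check that can follow either approach in this thread, added here as an example and not part of any poster's answer: it lists each user folder's ACL with icacls and reports folders where the owner's Modify ACE or Domain Admins Full Control is missing, where a broad group is still present, or where inherited ACEs remain. It assumes the same layout (folder name equals user name) and reuses the RootDir and DomName placeholders; the report path and the list of broad groups are assumptions.

```bat
@echo off
SETLOCAL ENABLEDELAYEDEXPANSION
REM Added example, not from the thread. Read-only: icacls is used in
REM display mode only and no ACL is changed.
REM Assumed values: RootDir, DomName, Report, and the broad-group list.

set "RootDir=d:\share\users"
set "DomName=domainname"
set "Report=%temp%\home-acl-audit.log"
set "AclOut=%temp%\home-acl-audit.tmp"
set /a Checked=0, Flagged=0

if not exist "%RootDir%" (echo Missing "%RootDir%"& exit /b 2)
> "%Report%" echo %date% %time% Audit of "%RootDir%"

for /d %%a in ("%RootDir%\*") do (
  set /a Checked+=1
  set "Why="
  icacls "%%~fa" > "%AclOut%" 2>&1

  REM The folder's own user must hold Modify that children inherit
  findstr /i /l /c:"%DomName%\%%~nxa:(OI)(CI)(M)" "%AclOut%" >nul || set "Why=!Why! [owner Modify ACE missing]"

  REM Domain Admins must hold Full Control
  findstr /i /l /c:"Domain Admins:" "%AclOut%" | findstr /l /c:"(F)" >nul || set "Why=!Why! [Domain Admins Full Control missing]"

  REM Broad groups should not appear on a personal folder
  findstr /i /l /c:"Authenticated Users:" /c:"Domain Users:" /c:"Everyone:" /c:"BUILTIN\Users:" "%AclOut%" >nul && set "Why=!Why! [broad group present]"

  REM An ACE shown with the I flag first is inherited from the parent
  findstr /l /c:":(I)" "%AclOut%" >nul && set "Why=!Why! [inherited ACEs present]"

  if defined Why (
    set /a Flagged+=1
    >> "%Report%" echo %%~fa:!Why!
  )
)

>> "%Report%" echo Checked %Checked%, flagged %Flagged%
del "%AclOut%" 2>nul
echo Checked %Checked% folders, flagged %Flagged%. Report: "%Report%"
if %Flagged% gtr 0 exit /b 1
exit /b 0
```

Only the top-level ACL of each user folder is inspected; the exit code is 1 when any folder was flagged, so the check can gate a scheduled task.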
Question has a verified solution.
