Christian Knell (Germany) asked:
icacls /reset and icacls /grant in *one* go

We have a *very* large file system and a standardised permission set:


- DepartmentA (Admins:F for subfiles and subfolders, DepartmentUsersA:RX for folder only)
  - Subdepartment A1 (Admins:<inherited>, SubdepartmentUsersA1:M for subfiles and Subfolders)
  - Subdepartment A2 (Admins:<inherited>, SubdepartmentUsersA2:M for subfiles and Subfolders)
  - ...
- DepartmentB
- ...

Sometimes users move files/folders between subdepartments (which keeps file/folder permissions), so we want to reassign permissions from time to time by script:


...
1. icacls \\?\F:\DepartmentA\SubdepartmentA1 /T /Q /C /RESET (all necessary admin permissions are inherited, "wild" extra permissions are removed)
2. icacls \\?\F:\DepartmentA\SubdepartmentA1 /grant AD\SubdepartmentUserA1:(OI)(CI)M /Q
...

This works fine. Unfortunately, between command 1. (which removes all unwanted known or unknown permissions) and command 2. nobody from the department can access any files. Due to the size, this process takes several hours, which is unsuitable for users working at night/weekends.


I'm looking for a way to reset and reassign permissions in *one* step instead of two.


Any ideas?


Best regards!

Chris


ASKER CERTIFIED SOLUTION
NVIT (United States of America)
SOLUTION
Christian Knell (asker):
Thanks a lot for your reply, FOX and NVIT!

NVIT: It's a brilliant idea to work backwards!

In our case we can be sure that a top folder like F:\DepartmentA\SubdepartmentA1 already has the correct permissions. Resetting the folder itself would have resulted in a loss of access for all users within the subdepartment as long as the succeeding grant command hadn't run yet.

Instead, resetting only subfolders and files would re-enable inheritance and remove unwanted permissions from files/folders which were moved underneath the folder structure (thus keeping former/unwanted permissions). So we have no time gap to handle.

I'll try to find out how to loop icacls /reset on all subfolders/files.

Thanks and best regards!
Chris
SOLUTION
Running the following, pointing towards the top/parent folder, should produce a list of subfolders only:

dir /s/ad/b "F:\DepartmentA\SubdepartmentA1" > folders.txt 2>errors.txt

If you then want to reverse the order of the output, we could leverage PowerShell:

powershell -ep bypass -c "Get-Content .\folders.txt | Sort-Object -Descending | Set-Content .\reversed.txt"

Then you can loop through the reversed folders like so:

REM interactive (command-line) syntax; inside a .cmd/.bat file write %%f instead of %f
for /f "delims=" %f in (reversed.txt) do (
	takeown /f "%f"
	icacls "%f" /c /q /reset
	icacls "%f" /grant %userdomain%\SubdepartmentUserA1:"(OI)(CI)M" /q
) 2>> errors.txt

Thanks a lot, Giovanni!

@Christian
Glad it worked out for you.

Question:
Call me a nitpick haha but... Since the icacls /T switch traverses a given folder, isn't this process then redundant for prior (lower level) processed folders, since you're working backwards?
@NVIT: I also thought that 😊. Unfortunately the only way to remove "wild" permissions on formerly moved folders within a structure is icacls /reset. If I run icacls /reset on a top folder, users lose the permission of that top folder they need and they have to wait until icacls /grant is run afterwards. If I run icacls /reset on subfolders/files only, they can still rely on the permission of the top folder; just the unwanted "wild" permissions within the substructure are removed.

It would be best if Microsoft changed the behaviour of /grant:r /T so that all permissions in a substructure would be *completely* replaced. Another alternative would be to allow /reset and /grant in one single statement.
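The approach Chris settles on above (never reset the top folder, only what lies beneath it) as an added, self-contained PowerShell script. This is not code from the thread and was not posted by any of its participants; the parameter names, the log file, and the one-time check of the top folder's existing ACE are my own additions. It assumes a local drive path (not a UNC share), that it runs elevated as a member of the Admins group that owns the tree, and that the group is passed in the DOMAIN\name form that Get-Acl reports. It first confirms (and, only if missing, adds) the standard (OI)(CI)M grant on the top folder itself, then runs icacls /T /reset once per direct child, so each subtree is walked exactly once and the top folder's own DACL is never rewritten, which is what closes the access gap between the old step 1 and step 2.

```powershell
# Added example, not code from the thread: reset the ACLs *below* a
# subdepartment folder without ever resetting the folder itself, so access
# inherited from that folder is never interrupted.
# Assumptions (illustrative, not from the page): local drive path, run
# elevated as a member of the Admins group that owns the tree, group given
# as DOMAIN\name (e.g. AD\SubdepartmentUsersA1).
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Top,     # e.g. F:\DepartmentA\SubdepartmentA1
    [Parameter(Mandatory)] [string] $Group,   # e.g. AD\SubdepartmentUsersA1
    [string] $LogDir = (Get-Location).Path    # where the icacls output is appended
)

$ErrorActionPreference = 'Stop'
$log = Join-Path $LogDir ('icacls-reset-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# Long-path form accepted by icacls (the original commands already use it).
function LongPath([string] $p) { return '\\?\' + $p }

# 1. The top folder must carry the standard grant *before* anything underneath
#    is reset. /grant only adds an ACE, so re-applying it would be harmless,
#    but we skip it entirely when an equivalent ACE is already present.
$want = [System.Security.AccessControl.FileSystemRights]::Modify
$have = (Get-Acl -LiteralPath $Top).Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $want) -eq $want) -and
    $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
}
if (-not $have -and $PSCmdlet.ShouldProcess($Top, "icacls /grant ${Group}:(OI)(CI)M")) {
    & icacls (LongPath $Top) /grant "${Group}:(OI)(CI)M" /Q 2>&1 | Out-File -Append $log
    if ($LASTEXITCODE -ne 0) { throw "grant on $Top failed (exit code $LASTEXITCODE)" }
}

# 2. Reset every *direct* child of the top folder. Folders get /T so icacls
#    walks each subtree exactly once; files lying directly in the top folder
#    are reset individually. The top folder's DACL is never touched, so users
#    keep the access they inherit from it the whole time.
$failed = 0
foreach ($child in Get-ChildItem -LiteralPath $Top -Force) {
    if (-not $PSCmdlet.ShouldProcess($child.FullName, 'icacls /C /Q /reset')) { continue }
    $ic = @((LongPath $child.FullName))
    if ($child.PSIsContainer) { $ic += '/T' }
    $ic += '/C', '/Q', '/reset'
    $out = & icacls @ic 2>&1
    $out | Out-File -Append $log
    # icacls ends with "Successfully processed N files; Failed processing M files"
    if ("$out" -match 'Failed processing (\d+) files') { $failed += [int] $Matches[1] }
}
Write-Host "done; $failed object(s) failed, details in $log"
```

Run it with -WhatIf first to see which objects would be reset without changing anything. Because icacls does the recursive walk, PowerShell itself only ever enumerates the direct children of the top folder, so deep paths are handled by icacls with the \\?\ prefix exactly as in the original commands, and NVIT's concern about re-walking the same subtree several times does not arise: each child is handed to icacls once.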