Set Permissions on multiple folders

 

Do you need to edit permissions on multiple files or folders? If so, use the following script and modify it to suit your needs.

You must generate a list of the folder directories first. I used

http://www.karenware.com/powertools/ptdirprn.asp

and saved the directories in a .txt file named “list.txt”

Then copy and paste the commands below into Notepad and save them as a .bat file.

Link to setacl.exe – http://setacl.sourceforge.net/index.html

To remove inherited permissions using setacl.exe from sourceforge.net

@echo off
rem "delims=" reads each line whole, so paths that contain spaces stay in one piece
for /f "delims=" %%i in (e:\home\list.txt) do setacl -on "%%i" -ot file -actn setprot -op "dacl:p_c"
pause

To remove authenticated user permissions using setacl.exe from sourceforge.net

@echo off
rem "delims=" reads each line whole, so paths that contain spaces stay in one piece
for /f "delims=" %%i in (e:\home\list.txt) do setacl -on "%%i" -ot file -actn ace -ace "n:authenticated users;m:revoke"

pause

Other helpful steps

1. Create Share for Home Directories: On your file server, create a share that will hold all your home directories. Be sure to allow Domain Users to have read access to this share.
2. Get a list of all users: We wanted the home directories to have the same name as the user’s login name. I was able to export a list from Active Directory of all the login names. Save this as a text file with the name file.txt.
3. Batch file to create directories: Make a batch file with the following lines to create the home directories:

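@echo off

rem "delims=" reads each line whole, so a name that contains a space becomes one folder
for /f "delims=" %%i in (file.txt) do mkdir "%%i"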

Place this batch file in the root of the share along with the file.txt. Run the batch to create the folders.

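4. Removing Inheritance: We don’t want users to be able to see the contents of other users’ home directories. First we need to break inheritance. I found a program called SetACL, which can be found at http://setacl.sourceforge.net/index.html. The “dacl:p_c” option used below protects the folder from inheritance and copies the entries it had inherited as explicit entries, so the Domain Users entry stays on the folder until step 5 removes it.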

Modify the batch file you created: remove the mkdir command after the “do” and put the following in its place:

setacl -on "%%i" -ot file -actn setprot -op "dacl:p_c"

5. Removing Domain Users: Modify the batch file again and place the following after the “do” to remove Domain Users from being able to read the folders:

SetACL -on "%%i" -ot file -actn trustee -trst "n1:domain users;s1:n;ta:remtrst;w:dacl"

6. Adding the user with modify permissions: Replace what is after the “do” statement in the batch file with the following command to give the user modify access to their home folder:

setacl -on "%%i" -ot file -actn ace -ace "n:%%i;p:change"
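
Steps 3 to 6 combined into one batch file, so that each folder is created, locked down and then checked in a single pass instead of editing the batch file between runs. This is an added example, not part of the original post. It assumes it is run from the root of the home share next to file.txt, that setacl.exe is on the PATH, and that SetACL returns a non-zero exit code when an action fails; the label names and the icacls check are this example's own.

```batch
@echo off
rem Added example: steps 3 to 6 in one pass per login name.
rem Assumptions: run from the root of the home share, file.txt has one
rem login name per line, setacl.exe is on the PATH and returns a
rem non-zero exit code when an action fails.
setlocal
set "failures=0"
for /f "usebackq delims=" %%i in ("file.txt") do call :provision "%%i"
echo Folders with problems: %failures%
pause
exit /b %failures%

:provision
set "name=%~1"
rem Step 3: create the folder unless it already exists.
if not exist "%name%\" (
    mkdir "%name%" || goto :failed
)
rem Step 4: block inheritance, keeping a copy of the inherited entries.
setacl -on "%name%" -ot file -actn setprot -op "dacl:p_c" || goto :failed
rem Step 5: remove Domain Users from the folder's DACL.
setacl -on "%name%" -ot file -actn trustee -trst "n1:domain users;s1:n;ta:remtrst;w:dacl" || goto :failed
rem Step 6: give the owner of the home folder modify access.
setacl -on "%name%" -ot file -actn ace -ace "n:%name%;p:change" || goto :failed
rem Check: Domain Users must no longer appear in the resulting ACL.
icacls "%name%" | findstr /i /c:"Domain Users" >nul && goto :failed
goto :eof

:failed
set /a failures+=1
echo CHECK FOLDER: "%name%" 1>&2
goto :eof
```

A folder reported under CHECK FOLDER either failed one of the SetACL actions or still lists Domain Users, so review its ACL by hand before users are pointed at the share.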