AD & dont Inherit Folder Permission

[Ouch]

i am trying to write a script to turn of the Inherit Permissions of the folder security.

i have a script that creates users in AD and sets their home folder to //server/users/%username%

but when they try to access it the folder hasnt been created.

so i added a script to create the folder and set the users to have permissions as owner. but i cant turn of the Inherit Permissions in the script so users cant access each others folder

Can anyone help?

 

[wibbe]

Hi Ouch,

I have the same problem. Have you found a solution?

Best Regards
Wibbe

 

[Ouch]

I use xcacls from the resource kit and that does it.

 

[mrmovie]

there is a adssecurity dll available as part of the adsi resource kit, you may want to look at it if you are scripting ntfs security on files and folders. its is the nuts. great for generating audit info on file and folder permissions during server migrations, if you are brave enough you can use the old audits to set permissions on the new servers etc.

Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_ACETYPE_ACCESS_ALLOWED = 0

Set sec = CreateObject("ADsSecurity&quot

Set sd = sec.GetSecurityDescriptor("FILE://c:\public\specs&quot
Set dacl = sd.DiscretionaryAcl

'-- Show the ACEs in the DACL ----
For Each ace In dacl
wscript.echo ace.Trustee
wscript.echo ace.AccessMask
wscript.echo ace.AceType
Next

Set ace = CreateObject("AccessControlEntry&quot
ace.Trustee = "ARCADIABAY\jsmith"
ace.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_EXECUTE
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED

dacl.AddAce ace
sd.DiscretionaryAcl = dacl
sec.SetSecurityDescriptor sd