Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Folder Permissions / XCACLS??

Status
Not open for further replies.
jc909

jc909

Technical User
Aug 8, 2003
12
0
0
GB
Hi All,

Please help as this is really bugging me, as well as taking loads of my time.

I have a directory which has 500 user directories within it, each containing profile data etc. The permissions are set such that the administrator doesnt have any access and the only person with access is the user themselves. What I want to do is add the local administrator account to all folders and subfolders with full permissions.

I Dont think I can do it in the windows GUI that easily?
So I've tried to use XCACLS:

xcacls foldername /T /E /G administrators:F

All I get every time is 'Access Denied'. I've got it to add the administrator to one folder, but its leaving all the subfolders untouched with Access Denied Errors. Cant be that hard surely?

Help appreciated
Thx in advance
 
Sort by date Sort by votes
You cannot add permissions to child folders when you are denied permission at the parent.
 
Upvote 0 Downvote
OK, that possibly helps. I now have addded full control to administrators on each of the users root folders, so I'm not getting access denied messages at the parent level.

I am getting access denied messages at the child level though. If I have full control of the parent can I not somehow get the child to inherit these permissions using xcacls?

eg Admins have full control on Joe Bloggs folder. However Admins have no access to //Joe Bloggs/My documents for example.

 
Upvote 0 Downvote
This might be easier to view using the Security tab under Windows Explorer. If you look at the Advanced permissions sheet it likely will show permissions "For this folder only". This is particularly true if the folder you are trying to change permissions for are user profiles.

It is not automatic that child permissions are granted even to the parent, particularly in the case of System folders such as user profiles. Under the security tab you will see that even as Administrator there is a higher security principal of System with full rights to the "Folder and all subfolders."

MS notes: "it is important to note that the default security for roaming profiles has changed in Windows 2000. Administrators no longer have full control to all user profiles by default, only the user and the system. This means that if an administrator needs to obtain access to the contents of a user's profile, they will have to perform a "take ownership" operation upon the file system objects or registry hive directly. This is a more desirable approach from a security perspective as the "take ownership" operation is an audited event. To take ownership of profiles in Windows 2000:
In the Profile folder, right-click the appropriate user's profile folder, and then click properties.
Click the Security tab, and then click Advanced.
Click the Owner tab, click the user that you would like to take ownership in the Change owner to box, and then click Apply."


 
Upvote 0 Downvote
Right, I still havent done it which is nice. Going to try and use setacl by the looks of it......

Thx anyway
 
Upvote 0 Downvote
You could do it with xcacls, it is just not as flexible a tool as setacls.

xcacls c:\ /T/E/G Adminstrator:F;O
 
Upvote 0 Downvote
Won't work. I appreciate that I (a) need to take ownership of all the directories (b) Give admins full permissions on those directories.

I cant seem to take ownership of any folders using xcacls. I get access denied every time. I dont know whether I'm missing something fundamental here, but I dont see why I cant just take ownership of a folder using:

xcacls "Folder" /t /e /g administrators:O

I would do it in the GUI, but it will take a week.
 
Upvote 0 Downvote
Think your xcacls withh just give administrators permission to take ownership - not actually take ownership.

Have you tried bcastner's setacl suggestion?
 
Upvote 0 Downvote
FWIW, I'm having the same problem. If I don't already have some kind of permissions to the folder, I can't seem to use xcacls to give permissions. Here's my command:

xcacls *.* /T /C /E /G "GHG\Domain Admins":FO;FO

Which should give every folder and every file in the current directory and it's subdirectories full control and ownership to the Domain Admins group. Alas, it doesn't work.

David
 
Upvote 0 Downvote
While I cannot find a direct statement on this, I suspect that you cannot is xcacls change the ownership of the root directory.
 
Upvote 0 Downvote
subinacls worked great! First I change ownership, then I add the Domain Admins group with full control:

======= BEGIN CODE ========

SHELL "subinacl /subdirectories " + $frompath +" /setowner=" + CHR(34) + "GHG\DOMAIN ADMINS" + CHR(34)
SHELL "xcacls " + $frompath + " /T /C /E /G " + CHR(34) + "GHG\DOMAIN ADMINS" + CHR(34) + ":F"

======== END CODE =============
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Shimmy613
  • Locked
  • Question
Systematically and safely deleting folder shortcuts seemingly to itself 1
Replies
6
Views
96
Mike Lewis
Mike Lewis
feipezi
  • Locked
  • Question
How to XCOPY all the folders/subfolders to a destination folder?
Replies
2
Views
65
Mike Lewis
Mike Lewis
lmcate
  • Locked
  • Question
Can't Access a Folder on Windows
Replies
2
Views
73
gbaughma
gbaughma
njadmin
  • Locked
  • Question
Create User folder image and restore it
Replies
1
Views
44
hairlessupportmonkey
hairlessupportmonkey
lmcate
  • Locked
  • Question
1 user lost access to a folder
Replies
3
Views
71
sysfix
sysfix

Part and Inventory Search

Sponsor

Back
Top