Is there an easy way to set folder pemissions for many users? 3

[Forrest77]

I have a shared folder on a file server that allows all users to see the folder and all the subfolders of the individual clients. However each active directory user\client has a folder named after their login name inside this main shared folder. Is there a way to set permissions or security so that only the logged in user can access the folder named after their login name and not access the other folders inside the shared folder. I know I could set each individual folder to user's login but I have a couple of hundred and I wonder if "self" or some other setting in permissions or security can accomplish this. I will probably initiate a login script for each user to map to their specific folder but I would still like to set the access to the folders.
Thanks for your time and consideration.

 

[markdmac]

Yes, you can do this with XCACLS.

You will want to use vbscript to enumerate the folder names (which also match the user name) and set the appropriate permissions using that folder name.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[Forrest77]

Thank You Markdmac for your post. I am not familiar with xcacls at all. I found it, downloaded it and playing with it a little but am not experienced enough to determine if it will do what I want. I think it will but I am not sure what setting to put in the client folder that is generic setting that only allows the the user login id to have full access except to delete folder on the folder that matches their user id without putting the specific user id at each and every folder. I have read many of your posts Markdmac and you are light years ahead of me. I do appreaciate a wonderful new and different starting post about for scripting. Thank You

 

[markdmac]

Trust me, XCACLS will set the file permissions.

I am feeling generous so I wrote the code for you. Kindly keep the header information in the script.

You need to change the values in [red]RED[/red].

[green]
'==========================================================================
'
' NAME: AssignRights2HomeDirectories.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: [URL unfurl="true"]http://www.TheSpidersParlor.com[/URL]
' COPYRIGHT (c) 2006 All Rights Reserved
' DATE  : 6/10/2006
'
' COMMENT: Assigns NTFS rights to a folder when username
'          matches the folder name.
'
'
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS 
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'    This script and many more can be found in the Admin Script Pack
'    by The Spider's Parlor [URL unfurl="true"]http://www.thespidersparlor.com/vbscript[/URL]
'==========================================================================

'Where are the user directories?  Local path on the server. 
'End with a backslash.[/green]
Path = [red]"E:\UserShares\"[/red][green]
'Where can I find XCACLS.EXE?  Keep a space at the end of this string.[/green]
sXpath =  [red]"\\server\util\xcacls.exe "[/red]

Dim fso,WSHShell,oFolder,oFile,oSubFolder,Partition, Partitions

Set fso = CreateObject("Scripting.FileSystemObject")
Set WSHShell= CreateObject("Wscript.Shell")

On Error Resume Next[green]
'Find the domain name[/green]
Set Partitions = GetObject("LDAP://CN=Partitions,CN=Configuration," & _
GetObject("LDAP://RootDSE").Get("DefaultNamingContext"))
For Each Partition In Partitions
	DomainString = Partition.Get("nETBIOSName") & "\"
	If Err.Number = 0 then Exit For
Next
Set Partitions = Nothing
[green]
'Now bind to the parent folder and then get the sub folders[/green]
Set oFolder = fso.GetFolder(Path)
Set colSubfolders = oFolder.Subfolders

For Each oSubfolder in colSubfolders
   	UserName = oSubFolder.Name[green]
   	'Set the permissions.  
       'XCACLS will wipe out previous permissions 
       'so be sure to set all that you want.[/green]
   	WSHShell.Run "cmd /c " & sXpath & Path & UserName & " /E /G " & DomainString & "Network System:F"
   	WSHShell.Run "cmd /c " & sXpath & Path & UserName & " /E /G " & DomainString & "Administrator:F"[green]
   	'Give the user Read, Change, take Ownership,
        'eXecute, rEad (special access), Write and Delete rights[/green]
   	WSHShell.Run "cmd /c " & sXpath & Path & UserName & " /E /G " & DomainString & UserName & ":RCOXEWD"
Next

Set oSubFolder = Nothing
Set oFolder = Nothing
Set fso = Nothing

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[LWComputingMVP]

I'm sure Mark's code will do the trick, but I prefer doing batch files. A lot less work most of the time. I also use CACLS since there's nothing to download for that.


(Not sure how to do the code box...)

REM -------------------------------------------
FOR /F "tokens=*" %%a in ('dir /b /ad') do (
cacls %%a /t /c /g %%a:F
cacls %%a /t /e /c /g "domain admins":f
cacls %%a /t /e /c /g system:f
)
REM -------------------------------------------
Copy and paste what's between the lines into a text file (notepad) and save it as "SETPERMS.CMD" within the folder with all the user accounts. Then from a command prompt, change into that folder and type SETPERMS.

The above script lists all folders within the current folder and takes the folder name and uses it as a variable. Then, for each folder, it changes the permissions so that (first CACLS line) the user has full control, then the (second CACLS line) Domain Admins have full control, and finally (third CACLS line) the system account has full control. If you need the folders shared, then you can add a NET SHARE %%a$=.\%%a line.,

 

[teckystuff]

Thanks for poiting me to this thread Mark
Question: Can I run this script on a Windows XP machine but point the users location as one sitting on a NT4 server?
Will your script only change the permissions on the folders that already exist or will it also create the folders.

I am also playing around with the batch file version.
LW: I cant seem to get your script to share the folders. I tried putting NET SHARE %%a$=.\%%a at the end but it didnt work. Is the batch file supposed to look like this?

FOR /F "tokens=*" %%a in ('dir /b /ad') do (
   cacls %%a /t /c /g %%a:F
   cacls %%a /t /e /c /g "domain admins":f
   cacls %%a /t /e /c /g system:f
NET SHARE %%a$=.\%%a
)

PS: to get the code box when posting put it between "code" and "/code"
Replace " with square brackets

*****************************************
Your mouse has moved - reboot for changes to take effect

 

[LWComputingMVP]

Yeah, I clicked the "process tgml" link after posting and realized that was all I had to do.

Sorry for the confusion. Turns out net share will only work with a full path specified - the . means current directory and I thought that would work.

I have tested this and this, I believe, is what you are looking for (note, replace the drive letter and path with the root drive letter and path to the users folders):

FOR /F "tokens=*" %%a in ('dir /b /ad') do (
   cacls %%a /t /c /g %%a:F
   cacls %%a /t /e /c /g "domain admins":f
   cacls %%a /t /e /c /g system:f
   net share %%a$=x:\path\to\folder\%%a
)

Also, I consider it a best practice to hide the individual user shares, which is why I used the $ - the $ hides the share from the browse list. If you want the share to appear, remove the $ from the code above.

 

[markdmac]

Techystuff,

No the script as written will not create a folder if it does not exist. If you study the script you will see that it looks at the existing folders and uses that to get the user name. At no point is this script actually enumerating the users on the domain. I have written other scripts that can do that. Do a little searching in the vbscript forum and you should find one of my solutions there.

You may also wish to take a look at my Admin Scritp Pack.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[teckystuff]

Thanks Guys - Mark how about the question of if I can run it on a XP machine against a NT4 server - is that a stupid question?


*****************************************
Your mouse has moved - reboot for changes to take effect

 

[markdmac]

Never a stupid question.

Yes you should be able to do that provided of course that the ID you execute the script under has rights to that server.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[teckystuff]

Brilliant - thanks to both of you

*****************************************
Your mouse has moved - reboot for changes to take effect