Change Permissions on bulk homedirs

  • Change Permissions on bulk homedirs

    Hello all,
    I have Win2k3 R2 Standard Edition as a file server.
    I have the following scenario:
    Users have folder redirection of "My Documents" and "Application Data" to this server, and these folders build themselves under the user's homedir.
    Accidentally I forgot to remove the option "Grant the user exclusive rights to My Documents", and the same thing on "Application Data", and now I can't get access to these folders in the users' homedirs.
    There are several groups of homedirs; every group of homedirs is under its own root directory.
    I would like to have a script that will inherit permissions FROM the user's homedir TO "My Documents" and "Application Data", or, if it's possible, inherit permissions to all subfolders and files, or it would be better to automate the option "Replace permission entries on all child objects with entries shown here that apply to child objects" on all the homedirs.
    I guess the script should do the following:
    1. Scan / Read the current permissions of each directory / folder.
    2. Inherit permissions from the user's root homedir.
    3. Add the name of the folder to the security permissions with full control, in addition to the inherited permissions mentioned in paragraph 2 (the name of the folder is the username, therefore I need to add the folder name to the security tab of the folder).

    I hope my explanation was clear and there is nothing missing.
    Hoping someone will help me ASAP.
    Thanks ahead,
    Boris Reuven
    Last edited by holler1; 26th September 2007, 15:38.

  • #2
    Re: Change Permissions on bulk homedirs

    I had success changing massive NTFS permissions on home folders with Hyena.


    • #3
      Re: Change Permissions on bulk homedirs

      One of the available options of Folder Redirection is:
      Grant the user exclusive rights to My Documents. If selected, this sets the NTFS security descriptor for the %username% folder to Full Control for the user and local system only; this means that administrators and other users do not have access rights to the folder. This option is enabled by default. Note: Changing this option after the policy has been applied to some users will only affect new users receiving the policy.
      1. The Owner (the user) and builtin\system are the accounts that by default have full control over these folders, subfolders and content.

      2. To change NTFS permissions, you can use XCacls.vbs. Xcacls must be executed by one of those accounts from above.
        The Xcacls.vbs script should be run with Cscript.exe [ Cscript.exe xcacls.vbs /<switches and parameters> ]

      So besides taking ownership (not the finest option) it looks like there are two more options you can try first:

      Use xcacls in a user logon-script, and wait for the user to re-logon.

      Schedule a task on the server that stores these user folders to run Xcacls as builtin\system.

      When using Windows Scheduler, change the 'domain\Username' to 'System' and leave the password boxes empty! This way the task will run, but hidden and not interactive. Or, you can use an AT.exe /Interactive command line for the job.
      AT.exe hh:mm /interactive Cscript.exe xcacls.vbs /<switches and parameters>
      where hh:mm is the current time on the server plus 2 minutes.
      (btw instead of using a scheduler to run the job, you can also use PsExec -s -i <...> to run it directly)


      This posting is provided "AS IS" with no warranties, and confers no rights.
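
The three steps asked for in the first post (read the current ACL, re-enable inheritance from the user's homedir, add the user named by the folder with Full Control), as an added PowerShell example that is not part of the thread and uses .NET ACL calls instead of the Xcacls.vbs route from reply #3. It assumes PowerShell is installed on the file server and that the script runs as SYSTEM in the way reply #3 describes; `$HomeRoot` and `$Domain` are placeholder values.

```powershell
# Added example. $HomeRoot and $Domain are assumed placeholders, not values from the thread.
# Run as SYSTEM (scheduled task or PsExec -s), since administrators are locked out.
param(
    [string]$HomeRoot = 'D:\Homes\GroupA',  # assumed: one root holding a folder per user
    [string]$Domain   = 'EXAMPLE',          # assumed NetBIOS domain name
    [switch]$Apply                          # without -Apply the script only reports
)

$redirected = 'My Documents', 'Application Data'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$userDirs = Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer }
foreach ($userDir in $userDirs) {
    $account = "$Domain\$($userDir.Name)"   # the folder name is the username
    try {
        # Skip folders whose name does not resolve to a real account.
        $nt = New-Object System.Security.Principal.NTAccount($account)
        $null = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping $($userDir.FullName): cannot resolve $account"
        continue
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'FullControl', $inherit, $noProp, $allow)

    foreach ($name in $redirected) {
        $path = Join-Path $userDir.FullName $name
        if (-not (Test-Path $path)) { continue }

        $acl = Get-Acl -Path $path                    # step 1: read the current ACL
        $acl.SetAccessRuleProtection($false, $false)  # step 2: inherit from the homedir again
        $acl.AddAccessRule($rule)                     # step 3: explicit Full Control for the user
        if ($Apply) {
            Set-Acl -Path $path -AclObject $acl
            Write-Output "Updated: $path"
        } else {
            Write-Output "Would update: $path (inheritance on, $account FullControl)"
        }
    }
}
```

Run it once without `-Apply` and review the reported paths, then repeat with `-Apply` for each root directory.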