Home / server / Questions / 227441
Accepted
JohnyV
Asked: 2011-01-27 20:18:07 +0800 CST

permissions on a 2008 r2 home directory

  • 772

I have a windows 2008 r2 file server. It is setup so that users get there home drive mapped to it H:. It is at the following location \\servername\home\%username%

I have ben having issues with the mac users being able to see other users home drives (even with enumeration enabled).

I need to change the permissions on the directory and all the users subdirectories. Is there an easy way to do this in bulk there are over a thousand.

I have looked at Set-Acl http://helgeklein.com/setacl/examples/managing-file-system-permissions-with-setacl-exe/ however I dont see how it will do all users home drives that already exist. If anyone knows of a good tool that would be great.

I want to apply the following permissions to the %username% folder

SYSTEM - Full control
local\Users special list and read attributes
local\administrators - Full control
%username% = modify

Thanks

scripting file-sharing permissions windows-server-2008-r2

2 Answers

  1. This script is one I've used on win 2008 to reset the user security on a directory called e:\users. It resets the ownership to the correct owner and sets a standard security profile. It uses the builtin takeown and icacls that come with 2008 so no external tools needed.

    It assumes that the usernames and the directory names are the same. i.e e:\users\j.doe is owned by mydomain\j.doe

    If you pass it a parameter like j.doe it only 'corrects' that directory so you can test it on one directory. Check the security permissions are what you want before live use. I used this to correct things after a migration where I had been copying files in scripts.

    @echo off
setlocal enabledelayedexpansion
set mydom=mydomainname
set domadmins=%mydom%\Domain Admins
set domadmin=%mydom%\administrator


for /d %%A in (e:\users\%1*) do (
        echo %%~nA%%~xA         %%A

        echo.
        echo takeown
        takeown /f %%A /r /d y

        echo.
        echo reset security
        icacls %%A\*.* /reset /t

        echo.
        echo reset user access
        icacls %%A\*.* /grant:r "%mydom%\%%~nA%%~xA:(oi)(ci)F"

        echo.
        echo Add domainadmins
        icacls %%A\*.* /grant:r "%domadmins%:(oi)(ci)f" /grant:r "%mydom%\%%~nA%%~xA:(oi)(ci)F" /grant:r "%domadmin%:(oi)(ci)f" /grant:r "SYSTEM:(OI)(CI)F" /t /c

        rem echo.
        rem echo add user full access
        rem icacls %%A /grant:r "%mydom%\%%~nA%%~xA:(oi)(ci)F" /t /c
        icacls %%A\*.* /inheiritance:r

        echo.
        echo reset user ownership
        @echo on
        icacls %%A\*.* /setowner %mydom%\%%~nA%%~xA /t /c
        @echo off)

echo finished

    I've made some minor changes while posting so there may be a syntax error.

    • 0
  2. Best Answer

    Or if you prefer PowerShell, one of my techs wrote this which has worked well for us. I'm sure it can cleaned up some but I left in some testing lines to make it easier to play with and customize. This uses Quest tools which you no longer need, especially if you're on PowerShell v2 and SubInACL:

    cls
#Add-PSSnapin quest*
#$dirlist = gci -name c:\test -Exclude *.* | sort #my original


$dirlist = gci \\servername\sharename -Exclude *.* | ? { $_.PSIsContainer }

$subinacl = "C:\utils\subinacl.exe"
foreach ($userdir in $dirlist)
        {
            $username = $userdir.name
            $adaccount = Get-QADUser $username
            #Verifies user is an active employee, renamed folder to be deleted if not
            If (($adaccount.AccountIsDisabled -eq $TRUE) -or (!$adaccount))
                {
                    write-host "$username is not a current employee"
                    #takeownership
                    #takeown /f $userdir /R /D Y /A
                    #rename folder to _DEL_originalname
                    $newname = "_DEL_$username"
                    rename-item -path $userdir -newname $newname
                }
            Else
                {
                #get full path            
                Write-Host $userdir.name
                #$currentDir = "c:\test\$userdir" #my original
                $currentDir = $userdir.FullName # this way you don't dupe the start folder
                #takeown /f $userdir /R /D Y /A

                #get ACL of folder
                $acl = Get-Acl $currentDir

                #variable to set new permissions for username of folder           
                #$permission = "domainname\$userdir",”FullControl”,”ContainerInherit,ObjectInherit”,”None”,”Allow” #original
                $permission = "[email protected]",”FullControl”,”ContainerInherit,ObjectInherit”,”None”,”Allow”

                $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission

                #actually set the permissions
                $acl.SetAccessRule($accessRule)
                #$acl | Set-Acl $currentDir #my original
                Set-Acl $currentDir $acl

                #use subinacl to set owner at parent level and below
                $params1 = "/file $currentDir /setowner=domainname\$username"
                $params2 = "/subdirectories $currentDir\*.* /setowner=domainname\$username"
                $params3 = "/subdirectories $currentDir\* /grant=domainname\$username"
                $params4 = "/subdirectories $currentDir\* /grant=domainname\administrators=F"
                Invoke-Expression "$subinacl $params1" | out-null
                Invoke-Expression "$subinacl $params2" | out-null
                Invoke-Expression "$subinacl $params3" | out-null
               # Invoke-Expression "$subinacl $params4" | out-null
                }
        }
    • 0