I'm trying to reset permissions on user directories and having a bit of trouble with the last step of my script. My script basically takes ownership of the entire user directory, resets the permissions on all files and folders for the directory, explicitly grants the permissions I need, stops all inheritance of permissions from parent folders, sets the rightful owner (specified user) for all files and folders, and then removes the permission I gave to myself so that I could operate on the files. I need this last step to remove myself from ALL files and subfolders, but at the moment it just removes me from the %userDir% and leaves all the inherited permissions below. This is an apparent shortcoming in ICACLS. Does anyone know of any other way to accomplish this?
set /p userDir=Enter the login of the user's directory you're modifying permissions for. (i.e. jDoe)
TAKEOWN /f "E:\Home Directories\%userDir%" /r /d y
ICACLS "E:\Home Directories\%userDir%" /reset /T
ICACLS "E:\Home Directories\%userDir%" /grant:r "MYDOMAIN\%userDir%":(OI)(CI)F /grant:r "SYSTEM":(OI)(CI)F /grant:r "MYDOMAIN\%username%":(OI)(CI)F
ICACLS "E:\Home Directories\%userDir%" /inheritance:r
ICACLS "E:\Home Directories\%userDir%" /setowner "MYDOMAIN\%userDir%" /T
ICACLS "E:\Home Directories\%userDir%" /remove "MYDOMAIN\%username%"
An observation first: Every time you block inheritance you're cutting yourself off from future flexibility. I avoid blocking inheritance at all costs.
If you need users to be able to list the contents of the top-level "E:\Home Directories" folder, for example, consider the following permission:
The last permission doesn't inherit down into the subfolders. At each subfolder, inheritance remains enabled and you simply specify the user with "Modify" or "Full Control" rights (depending on how you feel about users being able to set permissions inside their home directory). (Typically I set that last permission by adding "Authenticated Users" in the non-"Advanced" Security properties sheet, unchecking the "Read" and "Read and Execute" check boxes. I then proceed into the "Advanced" dialog and change the "Apply onto" setting for that ACE to "This folder only". That's about the easiest way, in terms of number of clicks, to set it.)
Then, your script becomes:
I strongly suspect that the addition of the "Authenticated Users" permission I've described above w/ the inheritance set to "This folder only" will give you what you're looking for in functionality and will give you future flexibility if you find out that you have to set a permission that might need to inherit into all the user home directories in the future.
This is my SOP for user home directories, redirected "My Documents", "Desktop", etc folders, and for roaming user profile directories. It works great.
Edit
re: your comment about BUILTIN\Administrators access
I've had various arguments with people about my take on granting BUILTIN\Administrators access over the years, and my take is this:
It's easier to solve a certain class of user problems if you can get to their files. It's a pain to "take ownership" and can be quite slow if there are a large number of files present, too.
As you've seen with ICACLS, BUILTIN\Administrators can "assign" ownership (besides "taking" it) so there's no "security" added by not having the files accessible to BUILTIN\Administrators in the first place.
Unless you're using auditing (and sifting through a potentially huge number of false-positive entries) there won't be an audit trail when a BUILTIN\Administrators user takes ownership of files they shouldn't be accessing, copies them, and then returns the files back to their "proper" owner and permission.
In the Microsoft world, Encrypting filesystem (EFS) is meant to solve the problem of keeping unauthorized BUILTIN\Administrators access from happening. NTFS ACLs don't solve that problem. (Obviously, EFS isn't the only show in town. Encryption is the real answer to solving the "limit the network Administrator's access" problem no matter how you slice it.)
To my mind, not specifying BUILTIN\Administrators with access to user home directories (and, in fact, any folder) means that you're increasing the complexity and time needed to resolve issues while providing less than no real security ("less than none" because it imparts a false sense of security where there is none).
I've given up trying to win the argument with people by way of logic. It seems to be an emotional issue with some people. It's like the silly "Deny / Receive As" ACE that gets placed at the root of an Exchange organization to prevent certain privileged groups from opening users mailboxes. It offers no real security (since w/o auditing one could remove / re-apply the ACE as necessary), a false sense of security, and gets in the way when solving real problems.
Even if you don't like my argument about BUILTIN\Administrators having access you want to keep the inheritance hierarchy intact by using "This folder only" inheritance where appropriate. Blocking inheritance in permission hierarchies is a sure sign that something about the design is "broken" (inverted, etc).
First, thanks for your script excerpt. I've been working on the same thing but was stuck in a different place. On my SBS 2008 box, the below code works for me (assuming it's run elevated, of course). I did an icacls %userdir% /t of a brand new (default) user folder created by the OS, and compared it to the icacls %userdir% /t of a folder after running this script and it looks like all the "O's and I's" are correct. Hopefully it'll work for you as well.
Best Regards,
I need your help to modify this command according to my requirement if that is technically possible.
Here is the structure
\Server\Parent\UserA\unix
\Server\Parent\UserB\unix
\Server\Parent\UserC\unix.... and so on..
Under each of User$ folder there is a folder named "unix".
I want to add a user or group with full permissions on all the User$ folders listed under "Parent" folder (names taken as of above structure) but want to exclude permissions only on "unix" folder.
I have this command which works fine for me in perspective of applicability of required permissions but I cannot add exclude function in this.
icacls "\\Server\Parent\UserA" /grant Domain\Group:(OI)(CI)F /T
Will you be able to guide in this scenario?