Permissions Have Gone!

[OhDear]

Hi All,

We seem to have lost the permisons of work folders for some of our students, only Domain Admins have access not the user

Is there a script/command that will add the filename (the username) to the security of the folder and give them full control?

Thanks for your help, dont really want to go through hundreds of folders

[old_n07]

If you are windows based this powershell script will get a list of all folders in your users share and add the following permissions

Domain administrators - Full
Local Admins = Full
System = Full
User = Modify

Change the path and domain accordingly.

Code:

##  Script to set permisions on folders in a directory where 
##  folder name is same as users SAMAccounName

$path = "d:\users" #edit as necessary to reflect path where folders are located
$shortdom = "somedomain" #enter your domain name

#Variables
$FC = "FullControl"
$Mod = "Modify"
$domAdmin = $shortdom + "\domain admins"
$locadmin = "builtin\Administrators"
$sys = "NT Authority\System"

#Search directory for folders
$items = get-childitem -path $path

#For each item found
$items | ForEach-Object {

#only perform on directories
if ($_.mode -match "d"){ 
$folder = $path + "\" + $_
$user = $Shortdom + "\" + $_

            $acl = Get-Acl $folder
            if ($acl.AreAccessRulesProtected) { $acl.Access | % {$acl.purgeaccessrules($_.IdentityReference)} }
            else {
            		$isProtected = $true 
            		$preserveInheritance = $false
            		$acl.SetAccessRuleProtection($isProtected, $preserveInheritance) 
            	 }
                 

#Set permissions routine                
            $inheritance=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
            $propagation=[System.Security.AccessControl.PropagationFlags]::None
            $allowdeny=[System.Security.AccessControl.AccessControlType]::Allow            
            
            $account1 = $domadmin
            $rights1=[System.Security.AccessControl.FileSystemRights]::$FC
            $dirACE1=New-Object System.Security.AccessControl.FileSystemAccessRule ($account1,$rights1,$inheritance,$propagation,$allowdeny)
            $ACL.AddAccessRule($dirACE1)

            $account2 = $locadmin
            $rights2=[System.Security.AccessControl.FileSystemRights]::$FC
            $dirACE2=New-Object System.Security.AccessControl.FileSystemAccessRule ($account2,$rights2,$inheritance,$propagation,$allowdeny)
            $ACL.AddAccessRule($dirACE2)

            $account3 = $sys
            $rights3=[System.Security.AccessControl.FileSystemRights]::$FC
            $dirACE3=New-Object System.Security.AccessControl.FileSystemAccessRule ($account3,$rights3,$inheritance,$propagation,$allowdeny)
            $ACL.AddAccessRule($dirACE3)

            $account4 = $user
            $rights4=[System.Security.AccessControl.FileSystemRights]::$Mod
            $dirACE4=New-Object System.Security.AccessControl.FileSystemAccessRule ($account4,$rights4,$inheritance,$propagation,$allowdeny)
            $ACL.AddAccessRule($dirACE4)
            
            $acl.setowner([System.Security.Principal.NTAccount] “Administrators”) #Sets the folder owner


            Set-Acl -aclobject $ACL -Path $folder #write permissions to folder
            
}
}

[apeman]

Is there a script/command that will add the filename (the username) to the security of the folder and give them full control?

You dont want to give your users full control

[dana_lehman]

You dont want to give your users full control

Just curious, why would you not want this, something obvious I'm missing?

To the question, I like ntfsfix by wisesoft
NTFSFix

[old_n07]

Just curious, why would you not want this, something obvious I'm missing?

To the question, I like ntfsfix by wisesoft
NTFSFix

Because they can then take ownership of the directory and change the permissions to lock anybody else out of it then you have to go through the process of taking ownership yourself to get back in etc.

[Davit2005]

Because they can then take ownership of the directory and change the permissions to lock anybody else out of it then you have to go through the process of taking ownership yourself to get back in etc.

Unfortunately, some software notably serif, likes the user to have full control
You can allways set the users GPO to hide the permissions tab.

If you are on Server 2003 you can use the following, you can modify to give certain staff read access, Domain Admin Full access etc. just copy the syntax for the administrator replacing the permission value.

----------------------------------------------
echo off
setlocal

set folder=[FOLDER PATH]
set log=errorlog.txt

for /F "tokens=*" %%G in ('dir "%folder%" /A /B') do (
echo Y|cacls "%folder%\%%G" /T /C /G "%%G":F administrators:F > NUL 2>>"%log%"
subinacl /errorlog="%log%" /file "%folder%\%%G" /setowner="%%G" > NUL 2>&1
subinacl /errorlog="%log%" /subdirectories "%folder%\%%G\*" /setowner="%%G" > NUL 2>&1
)

--------------------------------
Anyone tell me how to stop getting the Big Grin instead of text.

[OhDear]

Thanks for all your replys, I ended up using ICACLS to sort them out. Worked a treat!