Scripts Thread, Permissions Have Gone! in Coding and Web Development
  1. #1


    Permissions Have Gone!

    Hi All,

    We seem to have lost the permissions of work folders for some of our students; only Domain Admins have access, not the user.

    Is there a script/command that will add the filename (the username) to the security of the folder and give them full control?

    Thanks for your help, don't really want to go through hundreds of folders.

  2. #2
    old_n07's Avatar
    If you are Windows-based, this PowerShell script will get a list of all folders in your users share and add the following permissions:

    Domain administrators = Full
    Local Admins = Full
    System = Full
    User = Modify

    Change the path and domain accordingly.

    Code:
    ##  Script to set permissions on folders in a directory where
    ##  the folder name is the same as the user's sAMAccountName

    $path = "d:\users" #edit as necessary to reflect path where folders are located
    $shortdom = "somedomain" #enter your domain name

    #Variables
    $FC = "FullControl"
    $Mod = "Modify"
    $domAdmin = $shortdom + "\domain admins"
    $locadmin = "builtin\Administrators"
    $sys = "NT Authority\System"

    #Search directory for folders
    $items = Get-ChildItem -Path $path

    #For each item found
    $items | ForEach-Object {

        #only perform on directories
        if ($_.PSIsContainer) {
            $folder = $_.FullName
            $user = $shortdom + "\" + $_.Name

            $acl = Get-Acl $folder
            if ($acl.AreAccessRulesProtected) {
                #inheritance is already blocked: remove the existing rules
                $acl.Access | % { $acl.PurgeAccessRules($_.IdentityReference) }
            }
            else {
                #block inheritance and do not keep the inherited rules
                $isProtected = $true
                $preserveInheritance = $false
                $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
            }

            #Set permissions routine
            #rules apply to this folder, its subfolders and its files
            $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
            $propagation = [System.Security.AccessControl.PropagationFlags]::None
            $allowdeny = [System.Security.AccessControl.AccessControlType]::Allow

            #Domain Admins = Full
            $account1 = $domAdmin
            $rights1 = [System.Security.AccessControl.FileSystemRights]::$FC
            $dirACE1 = New-Object System.Security.AccessControl.FileSystemAccessRule ($account1,$rights1,$inheritance,$propagation,$allowdeny)
            $acl.AddAccessRule($dirACE1)

            #Local Administrators = Full
            $account2 = $locadmin
            $rights2 = [System.Security.AccessControl.FileSystemRights]::$FC
            $dirACE2 = New-Object System.Security.AccessControl.FileSystemAccessRule ($account2,$rights2,$inheritance,$propagation,$allowdeny)
            $acl.AddAccessRule($dirACE2)

            #System = Full
            $account3 = $sys
            $rights3 = [System.Security.AccessControl.FileSystemRights]::$FC
            $dirACE3 = New-Object System.Security.AccessControl.FileSystemAccessRule ($account3,$rights3,$inheritance,$propagation,$allowdeny)
            $acl.AddAccessRule($dirACE3)

            #User = Modify
            $account4 = $user
            $rights4 = [System.Security.AccessControl.FileSystemRights]::$Mod
            $dirACE4 = New-Object System.Security.AccessControl.FileSystemAccessRule ($account4,$rights4,$inheritance,$propagation,$allowdeny)
            $acl.AddAccessRule($dirACE4)

            $acl.SetOwner([System.Security.Principal.NTAccount] "Administrators") #Sets the folder owner

            Set-Acl -AclObject $acl -Path $folder #write permissions to folder
        }
    }
    Last edited by old_n07; 4th September 2012 at 09:00 PM.

  3. #3

    Quote Originally Posted by OhDear View Post

    Is there a script/command that will add the filename (the username) to the security of the folder and give them full control?
    You don't want to give your users full control

  4. #4
    ADMaster's Avatar
    Quote Originally Posted by apeman View Post
    You dont want to give your users full control
    Just curious, why would you not want this, something obvious I'm missing?

    To the question, I like ntfsfix by wisesoft
    NTFSFix

  5. #5
    old_n07's Avatar
    Quote Originally Posted by dana_lehman View Post
    Just curious, why would you not want this, something obvious I'm missing?

    To the question, I like ntfsfix by wisesoft
    NTFSFix
    Because they can then take ownership of the directory and change the permissions to lock anybody else out of it; then you have to go through the process of taking ownership yourself to get back in, etc.

  6. #6

    Quote Originally Posted by old_n07 View Post
    Because they can then take ownership of the directory and change the permissions to lock anybody else out of it then you have to go through the process of taking ownership yourself to get back in etc.

    Unfortunately, some software, notably Serif, likes the user to have full control.
    You can always set the user's GPO to hide the permissions tab.

    If you are on Server 2003 you can use the following. You can modify it to give certain staff read access, Domain Admins full access, etc.; just copy the syntax for the administrator, replacing the permission value.

    ----------------------------------------------
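    @echo off
    setlocal

    rem Base folder that holds one sub-folder per user (folder name = username)
    set folder=[FOLDER PATH]
    set log=errorlog.txt

    rem /AD limits the listing to directories
    for /F "tokens=*" %%G in ('dir "%folder%" /AD /B') do (
    rem Replace the ACL: the user and Administrators get Full control
    echo Y|cacls "%folder%\%%G" /T /C /G "%%G":F administrators:F > NUL 2>>"%log%"
    rem Make the user the owner of the folder and of everything below it
    subinacl /errorlog="%log%" /file "%folder%\%%G" /setowner="%%G" > NUL 2>&1
    subinacl /errorlog="%log%" /subdirectories "%folder%\%%G\*" /setowner="%%G" > NUL 2>&1
    )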

    --------------------------------
    Anyone tell me how to stop getting the Big Grin instead of text.
    Last edited by Davit2005; 5th September 2012 at 09:23 AM.

  7. #7

    Thanks for all your replies, I ended up using ICACLS to sort them out. Worked a treat!
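
As an added example (not code posted by anyone in the thread), this read-only PowerShell audit reports for each folder under the share whether the matching user has no ACE, Modify or Full Control, and who owns the folder, which is the distinction argued over in posts #3 to #6. The path and domain are placeholders, and it assumes PowerShell 3.0 or later and folder names equal to sAMAccountNames.

```powershell
# Added example, not from the thread. Read-only: it never calls Set-Acl.
# Assumptions: folder name = user's sAMAccountName; PowerShell 3.0 or later.
$Path     = 'D:\users'      # placeholder: root of the user folders
$ShortDom = 'SOMEDOMAIN'    # placeholder: short (NetBIOS) domain name

$fc  = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$mod = [int][System.Security.AccessControl.FileSystemRights]::Modify

Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $user = "$ShortDom\$($_.Name)"
    $acl  = Get-Acl -Path $_.FullName

    # Allow ACEs (explicit or inherited) granted directly to the folder's user.
    # Rights the user gets through group membership are not evaluated here.
    $userAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $user
    })

    # OR the rights of those ACEs together into one mask
    $mask = 0
    foreach ($ace in $userAces) { $mask = $mask -bor [int]$ace.FileSystemRights }

    if     ($userAces.Count -eq 0)        { $status = 'NoUserAce' }
    elseif (($mask -band $fc)  -eq $fc)   { $status = 'FullControl' }
    elseif (($mask -band $mod) -eq $mod)  { $status = 'Modify' }
    else                                  { $status = 'LessThanModify' }

    [pscustomobject]@{
        Folder      = $_.FullName
        User        = $user
        Status      = $status
        Owner       = $acl.Owner
        # An owner can normally change the ACL regardless of the ACEs
        UserIsOwner = ($acl.Owner -ieq $user)
        Protected   = $acl.AreAccessRulesProtected
    }
} | Sort-Object Status, Folder | Format-Table -AutoSize
```

Folders reported as `NoUserAce` match the symptom in the first post; `FullControl` or `UserIsOwner` rows are the ones where a user can change permissions on their own folder.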
