Resetting Permissions for Student Home Folders

[Zoom7000]

Our permissions have always been set weirdly and not working to how we want. So, finally we are looking at fixing it. Ideally we would like all students to have the following permissions on their home folders:

 

Administrators - Full Control

Creator Owner - Full Control

System - Full Control

%username& (The actual student) - Full Control

ViewStudentWork (A group to allow teachers to view the students work) - Read & Execute, List Folder Contents, Read

 

All of the above should be for "This Folder, Subfolders and Files"

 

Currently the Ownership of the folders are held by the students. Administrators are able to view some of the folders but not all, usually the My Pictures folder.

 

Is there a way that I can allocate "en mass" all the above permissions and fix the ownership to be set to the students (if it is messed up like we have seen in the past). If it helps, the students folders are set to the same as their usernames.

 

Can anyone point me to, or write me a script, that will make this possible?

 

Thanks in advance!

[plock]

I use CMD commands such as 'cacls' to set permissions.

[maniac]

there's two commands that will help you do this.

 

XCACLS will allow you to manipulate the Access Control lists on files and folders, and there's also SUBINACL which also allows you to control folder ownership aswell. You can use wildcards with them, so where you have one group that needs access to all the folders, you can accomplish this with a single line. Adding the individual users requires a seperate line for each user concerned. I use a batchfile that I use excel to contruct as a CSV, then use search and replace to remove the commas.

 

XCACLS

http://support.microsoft.com/kb/318754

 

SUBINACL

http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

 

Hope that helps.

 

Mike.

[ChrisH]

Modify this for you own setup. Run same level as your users folders:

 

for /D %%i in (*) do ( subinacl /file %%i /grant=yourdomain\%%i=C "/grant=yourdomain\domain admins=f" /grant=yourdomain\Teachers=r /setowner=yourdomain\%%i "/deny=fishermore\exam group=f"

subinacl /subdirectories %%i\* /grant=yourdomain\%%i=f "/grant=yourdomain\domain admins=f" /grant=yourdomain\Teachers=r /setowner=yourdomain\%%i "/deny=yourdomain\exam group=f" ) 

 

You will need to d/l subinacl.

[Zoom7000]

Thanks Chris, I'm gonna give that a try on the folders for students who have left.

[cookie_monster]

You can also use the free NTFSfix for this.

 

http://www.wisesoft.co.uk/Products/NTFSFix/

[sahmeepee]

Also be aware that subinacl can be very fussy about you using the correct version. Presumably they changed some of the syntax slightly along the way.

 

I scratched my head over a non-working script for quite a while before I figured that one out!

 

NTFSFix looks very easy to use.. you'll still need subinacl or similar to fix your ownership though.

[Ric_]

This has been discussed before if you do a search. I added my scripts to the wiki at http://edugeekwiki.rm-charlton.net/index.php/Scripts to help people out.

 

Admin bit... please search and check the wiki before asking questions

[Zoom7000]

Sorry Ric, I didn't even know that the Wiki existed. I'll have a look there first next time.

 

With all due respect though, we did get an alternate solution here from Chris. I'm only saying that because I understand .bat/.cmd better than .vbs

[ChrisH]

The subinacl method is better than the script you *cough* copied of my user creation script so therefore it is new and shiney and in need of sharing .

[azrael78]

Is there any particular reason your students NEED full control over their own home folders?

 

Ours here have modify - so they can still read/write, but not change permissions (even if they somehow got the security tab or via 3rd party tool).

 

I might be missing something, maybe there is some reason that students need full and not modify, but I've not run into it yet here.

[sahmeepee]

We had an issue with folder redirection where it would balk if the user only had modify. YMMV