Remove inherited NTFS permissions on 835 sub folders.

    Question

  • Hi,

    We have a root folder F:\Users

    Below this there are 835 user folders.

    These all inherit permissions from the parent folder.
    They each also have the user account added with Full permissions.

    I need to stop all 835 folders from inheriting permissions from the F:\Users parent folder.
    I also need each user folder to retain their current permissions.

    I can right click a folder - Properties - Security - Advanced - clear the Allow Inheritable Permissions check box - select Copy and I get the required result.
    I don't want to do this 835 times!
    If I select multiple user folders and try and view the Security tab I can't - Permission cannot be displayed because they are different....

    Is there a command line to accomplish this on all the sub folders?

    Cheers,

    Anthony.

    July 30, 2010 13:57

Answer

  • You can use the CACLS command to do this.  Here is a copy of a batch file that will remove permissions, add back administrators, and add the user to their own directory... assuming the names match up with AD and the directory.  It will at least give you something to work from.

     

    @echo off

    set zLog=ResetHomePerms.log

    cls
    echo FIXHOME.BAT
    echo This script will reset permissions for all subdirectories
    echo in this folder.  It is assumed that the subdirectories
    echo are named the same as their respective username.
    echo.
    choice /C YN /M "Are you sure you want to proceed?"

    if errorlevel 2 GOTO :Exit
    if errorlevel 1 GOTO :MAIN

    :MAIN
    if exist %zLog% del %zlog% >NUL

    choice /C CF /M "Do you want users to have (C)hange or (F)ull control permissions?"

    if errorlevel 2 GOTO ResetF
    if errorlevel 1 GOTO ResetC

    :RESETF
    echo Granting users FULL permissions
    echo.
    REM echo Granting users FULL permissions >>%zlog%
    for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && echo y|cacls "%%i" /T /g Administrators:F >NUL && cacls "%%i" /T /e /g "%userdomain%\%%i":F >>%zLog% && echo **********User_NTFS_Set>>%Zlog%
    REM rem out or modify the following line if you do not want to give Domain Admins Full control
    rem for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && cacls "%%i" /T /e /g "%userdomain%\Domain Admins":F >>%zLog% && echo **********Admin_NTFS_Set>>%Zlog%
    goto :CLOSE

    :RESETC
    echo Granting users CHANGE permissions
    echo.
    REM echo Granting users CHANGE permissions >>%zlog%
    for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && echo y|cacls "%%i" /T /g Administrators:F >NUL && cacls "%%i" /T /e /g "%userdomain%\%%i":C >>%zLog% && echo **********User_NTFS_Set>>%Zlog%
    REM rem out or modify the following line if you do not want to give Domain Admins Full control
    for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && cacls "%%i" /T /e /g "%userdomain%\All_Staff":F >>%zLog% && echo **********Admin_NTFS_Set>>%Zlog%
    for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && cacls "%%i" /T /e /g "%userdomain%\Domain Admins":F >>%zLog% && echo **********Admin_NTFS_Set>>%Zlog%
    for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && cacls "%%i" /T /e /g "%userdomain%\HelpDesk":F >>%zLog% && echo **********Admin_NTFS_Set>>%Zlog%


    goto :CLOSE

    :CLOSE
    echo. >>%zLog%
    date /t >>%zlog% && time /t >>%zLog%
    echo.
    echo See %zlog% for details

    set zLog=
    set zLogError=

    :EXIT

    • Proposed as answer by Jason Sharp, July 30, 2010 17:47
    • Marked as answer by Karen Ji, August 4, 2010 3:15
    July 30, 2010 14:21

All replies

  • Thanks, just what I was looking for. We have a C:\Staff$\%username%. People are able to browse to other users' directories if they are smart enough to type the $. When I remove Inherit Permissions from "Users" on one folder it does the trick. Going to try this tomorrow and see if it works in my situation.

    2008 R2

    August 22, 2012 17:26
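
A PowerShell equivalent of the GUI steps in the question (clear the inheritance check box, choose Copy), with an optional second step that removes one copied identity, such as the "Users" entry mentioned in the reply above. This is an added example, not part of any post in the thread; `$Root`, `$StripIdentity` and the report fields are assumptions, and `Get-ChildItem -Directory` needs PowerShell 3.0 or later.

```powershell
# Added example. $Root is the path from the question; $StripIdentity is an
# illustrative optional parameter (e.g. 'BUILTIN\Users'); empty keeps all ACEs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root = 'F:\Users',
    [string]$StripIdentity = ''
)

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $path         = $dir.FullName
    $acl          = Get-Acl -LiteralPath $path
    $wasProtected = $acl.AreAccessRulesProtected   # state on disk before any change
    $changed      = $false

    if (-not $wasProtected) {
        # 1st argument $true: stop inheriting from the parent folder.
        # 2nd argument $true: keep the inherited ACEs as explicit copies (GUI "Copy").
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($path, 'Disable inheritance, copy inherited ACEs')) {
            Set-Acl -LiteralPath $path -AclObject $acl
            $changed = $true
        }
    }

    # Copied ACEs only become explicit once written, so re-read the ACL before
    # removing anything. Skipped under -WhatIf, because nothing was written.
    if ($StripIdentity -and ($wasProtected -or $changed)) {
        $acl  = Get-Acl -LiteralPath $path
        $id   = New-Object System.Security.Principal.NTAccount($StripIdentity)
        $hits = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $StripIdentity })
        if ($hits.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($path, "Remove explicit ACEs for $StripIdentity")) {
            $acl.PurgeAccessRules($id)   # removes every explicit ACE for that identity
            Set-Acl -LiteralPath $path -AclObject $acl
        }
    }

    # One report row per folder, suitable for Export-Csv as a change record.
    [pscustomobject]@{
        Path           = $path
        WasProtected   = $wasProtected
        InheritanceCut = $changed
        AceCount       = @((Get-Acl -LiteralPath $path).Access).Count
    }
}
```

Run it from an elevated session with `-WhatIf` first; the report then shows which folders still inherit without changing any ACL.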
  • Hi Justin

    You can also use Scriptlogic Security Explorer

    I think that trial will do the trick

    Here is link for download

    http://www.scriptlogic.com/products/security-explorer/


    Best regards
    Dubravko Marak
    MCP
    Blog: Windows Server Administration
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Please VOTE as HELPFUL if the post helps you. This can be beneficial to other community members reading the thread.

    August 22, 2012 17:41
  • Jason,

    Could you please let me know how to run this batch file?

    I have a hundred folders under a share folder d:\doceleves on a server where users create their home directory automatically after login.

    The names of those folders are the names of the users.

    I would like to give administrators Full right + User Full right too.

    Where do I write the batch file? In d:\doceleves.

    Please let me know.

    It will be very helpful for me.

    Merci

    November 10, 2012 3:48
  • This batch file works great for user folders. But I was wondering if it was possible for it to be modified for profile folders as well? Specially profile folders with the .v2 for Windows 7 profiles.
    November 28, 2012 18:04