xcacls


TJ_2006

Hi, I have a massive directory containing the home directories. All
permissions are screwy, and what I effectively want to do is set the
permissions for each home dir (obviously not allowing inheritable
permissions), then the objects contained within that directory to
inherit them. The problem is, if I enable policy inheritance it gives
it to the home drive itself, making it insecure, and if I don't, then if I
drill down a few dirs it doesn't touch them.

Any help would be greatly appreciated.
 
You could do this:
1. Knock out all permissions at the parent directory and all
subdirectories.
2. Seize ownership of the parent directory and all subdirectories.
3. Give full access to domain admins and "System" account at
the parent directory level, and turn on inheritance.
4. Run this command while inside the parent directory:
for /d %a in (*.*) do cacls %a /t /e /g %a:F

This command assumes that the folder names are identical
to the account names and that the folder names contain no
embedded spaces.

I note that your Subject line reads "xcacls". You can, of
course, use that command too but you will need to resolve
its syntax rules.
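
A present-day equivalent of the four steps above, as an added example that is not part of the original posts: it drives takeown and icacls from PowerShell, so folder names with embedded spaces are handled. `D:\Home` and `EXAMPLE` are placeholder values, each folder is assumed to be named after its account, and the per-user grant is Modify rather than Full.

```powershell
# Added example. $Root and $Domain are placeholders, not values from the thread.
# Assumes every subfolder of $Root is named after the account that uses it.
param(
    [string]$Root   = 'D:\Home',
    [string]$Domain = 'EXAMPLE',
    [switch]$Apply    # without -Apply the commands are printed, not run
)

function Invoke-Step {
    param([string]$Exe, [string[]]$ArgList)
    if (-not $Apply) { Write-Output "$Exe $($ArgList -join ' ')"; return }
    & $Exe @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed: $($ArgList -join ' ')" }
}

# Steps 1-2: give ownership to the Administrators group, then reset the whole
# tree to inherited-only ACEs so no stale explicit entries survive.
Invoke-Step takeown.exe @('/F', $Root, '/R', '/A', '/D', 'Y')
Invoke-Step icacls.exe  @($Root, '/reset', '/T', '/C', '/Q')

# Step 3: the parent carries only admin and SYSTEM ACEs, flagged (OI)(CI) so
# they flow down; /inheritance:r then drops whatever came from above $Root.
Invoke-Step icacls.exe @($Root, '/grant:r',
    "$Domain\Domain Admins:(OI)(CI)F", 'NT AUTHORITY\SYSTEM:(OI)(CI)F')
Invoke-Step icacls.exe @($Root, '/inheritance:r')

# Step 4: one explicit ACE per home folder, also (OI)(CI), so it reaches the
# folder's contents but never a sibling. Modify is used instead of Full.
$homes = Get-ChildItem -LiteralPath $Root -Directory
foreach ($d in $homes) {
    Invoke-Step icacls.exe @($d.FullName, '/grant',
        "$Domain\$($d.Name):(OI)(CI)M")
}

# Check: any explicit ACE on a home folder that is not its own user's is
# listed for review.
if ($Apply) {
    foreach ($d in $homes) {
        (Get-Acl -LiteralPath $d.FullName).Access |
            Where-Object { -not $_.IsInherited -and
                $_.IdentityReference.Value -ne "$Domain\$($d.Name)" } |
            ForEach-Object { "REVIEW $($d.FullName): $($_.IdentityReference)" }
    }
}
```

Run it once without -Apply to read the generated commands before any ACL is changed.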
 
I have done all of the suggested; all I need to do is run a switch (or
combination of switches) that will force policy inheritance on all the
child objects. Below is the script I have created to add the correct
username to the correct directory.

Option Explicit
On Error Resume Next

Dim fileSystem
Dim shell
Dim parentDirectory
Dim childDirectory

Const NetworkDomainName = "etc"
' Command template; the {PLACEHOLDER} tokens are filled in per folder below.
' Kept on one line because a VBScript Const must be a single literal.
Const ExecutePath = """{ROOT_PATH}\xcacls.vbs"" ""{DIRECTORY_NAME}"" /g {DOMAIN_USER}:M /f /g etc\techies:f /f /g etc\staff:m /f /o /r etc\students /r etc\online /g etc\administrator:f /f /l /q /s /i enable"

Set fileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set shell = WScript.CreateObject("WScript.Shell")
Set parentDirectory = fileSystem.GetFolder(shell.CurrentDirectory)

' Run xcacls.vbs once per subfolder, using the folder name as the account name.
For Each childDirectory In parentDirectory.SubFolders
    shell.Run Replace(Replace(Replace(ExecutePath, "{DIRECTORY_NAME}", _
        shell.CurrentDirectory & "\" & childDirectory.Name), "{DOMAIN_USER}", _
        NetworkDomainName & "\" & childDirectory.Name), "{ROOT_PATH}", _
        shell.CurrentDirectory), 0, True
Next
 
Would I be right in saying that the inheritance doesn't update itself,
so all I need to do is set up the parent directory with domain admins,
system, etc. and then force the policy inheritance, apply my script
granting individual user rights to their directory, and then add the
group which they are in to the parent, which won't allow them access
because it doesn't constantly mirror but does it at the time when
policy inheritance is first enabled?

Is this correct? Thanks!
 
OK, I've figured it out: instead of turning policy inheritance on, I copy
the setting over. Thanks for your help, much appreciated :)
 