using
[i]for /f %d in (list.txt) do md %d[/i]
I can quickly create personal folders from a list of usernames
is there any way of adding user permissions to their respective folders?
so list contains dave bob & steve, the first script will create folders dave bob steve, I need to add permissions for each user to their own respective folder.
Any ideas?
pretty sure I did something similar waaaaaay back but can't remember details and my google-fu is poor today
(file server is domain joined, I have local admin on server, limited rights to domain, all users have domain accounts)
You could probably do something using subinacl
try this
for /f %d in (list.txt) do md %d & icacls "%d" /grant MyDomain\%d:(OI)(CI)F
Should give Full Control of the folder created. Obviously change MyDomain to your domain name.
I had to do something similar a while back and this solution worked for me then.
icacls is what you need. The syntax can be a bit impenetrable though.
https://technet.microsoft.com/en-us/library/2009.07.geekofalltrades.aspx
EDIT: curses, beaten to it by 21 seconds...!
Hack this apart, specifically the bit below where it says "EDIT DOMAIN NAME"
'Creates profile folder and permissions as appropriate
Sub onPostCreate (Request)
    If (LCase(Request.Class) <> "user") Then Exit Sub
    arrbytGuid = request.get("objectGUID")
    strHexGuid = OctetToHexStr(arrbytGuid)
    strGuid = HexGuidToGuidStr(strHexGuid)
    Set objUser = GetObject("EDMS://<GUID=" & strHexGuid & ">")
    objUser.getinfo
    strUserName = objUser.Get("sAMAccountName")
    'EDIT PATH AND USE FQDN
    path = "\\zebsvr2k301\profiles$\" & strUserName
    ' Creates the Profile folder in the appropriate share.
    Set shell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFolder = objFSO.CreateFolder (path)
    'EDIT DOMAIN NAME
    cmd = ("%COMSPEC% /c Echo Y| cacls " & path & " /T /E /C /G " & "zebin\" & strUserName & ":C")
    Shell.Run cmd
End Sub

Function OctetToHexStr(arrbytOctet)
    ' Function To convert OctetString (Byte array) To Hex string.
    Dim k
    OctetToHexStr = ""
    For k = 1 To Lenb(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
    Next
End Function

Function HexGuidToGuidStr(strGuid)
    ' Function To convert Hex Guid To display form.
    Dim k
    HexGuidToGuidStr = ""
    For k = 1 To 4
        HexGuidToGuidStr = HexGuidToGuidStr & Mid(strGuid, 9 - 2*k, 2)
    Next
    HexGuidToGuidStr = HexGuidToGuidStr & "-"
    For k = 1 To 2
        HexGuidToGuidStr = HexGuidToGuidStr & Mid(strGuid, 13 - 2*k, 2)
    Next
    HexGuidToGuidStr = HexGuidToGuidStr & "-"
    For k = 1 To 2
        HexGuidToGuidStr = HexGuidToGuidStr & Mid(strGuid, 17 - 2*k, 2)
    Next
    HexGuidToGuidStr = HexGuidToGuidStr & "-" & Mid(strGuid, 17, 4)
    HexGuidToGuidStr = HexGuidToGuidStr & "-" & Mid(strGuid, 21)
End Function
In the dim and distant past I've used cacls. Is it icacls now?
both are still used.
cacls reports the current rights
icacls applies new rights
As an aside, if you're doing this sort of cmd script hackery on a regular basis, you might want to make a start on learning Powershell.
I've done a considerable amount of commandline scripting over the years, it's workable but the entire thing is a bunch of hacks to make what is essentially still DOS do things it was never designed to do. Powershell is a bit more wordy but it's terrifically powerful as a system scripting tool.
I agree Cougar. Powershell is great.
If you are still on Windows 7 though make sure to upgrade to Powershell V3, it comes with V2 installed but V3 is much better.
Windows 10 has V5 by default
^^what cougar said^^. Especially if you're dealing with data stored on SANs as some refuse to allow you to script into them to create shares or add/edit permissions without using their powershell interfaces.
Also look at some proper tooling. Our ActiveRoles product or my mate's Cayosoft suite do this OOTB. The ARS powershell cmdlets further simplify what you can do.
cheers fellas will have a look.
Not a regular thing, colleague who usually does it (manually using GUI on a per folder basis - [i]I think[/i]) is off so it's been given to me. Learning some powershell is probably a good shout generally tho.
I've no doubt the "proper" SAN is better setup, this is just a local file server bodged together
This should work, there or there about 🙂
# list.txt needs a header line reading "username" for Import-Csv
$users = Import-Csv -Delimiter "," -Path C:\temp\list.txt
$FolderRoot = "\\your\folder\root"
Foreach($user in $users)
{
    $path = "$FolderRoot\$($user.username)"
    # Create the user's folder
    $folder = New-Item -ItemType Directory -Path $path
    $acl = Get-Acl $folder
    # Full control for the user, inherited by subfolders and files
    $NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule($($user.username),'FullControl','ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($NewRule)
    Set-Acl -Path $path -AclObject $acl
}
quick bit of sandbox testing suggests Jake25's script is spot on so kudos for that.
Haven't got the full user list yet anyway but will test a couple more times and then run it monday, fingers crossed 🙂
had to edit the script to
[i]for /f %d in (list.txt) do md %d & icacls "%d" /grant MyDomain\%d:(OI)(CI)(RD,WD,AD,REA,WEA,RA,WA,DC,X,RC)[/i]
to match the permissions as per our documentation, but I ran it this morning and it's all looking good. Thanks everyone.
Just as a wildcard.
Consider MacroExpress.
It's a keyboard emulator (at its most basic) & so it works across everything
spoke too soon. Tested with my account and it worked fine - but I have extra rights - tested with a user account: no access, set user to full access all fine. Seems my permissions edit is flawed.
back to testing.
Runas any use to you?
Is this for Home Folders or Profile type folders? I've got a script I've used to tidy these up / set ownership / etc but it does rely on the root folder having the permissions set up correctly. i.e.
Domain Users - [i]Traverse folder ... + List folder ... + Read attributes + Create folders ... + Read permissions [/i]- [b]This folder only[/b]
permissions are a bit of a mess, it's fed in part by our own user account system that was written in house. Documentation not great. Just tried another test user and having different issues with that.
Guessing it's an issue to do with our system's own idiosyncrasies
I shall battle on
cheers for the tips tho
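
An added example, not a script from the thread, for the specific-rights grant discussed above: it decodes an icacls rights list, warns when S (Synchronize) is absent, and grants the rights with Synchronize included. The list posted above has no S, and since most file opens request that right it is one candidate cause worth checking for the "no access" result. `$FolderRoot` is an assumed path, `MyDomain` is the thread's placeholder, and the accounts must already exist in the domain.

```powershell
# Added example: per-user folders with icacls-style specific rights.
$Domain     = 'MyDomain'              # placeholder, as in the thread
$FolderRoot = 'D:\Home'               # assumed root folder
$Names      = 'dave', 'bob', 'steve'  # sample names from the thread
$Documented = '(RD,WD,AD,REA,WEA,RA,WA,DC,X,RC)'

# icacls specific-right codes -> .NET FileSystemRights member names
$Map = @{
    RD = 'ReadData'; WD = 'WriteData'; AD = 'AppendData'
    REA = 'ReadExtendedAttributes'; WEA = 'WriteExtendedAttributes'
    RA = 'ReadAttributes'; WA = 'WriteAttributes'
    DC = 'DeleteSubdirectoriesAndFiles'; X = 'ExecuteFile'
    RC = 'ReadPermissions'; DE = 'Delete'; S = 'Synchronize'
    WDAC = 'ChangePermissions'; WO = 'TakeOwnership'
}

function ConvertFrom-IcaclsRights([string]$Spec) {
    # Turn "(RD,WD,...)" into an integer access mask
    $mask = 0
    foreach ($code in (($Spec -replace '[()\s]', '') -split ',')) {
        if (-not $Map.ContainsKey($code)) { throw "Unknown icacls right: $code" }
        $mask = $mask -bor [int][System.Security.AccessControl.FileSystemRights]$Map[$code]
    }
    $mask
}

$Sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$mask = ConvertFrom-IcaclsRights $Documented
if (($mask -band $Sync) -eq 0) {
    Write-Warning "$Documented has no S (Synchronize); adding it to the grant."
}
$rights = [System.Security.AccessControl.FileSystemRights]($mask -bor $Sync)

foreach ($name in $Names) {
    $path = Join-Path $FolderRoot $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "$Domain\$name", $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)   # merges with existing ACEs; SetAccessRule would replace
    Set-Acl -Path $path -AclObject $acl
    # Read the ACE back so the applied rights can be compared with the documentation
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq "$Domain\$name" } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}
```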
