Permission Madness
We are in the process of migrating to a new domain. We are first migrating our field staff. Each field staff member needs their own “home” folder to store documents. To keep this secure, we need to have read permission for everyone on the root folder and then only allow the user to view their individual issue. I had to accomplish the following:
- Create the folders by username
- Remove inheritance from the parent folder
- Remove “Domain Users” permission from each folder
- Add the user with change permissions on the folder
I had to do this for about 190 users; doing it manually would have been a pain.
To create the folders, I had a list of all the usernames by login. I put the names into a text file and used the following commands in a batch file to create the folders:
```batch
@echo off
rem Create one folder per login name listed in file.txt (one name per line)
for /f %%i in (file.txt) do mkdir %%i
```
Once the folders were created, the next step was to work with the permissions. I found a utility called SetACL. I replaced the “mkdir %%i” in the batch file with the following commands to complete the rest of the tasks:
- SetACL -on %%i -ot file -actn setprot -op "dacl:p_c" (Remove inheritance)
- SetACL -on %%i -ot file -actn trustee -trst "n1:domain users;s1:n;ta:remtrst;w:dacl" (Remove Domain Users)
- SetACL -on %%i -ot file -actn ace -ace "n:%%i;p:change" (Add the user with change permissions to their folder)
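The steps above combined into one batch file, as an added example that is not the author's original script. It assumes SetACL.exe is on the PATH and returns a non-zero exit code on failure, that the script runs from the root folder, and it uses the built-in icacls to confirm that no Domain Users entry remains on each folder.

```batch
@echo off
rem Added example: provision one locked-down folder per login in file.txt.
rem Assumptions: one login name per line, SetACL.exe on the PATH,
rem current directory is the root folder that holds the home folders.
setlocal
set "FAILED=0"

for /f "usebackq delims=" %%i in ("file.txt") do call :provision "%%i"

echo Folders needing review: %FAILED%
endlocal & exit /b %FAILED%

:provision
set "U=%~1"
if not exist "%U%\" mkdir "%U%" || goto :fail

rem 1. Stop inheriting from the parent; p_c keeps a copy of the inherited
rem    entries so they become explicit and can be removed individually.
SetACL -on "%U%" -ot file -actn setprot -op "dacl:p_c" >nul || goto :fail

rem 2. Remove every Domain Users entry from the folder's DACL.
SetACL -on "%U%" -ot file -actn trustee -trst "n1:domain users;s1:n;ta:remtrst;w:dacl" >nul || goto :fail

rem 3. Grant the folder's owner change permission.
SetACL -on "%U%" -ot file -actn ace -ace "n:%U%;p:change" >nul || goto :fail

rem 4. Verify: the folder fails the check if Domain Users still appears.
icacls "%U%" | findstr /i /c:"Domain Users" >nul && goto :fail

echo OK   %U%
exit /b 0

:fail
echo FAIL %U%
set /a FAILED+=1
exit /b 1
```

Any folder reported as FAIL should be inspected with icacls before users are pointed at the share, since a failed step can leave the copied Domain Users entry in place.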