Set Individual User Permissions on Folders Based on Username
On a recent endeavor, I needed to create 1400+ folders on a file share named staffweb (part of our domain migration). Essentially, the permissions on the staffweb folder enable www access to each individual's published content (via IIS). The server OS which houses the share is Server 08 R2, which was particularly frustrating at first because I could not use the standard xcacls.exe to set the permissions when the folders were created. Where the script worked fine on Server 03, it just wouldn't work on Server 08. By using a combination of scripts, I accomplished the task, but ironically, I had to break out some old school scripting techniques to set the ACLs properly. Below are both scripts.
The script to create the folders is as follows:
On Error Resume Next
' Set AD connection parameters and query the Staff OU for user accounts.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 80000
objCommand.CommandText = _
    "<LDAP://ou=Staff,ou=District,dc=my,dc=work,dc=domain,dc=here>;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "ADsPath, sAMAccountName, userAccountControl;subtree"
Set objRecordSet = objCommand.Execute
Set fso = CreateObject("Scripting.FileSystemObject")
' Left over from the removed XCACLS step; not used below.
Set wshShell = WScript.CreateObject("WScript.Shell")
' Bit in userAccountControl that marks a disabled account.
Const ADS_UF_ACCOUNTDISABLE = 2
While Not objRecordSet.EOF
    strUserName = objRecordSet.Fields("sAMAccountName")
    strADsPath = objRecordSet.Fields("ADsPath")
    strWebDir = "\\test\staffweb\" & strUserName
    intUAC = objRecordSet.Fields("userAccountControl")
    If (intUAC And ADS_UF_ACCOUNTDISABLE) Then
        ' Disabled accounts get no web folder.
        WScript.Echo strUserName & ": Account Disabled"
    Else
        ' Create web folder
        If Not fso.FolderExists(strWebDir) Then
            Set fldUserWebDir = fso.CreateFolder(strWebDir)
            WScript.Echo strUserName & ": Web Folder Created at " & strWebDir
        Else
            WScript.Echo strUserName & ": Web Folder already exists"
        End If
    End If
    WScript.Echo " "
    objRecordSet.MoveNext
Wend
WScript.Echo objRecordSet.RecordCount & " user accounts checked."
objConnection.Close
The above script (special thanks to JShaw) reads AD for pertinent information and creates the folders on a server named "test" in the share named "staffweb" according to the username found. I have removed the lines where I attempt to have XCACLS set the ACLs.
The next script needs to be set up as a batch file (filename.bat) and placed in the root of the staffweb shared folder. It matches folder names against directory names and then edits the permissions to add both the username (in this case firstname.lastname) and Administrator, with Change and Full Control permissions respectively. The /E flag preserves existing entries by adding, not replacing, permissions. Run the script from the command prompt.
For /D %%I in (*) DO CACLS.exe "%%I" /T /E /P "mydomain\%%I":C "mydomain\Administrator":F
That’s it, all folders are created based on usernames and permissions are set accordingly.
UPDATE: Server 2008 R2 File Servers:
CACLS is deprecated in Server 2008 R2 and the above batch script no longer works. Instead, use ICACLS and adjust the script accordingly:
For /D %%I in (*) DO ICACLS.exe "%%I" /GRANT "MyDomain\%%I":(CI)(OI)M /GRANT "MyDomain\Administrator":(CI)(OI)F
Do read the ICACLS help file for the inheritance parameters. The above script sets inheritance so the grant flows to subfolders (CI) and files (OI).
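The same per-folder grant as an added PowerShell example (not from the original post), with the check the batch loop lacks: a folder only gets a Modify grant when its name resolves to an enabled user in the Staff OU, so a stray or misnamed folder cannot hand rights to an unrelated account. The share path, domain name and OU are assumptions carried over from the scripts above.

```powershell
# Assumed values, taken from the scripts above.
$SharePath = '\\test\staffweb'
$Domain    = 'MyDomain'
$StaffOU   = 'LDAP://ou=Staff,ou=District,dc=my,dc=work,dc=domain,dc=here'
$ADS_UF_ACCOUNTDISABLE = 2

# Inheritance flags equivalent to ICACLS (CI)(OI): the ACE flows to subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function Get-EnabledStaffUser {
    param([string]$SamAccountName)
    # Folder names are untrusted input to the LDAP filter; escape RFC 4515 metacharacters.
    $escaped = $SamAccountName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$StaffOU
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    # Disabled accounts are treated the same as missing ones: no grant.
    if ($uac -band $ADS_UF_ACCOUNTDISABLE) { return $null }
    return $result
}

# Where-Object on PSIsContainer keeps this working on the PowerShell 2.0 that ships with 2008 R2.
foreach ($dir in (Get-ChildItem -Path $SharePath | Where-Object { $_.PSIsContainer })) {
    $name = $dir.Name
    if (-not (Get-EnabledStaffUser -SamAccountName $name)) {
        Write-Output "$name : no enabled staff account with this name, skipping"
        continue
    }
    $acl = Get-Acl -Path $dir.FullName
    $userRule  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$Domain\$name", 'Modify', $inherit, $propagate, 'Allow')
    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$Domain\Administrator", 'FullControl', $inherit, $propagate, 'Allow')
    # AddAccessRule edits the existing DACL (like /E or /GRANT) rather than replacing it.
    $acl.AddAccessRule($userRule)
    $acl.AddAccessRule($adminRule)
    Set-Acl -Path $dir.FullName -AclObject $acl
    Write-Output "$name : granted Modify to $Domain\$name, Full Control to $Domain\Administrator"
}
```

Run it from an account that can read the Staff OU and change permissions on the share; folders it skips are listed so you can see which names did not resolve.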