Set Individual User Permissions on Folders Based on Username

On a recent endeavor, I needed to create 1400+ folders on a file share named staffweb (part of our domain migration). Essentially, the permissions on the staffweb folder enable www access to each individual’s published content (via IIS). The server OS which houses the share is Server 08 R2, which was particularly frustrating at first because I could not use the standard xcacls.exe to set the permissions when the folders were created. Where the script worked fine on Server 03, it just wouldn’t work on Server 08. By using a combination of scripts, I accomplished the task, but ironically, I had to break out some old school scripting techniques to set the ACLs properly. Below are both scripts…

The script to create the folders is as follows:

' Set AD connection parameters, get info.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 80000

' Query every user object under the Staff OU (adjust the LDAP path to your domain).
objCommand.CommandText = _
    "<LDAP://ou=Staff,ou=District,dc=my,dc=work,dc=domain,dc=here>;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "ADsPath, sAMAccountName, userAccountControl;subtree"

Set objRecordSet = objCommand.Execute
Set fso = CreateObject("Scripting.FileSystemObject")

While Not objRecordSet.EOF
    strUserName = objRecordSet.Fields("sAMAccountName")
    strADsPath = objRecordSet.Fields("ADsPath")

    ' Folder on server "test", share "staffweb", named after the username.
    strWebDir = "\\test\staffweb\" & strUserName
    intUAC = objRecordSet.Fields("userAccountControl")

    ' Flag disabled accounts (ADS_UF_ACCOUNTDISABLED is bit 2 of userAccountControl).
    If (intUAC And 2) Then
        Wscript.Echo strUserName & ": Account Disabled"
    End If

    ' Create web folder
    If Not fso.FolderExists(strWebDir) Then
        Set fldUserWebdir = fso.CreateFolder(strWebDir)
        ' Shell object left over from the removed XCACLS step; unused here.
        Set wshShell = WScript.CreateObject("Wscript.Shell")
        Wscript.Echo strUserName & ": Web Folder Created at " & strWebDir
    Else
        Wscript.Echo strUserName & ": Web Folder already exists"
    End If

    objRecordSet.MoveNext
Wend

Wscript.Echo " "
Wscript.Echo objRecordSet.RecordCount & " user accounts checked."


The above script (special thanks to JShaw) reads AD for the pertinent information and creates the folders on a server named “test”, in the share named “staffweb”, according to the username found. I have removed the lines where I attempt to have XCACLS set the ACLs.

The next script needs to be set up as a batch file (filename.bat) placed in the root of the staffweb shared folder. It takes each folder name as the matching domain username and edits the permissions to add both that user (in this case firstname.lastname) and Administrator, with Change and Full permissions respectively. The /E flag preserves the existing ACL by adding to it rather than replacing it. Run the script from the command prompt.

For /D %%I in (*) DO CACLS.exe "%%I" /T /E /P "mydomain\%%I":C "mydomain\Administrator":F

That’s it, all folders are created based on usernames and permissions are set accordingly.

UPDATE: Server 2008 R2 File Servers:

CACLS is deprecated in Server 2008 R2 and the above batch script no longer works. Instead, use ICACLS and adjust the script accordingly:

For /D %%I in (*) DO ICACLS.exe "%%I" /GRANT "MyDomain\%%I":(CI)(OI)M /GRANT "MyDomain\Administrator":(CI)(OI)F

Do read the ICACLS help (icacls /?) for the inheritance parameters. In the script above, (CI) marks each granted ACE as inherited by subfolders (container inherit) and (OI) as inherited by files (object inherit), so the user’s Modify and the Administrator’s Full rights flow down through everything beneath their folder.
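Once the folders exist, the thing that drifts over time is the ACLs: staff leave, folders get re-permissioned by hand, or a grant lands on the wrong folder. The following PowerShell script is an added example, not part of the original post or the JShaw script; it walks the share, reports folders whose name no longer resolves to a domain account, folders missing the intended user Modify ACE, and any explicit Allow ACE for someone other than the folder’s user or Administrator. The share root \\test\staffweb and the NetBIOS domain name MyDomain are assumed from the post, and the -Remediate switch (which re-applies the ICACLS grant above) is my own addition.

```powershell
# Added example, not the original post's script. Audits (and optionally repairs) the
# per-user folders described above. ASSUMED values: share root and NetBIOS domain name.
param([switch]$Remediate)
$ShareRoot = '\\test\staffweb'   # assumption: the "test" server / "staffweb" share from the post
$Domain    = 'MyDomain'          # assumption: NetBIOS domain name
$Modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$Expected  = @("$Domain\Administrator")   # other identities allowed an explicit Allow ACE

function Test-UserFolder {
    param([System.IO.DirectoryInfo]$Dir)
    $user = $Dir.Name                    # post's convention: folder name == sAMAccountName
    $id   = "$Domain\$user"
    # Does the folder still map to a real account? Orphan folders hold departed users' content.
    $resolves = $true
    try { $null = (New-Object System.Security.Principal.NTAccount($id)).Translate(
                  [System.Security.Principal.SecurityIdentifier]) }
    catch { $resolves = $false }

    # Only explicit ACEs matter here; inherited ones come from the share root.
    $explicit = (Get-Acl -Path $Dir.FullName).Access | Where-Object { -not $_.IsInherited }
    $ownerAce = $explicit | Where-Object {
        $_.IdentityReference.Value -ieq $id -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Modify) -eq $Modify) -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
    }
    $extra = $explicit | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ine $id -and
        ($Expected -notcontains $_.IdentityReference.Value)
    }
    New-Object PSObject -Property @{
        Folder         = $user
        AccountExists  = $resolves
        UserHasModify  = [bool]$ownerAce
        UnexpectedACEs = (@($extra | ForEach-Object { $_.IdentityReference.Value }) -join ';')
    }
}

# PSIsContainer instead of -Directory so this also runs on the PowerShell 2.0 of 2008 R2.
$results = Get-ChildItem -Path $ShareRoot | Where-Object { $_.PSIsContainer } |
           ForEach-Object { Test-UserFolder -Dir $_ }

# Report drift: missing/weak owner ACE, stray grants, or folders with no matching account.
$results | Where-Object { -not $_.UserHasModify -or $_.UnexpectedACEs -or -not $_.AccountExists } |
           Format-Table Folder, AccountExists, UserHasModify, UnexpectedACEs -AutoSize

if ($Remediate) {
    # Re-apply the post's ICACLS grant only where the account exists and the ACE is missing.
    $results | Where-Object { $_.AccountExists -and -not $_.UserHasModify } | ForEach-Object {
        icacls.exe (Join-Path $ShareRoot $_.Folder) /grant "${Domain}\$($_.Folder):(CI)(OI)M"
    }
}
```

Run it without -Remediate first and review the report; folders flagged with AccountExists = False are candidates for archiving rather than re-permissioning.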
