Script to set user permissions

I've had to set up a new server after a disk crash. We had backups of all of
the home directories of our users, but we lost all of the ACLs because these
were not backed up in any form.

The situation is that I now have 250 home directories all named by a user,
and none of those users can access their own directory unless I set their
permissions on each one.

Since I don't want to have to do 250 permissions entries by hand, I need a
script that can do it for me. The following is what is relevant to the
script:

1. We can easily put all of the affected accounts into a special OU just for
this script, so that the script doesn't need to have any filtering in it for
what users it is working on.
2. The user's home directory is stored in their ADUC account as the Home
Folder, whereby we have configured for drive H to be connected to this
folder. It should therefore be possible to read this attribute to find the
path that the ACE needs to be set on.
3. The permissions need to be Modify, and need to be made inheritable, and
to propagate automatically to existing files.

I think that covers enough info to be able to put a script together. I
haven't done any scripting for years, although I'm an experienced
programmer, and have mislaid the original scripts I wrote way back when we
needed to create many of those user accounts automatically from a CSV file.

Therefore any assistance this group can give in the form of a script outline
would be most appreciated.

TIA

--

"NZSchoolTech" <> wrote in message
news:...
> I've had to set up a new server after a disk crash. We had backups of all
> of the home directories of our users, but we lost all of the ACLs because
> these were not backed up in any form.
>
> The situation is that I now have 250 home directories all named by a user,
> and none of those users can access their own directory unless I set their
> permissions on each one.
>
> Since I don't want to have to do 250 permissions entries by hand, I need a
> script that can do it for me. The following is what is relevant to the
> script:
>
> 1. We can easily put all of the affected accounts into a special OU just
> for this script, so that the script doesn't need to have any filtering in
> it for what users it is working on.
> 2. The user's home directory is stored in their ADUC account as the Home
> Folder, whereby we have configured for drive H to be connected to this
> folder. It should therefore be possible to read this attribute to find the
> path that the ACE needs to be set on.
> 3. The permissions need to be Modify, and need to be made inheritable, and
> to propagate automatically to existing files.
>
> I think that covers enough info to be able to put a script together. I
> haven't done any scripting for years, although I'm an experienced
> programmer, and have mislaid the original scripts I wrote way back when we
> needed to create many of those user accounts automatically from a CSV
> file.
>
> Therefore any assistance this group can give in the form of a script
> outline would be most appreciated.

If the name of the folder is identical to the sAMAccountName of the user
account, there is a simpler method. First, apply the standard admin
permissions to the folder containing the user home folders, and force this
to be replicated to all contained folders. Then run a batch script such as
this:

for /d %%D in ("D:\users\*.*") do (
echo/cacls "%%~dpnxF" /g %%~nF:C /t
)

if you are happy with the cacls commands displayed, change "echo/cacls" to
"cacls".

/Al

"acray" <> wrote in message
news:...
>
> fyi, cacls does not correctly traverse sub directories to apply
> permissions, at least not in all situations. So it should not be relied
> upon to fully set the permissions on all the files.

Interesting. Can you give an example or quote an authoritative source for
this claim?

"acray" <> wrote in message
news:...
>
> fyi, cacls does not correctly traverse sub directories to apply
> permissions, at least not in all situations. So it should not be relied
> upon to fully set the permissions on all the files.

That is why I suggested the first step of setting background admin
permissions and replicating them from windows explorer - in the hope that
this would configure subfolders to inherit all permissions.

/Al

> However, I believe a For loop similar to what Al Dunbar provided could
> be used to call SetACL, simplifying my vbscript approach.
>
> Remember, if my VBscript was retrofitted to use SetACL, the first pass
> (first occurrence of WScript.Run) would not be needed at all.
>
>
> --
> acray
> ------------------------------------------------------------------------
> acray's Profile: http://forums.techarena.in/members/acray.htm
> View this thread: http://forums.techarena.in/server-scripting/1112376.htm
>
> http://forums.techarena.in
>