
Scripted directory permission configuration

October 4, 2010 8:46:25 PM

I know the Windows Server forum is ---> somewhere...
though I figured I'd throw this thread under Win7 'cause it still applies.


I have 100+ users, all with AD accounts.
I would like to create a script, or at least find a dynamic way to create user-directories in a shared resource to the following (beyond 'home folders'):
(ex: path - permissions)
\<username> - <group>=read/execute, owner=full
\<username>\Public - <group>=read/write/execute, owner=full
\<username>\Dropbox - <group>=write only (drop-box), owner=full

  • The idea is such that the users' root directory would contain content intended to be shared by the owner, and without potential to become filled with unintentional content
  • Pub is for shared / collaborated content, extra stuff, subjected to extra 'junk'...
  • The Dropbox would be left for providing a protected space to only the owner, with expectation of privacy.

    I can manually grind out this configuration one user at a time, however I would like to know if anyone knows of any AD tools that might be out there to do this...
    If anyone knows of DOS /command-switches that would allow creating, and modifying directory-structure security permissions to which I could use %'s and auto-input from a text-list of user-names...

    Thanks in advance

    October 4, 2010 8:53:14 PM

    Look at the "cacls" command.
    October 4, 2010 11:13:35 PM

    Awesome, I don't know how I didn't know about it...


    cacls \<username> /g <domain>\<username>:f

    I believe I could automate nightly (or even hourly) which would poll my AD group to generate a list of names into a txt file, then write a batch to import those names to create new entries, omitting any existing directories, and to disable any non-existent names to preserve integrity against moved / unauthorized objects (accounts).

    Gonna give it a try.... Thanks!
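
The approach discussed in this thread as a script, added here as an example and not code posted by any participant: it reads account names from a text file, creates the three folders, and applies the permission layout from the question with icacls (the successor to cacls, which Windows marks as deprecated). The share root, domain, group and list-file names are placeholders, and the name-validation pattern is an assumption about what the account names look like.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$Root   = 'D:\Shares\Users'        # hypothetical share root
$Domain = 'EXAMPLE'                # hypothetical NetBIOS domain name
$Group  = 'EXAMPLE\Staff'          # hypothetical AD group that gets the shared access
$List   = 'C:\Scripts\users.txt'   # one account name per line, exported from AD
$Admins = '*S-1-5-32-544'          # BUILTIN\Administrators (well-known SID)
$System = '*S-1-5-18'              # LocalSystem (well-known SID)

function Set-FolderAcl([string]$Path, [string]$Owner, [string]$GroupRights) {
    # Drop inherited ACEs, then write the whole ACL explicitly so the result
    # does not depend on whatever the share root happens to grant.
    & icacls $Path /inheritance:r `
        /grant:r "${Owner}:(OI)(CI)(F)" `
        /grant:r "${Group}:(OI)(CI)$GroupRights" `
        /grant:r "${Admins}:(OI)(CI)(F)" `
        /grant:r "${System}:(OI)(CI)(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

foreach ($Name in Get-Content $List) {
    $Name = $Name.Trim()
    if ($Name -eq '') { continue }
    # The name is spliced into a path and an ACE, so accept only plain account
    # names; a line such as "..\other" must never reach New-Item or icacls.
    if ($Name -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$') {
        Write-Warning "Skipping invalid entry: $Name"; continue
    }
    $UserDir = Join-Path $Root $Name
    if (Test-Path $UserDir) { continue }   # existing directories are left untouched

    $Public  = Join-Path $UserDir 'Public'
    $Dropbox = Join-Path $UserDir 'Dropbox'
    New-Item -ItemType Directory -Path $UserDir, $Public, $Dropbox | Out-Null
    $Owner = "$Domain\$Name"
    Set-FolderAcl $UserDir $Owner '(RX)'     # group: read/execute
    Set-FolderAcl $Public  $Owner '(RX,W)'   # group: read/write/execute
    Set-FolderAcl $Dropbox $Owner '(W)'      # group: write only, cannot list or read
}
```

Because the write-only ACE on Dropbox is inherited by the files placed in it, a group member who knows a file's name can still write to that file; check the result on a test folder with `icacls <path>` before scheduling the script.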