Fun with icacls

We’ve been having some random problems at work with various software packages and have tracked them down to folder redirection policies and permissions. It appears that years ago people couldn’t get folder redirection working right and rigged it up with some registry hacks and scripts. It works fine on Windows 2000, which most of our users still run, but breaks on Vista, because Vista doesn’t like to redirect to a drive letter. In particular we noticed that the Application Data folder was partly on the network share and partly on the local drive. The other thing we noticed is that the permissions on the folders weren’t set properly. After following Microsoft’s recommended settings for permissions and redirection policy, we tested, and sure enough things started working.

None of us knew very much about icacls.exe, but we knew we’d have to use the command-line utility to set permissions on the more than 2 TB of home directories we have. Here’s what we came up with. My comments are in red (the lines starting with ::).

::USAGE: fixstudentacl.cmd <year>
::This script should be run from the e:\users\ directory on the file server.

@echo off

:: all our user directories are in folders that match their username.
:: The directories are under classXXXX directories for each year.

set classdir=e:\users\class%1
cd /d %classdir%
:: change into the classXXXX directory so the loop below sees the user folders.

:: loop through all user directories in the classXXXX directory and run
:: the script that changes permissions.

for /d %%a in (*) do (
rem %%a is replaced with the directory name found.
rem (inside a parenthesised block use rem, not ::, or the block can break.)
call \\scriptpath\changestudentacl.cmd %%a
)

::changestudentacl.cmd

@echo off

set uuid=%1
TITLE Changing Permissions on %classdir%\%uuid%
:: make sure permissions on the classXXXX directory are set
:: according to Microsoft’s documentation before running this script.

icacls %classdir%\%uuid% /reset /t /c
:: reset all permissions on the folder to only inherited permissions.
icacls %classdir%\%uuid% /grant %uuid%:(OI)(CI)(F) /t /c
:: give each user full control over their directory.
TITLE Changing Ownership on %classdir%\%uuid%
icacls %classdir%\%uuid% /setowner %uuid% /t /c
:: give the user ownership of their directory.
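The same job as the two scripts above, folded into one file, as an added example rather than the post's own script. It assumes the post's layout (e:\users\class<year>\<username>, account name equal to the directory name) and adds the two things I would want before running /reset over 2 TB of data: an icacls /save snapshot of every directory's ACLs so the change can be undone with /restore, and a per-user log of icacls output so the "No mapping between account names and security IDs" errors that /c silently skips can be found afterwards. The backup location e:\aclbackup is an assumed path.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not the post's script: fixstudentacl-safe.cmd <year>
rem Assumes e:\users\class<year>\<username> and that the directory name is
rem the account name. e:\aclbackup is an assumed backup location.

if "%~1"=="" (
    echo USAGE: %~nx0 ^<year^>
    exit /b 1
)

set "classdir=e:\users\class%~1"
set "backupdir=e:\aclbackup\class%~1"
set "logfile=%backupdir%\fixacl.log"

if not exist "%classdir%\" (
    echo Class directory %classdir% does not exist.
    exit /b 1
)
if not exist "%backupdir%\" mkdir "%backupdir%"

rem /save stores paths relative to the current directory, so run it from the
rem class directory; restore later with: icacls "%classdir%" /restore <file>
pushd "%classdir%" || exit /b 1
for /d %%a in (*) do call :fixone "%%~nxa"
popd
echo Done. Log written to %logfile%
exit /b 0

:fixone
set "uuid=%~1"
set "userdir=%classdir%\%uuid%"
title Fixing %userdir%
echo ==== %date% %time% %userdir%>> "%logfile%"

rem 1. Snapshot the existing ACLs of the whole subtree before touching them.
icacls "%uuid%" /save "%backupdir%\%uuid%.acl" /t /c >> "%logfile%" 2>&1

rem 2. Reset to inherited permissions only (as in the post).
icacls "%userdir%" /reset /t /c >> "%logfile%" 2>&1

rem 3. Grant the post's setting (full control). /c continues past errors, so
rem    grep the log for "No mapping between account names" afterwards: that
rem    line means the directory name is not a valid account and nothing was
rem    granted for it.
icacls "%userdir%" /grant "%uuid%:(OI)(CI)(F)" /t /c >> "%logfile%" 2>&1

rem 4. Make the user the owner of the subtree.
icacls "%userdir%" /setowner "%uuid%" /t /c >> "%logfile%" 2>&1
exit /b 0
```

To roll back one user, run icacls "e:\users\class<year>" /restore "e:\aclbackup\class<year>\<username>.acl" from the file server; the saved file holds the DACLs of the directory and everything under it as they were before the reset.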

  1. I was admiring your script and work for a college in Western Pennsylvania. We set the students’ directories to Modify on the NTFS permissions and Change on the share permissions. I find that students will fool around with the permissions and lock themselves out of their own directories, and me as well. I noticed that you are granting Full permissions. Actually, if the share is set to Full Control they will have the NTFS permission Change Permissions regardless of whether they own the file.

  2. Hey, I’m in western PA too!
    Yeah, I’m sure there are better permission settings, but I was just following the Microsoft recommended settings. The permissions were really messed up when I started. I’ll look into using change instead of Full.

  3. Yep, the change from Full permissions to Modify will keep the users from changing their permissions, with minimal or zero effect 99.5% of the time. The owner of the file also has the permission to change the permissions at the NTFS level. So if you grant Full Control at the share level, then the user has the permission regardless, with the combined permissions. If you put Modify permissions on the share, the effective permissions are Change, and the share permissions will filter out the snafu of ownership. You have my email if you would like to chat. Oh, I also just finished a blog entry about icacls you might be interested in, since Windows 2008, Vista and 7 are moving that way; however, it looks like you are familiar with icacls. http://www.bohack.com/2009/12/mastering-permissions-with-icacls-exe-command-thru-the-gui/
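The point made in the comments is that a user with Full Control (or ownership) can rewrite their own ACL and lock everyone out, while Modify lets them create, change and delete files without that. Below is an added audit script, not code from the post or the commenters, that walks the same e:\users\class<year> layout, reports every user directory whose ACL still carries an explicit Full Control entry for that user, and with a "fix" argument swaps it for Modify. It assumes the directory name is the account name, as the post does.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not the post's or the commenters' code:
rem   auditstudentacl.cmd <year> [fix]
rem Assumes e:\users\class<year>\<username> with the directory name equal to
rem the account name. Without "fix" it only reports.

if "%~1"=="" (
    echo USAGE: %~nx0 ^<year^> [fix]
    exit /b 1
)
set "classdir=e:\users\class%~1"
set "mode=%~2"
set /a flagged=0

for /d %%a in ("%classdir%\*") do call :checkone "%%~fa" "%%~nxa"
echo %flagged% user directories carried an explicit Full Control entry.
endlocal
exit /b 0

:checkone
set "userdir=%~1"
set "uuid=%~2"
rem icacls with no switch prints the directory's ACL, one entry per line, e.g.
rem   e:\users\class2009\jdoe DOMAIN\jdoe:(OI)(CI)(F)
rem Inherited entries show "(I)" right after the colon, so matching
rem ":(OI)(CI)(F)" for this account finds only explicit Full Control grants.
rem /l makes findstr treat the backslash literally rather than as an escape.
icacls "%userdir%" | findstr /i /l /c:"\%uuid%:(OI)(CI)(F)" >nul
if errorlevel 1 exit /b 0

set /a flagged+=1
echo [FULL] %userdir%
if /i not "%mode%"=="fix" exit /b 0

rem /grant:r replaces the account's existing explicit entry instead of
rem merging with it, so Full Control is swapped for Modify rather than kept.
rem /t is needed because the post's script also wrote explicit entries on
rem every file and subfolder, not just the top directory.
icacls "%userdir%" /grant:r "%uuid%:(OI)(CI)(M)" /t /c >nul
echo        replaced with Modify
exit /b 0
```

Run it once without "fix" to see how many directories are affected, then with "fix" during a quiet period, since /t rewrites every object in each subtree. The NTFS change only covers half of what the comments describe: the share-level Change permission is set separately on the share itself, and the user's effective right through the share is the more restrictive of the two. Ownership still lets a user take back Full Control through the security dialog, which is why the share-level setting is the backstop the third comment relies on.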
