cacls scripting help

I need to create a script that goes through a folder and all subfolders and removes the delete permission for all specified users and groups (except for administrators) and then add in creator owner with full permissions.

This should, in my theory, stop everyone from being able to move/delete files unless they created it initially.

Does that sound right? Does that sound like something that is possible using cacls?
 
I use xcacls for a similar purpose, on some of my installation packages I need to change folder permissions so that some (badly written :p) programs can run properly as a normal user.

It's even easier to do if you're running the script manually, my way was a bit more complex as it was being run by SMS/SCCM under a system account but got round that nicely.
 
Looking at that script, it seems to need specific usernames to work with the permissions.

I just want it to hunt through all of the folders, remove all delete permissions for explicit users and then add creator owner as full rights.

How do I do the first bit?

I would normally just do this manually but there are so many subfolders with various different levels of permissions for various different people that I need to automate it.
 
cacls is an inferior version of Xcacls so disregard it. Any scripted permissions modifications you want to make, do through xcacls.

Now, do you know exactly which users and groups need the permissions modifying? If so then yes, you can use xcacls to achieve the results you're after. If you want the script to go through and amend every user and group it comes across without specifying them though, you can't.
 
Basically the situation is I have a shared folder, under which has various different folders, some are open to everyone, some are open to specific people or specific groups.

So looking at what you said trojan, it can't be done because each folder has different permissions on it, **** :(
 
Where I used to work they wouldn't use folder perms for things partly for things like this, they used new shares and controlled access via global groups.

Messy in that you end up with a lot of shares, but access was very granular and it was easy to manage permissions wise :)
 
The best thing to do here, I would suggest, would be to take this opportunity to tidy up the way permissions are given in your directory. Stop assigning permissions to users as individuals and consolidate them into various groups. Then, use inheritance to your advantage to set as many groups at as high a level as possible. You can then block inheritance on an individual folder basis as required and reassign specific groups/permissions.

> Where I used to work they wouldn't use folder perms for things partly for things like this, they used new shares and controlled access via global groups.
>
> Messy in that you end up with a lot of shares, but access was very granular and it was easy to manage permissions wise :)

Oooh I don't like the sound of that at all, that sounds terrible! Using NTFS permissions gives you a much more thorough and flexible security setup. Also, if the permissions are implemented well from the beginning, management is easy.
 
> Oooh I don't like the sound of that at all, that sounds terrible! Using NTFS permissions gives you a much more thorough and flexible security setup. Also, if the permissions are implemented well from the beginning, management is easy.

It was interesting to say the least! Wife still works there and think it's still like that now.
 
I was thinking I could potentially create a script for each user and run it, obviously each user is not on every folder so when it hits a folder where they aren't specified, does it just skip over it to the next one? ...cacls I mean.

That fileacl looks pretty handy but overwhelming at the same time, I'm not used to all this vbs stuff :(

sux2bme :(
 
> obviously each user is not on every folder so when it hits a folder where they aren't specified, does it just skip over it to the next one? ...cacls I mean.

If you specify 'On Error Resume Next' at the beginning of your script then it will indeed skip over folders where the user isn't specified in the ACL. Use Xcacls though as it's much more powerful.
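
A different route from the xcacls approach discussed in the thread, as an added example that is not part of any post: PowerShell's Get-Acl/Set-Acl can read each folder's explicit entries, so the users and groups do not have to be named in advance. The root path `D:\Shared` and the `-Apply` switch are assumptions, and files that carry their own explicit entries are not touched.

```powershell
# Added example, not code from the thread. $Root is an assumed path.
# Dry run by default; pass -Apply (from an elevated prompt) to write the ACLs.
param([string]$Root = 'D:\Shared', [switch]$Apply)

$sidType = [System.Security.Principal.SecurityIdentifier]
$delBits = [int][System.Security.AccessControl.FileSystemRights]'Delete,DeleteSubdirectoriesAndFiles'
$exempt  = @('S-1-5-32-544', 'S-1-3-0')   # BUILTIN\Administrators, CREATOR OWNER

# CREATOR OWNER: Full Control, applied to subfolders and files only
$coSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$coRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $coSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    # Explicit entries only: inherited ones change when their parent is processed
    foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $exempt -contains $who) { continue }
        if (([int]$ace.FileSystemRights -band $delBits) -eq 0) { continue }

        # Same trustee and inheritance flags, minus the two delete rights
        $remaining = [int]$ace.FileSystemRights -band (-bnot $delBits)
        try {
            if ($remaining -ne 0) {
                $new = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $ace.IdentityReference,
                    [System.Security.AccessControl.FileSystemRights]$remaining,
                    $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
            }
        } catch {
            # Entries stored with generic rights bits cannot be rebuilt this way
            Write-Warning "Skipped $who on $($folder.FullName): fix this entry by hand"
            continue
        }
        $acl.RemoveAccessRuleSpecific($ace)
        if ($remaining -ne 0) { $acl.AddAccessRule($new) }
    }
    $acl.AddAccessRule($coRule)

    if ($Apply) { Set-Acl -LiteralPath $folder.FullName -AclObject $acl }
    else        { Write-Output "Would update $($folder.FullName)" }
}
```

Modify and Full Control both include the Delete right, so entries granting either are rewritten; compare the dry-run list against a test copy of the share before using `-Apply`.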
 