Folder/file permission

GJUK · 12 Jul 2011 at 14:37

Hi

I got about 1500 home folders to create in a Active Directory that we are moving are users into (We are still using NT4) but Head Office (Denmark) are moving all the other countries into one AD...

All the users exist in the AD but no files server..Yet, I have built a windows 2008 server and added to the domain...so I need to start creating Home Directories setting permissions and then setting the home path in the properties..

I have a batch file that I used in our NT environment that I'm trying to modify..

I can create the folder from my laptop with a basic md Command...

%1=server name
%2=Username

md \\%1\d$\USERS\%2

next up I use the rmtshare utility to share the folder (works a treat)
rmtshare \\%1\%2=D:\USERS\%2 /unlimited /grant ourdomain\%2:change /grant administrators:full

now this is where is goes a little wrong..I used the setacl command to remove permission the folder, turn inherited rights off then set the rights how I wanted them....this just fails

so my question is how do you configure rights on folders remotely in an AD?

GJUK

anything I don't mind · 12 Jul 2011 at 15:27

I would just do it so that the home directories are created by a script after the user logs on. Then copy the contents from the old home directory to the new one, using xcopy. This could be done silently. Then you don't need to do permissions or make folders.

If you set the permissions correct on the home directory root folder then the scripts run under user accounts should be able to create a folder with permissions so that only they have access.

Then you can just script it to map a drive to the new location.

You are definitely talking to home folders and not profile?

GJUK · 12 Jul 2011 at 15:36

home folder.....

I not the best at scripting and on Google search there such a mind field of scripting option sites etc, i getting a headache just looking at Google searches lol

I need the folder there because I need to move the data before the users logged in, as we will be moving there PC to the AD from the NT4 Domain, so while the PC being reconfigured I want to be moving the files....

GJUK

chrislip · 12 Jul 2011 at 16:31

GJUK said:
now this is where is goes a little wrong..I used the setacl command to remove permission the folder, turn inherited rights off then set the rights how I wanted them....this just fails

so my question is how do you configure rights on folders remotely in an AD?

GJUK

What is the setacl command you are trying to run that is failing, and what permissions do you want on teh home folders?

GJUK · 12 Jul 2011 at 21:28

chrislip said:
What is the setacl command you are trying to run that is failing, and what permissions do you want on teh home folders?

I will post the command line tomorrow....

But I need Administrators to have full access and the users to have change access

folders are stored and a folder called Users each folder is then shared and that what the user maps a letter to...

I post more info tomorrow once I back in work ;-)

GJUK

JonnyT · 13 Jul 2011 at 00:04

From a quick read of the website, this would be the syntax I'd try... (all on one line, Ive separated for clarity - my comments after the stars on each line):

Code:

SetACL.exe -on "\\%1\d$\USERS\%2" -ot file -actn ace * Start SetACL and tell it it's a file/folder we want to work on
-ace "n:ourdomain\%2;p:change" * specify permissions for the user
-ace "n:S-1-5-32-544;p:full;s:y" * specify permissions for the Local Administrator SID (us this instead of a username in case your local admin is renamed)
-ace "n:SYSTEM;p:full" * specify SYSTEM permissions
-actn setprot -op "dacl:p_nc" * disables inheritance of permissions, permissions not copied

GJUK · 13 Jul 2011 at 10:31

JonnyT said:

From a quick read of the website, this would be the syntax I'd try... (all on one line, Ive separated for clarity - my comments after the stars on each line):

Code:

SetACL.exe -on "\\%1\d$\USERS\%2" -ot file -actn ace * Start SetACL and tell it it's a file/folder we want to work on
-ace "n:ourdomain\%2;p:change" * specify permissions for the user
-ace "n:S-1-5-32-544;p:full;s:y" * specify permissions for the Local Administrator SID (us this instead of a username in case your local admin is renamed)
-ace "n:SYSTEM;p:full" * specify SYSTEM permissions
-actn setprot -op "dacl:p_nc" * disables inheritance of permissions, permissions not copied

Oh thanks for that....I try that now and post the results

GJUK

GJUK · 13 Jul 2011 at 14:50

JonnyT said:

From a quick read of the website, this would be the syntax I'd try... (all on one line, Ive separated for clarity - my comments after the stars on each line):

Code:

SetACL.exe -on "\\%1\d$\USERS\%2" -ot file -actn ace * Start SetACL and tell it it's a file/folder we want to work on
-ace "n:ourdomain\%2;p:change" * specify permissions for the user
-ace "n:S-1-5-32-544;p:full;s:y" * specify permissions for the Local Administrator SID (us this instead of a username in case your local admin is renamed)
-ace "n:SYSTEM;p:full" * specify SYSTEM permissions
-actn setprot -op "dacl:p_nc" * disables inheritance of permissions, permissions not copied

Hi

I got that working nicely....so thanks for that...so so far I can

Create the user folder, share folder and set share permissions, noe I can also set folders permission...net up setting users home folder path and setting the drive letter we use...

GJUK