
I need to create a user and directories for the user and share them.
The rights are set on NTFS structure only.

The user must be able to do everything except change rights and take ownership; this is not allowed, and this must apply to this folder and its subfolders and files.

So far I have the bat file to create the directory and share it for everyone. Now I just need to set the rights on the directory, which will be inherited down the structure in the user directory.

These rights must be on root NTFS structure with full control and must be in all folders.

builtin\administrators
system
domain\security
domain\backup

Lastly, I need a script to run when things go wrong, to reset the rights on all user folders if a technician or subadmin messes it up.

Bat file to create user and folders

net user %1 /add /domain
md \\fileserve2\H$\Userhome\%1
rmtshare \\fileserve2\%1$=H:\Userhome\%1 /remark:"W-drive share for %1"
rmtshare \\fileserve2\%1$ /g Everyone:f
md \\fileserve2\H$\Userconf\%1
rmtshare \\fileserve2\%1$=H:\Userconf\%1 /remark:"Z-drive share for %1"
rmtshare \\fileserve2\%1$ /g Everyone:f

Bat file to delete user and folders

net user %1 /delete /domain
rmtshare \\fileserve2\%1 /delete
rmtshare \\fileserve2\%1$ /delete
DEL \\fileserve2\H$\userconf\%1 /S /F /Q
RD \\fileserve2\H$\userconf\%1 /S /Q
DEL \\fileserve2\H$\Userhome\%1 /S /F /Q
RD \\fileserve2\H$\Userhome\%1 /S /Q

Hope for someone to help me out and point me in the right direction.

Hubert Kario

1 Answer

To set the permissions on the folder you can use icacls.exe. In your example you can use:

icacls \\fileserve2\H$\Userhome\%1 /grant administrators:(oi)(ci)m /grant system:(oi)(ci)m /grant domain\security:(oi)(ci)m /grant domain\backup:(oi)(ci)m

Note that you can add multiple '/grants'. The '(oi)(ci)' ensures inheritance to subdirectories and files. The 'm' stands for 'Modify'.

The following script reads all directories in \\fileserve2\H$\Userhome and resets the permissions.

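@echo off
rem "delims=" keeps folder names that contain spaces in one piece
For /f "delims=" %%a in ('dir \\fileserve2\H$\Userhome\ /b /a:d') do call :SetPermissions "%%a"
Goto :eof

:SetPermissions
rem %~1 is the folder name passed by the loop, with its quotes stripped
icacls "\\fileserve2\H$\Userhome\%~1" /grant administrators:(oi)(ci)m /grant system:(oi)(ci)m /grant domain\security:(oi)(ci)m /grant domain\backup:(oi)(ci)m
Goto :eof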

For disaster recovery, you can also use icacls /save to save the file permissions to a file. This file can be used with icacls /restore to restore the permissions. Check http://zeda.nl/index.php/en/backup-file-permissions-en for a detailed explanation.

ZEDA-NL
  • Hmmm, I just answered an ancient question. I hope it will still be useful for that single person that reads this. – ZEDA-NL Sep 11 '15 at 13:58
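
As an added example (not part of the question or the answer above), this script applies icacls to the question's stated requirements: full control for the four administrative principals, Modify for the user, and a save/restore pair for recovery. The `domain` prefix, the assumption that the account is `domain\<user>`, and the ACL file name are placeholders.

```bat
@echo off
rem Added example, not code from the original posts.
rem Usage: homeacl.bat set <user> ^| save ^| restore
setlocal
rem The server path is the one used on this page; the "domain" prefix and
rem the backup file name are placeholders (assumptions).
set "ROOT=\\fileserve2\H$\Userhome"
set "DOM=domain"
set "ACLFILE=%~dp0userhome-acl.txt"

if /i "%~1"=="set"     goto :set
if /i "%~1"=="save"    goto :save
if /i "%~1"=="restore" goto :restore
echo Usage: %~nx0 set ^<user^> ^| save ^| restore
exit /b 1

:set
if "%~2"=="" goto :nouser
if not exist "%ROOT%\%~2\" goto :nouser
set "DIR=%ROOT%\%~2"
rem 1. Start clean: /reset leaves only the ACEs inherited from Userhome.
icacls "%DIR%" /reset /C /Q || exit /b 1
rem 2. Explicit, inheritable entries: F = full control for the admin
rem    principals, M = modify for the user. Modify does not include
rem    "change permissions" or "take ownership".
icacls "%DIR%" /grant:r "BUILTIN\Administrators:(OI)(CI)F" ^
  /grant:r "SYSTEM:(OI)(CI)F" /grant:r "%DOM%\security:(OI)(CI)F" ^
  /grant:r "%DOM%\backup:(OI)(CI)F" /grant:r "%DOM%\%~2:(OI)(CI)M" || exit /b 1
rem 3. Drop the ACEs inherited from Userhome so only the five above remain.
icacls "%DIR%" /inheritance:r || exit /b 1
rem 4. Make everything below inherit from the folder again (errors are shown, not fatal).
icacls "%DIR%\*" /reset /T /C /Q
exit /b 0

:save
rem The \* matters: saved paths are then relative to Userhome, so the
rem restore below has to be pointed at Userhome itself.
icacls "%ROOT%\*" /save "%ACLFILE%" /T /C /Q
exit /b %errorlevel%

:restore
if not exist "%ACLFILE%" (echo No saved ACL file: "%ACLFILE%" & exit /b 1)
icacls "%ROOT%" /restore "%ACLFILE%" /C /Q
exit /b %errorlevel%

:nouser
echo Missing user name or folder not found under %ROOT%
exit /b 1
```

Run `save` while the permissions are known to be good; `restore` only puts back what that file recorded, while `set <user>` rebuilds one folder from the rules in the script.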