Hi Michael, If you remove admins etc (where etc includes system), you'll no longer be able to backup the user directories, so I wouldn't get too carried away. At the end of the day, admins can get access to users data one way or another. Someone has to be trusted. Anyway, this is how to do it: cd to root of user directories. This assumes each directory has the users login name and there are no spaces in the users name. A command line starting with: for /d %i in (*) do will allow you to execute something for each users directory. All you have to do is put the command after the "do" statement and include "%i" wherever the directory name (or userbane) is required. -------------- Xcacls is the easiest way to do this. Its avaliable from the win2k etc resource kits so you should be able to get a copy quite easily. It has the advantage over cacls that you can use the "/y" switch to remove access rights. Usage for xcacls: xcacls file name [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y] where file name indicates the name of the file or folder to which the ACL or access control entry (ACE) is typically applied. All standard wildcard characters can be used. /T recursively walks through the current folder and all of its subfolders, applying the chosen access rights to the matching files or folders. /E edits the ACL instead of replacing it. For example, only the administrator will have access to the Test.dat file if you run the XCACLS test.dat /G Administrator:F command. All ACEs applied earlier are lost. /C causes Xcacls.exe to continue if an "access denied" error message occurs. If /C is not specified, Xcacls.exe stops on this error. /G user:perm;spec grants a user access to the matching file or folder. * The perm (permission) variable applies the specified access right to files and represents the special file-access-right mask for folders. The perm variable accepts the following values: * R Read * C Change (write) * F Full Control * P Change Permissions (special access) * O Take Ownership (special access) * X EXecute (special access) * E REad (Special access) * W Write (Special access) * D Delete (Special access) * The spec (special access) variable applies only to folders and accepts the same values as perm, with the addition of the following special value: * T Not Specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right has to follow. Entries between a semicolon (;) and T are ignored. Notes * The access options for files (for folders, special file and folder access) are identical. For detailed explanations of these options, see the Windows 2000 operating system documentation. * All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Because of this, there are no special options for folder access rights, such as LIST or READ. /R user revokes all access rights for the specified user. /P user:perm;spec replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. /D user denies user access to the file or directory. /Y disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine stops responding until the right answer is entered. The /Y option was introduced to avoid this confirmation, so that Xcacls.exe can be used in batch mode. ---------- So something like: for /d %i in (*) do xcacls %i /c /t /y /e %i:F System:F would do what you want. regards, Rick Ulrich Mack Volante Systems Ltd 18 Heussler Terrace, Milton 4064 Queensland Australia. Ph: +61 7 3246 7704 email: rmack@xxxxxxxxxxxxxx web: www.volante.com.au -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Boggan Sent: Wednesday, 7 July 2004 1:10 AM To: ThinList Subject: [THIN] Easier way to do this I need to change NTFS permissions on 125 directories. Assigning only the user to each one and removing admins etc. Is there a way to do this with a script or command line using a variable such as %username%, or something? Thanks, Michael Boggan ##################################################################################### This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this email has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this email is prohibited. If you have received it in error please notify the sender immediately by reply email and destroy all copies of this email and any attachments. All liability for direct and indirect loss arising from this email and any attachments is hereby disclaimed to the extent permitted by law. #####################################################################################