[THIN] Re: Easier way to do this

  • From: "Rick Mack" <Rick.Mack@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 7 Jul 2004 07:22:32 +1000

Hi Michael,
 
If you remove admins etc (where etc includes system), you'll no longer
be able to back up the user directories, so I wouldn't get too carried
away. At the end of the day, admins can get access to users' data one way
or another. Someone has to be trusted.
 
Anyway, this is how to do it:
 
cd to the root of the user directories. This assumes each directory has the
user's login name and there are no spaces in the user's name.
 
A command line starting with:
 
for /d %i in (*) do 
 
will allow you to execute something for each user's directory. All you
have to do is put the command after the "do" statement
and include "%i" wherever the directory name (or username) is required.
 
--------------
Xcacls is the easiest way to do this. It's available from the win2k etc
resource kits so you should be able to get a copy quite easily. It has
the advantage over cacls that you can use the "/y" switch to remove
access rights.
 
Usage for xcacls: 
 
xcacls file name [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]

where file name indicates the name of the file or folder to which the
ACL or access control entry (ACE) is typically applied. All standard
wildcard characters can be used. 

/T recursively walks through the current folder and all of its
subfolders, applying the chosen access rights to the matching files or
folders. 

/E edits the ACL instead of replacing it. For example, only the
administrator will have access to the Test.dat file if you run the
XCACLS test.dat /G Administrator:F command. All ACEs applied earlier are
lost. 

/C causes Xcacls.exe to continue if an "access denied" error message
occurs. If /C is not specified, Xcacls.exe stops on this error. 

/G user:perm;spec grants a user access to the matching file or folder. 

*       The perm (permission) variable applies the specified access
right to files and represents the special file-access-right mask for
folders. The perm variable accepts the following values: 

        *       R Read 
        *       C Change (write) 
        *       F Full Control 
        *       P Change Permissions (special access) 
        *       O Take Ownership (special access) 
        *       X EXecute (special access) 
        *       E REad (Special access) 
        *       W Write (Special access) 
        *       D Delete (Special access) 

*       The spec (special access) variable applies only to folders and
accepts the same values as perm, with the addition of the following
special value: 

        *       T Not Specified. Sets an ACE for the directory itself
without specifying an ACE that is applied to new files created in that
directory. At least one access right has to follow. Entries between a
semicolon (;) and T are ignored.

Notes

        *       The access options for files (for folders,
special file and folder access) are identical. For detailed explanations
of these options, see the Windows 2000 operating system documentation. 
        *       All other options, which can also be set in
Windows Explorer, are subsets of all possible combinations of the basic
access rights. Because of this, there are no special options for folder
access rights, such as LIST or READ. 

/R user revokes all access rights for the specified user. 

/P user:perm;spec replaces access rights for user. The rules for
specifying perm and spec are the same as for the /G option. 

/D user denies user access to the file or directory. 

/Y disables confirmation when replacing user access rights. By default,
CACLS asks for confirmation. Because of this feature, when CACLS is used
in a batch routine, the routine stops responding until the right answer
is entered. The /Y option was introduced to avoid this confirmation, so
that Xcacls.exe can be used in batch mode. 
----------
 
So something like:
 
for /d %i in (*) do xcacls %i /c /t /y /e /g %i:F System:F
 
would do what you want.
 
regards,
 
Rick

Ulrich Mack
Volante Systems Ltd
18 Heussler Terrace, Milton 4064
Queensland Australia.
Ph: +61 7 3246 7704
email: rmack@xxxxxxxxxxxxxx
web: www.volante.com.au




        -----Original Message-----
        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Boggan
        Sent: Wednesday, 7 July 2004 1:10 AM
        To: ThinList
        Subject: [THIN] Easier way to do this
        
        
        I need to change NTFS permissions on 125 directories. Assigning
only the user to each one and removing admins etc.  Is there a way to do
this with a script or command line using a variable such as %username%,
or something?
         
        Thanks,
         
        Michael Boggan
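
The loop from the reply above in batch-file form, added here as an example and not part of the original post. It uses only the xcacls switches listed in the usage text, omits /E so the ACL is replaced rather than edited, and defaults to a dry run. The log file name, the DRYRUN variable and the assumption that the accounts are domain accounts (checked with net user /domain) are choices made for this example.

```batch
@echo off
rem Added example, not from the original post. Run from the root of the
rem user directories. Same assumptions as the post: each directory is
rem named after the login name, and names contain no spaces.
rem Inside a batch file the loop variable is written %%i, not %i.
setlocal
rem DRYRUN=1 only prints the commands; set to 0 to apply them.
set DRYRUN=1
rem LOG is a file name chosen for this example.
set LOG=acl-changes.log

for /d %%i in (*) do call :fixacl "%%i"
endlocal
goto :eof

:fixacl
rem %~1 is the directory name with the surrounding quotes removed.
rem Skip directories that do not match an account, so a stray folder
rem does not end up with an ACL that names a nonexistent user.
rem Assumption: the users are domain accounts.
net user "%~1" /domain >nul 2>&1
if errorlevel 1 (
    echo SKIP %~1: no matching account>>"%LOG%"
    goto :eof
)
rem No /E here: the existing ACL is replaced, so only the user and
rem System remain. System is kept so backups can still read the data.
if "%DRYRUN%"=="1" (
    echo xcacls "%~1" /T /C /G %~1:F System:F /Y
    goto :eof
)
rem Record the ACL before the change so it can be restored by hand.
xcacls "%~1" >>"%LOG%"
xcacls "%~1" /T /C /G %~1:F System:F /Y >>"%LOG%" 2>&1
goto :eof
```

Review the printed commands from the dry run before setting DRYRUN=0, since replacing the ACL removes every entry not named after /G.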

