Setting user permissions on a directory?

First let me say hi to you all since I just registered and this is my first post.

This is the situation I am working with right now:

\\SERVER\HOME\(USERNAME)       - Directory where all users exist

Every time I create a new account in the AD, users and computers,
I have to manually create a directory with the username (for example \\SERVER\HOME\JL120).

I have tried to do this in a batch file, which works like a charm, of course.

Alas, I also have to put permissions on that directory, with previously mentioned example JL120 having every permission on the directory JL120. When I create a directory in DOS, domain admins and other admins have all the permissions, which is good, but I can't seem to figure out how to put read/write/alter permissions for a single user on a single directory in DOS. Is there even a way?


I thank you in advance!

C:\test>attrib  /?
Displays or changes file attributes.

ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [+I | -I]
       [drive:][path][filename] [/S [/D] [/L]]

  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  I   Not content indexed file attribute.
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder
      and all subfolders.
  /D  Processes folders as well.
  /L  Work on the attributes of the Symbolic Link versus
      the target of the Symbolic Link


C:\test>

Thanks for your reply!

Your above solution works, of course, but that is also part of the problem.

If I decide to change the attributes of a directory with attrib, it will change the attributes of the folder for everyone, rather than changing it for a single user.

My goal is to create a folder, and give 1 single user (of my preference) permissions on it (such as "allowed to read - not write, or allowed to read and write etc.).

Thanks for the effort though!

Quote from: GKamst on July 16, 2010, 04:33:07 AM

Thanks for your reply!

Your above solution works, of course, but that is also part of the problem.

If I decide to change the attributes of a directory with attrib, it will change the attributes of the folder for everyone, rather than changing it for a single user.

My goal is to create a folder, and give 1 single user (of my preference) permissions on it (such as "allowed to read - not write, or allowed to read and write etc.).

Thanks for the effort though!

What you need, is to change the Access Control List.

It doesn't actually change any attributes, but it's an important part of a multi-user network setup. The "cacls" utility is included in XP Pro (if I remember correctly):

cacls <folder> /T /G username:<permissions>

replace the folder and username with your values of course;

<permissions> is one of R(read),W(write),C(change), or F(Full Control).

Quote from: BC_Programmer on July 16, 2010, 05:06:55 AM
What you need, is to change the Access Control List.

It doesn't actually change any attributes, but it's an important part of a multi-user network setup. the "cacls" utility is included in XP Pro (if I remember correctly):

cacls <folder> /T /G username:<permissions>

replace the folder and username with your values of course;

<permissions>  is one of R(read),W(write),C(change), or F(Full Control).



Thanks a bunch, this actually works!

This however, brought up another issue that I need to deal with now,
which is the following:

I have a batch file that does the following:

set /P username=Enter a username:
mkdir [fileserver]\userdirectories\%username%
echo Y|cacls [fileserver]\userdirectories\%username%  /T /G [domain]\administrators:F
echo Y|cacls [fileserver]\userdirectories\%username%  /T /G [domain]\%username%:F <---Which I needed the command I requested for in the first place


When I run the batch file, the directory is created as it should be, and the administrators (and other "hard" usernames, such as domaincontrollers, and basically everything that isn't derived from a variable like %username%) are permitted to do whatever I gave permissions for.


Except, when the batch reaches the point where it needs to give [domain]\%username% permissions, I seem to get an error that says: "No mapping between account names and security IDs was done".

I am oblivious of what this means. Thanks for your time though, you have helped me greatly so far!

I think I have got it!!!

In my original file, I tried to set permissions on a directory on a one-user-per-command kind of base.

So...


echo Y|cacls [domain]\userdirectories\%username% /T /G [domain]\administrator:F
echo Y|cacls [domain]\userdirectories\%username% /T /G [domain]\my-admin-account:F
echo Y|cacls [domain]\userdirectories\%username% /T /G [domain]\domaincontrollers:F
echo Y|cacls [domain]\userdirectories\%username% /T /G [domain]\%username%:F

BUT because cacls always overwrites previously set permissions when you declare new ones,
every time I set a new permission, it would wipe the old ones.


This means, that when the command line finally got to the "Give %username% permissions on this map", it would REMOVE my own permissions, thus making me unable to actually GIVE permission on that folder for someone else, seeing as I didn't have any permissions of my OWN anymore.

So now, I tried to do this:

echo Y|cacls [domain]\userdirectories\%username% /T /G [domain]\account1:F [domain]\account2:f [domain]\account3:F.... and so on and so on

in ONE command line.

This actually does the job!


I owe you much, thanks for your help!!
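
The replace-versus-edit behaviour discussed in this thread, as an added example that is not part of the original posts: without /E, cacls /G replaces the whole ACL, while /E adds the new entry to the ones already present, so separate commands no longer wipe each other. HOMEROOT, DOMAIN, ADMINGROUP and the ACCT variable are placeholders chosen for this example, and it assumes it is run by an administrator on a domain-joined machine.

```batch
@echo off
setlocal
rem Added example, not from the thread. Placeholder values: replace with your own.
set "HOMEROOT=\\SERVER\HOME"
set "DOMAIN=EXAMPLE"
set "ADMINGROUP=Domain Admins"

rem Use ACCT rather than USERNAME: USERNAME is a built-in variable holding the
rem logged-on user's name, and overwriting it hides that name from the script.
set "ACCT="
set /P "ACCT=Enter the account name: "
if not defined ACCT (
    echo No account name given.
    exit /b 1
)

rem Stop early if the name does not resolve to a domain account. cacls reports
rem "No mapping between account names and security IDs was done" when a name
rem it is asked to grant rights to cannot be resolved.
net user "%ACCT%" /domain >nul 2>&1
if errorlevel 1 (
    echo Account %DOMAIN%\%ACCT% was not found in the domain.
    exit /b 1
)

set "HOMEDIR=%HOMEROOT%\%ACCT%"
if not exist "%HOMEDIR%\" mkdir "%HOMEDIR%"
if not exist "%HOMEDIR%\" (
    echo Could not create %HOMEDIR%.
    exit /b 1
)

rem /E edits the existing ACL instead of replacing it, so each grant is added
rem to the entries already on the folder and no Y/N confirmation is asked.
cacls "%HOMEDIR%" /T /E /G "%DOMAIN%\%ADMINGROUP%":F

rem C (change) lets the user read, write and delete without being able to
rem rewrite the ACL; use F only if the user must manage permissions too.
cacls "%HOMEDIR%" /T /E /G "%DOMAIN%\%ACCT%":C

rem Print the resulting ACL so the entries can be checked by eye.
cacls "%HOMEDIR%"
endlocal
```

On Windows Vista, Server 2008 and later, cacls is deprecated in favour of icacls, whose /grant switch also adds to existing entries unless :r is appended.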

