Re: xcacls + subfolders and files only

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/10/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 10 Dec 2002 00:37:06 -0500


Maybe I'm confused, but I don't see it that way. The commands I gave should
change the default permissions on all folders whether they exist or not. I
still think that CACLS will do what you are wanting to do.

I don't see any way other than to change the permissions on new folders
either manually or by a script. If you create a new user joe and a new
folder named joe's folder, I would never expect any OS to know the correct
permissions to apply to the new folder using the new ID, that would be some
magic trick. However, using a batch file or other script to both create the
folder and set up permissions should work... something like:

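REM THIS IS A BATCH FILE TO CREATE NEW FOLDERS
REM Usage: NEWFOLDER username
X:
CD \rootfolder
MD %1
REM /E edits the ACL instead of replacing it; grant the new user Change
cacls %1 /T /E /C /G %1:C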

Then, save the batch file in the windowsroot folder as NEWFOLDER.BAT and
then run the command NEWFOLDER username such as NEWFOLDER JOE
to create a new folder named Joe with the correct permissions.

In order to prevent users from changing permissions, I can't see why you
can't use the CACLS command to revoke Full control permission from all
normal users, such as:

CACLS foldername /T /E /C /R joe frank john etc.
CACLS joefolder /T /E /C /G joe:C
CACLS frankfolder /T /E /C /G frank:C

Additionally, changing the permissions on the root folder that contains all
these folders so that only Administrators have Full Control should also
affect any new folders that are created, which should prevent any new
folders from having the problem where users have too many permissions.

"frederic henry" <frederichenry@hotmail.com> wrote in message
news:014901c29fbc$91d9e700$d5f82ecf@TK2MSFTNGXA12...
> not really.
>
> that would work on directories that already have data in
> them, but this is part of an automated process in which
> the default perms. on homespace (created through active
> directory) will be changed upon the creation of an account.
>
> i've seen a few posts in older newsgroups around people
> trying to do this, but apparently with little reply or
> success.
>
> the problem i'm trying to circumvent is that users have
> figured out that they can add people to their homespace,
> or remove admin. privileges on them (big headache).
>
> it's been affecting backup systems, account management and
> the like.
>
> if i can remove the user's ability to change perms. on the
> root level of their homespace (to new and existing
> accounts) then it would save hours of maintenance time.
>
> fh.
> >-----Original Message-----
> >Well, I could be wrong, but does this do what you need? I don't have the
> >XCACLS documentation in front of me, but I would try something like the
> >following executed from the parent directory that contains the target
> >directory you are modifying:
> >
> >CACLS foldername /T /C /P user:perm [for subfolder permissions]
> >CACLS foldername /C /P user:perm [for root folder permissions]
> >
> >
> >
> >
> >"frederic henry" <frederichenry@hotmail.com> wrote in message
> >news:00a701c29fb0$b5202b40$d5f82ecf@TK2MSFTNGXA12...
> >> i've tested with both cacls and xcacls and i can't figure
> >> out how to get the "only subfolders and files" option.
> >>
> >> basically, this is the perms. i need (i did this through
> >> windows, then ran an xcacls on the directory - which
> >> returned these results):
> >>
> >> <folder location> <domain name>\<username>:(special access:) READ_CONTROL
> >>                                                               SYNCHRONIZE
> >>                                                               FILE_GENERIC_READ
> >>                                                               FILE_GENERIC_EXECUTE
> >>                                                               FILE_READ_DATA
> >>                                                               FILE_WRITE_DATA
> >>                                                               FILE_APPEND_DATA
> >>                                                               FILE_READ_EA
> >>                                                               FILE_EXECUTE
> >>                                                               FILE_READ_ATTRIBUTES
> >>
> >>                   <domain name>\<username>:(OI)(CI)(IO)F
> >>                   BUILTIN\Administrators:(OI)(CI)F
> >>
> >> no matter what i've tried it always defaults to "files
> >> only" or "this folder, subfolder and files".
> >>
> >> do you know the command line args. for these perms.?
> >>
> >> fh.
> >>
> >> >-----Original Message-----
> >> >PS test using CACLS or XCACLS first. There are some known issues. I am
> >> >thinking here of the issue where the ACLs are improperly ordered after
> >> >running CACLS, so that a user gets an error message the first time accessing
> >> >the folder and gets a dialog box with two buttons, one of which I believe
> >> >resets the folder security to Everyone Full.
> >> >
> >> >
> >> >"frederic henry" <frederichenry@hotmail.com> wrote in message
> >> >news:078301c29fa5$b3695480$d6f82ecf@TK2MSFTNGXA13...
> >> >> (originally posted in access.security by mistake).
> >> >>
> >> >> hey,
> >> >>
> >> >> i'm having trouble trying to figure out how to grant
> >> >> rights to "subfolder and files only" using xcacls.
> >> >>
> >> >> basically, i want users to have full control of all
> >> >> folders/files in a specific directory, but not on the
> >> >> root. easy enough to do with the acl/ace editor in
> >> >> windows, but i need to do this on roughly 50,000+
> >> >> directories, which is why i need to use xcacls.
> >> >>
> >> >> if anyone knows how to do this, or knows another product
> >> >> for this, any information would be appreciated. thanks.
> >> >>
> >> >> fh.
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
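
Added example, not part of the original thread: on current Windows versions the "subfolders and files only" scope asked about in the quoted posts can be scripted in PowerShell by combining the ContainerInherit and ObjectInherit inheritance flags with the InheritOnly propagation flag, which XCACLS prints as (OI)(CI)(IO). The X:\rootfolder path comes from the batch file above; the CONTOSO domain name and the convention that each folder is named after its account are assumptions.

```powershell
# Added example. Assumed: each folder under $HomeRoot is named after its
# account; CONTOSO is a placeholder domain name.
param(
    [string]$HomeRoot = 'X:\rootfolder',
    [string]$Domain   = 'CONTOSO',
    [switch]$Apply    # without -Apply the script only reports
)

# Rights on the home folder itself, from the XCACLS listing in the thread:
# read/execute plus create files and folders, without WRITE_DAC or WRITE_OWNER.
$rootRights = 'ReadAndExecute, CreateFiles, AppendData, Synchronize'
$inheritAll = 'ContainerInherit, ObjectInherit'    # (OI)(CI)

function New-Rule($Who, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Who, $Rights, $Inherit, $Propagate, 'Allow'
}

function New-HomeAcl([string]$User) {
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)    # drop ACEs inherited from $HomeRoot
    # "This folder only": limited rights, no inheritance flags.
    $acl.AddAccessRule((New-Rule $User $rootRights 'None' 'None'))
    # "Subfolders and files only": (OI)(CI)(IO), inherited by children only.
    $acl.AddAccessRule((New-Rule $User 'FullControl' $inheritAll 'InheritOnly'))
    # "This folder, subfolders and files": (OI)(CI).
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' $inheritAll 'None'))
    $acl
}

foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $user = "$Domain\$($dir.Name)"
    try {
        $acl   = New-HomeAcl $user     # throws if the account does not resolve
        $owner = (Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop).Owner
        # By default an owner can rewrite the DACL, so flag user-owned home folders.
        if ($owner -eq $user) { Write-Warning "$($dir.FullName) is owned by $user" }
        if ($Apply) { Set-Acl -LiteralPath $dir.FullName -AclObject $acl -ErrorAction Stop }
        [pscustomobject]@{ Folder = $dir.FullName; User = $user; Owner = $owner; Applied = [bool]$Apply }
    } catch {
        Write-Warning "$($dir.FullName) skipped: $($_.Exception.Message)"
    }
}
```

Run it without -Apply against a few test folders first and review the reported owners before changing anything in bulk.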