From time to time our first-line support team complained that they had only limited access to users' home drives. Their group is granted Full Control on the root folder, so as long as inheritance is enabled on everything below it, they should have Full Control everywhere. Unfortunately this is not always the case: some of the deeper folders and files have custom NTFS permissions with inheritance disabled, and on some of them not even the local Administrators group is listed in the Security tab.
So it was decided to clean this up and fix it for good. Obviously the number of folders and files is huge, well over a million, so doing it by hand is out of the question. Let's see how scripting can help us here 🙂
First of all we need to clarify our requirements:
1. we want a backup of the current NTFS permissions, just in case.
2. we need to make sure the existing custom NTFS settings are preserved.
3. we need to make sure the support team has access to all folders and files, no matter how deep in the structure they are.
To fulfil these wishes we are going to need several scripts. Let's start with the backup [the root folder is D:\USERDATA]. /T makes icacls walk the whole tree rather than just the top level (without it only the direct children of D:\USERDATA end up in the file), and /C keeps it going when it hits an entry it cannot read, which, given the problem we are fixing, it will:
icacls D:\USERDATA\* /save aclbackup.txt /T /C
Entries icacls could not read are simply missing from the backup, so keep its error output next to the file. Should anything go wrong later, the same file goes back with the /restore switch, run against the same root folder.
Assuming our root folder is configured the way we want, we now make sure every user folder below it has inheritance enabled. There is one important point here: we want to enable inheritance and at the same time keep whatever is configured right now [we do not want users to lose their access]. The ICACLS utility can do exactly that with its /inheritance:e option (http://ss64.com/nt/icacls.html): it flips the folder back to inheriting from its parent and leaves the explicit ACEs on it untouched, so the net result is the existing entries plus the inherited ones. Two things to keep in mind: if inheritance was originally broken with "convert inherited permissions into explicit permissions", those converted copies stay next to the freshly inherited entries (harmless, just noisy), and an explicit Deny entry on a folder still wins over an inherited Allow, so on such folders re-enabling inheritance alone will not get the support team in.
Here is the script. The core of it is a for /F loop over the output of dir /S /B /A:D, which lists every folder under the root as a full path; for each one the script writes the path to a log, optionally asks whether to continue, and runs icacls /inheritance:e on it. (icacls could walk the tree on its own with /T, but the loop gives us a per-folder log and a chance to abort.)
@echo off
REM
REM !!!! Make sure your icacls supports the /inheritance switch. Run "icacls /?" to check.
REM This script walks every folder under the target root and enables inheritance while keeping the current ACL.
REM Optionally, see the takeown line below, it first makes the Administrators group the owner of the folder.
REM You have to set the target root folder for the "for" loop, e.g. "D:\USERDATA\"
REM
SET "globAuto=0"
setlocal ENABLEDELAYEDEXPANSION
REM specify log file name
Set "LogFile=EnableInheritance_log.txt"
echo.
REM specify target root folder, with trailing backslash
Set "TargetFolder=D:\USERDATA\"
echo Target folder: %TargetFolder%
REM Record the current state: open SMB sessions and the ACL of each top-level user folder.
REM The full-tree backup is the icacls /save command from above, this is only a quick snapshot.
echo.
echo Collecting current state in case of unexpected results - "EnableInheritance_Backup.txt"
net session >> EnableInheritance_Backup.txt
REM "delims=" means no delimiters at all, so folder names containing spaces stay in one piece
for /F "delims=" %%b in ('dir "%TargetFolder%" /B /A:D') do (
    SET "AplankasB=%%b"
    SET "KeliasB=!TargetFolder!!AplankasB!"
    cacls "!KeliasB!" >> EnableInheritance_Backup.txt
)
echo.
echo %DATE% %TIME% >> %LogFile%
echo. >> %LogFile%
Set _date=%DATE:/=-%_%random%
echo Date: %_date%
echo.
echo Processing Folders:
REM dir is the source of the folder paths. The for loop goes through them one by one.
REM /S - include all subfolders
REM /B - bare output. Together with /S every line is a full path.
REM /A:D - folders only, hidden ones included
for /F "delims=" %%f in ('dir "%TargetFolder%" /S /B /A:D') do (
    REM with /S /B dir already prints the full path, so the root must not be prefixed again
    SET "Kelias=%%f"
    echo !Kelias!
    echo !Kelias! >> %LogFile%
    if "!globAuto!" == "0" ( call :Selection)
    IF "!confirm!"=="n" ( goto :Abort)
    REM Sometimes the owner of the folder is wrong, or Administrators are not in the ACL at all.
    REM In that case uncomment the next line so the Administrators group becomes owner before the ACL is touched.
    REM takeown /F "!Kelias!" /A >> %LogFile%
    REM /A - gives ownership to the Administrators group instead of the current user
    icacls "!Kelias!" /inheritance:e >> %LogFile%
    REM /inheritance:e - enable inheritance, the explicit ACEs already on the folder stay in place
    REM /C - continue on errors, only useful if you ever combine this with /T
    echo. >> %LogFile%
)
echo. >> %LogFile%
echo.
echo Completed. Check the script execution log file - %LogFile%
exit /b

:Selection
SET /p confirm=Enter n to quit, a for auto mode, anything else to process this folder:
IF "!confirm!"=="n" (
    echo.
    echo --SCRIPT IS ABORTED--
    echo.
    exit /b)
IF "!confirm!"=="a" (
    echo.
    echo --AUTO mode is enabled, to abort use "Ctrl+C"--
    echo.
    SET "globAuto=1"
    echo !globAuto!)
exit /b

:Abort
exit /b
While developing this script I ran into some batch scripting limitations, so if some of the logic here looks really weird, know that it is there for a reason 🙂 One limitation worth knowing about: with delayed expansion enabled, a path that contains an exclamation mark gets mangled when %%f is expanded inside the loop, so the few folders named like that have to be handled by hand.
You can easily modify this script to work with files by changing the dir attribute filter from /A:D to /A:-D (everything that is not a folder):
'dir "%TargetFolder%" /S /B /A:-D'
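The same procedure in PowerShell, as an added example that is not part of the original post and not the author's script. It covers both the folder script above and the /A:-D file variant (the -Files switch), and it handles the case the post describes where not even Administrators are in the ACL: when reading or writing the DACL is denied it takes ownership for the Administrators group with takeown /A (the post's commented-out line) and retries, and it repairs each folder before listing its contents, so a folder Administrators could not look into a moment ago is still descended into (a single dir /S, run up front, cannot see inside such folders). SetAccessRuleProtection($false, $true) is the .NET equivalent of icacls /inheritance:e. The root D:\USERDATA comes from the post; the support group name CONTOSO\FirstLineSupport and the script file name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Repair-HomeDriveInheritance.ps1 - added example, not the post's batch script.
# Walks $TargetFolder top-down, re-enables NTFS inheritance on every folder (and
# file, with -Files) where it is disabled, keeps the explicit ACEs already there,
# takes ownership for Administrators only where the ACL cannot be read or written
# otherwise, and logs each action. Run it with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetFolder = 'D:\USERDATA',              # root folder from the post
    [string]$SupportGroup = 'CONTOSO\FirstLineSupport', # ASSUMED group name, not from the post
    [string]$LogFile      = 'EnableInheritance_log.txt',
    [string]$BackupFile   = 'aclbackup.txt',
    [switch]$Files                                       # also process files (the /A:-D variant)
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Host $line
}

function Test-SupportAccess([System.Security.AccessControl.FileSystemSecurity]$Acl) {
    # True when the support group has an Allow FullControl ACE (inherited or explicit) and no Deny ACE.
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = @($Acl.Access | Where-Object { $_.IdentityReference.Value -eq $SupportGroup })
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $full) -eq $full })
    $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    return ($allow.Count -gt 0 -and $deny.Count -eq 0)
}

function Repair-Item {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch [System.UnauthorizedAccessException] {
        # Not even READ_CONTROL: Administrators are simply not in the DACL. Make the group the
        # owner (the post's takeown line); an owner always has READ_CONTROL and WRITE_DAC.
        if (-not $PSCmdlet.ShouldProcess($Path, 'takeown /A')) { Write-Log "CANNOT-READ $Path"; return }
        & takeown.exe /F $Path /A | Out-Null
        Write-Log "OWNER-TAKEN $Path"
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    if ($acl.AreAccessRulesProtected -and $PSCmdlet.ShouldProcess($Path, 'Enable inheritance, keep explicit ACEs')) {
        # Same effect as `icacls "$Path" /inheritance:e`: $false = stop blocking inheritance,
        # $true = keep every ACE currently on the object as an explicit entry.
        $acl.SetAccessRuleProtection($false, $true)
        try { Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop }
        catch [System.UnauthorizedAccessException] {
            # Readable (e.g. Administrators have Read) but no WRITE_DAC: same remedy, one retry.
            & takeown.exe /F $Path /A | Out-Null
            Write-Log "OWNER-TAKEN $Path"
            Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
        }
        Write-Log "INHERITANCE-ENABLED $Path"
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    if (-not (Test-SupportAccess $acl)) { Write-Log "NO-SUPPORT-ACCESS $Path" }
}

function Repair-Tree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)
    try { Repair-Item -Path $Path }
    catch { Write-Log "FAILED $Path : $($_.Exception.Message)" }
    # Fix the folder before listing it: a folder Administrators could not even enumerate
    # a moment ago becomes enumerable once they own it, so nothing below it is skipped.
    try { $children = Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop }
    catch { Write-Log "CANNOT-LIST $Path : $($_.Exception.Message)"; return }
    foreach ($child in $children) {
        # never follow junctions or symlinks out of the tree (or into a loop)
        if (($child.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) { continue }
        if ($child.PSIsContainer) { Repair-Tree -Path $child.FullName }
        elseif ($Files) {
            try { Repair-Item -Path $child.FullName }
            catch { Write-Log "FAILED $($child.FullName) : $($_.Exception.Message)" }
        }
    }
}

# 1. Backup: /T walks the whole tree, /C continues past entries it cannot read.
#    Undo everything later with:  icacls $TargetFolder /restore $BackupFile
& icacls.exe "$TargetFolder\*" /save $BackupFile /T /C | ForEach-Object { Write-Log "ICACLS $_" }
# 2 + 3. Walk the tree.
Write-Log "START $TargetFolder (support group: $SupportGroup, files: $($Files.IsPresent))"
Repair-Tree -Path $TargetFolder
Write-Log 'DONE'
```

Run it once with -WhatIf: nothing is changed, but the log already lists the folders that would be touched and, as CANNOT-READ and CANNOT-LIST lines, the ones where Administrators are locked out. After the real run, the NO-SUPPORT-ACCESS lines are the places where enabling inheritance was not enough (typically an explicit Deny, or a branch whose root was never granted to the group) and need a manual look. Windows PowerShell 5.1 still trips over paths longer than 260 characters, so expect FAILED lines for those.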
In the next post I'll show you a reporting script. After all, we need to double-check whether our changes were successful.