Script – Fix ACL permissions on folders/files 1

From time to time our first line support guys were complaining that they have limited access to the users’ home drives. The access to their group is set on the root folder so that when the inheritance is enabled they should have Full Control. Unfortunately this is not always the case. Some of the deeper folders/files have custom NTFS settings where even local Administrators are not listed in the Security.

So, it’s been decided to make an order and fix all this. Obviously the number of folders/files is just huge, way over a million. Let’s see how scripting can help us here 🙂

First off all we need to clarify our requirements:
1. we want to have an NTFS configuration backup, just in case.
2. we need to ensure that current custom NTFS settings are going to remain.
3. we need to ensure that support team have access to all the folders and files no matter how deep they are in the structure.

To fulfill these wishes we are going to need several scripts. Let’s start with the backup [the root folder is D:\USERDATA]:

icacls D:\USERDATA\* /save aclbackup.txt

Assuming that our root folder is configured as we want, we are going to ensure that users’ folders has inheritance enabled. But there is one important thing here – we what to enable inheritance and at the same time preserve what is configured right now [we do not want users to loose their access]. ICACLS utility can give us this as it has /inheritance:e option –

Here is the script. The core of it is a for loop.

@echo off
REM !!!!Ensure that icacls support /inheritance key. Simply run "icacls /?" to find out.
REM This script sets the Owner of the folders to Administrator and then enables inheritance while preserving current ACL.
REM You have to set the target root folder for the "for" loop, ex. "D:\USERDATA\*"

SET "globAuto=0"


REM specify log file name
Set "LogFile=EnableInheritance_log.txt"

REM specify target root folder
Set "TargetFolder=D:\USERDATA\"
echo Target folder: %TargetFolder%

REM Backup current ACL and current network connections
echo Collecting current state in case of unexpected results - "EnableInheritance_Backup.txt"
net session >> EnableInheritance_Backup.txt
for /F "delims=¬" %%b in ('dir "%TargetFolder%" /B /A:D') do (
SET "AplankasB=%%b"
SET "KeliasB=!TargetFolder!!AplankasB!"
cacls "!KeliasB!" >> EnableInheritance_Backup.txt

echo %DATE% %TIME% >> %LogFile%
echo. >> %LogFile%

Set _date=%DATE:/=-%_%random%
echo Date: %_date%
echo Processing Folders:

REM I'm using dir as a source of folder full paths. For loop goes throw each path one by one
REM /S - include all subfolders
REM /B - output format as a full path
REM /A:D - show only Folders

for /F "delims=¬" %%f in ('dir "%TargetFolder%" /S /B /A:D') do (

SET "Aplankas=%%f"
SET "Kelias=!TargetFolder!!Aplankas!"

echo !Kelias!
echo !Kelias! >> %LogFile%

if "!globAuto!" == "0" (
call :Selection)
IF "!confirm!"=="n" (
goto :Abort)

REM Sometimes the owner of the folder is incorrect, therefore you would need to uncomment below line to assign the Administrators as owners
REM takeown /F "!Kelias!" /A >> %LogFile%
REM /A - gives ownership to the Administrators group

icacls "!Kelias!" /inheritance:e >> %LogFile%
REM /inheritance:e - enable inheritance
REM /C - continue on all errors

echo. >> %LogFile%

echo. >> %LogFile%
echo Completed. Check the script execution log file - EnableInheritance_log.txt !!!

exit /b

SET /p confirm=Enter n if you want to quit or a for auto:
IF "!confirm!"=="n" (
exit /b)
IF "!confirm!"=="a" (
echo --AUTO mode is enabled, to abort use "Ctrl+C"--
SET "globAuto=1"
echo !globAuto!)


exit /b

While developing this script I have faced some bat scripting limitations, therefore if you see some really weird logic here, know, this is not without the reason 🙂

You can easily modify this script to work with files by changing dir parameter to A:-D (not folders):

'dir "%TargetFolder%" /S /B /A:-D'

In the next post I’ll show you a reporting script. After all we need to double check whether our changes were successful.


Leave a Comment here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s