How do i create a bat file to create user directory with proper rights and a script to reset it if something goes wrong

batch-filepermissionsscriptinguser-permissions

I need to create user and directories for the user and share it.
The rights are set on NTFS structure only.

The user must do all except change rights and take ownership this is not allowed
and this must apply to this folder and subfolders and files.

So far I got the bat to create the dir and share it for everyone. Now I just need to set the rights on the directory witch will be inherited down the structure in the user directory.

These rights must be on root NTFS structure with full control and must be in all folders.

builtin\administrators
system
domain\security
domain\backup

Last I need to have a script to run when things go wrong to reset the rights on all user folders if a technician or subadmin mess it up.

Bat file to create user and folders #

net user %1 /add /domain
md \\fileserve2\H$\Userhome\%1
rmtshare \\fileserve2\%1$=H:\Userhome\%1 /remark:"W-drive share for %1"
rmtshare \\fileserve2\%1$ /g Everyone:f
md \\fileserve2\H$\Userconf\%1
rmtshare \\fileserve2\%1$=H:\Userconf\%1 /remark:"Z-drive share for %1"
rmtshare \\fileserve2\%1$ /g Everyone:f

Bat file to delete user and folders #

net user %1 /delete /domain
rmtshare \\fileserve2\%1 /delete
rmtshare \\fileserve2\%1$ /delete
DEL \\fileserve2\H$\userconf\%1 /S /F /Q
RD \\fileserve2\H$\userconf\%1 /S /Q
DEL \\fileserve2\H$\Userhome\%1 /S /F /Q
RD \\fileserve2\H$\Userhome\%1 /S /Q

Hope for someone to help me out
and point me in the right direction.

Best Answer

To set the permissions on the folder you can use icacls.exe. In your example you can use:

icacls \\fileserve2\H$\Userhome\%1 /grant administrators:(oi)(ci)m /grant system:(oi)(ci)m /grant domain\security:(oi)(ci)m /grant domain\backup:(oi)(ci)m

Note that you can add multiple '/grants'. The '(oi)(ci)' ensures heritance to subdirectories and files. The 'm' stands for 'Modify'.

The follwowing script reads all direcories in \fileserve2\H$\Userhome and resets the permissions.

For /f %%a in ('dir \\fileserve2\H$\Userhome\ /b /a:d') do call :SetPermissions %%a
Goto :eof

:SetPermissions
icacls \\fileserve2\H$\Userhome\%1 /grant administrators:(oi)(ci)m /grant system:(oi)(ci)m /grant domain\security:(oi)(ci)m /grant domain\backup:(oi)(ci)m

For diseaster recovery, you can also use icacls /save to save the filepermissions to a file. This file can be used with icacls /restore to restore the permissions. Check http://zeda.nl/index.php/en/backup-file-permissions-en for a detailed explanation.

Related Solutions

Windows Server 2008 R2 – Giving local administrator full rights to all folders

You need to first set the owner to "Administrators" and then in a second step you can change the permissions. If you want to automate that or set permissions from the command line SetACL might be the tool of choice. Examples follow.

Setting the owner of an entire tree to administrators and enabling inheritance on the child objects:

SetACL.exe -on "C:\" -ot file -actn setprot -op "dacl:np;sacl:nc" 
           -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y"

Adding full permissions for administrators:

SetACL.exe -on "C:\" -ot file -actn ace -ace "n:S-1-5-32-544;s:y;p:full"

Permissions Issue with Files Generated by PerfMon

Data Collector Sets can contain sensitive information about the computer, so access to them typically requires the user at least be a member of the Performance Log Users group. I don't believe you can make a DCS with automatically modified permissions (Everyone FullControl) like you're talking about.

How's this for a workaround:

Run this PS script as a Scheduled Task:

$Path = "C:\PerfLogs\Admin\New Data Collector Set"
$ACL  = (Get-Item $Path).GetAccessControl("Access")
$ACE  = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL.AddAccessRule($ACE)
ForEach($_ In Get-ChildItem $Path -Recurse)
{
    Set-Acl -ACLObject $ACL $_.FullName
}

I tested this on Windows 7 with PS 2.0 (same as 2008R2) and confirmed that it does place an "Everyone Full Control" ACE on every object recursively under the directory defined in the $Path variable.

edit: At first I thought to use the Task tab in the Properties page of the DCS, "Run this scheduled task when the data collector set stops," but that is not for Scheduled Tasks, but rather WMI tasks.

edit #2: Alright, this is getting pretty crazy, but you could create a new Scheduled Task, and its trigger will be to start "On an event." Then click Custom, and click "New Event Filter." Then manually edit the XML filter:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
        *[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
         and
        *[System[(EventID='102')]]
         and
        *[EventData[Data and (Data='YOUR DATA COLLECTOR SET NAME')]] 
    </Select>
  </Query>
</QueryList>

Now you will have created a scheduled task that will fire when your Data Collector Set finishes running, and it will modify the ACLs of the directory structure recursively to "Everyone Full Control."

Best Answer

Related Solutions

Windows Server 2008 R2 – Giving local administrator full rights to all folders

Permissions Issue with Files Generated by PerfMon

Related Topic