Permissions on a 2008 r2 home directory

Tags: file-sharing, permissions, scripting, windows-server-2008-r2

I have a Windows 2008 R2 file server. It is set up so that users get their home drive mapped to H:. It is at the following location: \\servername\home\%username%

I have been having issues with the Mac users being able to see other users' home drives (even with enumeration enabled).

I need to change the permissions on the directory and all the users' subdirectories. Is there an easy way to do this in bulk? There are over a thousand.

I have looked at SetACL (http://helgeklein.com/setacl/examples/managing-file-system-permissions-with-setacl-exe/); however, I don't see how it will do all the users' home drives that already exist.
If anyone knows of a good tool that would be great.

I want to apply the following permissions to the %username% folder:

SYSTEM - Full control
local\Users - Special (list folder and read attributes)
local\Administrators - Full control
%username% - Modify

Thanks

Best Answer

Or if you prefer PowerShell, one of my techs wrote this which has worked well for us. I'm sure it can be cleaned up some, but I left in some testing lines to make it easier to play with and customize. This uses Quest tools, which you no longer need, especially if you're on PowerShell v2 and SubInACL:

cls
#Add-PSSnapin quest*
#$dirlist = gci -name c:\test -Exclude *.* | sort #my original

# Top-level folders under the share (one per user); -Exclude *.* skips names containing a dot
$dirlist = gci \\servername\sharename -Exclude *.* | ? { $_.PSIsContainer }

$subinacl = "C:\utils\subinacl.exe"
foreach ($userdir in $dirlist)
{
    $username = $userdir.name
    $adaccount = Get-QADUser $username
    # Verifies the user is an active employee; renames the folder for deletion if not
    # (the null check comes first so a missing account is not dereferenced)
    If ((!$adaccount) -or ($adaccount.AccountIsDisabled -eq $TRUE))
    {
        write-host "$username is not a current employee"
        #takeownership
        #takeown /f $userdir /R /D Y /A
        #rename folder to _DEL_originalname
        $newname = "_DEL_$username"
        rename-item -path $userdir.FullName -newname $newname
    }
    Else
    {
        #get full path
        Write-Host $userdir.name
        #$currentDir = "c:\test\$userdir" #my original
        $currentDir = $userdir.FullName # this way you don't dupe the start folder
        #takeown /f $userdir /R /D Y /A

        #get ACL of folder
        $acl = Get-Acl $currentDir

        #variable to set new permissions for username of folder
        #(identity, rights, inheritance flags, propagation flags, allow/deny)
        #$permission = "domainname\$userdir","FullControl","ContainerInherit,ObjectInherit","None","Allow" #original
        $permission = "$username@domainname.com","FullControl","ContainerInherit,ObjectInherit","None","Allow"

        $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission

        #actually set the permissions
        $acl.SetAccessRule($accessRule)
        #$acl | Set-Acl $currentDir #my original
        Set-Acl $currentDir $acl

        #use subinacl to set owner at parent level and below
        #(paths are quoted so folder names containing spaces survive Invoke-Expression;
        # $params3 gives no access level after /grant, so subinacl applies its default)
        $params1 = "/file `"$currentDir`" /setowner=domainname\$username"
        $params2 = "/subdirectories `"$currentDir\*.*`" /setowner=domainname\$username"
        $params3 = "/subdirectories `"$currentDir\*`" /grant=domainname\$username"
        $params4 = "/subdirectories `"$currentDir\*`" /grant=domainname\administrators=F"
        Invoke-Expression "$subinacl $params1" | out-null
        Invoke-Expression "$subinacl $params2" | out-null
        Invoke-Expression "$subinacl $params3" | out-null
        #Invoke-Expression "$subinacl $params4" | out-null
    }
}
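The answer's script grants the owner Full Control and leaves whatever else was on the folder. As an added example (my own code, not from the question or the answer), the script below builds exactly the four-entry ACL the question asks for on every existing home folder, removing inherited and stray entries so no other user retains a list right, and only changes anything when -Apply is given. It assumes the share root from the question (\\servername\home), that each folder name is the user's account name, and that DOMAIN is a placeholder for the real domain.

```powershell
# Added example: apply the exact ACL from the question to every existing home folder.
# Assumptions: folder name == account name; "DOMAIN" is a placeholder for the real domain.
param(
    [string]$HomeRoot = "\\servername\home",
    [string]$Domain   = "DOMAIN",
    [switch]$Apply
)

$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$thisOnly = [System.Security.AccessControl.InheritanceFlags]::None
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# Local Users get only "list folder / read data" + "read attributes" on the top-level
# folder itself, which is the "special" entry in the question: enough to traverse to
# their own folder, not enough to see inside anyone else's.
$usersRights = [System.Security.AccessControl.FileSystemRights]"ListDirectory,ReadAttributes"

function New-HomeAcl([string]$Path, [string]$User) {
    $acl = Get-Acl -Path $Path
    # Break inheritance without copying inherited ACEs, then drop every explicit ACE,
    # so the result contains exactly the four entries listed in the question.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $entries = @(
        @("NT AUTHORITY\SYSTEM",   "FullControl", $inherit),
        @("BUILTIN\Administrators","FullControl", $inherit),
        @("BUILTIN\Users",         $usersRights,  $thisOnly),
        @("$Domain\$User",         "Modify",      $inherit)
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($e[0], $e[1], $e[2], $noProp, $allow)
        $acl.AddAccessRule($rule)
    }
    return $acl
}

Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl = New-HomeAcl -Path $_.FullName -User $_.Name
    if ($Apply) {
        Set-Acl -Path $_.FullName -AclObject $acl
        Write-Host "Applied: $($_.FullName)"
    } else {
        # Dry run: show what would be written so a folder with an unexpected name is caught first
        Write-Host "Would set on $($_.FullName):"
        $acl.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
    }
}
```

Run it once without -Apply and check that a folder whose name does not resolve to an account shows up before anything is written; Set-Acl fails on that folder otherwise, because the identity cannot be translated.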