I'd like to have one that adds the perms back in the right order: the attached one is supposed to reorder them, but doesn't. The fix is simple but tedious -- open the security tab for each folder, and Explorer will reorder them correctly. I modified this from one I found; anyone have a better one?
Derek
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 17, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting up Home Folder Gives User Full Access
We create a home folder for each of our users in ADUC by adding the server path to the Profile Tab. When we set up the home folder, ADUC by default grants the user "Full Control" to this folder, which we would like to stop. We would prefer that they have the ability to read-write, but not to modify the permissions. Two questions here:

1) How do we stop ADUC from automatically granting full access to the end user on their home folder?

2) We have about 2000 home folders that have already been created with the incorrect permissions already set up. Is there a script or utility that can be used to remove the "Full Access" check box from the individual user accounts on the folders? (Just for a bit of background, only the domain admins and the user have access to each home folder.)

Any guidance would be much appreciated.

Bonnie Pohlschneider
' Requires ADsSecurity.dll (ADSI SDK resource kit) registered with regsvr32.
' For every folder under strFolder, grants Domain\<foldername> Full Control and
' removes any Everyone:Read entry. Errors are suppressed, so a folder whose name
' does not resolve to an account is silently skipped.
On Error Resume Next
Dom = "Domain\"         'Enter your domain here
strFolder = "e:\users"  'Root for user dirs

Set objFSO = CreateObject("Scripting.FileSystemObject")
strFolder = objFSO.GetAbsolutePathName(strFolder)
Set objFolder = objFSO.GetFolder(strFolder)
Set colSubFolders = objFolder.SubFolders

For Each objSubFolder In colSubFolders
    SubFolderName = objSubFolder.Name
    FullPath = strFolder & "\" & SubFolderName
    WScript.Echo FullPath
    ' Action string format: ADD(trustee:right)+DEL(trustee:right)...
    Action = "ADD(" & Dom & SubFolderName & ":F)+DEL(EVERYONE:R)"
    EditACL FullPath, Action
Next

Function EditACL(filenm, permspart)
    ' Edit permissions on a single file or folder
    chkfile = objFSO.FileExists(filenm)  ' make sure the file exists or wscript will crash
    If chkfile = True Then
        ChangeACLS filenm, permspart, "EDIT", "FILE"
    Else
        chkfolder = objFSO.FolderExists(filenm)  ' if it's not a file, is it a folder?
        If chkfolder = True Then
            ChangeACLS filenm, permspart, "EDIT", "FOLDER"
        End If
    End If
End Function

Function ReplaceACL(filenm, permspart)
    '-- Replace ACL on single file or folder -------
    chkfile = objFSO.FileExists(filenm)  ' make sure file exists
    If chkfile = True Then
        ChangeACLS filenm, permspart, "REPLACE", "FILE"
    Else
        chkfolder = objFSO.FolderExists(filenm)  ' if it's not a file, is it a folder?
        If chkfolder = True Then
            ChangeACLS filenm, permspart, "REPLACE", "FOLDER"
        End If
    End If
End Function

Function RecursiveEdit(rootfolder, permspart)
    '--- Edit ACLs on rootfolder and all its subfolders and files ----
    Set rfldr = objFSO.GetFolder(rootfolder)
    ChangeACLS rfldr.Path, permspart, "EDIT", "FOLDER"  'edit rootfolder first
    For Each file In rfldr.Files  'edit all files in root folder
        ChangeACLS rfldr.Path & "\" & file.Name, permspart, "EDIT", "FILE"
    Next
    For Each sfldr In rfldr.SubFolders
        RecursiveEdit sfldr.Path, permspart  ' recurse through subfolders
    Next
    Set rfldr = Nothing
End Function

Function RecursiveReplace(rootfolder, permspart)
    '-- Replace ACLs on rootfolder and all its subfolders and files ----
    Set rfldr = objFSO.GetFolder(rootfolder)
    ChangeACLS rfldr.Path, permspart, "REPLACE", "FOLDER"
    For Each file In rfldr.Files
        ChangeACLS rfldr.Path & "\" & file.Name, permspart, "REPLACE", "FILE"
    Next
    For Each sfldr In rfldr.SubFolders
        RecursiveReplace sfldr.Path, permspart
    Next
    Set rfldr = Nothing
End Function

Function ChangeACLS(FILE, PERMS, REDIT, FFOLDER)
    '- Edit ACLs of specified file -----
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0
    Const ADS_ACETYPE_ACCESS_DENIED = 1
    Const ADS_ACEFLAG_INHERIT_ACE = 2  ' CONTAINER_INHERIT_ACE: this folder and subfolders
    Const ADS_ACEFLAG_SUB_NEW = 9      ' OBJECT_INHERIT_ACE Or INHERIT_ONLY_ACE: files created below
    Set sec = WScript.CreateObject("ADsSecurity")
    Set sd = sec.GetSecurityDescriptor("FILE://" & FILE)
    Set dacl = sd.DiscretionaryAcl

    ' if flagged Replace then remove all existing ACEs from dacl first
    If UCase(REDIT) = "REPLACE" Then
        For Each existingAce In dacl
            dacl.RemoveAce existingAce
        Next
    End If

    ' break up Perms into individual actions
    cmdArray = Split(PERMS, "+")
    For x = 0 To UBound(cmdArray)
        tmpVar1 = cmdArray(x)
        If UCase(Left(tmpVar1, 3)) = "DEL" Then
            ACLAction = "DEL"
        Else
            ACLAction = "ADD"
        End If
        ' strip "ADD(" / "DEL(" and the closing ")" to leave trustee:right
        tmpcmdVar = Left(tmpVar1, Len(tmpVar1) - 1)
        tmpcmdVar = Right(tmpcmdVar, Len(tmpcmdVar) - 4)
        cmdparts = Split(tmpcmdVar, ":")
        nameVar = cmdparts(0)
        rightVar = cmdparts(1)

        ' if flagged edit, delete ACEs belonging to the user we are about to add an ACE for
        If UCase(REDIT) = "EDIT" Then
            For Each existingAce In dacl
                trusteeVar = existingAce.Trustee
                If InStr(trusteeVar, "\") Then
                    trunameVar = Right(trusteeVar, Len(trusteeVar) - InStr(trusteeVar, "\"))
                Else
                    trunameVar = trusteeVar
                End If
                uctrunameVar = UCase(trunameVar)
                ucnameVar = UCase(nameVar)
                If uctrunameVar = ucnameVar Then
                    dacl.RemoveAce existingAce
                End If
            Next
        End If

        ' if action is to del ACE then the following clause skips addace
        If ACLAction = "ADD" Then
            If UCase(FFOLDER) = "FOLDER" Then
                ' folders require 2 ACEs for the user (to do with inheritance)
                addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW
                addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE
            Else
                addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, 0
            End If
        End If
    Next

    For Each ace In dacl
        ' for some reason if ACE includes "NT AUTHORITY" then existing ACE does not get re-added to dacl
        If InStr(UCase(ace.Trustee), "NT AUTHORITY\") Then
            newtrustee = Right(ace.Trustee, Len(ace.Trustee) - InStr(ace.Trustee, "\"))
            ace.Trustee = newtrustee
        End If
    Next

    ' final sets and cleanup
    sd.DiscretionaryAcl = dacl
    sec.SetSecurityDescriptor sd
    Set sd = Nothing
    Set dacl = Nothing
    Set sec = Nothing
End Function

Function addace(dacl, trustee, maskvar, acetype, aceflags)
    ' add ACE to the specified dacl
    Const RIGHT_READ = &H80000000
    Const RIGHT_EXECUTE = &H20000000
    Const RIGHT_WRITE = &H40000000
    Const RIGHT_DELETE = &H10000
    Const RIGHT_FULL = &H10000000
    Const RIGHT_CHANGE_PERMS = &H40000
    Const RIGHT_TAKE_OWNERSHIP = &H80000
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee = trustee
    ' specified rights so far only include F, C and R. Could be expanded though
    Select Case UCase(maskvar)
        Case "F"
            ace.AccessMask = RIGHT_FULL
        Case "C"
            ace.AccessMask = RIGHT_READ Or RIGHT_WRITE Or RIGHT_EXECUTE Or RIGHT_DELETE
        Case "R"
            ace.AccessMask = RIGHT_READ Or RIGHT_EXECUTE
    End Select
    ace.AceType = acetype
    ace.AceFlags = aceflags
    dacl.AddAce ace
    Set ace = Nothing
End Function
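An added example, not part of the thread or Derek's script, showing the bulk fix for Bonnie's second question in PowerShell: it swaps each user's explicit Full Control entry for Modify (read-write without the right to change permissions) and, on Derek's ordering point, relies on the .NET ACL object returned by Get-Acl, which inserts new rules in canonical order and refuses to modify a DACL that is already out of order. The root path, the domain name and the assumption that the folder name equals the account name are placeholders to adjust.

```powershell
# Added example, not code from the thread. Replaces each home-folder user's
# explicit Full Control ACE with Modify (read/write/delete, but not
# ChangePermissions or TakeOwnership). Assumptions: the folder name equals the
# account name, and the root path and domain below.
$Root   = 'E:\Users'   # root of the home directories (assumption)
$Domain = 'DOMAIN'     # NetBIOS domain name (assumption)
$DryRun = $true        # set to $false to write the new DACLs

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $folder  = $_.FullName
    $account = "$Domain\$($_.Name)"
    try {
        $acl = Get-Acl -LiteralPath $folder

        # .NET refuses to modify a DACL that is not in canonical order, which is
        # the state the VBScript above can leave behind; report it instead of failing.
        if (-not $acl.AreAccessRulesCanonical) {
            Write-Warning "$folder - DACL not canonical, fix it in the Security tab first"
            return   # next folder
        }

        # Touch only explicit (non-inherited) Allow ACEs for this user; inherited
        # entries and the Domain Admins entry stay as they are.
        $userRules = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ieq $account })
        if ($userRules.Count -eq 0) {
            Write-Warning "$folder - no explicit ACE for $account, skipping"
            return
        }
        foreach ($rule in $userRules) { [void]$acl.RemoveAccessRule($rule) }

        # One rule covers this folder, subfolders and files (no two-ACE dance).
        $modify = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($modify)    # inserted at its canonical position

        if ($DryRun) {
            Write-Host "[dry run] $folder - $account would get Modify (replacing $($userRules.Count) ACE(s))"
        } else {
            Set-Acl -LiteralPath $folder -AclObject $acl
            Write-Host "$folder - $account now has Modify"
        }
    } catch {
        Write-Error "$folder - $($_.Exception.Message)"
    }
}
```

Run it once with $DryRun left at $true to review the per-folder report, then flip it to $false; folders reported as non-canonical still need the one-time Security tab visit Derek describes.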