I'd like a script that adds the permissions back in the right order: the attached one is supposed to reorder them, but doesn't. The workaround is simple but tedious: open the Security tab for each folder, and Explorer will reorder them correctly. I modified this from one I found; does anyone have a better one?
 
Derek


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 17, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting up Home Folder Gives User Full Access

We create a home folder for each of our users in ADUC by adding the server path on the Profile tab. When we set up the home folder, ADUC by default grants the user "Full Control" on this folder, which we would like to stop. We would prefer that they be able to read and write, but not modify the permissions. Two questions here:
 
1) How do we stop ADUC from automatically granting full access to the end user on their home folder?
2) We have about 2000 home folders that have already been created with the incorrect permissions. Is there a script or utility that can be used to remove the "Full Access" check box for the individual user accounts on the folders? (For a bit of background, only the domain admins and the user have access to each home folder.)
 
Any guidance would be much appreciated.
 
 
Bonnie Pohlschneider
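' Give each user an ACE on their own home folder and drop the Everyone ACE.
' Each direct subfolder of strFolder is assumed to be named after its owner.
' Relies on EditACL / ChangeACLS / addace defined further down in this file.
'
' NOTE: "F" maps to GENERIC_ALL in addace, i.e. full control including the
' right to change permissions and take ownership.  For read/write access that
' does NOT let the user alter the ACL, use "C" (read, write, execute, delete).
On Error Resume Next   ' keep going past a folder that cannot be processed; failures are echoed below

Dom = "Domain\"        'Enter your domain here, including the trailing backslash
strFolder = "e:\users" 'Root for user dirs
strRight = "F"         'Right letter understood by addace: F = full control, C = change, R = read

Set objFSO = CreateObject("Scripting.FileSystemObject")
strFolder = objFSO.GetAbsolutePathName(strFolder)

Set objFolder = objFSO.GetFolder(strFolder)
For Each objSubFolder In objFolder.SubFolders
    ' Folder.Path already holds the full path, so no manual "\" joining is needed
    FullPath = objSubFolder.Path
    WScript.Echo FullPath
    ' One action string per folder: add the owner's ACE, remove any Everyone ACE
    ' (the right letter after EVERYONE is ignored for DEL).
    Action = "ADD(" & Dom & objSubFolder.Name & ":" & strRight & ")+DEL(EVERYONE:R)"
    Err.Clear
    EditACL FullPath, Action
    ' Errors raised inside EditACL/ChangeACLS/addace have no handler there and
    ' unwind to this scope; without this check On Error Resume Next would hide
    ' a folder whose descriptor was never written.
    If Err.Number <> 0 Then
        WScript.Echo "  FAILED: " & Err.Description
        Err.Clear
    End If
Next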


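Function EditACL(filenm, permspart)
     ' Edit (merge into) the ACL of a single file or folder.
     '   filenm    - path of the file or folder
     '   permspart - action string understood by ChangeACLS,
     '               e.g. "ADD(DOMAIN\user:C)+DEL(EVERYONE:R)"
     ' Uses the script-level objFSO.  A path that is neither an existing file
     ' nor an existing folder is silently skipped; errors raised by ChangeACLS
     ' propagate to the caller (this procedure has no On Error handler).
     If objFSO.FileExists(filenm) Then
          ChangeACLS filenm, permspart, "EDIT", "FILE"
     ElseIf objFSO.FolderExists(filenm) Then
          ' not a file -- is it a folder?
          ChangeACLS filenm, permspart, "EDIT", "FOLDER"
     End If
End Function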

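Function ReplaceACL(filenm, permspart)
     '-- Replace ACL on single file or folder-------
     '   filenm    - path of the file or folder
     '   permspart - action string understood by ChangeACLS
     ' ChangeACLS's REPLACE mode removes every existing ACE before applying
     ' permspart, so the resulting DACL contains only what permspart adds.
     ' Uses the script-level objFSO.  A path that is neither an existing file
     ' nor an existing folder is silently skipped; errors raised by ChangeACLS
     ' propagate to the caller.
     If objFSO.FileExists(filenm) Then
          ChangeACLS filenm, permspart, "REPLACE", "FILE"
     ElseIf objFSO.FolderExists(filenm) Then
          ' not a file -- is it a folder?
          ChangeACLS filenm, permspart, "REPLACE", "FOLDER"
     End If
End Function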

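Function RecursiveEdit(rootfolder, permspart)
     '--- Edit ACL's on rootfolder and all its subfolders and files----
     '   rootfolder - path of the folder to start from
     '   permspart  - action string understood by ChangeACLS
     ' Uses the script-level objFSO; recursion has no depth limit.
     Set rfldr = objFSO.GetFolder(rootfolder)
     ChangeACLS rfldr.Path, permspart, "EDIT", "FOLDER" 'edit rootfolder first

     For Each file In rfldr.Files
          'edit all files in root folder
          ChangeACLS file.Path, permspart, "EDIT", "FILE"
     Next

     For Each sfldr In rfldr.SubFolders
          ' recurse through subfolders; pass the path explicitly instead of
          ' relying on the Folder object's default property
          RecursiveEdit sfldr.Path, permspart
     Next

     Set rfldr = Nothing
End Function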


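Function RecursiveReplace(rootfolder, permspart)
     '--Replace ACLS on rootfolder and all its subfolders and files ----
     '   rootfolder - path of the folder to start from
     '   permspart  - action string understood by ChangeACLS
     ' Every file and folder under rootfolder ends up with a DACL holding only
     ' what permspart adds (ChangeACLS REPLACE mode drops existing ACEs first).
     ' Uses the script-level objFSO; recursion has no depth limit.
     Set rfldr = objFSO.GetFolder(rootfolder)
     ChangeACLS rfldr.Path, permspart, "REPLACE", "FOLDER" 'replace on rootfolder first

     For Each file In rfldr.Files
          'replace on all files in root folder
          ChangeACLS file.Path, permspart, "REPLACE", "FILE"
     Next

     For Each sfldr In rfldr.SubFolders
          ' recurse through subfolders; pass the path explicitly instead of
          ' relying on the Folder object's default property
          RecursiveReplace sfldr.Path, permspart
     Next

     Set rfldr = Nothing
End Function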


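Function ChangeACLS(FILE, PERMS, REDIT, FFOLDER)
     '- Edit ACLS of specified file -----
     '   FILE    - path of the file or folder
     '   PERMS   - one or more actions joined by "+", each "ADD(name:right)" or
     '             "DEL(name:right)"; name may carry a "DOMAIN\" prefix, right
     '             is the single letter addace understands (F, C or R).  For
     '             DEL the right letter is ignored: every ACE of that trustee
     '             is removed (in EDIT mode).
     '   REDIT   - "EDIT" merges into the existing DACL, "REPLACE" removes
     '             every existing ACE before adding
     '   FFOLDER - "FOLDER" adds two inheritable ACEs per ADD, anything else one
     ' Trustees are matched by the short name after the backslash only, case
     ' insensitively: the domain part and the SID are never compared, so an
     ' EDIT or DEL removes the ACEs of ANY principal whose short name matches.
     ' Entries are removed from dacl while it is being enumerated (as in the
     ' original); NOTE(review): if the enumerator skips the element following a
     ' removal, a second matching ACE could survive -- confirm against ADsSecurity.
     ' No On Error handler: any COM error unwinds to the caller before
     ' SetSecurityDescriptor runs, so the descriptor is left untouched.
     Const ADS_ACETYPE_ACCESS_ALLOWED = 0
     Const ADS_ACETYPE_ACCESS_DENIED = 1
     Const ADS_ACEFLAG_INHERIT_ACE = 2
     Const ADS_ACEFLAG_SUB_NEW = 9

     Set sec = WScript.CreateObject("ADsSecurity")
     Set sd = sec.GetSecurityDescriptor("FILE://" & FILE)
     Set dacl = sd.DiscretionaryAcl

     'if flagged Replace then remove all existing aces from dacl first
     If UCase(REDIT) = "REPLACE" Then
          For Each existingAce In dacl
               dacl.RemoveAce existingAce
          Next
     End If

     'break up Perms into individual actions
     cmdArray = Split(PERMS, "+")

     For x = 0 To UBound(cmdArray)
          tmpVar1 = cmdArray(x)
          If UCase(Left(tmpVar1, 3)) = "DEL" Then
               ACLAction = "DEL"
          Else
               ACLAction = "ADD"
          End If

          ' strip the trailing ")" and the leading "ADD(" / "DEL(" to leave "name:right"
          tmpcmdVar = Left(tmpVar1, Len(tmpVar1) - 1)
          tmpcmdVar = Right(tmpcmdVar, Len(tmpcmdVar) - 4)
          cmdparts = Split(tmpcmdVar, ":")
          nameVar = cmdparts(0)
          rightVar = cmdparts(1)

          ' if flagged edit, delete ACE's belonging to the user we are about to add an ace for
          If UCase(REDIT) = "EDIT" Then
               For Each existingAce In dacl
                    trusteeVar = existingAce.Trustee
                    If InStr(trusteeVar, "\") Then
                         trunameVar = Right(trusteeVar, Len(trusteeVar) - InStr(trusteeVar, "\"))
                    Else
                         trunameVar = trusteeVar
                    End If

                    If UCase(trunameVar) = UCase(nameVar) Then
                         dacl.RemoveAce existingAce
                    End If
               Next
          End If

          ' if action is to del ace then following clause skips addace
          If ACLAction = "ADD" Then
               If UCase(FFOLDER) = "FOLDER" Then
                    ' folders require 2 aces for user (to do with inheritance)
                    addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW
                    addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE
               Else
                    addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, 0
               End If
          End If
     Next

     ' for some reason if ace includes "NT AUTHORITY" then existing ace does not get readded to dacl
     For Each ace In dacl
          If InStr(UCase(ace.Trustee), "NT AUTHORITY\") Then
               ace.Trustee = Right(ace.Trustee, Len(ace.Trustee) - InStr(ace.Trustee, "\"))
          End If
     Next

     ' final sets and cleanup
     sd.DiscretionaryAcl = dacl
     sec.SetSecurityDescriptor sd

     Set sd = Nothing
     Set dacl = Nothing
     Set sec = Nothing
End Function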

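Function addace(dacl, trustee, maskvar, acetype, aceflags)
     ' Add one ACE to the specified dacl.
     '   dacl     - access control list to add to (modified in place)
     '   trustee  - account name as ADsSecurity expects it, e.g. "DOMAIN\user"
     '   maskvar  - "F" full control, "C" change, "R" read (case insensitive)
     '   acetype  - ADS_ACETYPE_* value
     '   aceflags - ADS_ACEFLAG_* inheritance bits
     ' Raises an error for any other maskvar instead of adding an ACE whose
     ' AccessMask was never set.
     Const RIGHT_READ = &H80000000           ' GENERIC_READ
     Const RIGHT_EXECUTE = &H20000000        ' GENERIC_EXECUTE
     Const RIGHT_WRITE = &H40000000          ' GENERIC_WRITE
     Const RIGHT_DELETE = &H10000            ' DELETE
     Const RIGHT_FULL = &H10000000           ' GENERIC_ALL: includes changing permissions and ownership
     Const RIGHT_CHANGE_PERMS = &H40000      ' WRITE_DAC -- deliberately not part of "C"
     Const RIGHT_TAKE_OWNERSHIP = &H80000    ' WRITE_OWNER -- deliberately not part of "C"

     ' specified rights so far only include F, C & R. Could be expanded though
     Select Case UCase(maskvar)
     Case "F"
          accessMask = RIGHT_FULL
     Case "C"
          ' read/write/execute/delete without WRITE_DAC: the user cannot alter the ACL
          accessMask = RIGHT_READ Or RIGHT_WRITE Or RIGHT_EXECUTE Or RIGHT_DELETE
     Case "R"
          accessMask = RIGHT_READ Or RIGHT_EXECUTE
     Case Else
          Err.Raise vbObjectError + 513, "addace", "unknown right letter: " & maskvar
     End Select

     Set ace = CreateObject("AccessControlEntry")
     ace.Trustee = trustee
     ace.AccessMask = accessMask
     ace.AceType = acetype
     ace.AceFlags = aceflags
     dacl.AddAce ace
     Set ace = Nothing
End Function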
