I'm a pretty big fan of FileACL as well. http://www.gbordier.com/gbtools/fileacl.htm. The syntax is MUCH easier to deal with IMHO, but SetACL is definitely more flexible, allowing you to set perms on a wide range of objects: files and directories, registry keys, printers, services, network shares.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe Sent: Tuesday, February 21, 2006 5:00 AM To: [email protected] Subject: Re: [ActiveDir] Setting up Home Folder Gives User Full Access Personally I wouldnt use cacls/xcacls or the vbscript based xcacls.vbs. cacls/xcacls are probably not granular enough for your purposes. Assuming you want to give just modify then cacls/xcacls are fine. But if you want to give full control except for the modify perms/takeonership bit, then you need to use a more granular tool. xcacls.vbs can do the job but is very slow. Even if you hack it to modify perms on a list of folders/subfolders I dont think you'll find it that fast. Ad hoc jobs are OK but for modifying 2000 folders its not my tool of choice. Setacl is the way to go (setacl.sourceforge.net). The syntax is a little hard to grasp initially but there are plenty of examples on the site. Once you figure it out ,you can use a for loop and coupled with setacl I think you'll get this done quicker. M@ On 21/02/06, joe <[EMAIL PROTECTED]> wrote: > To my knowledge you can not control what ACLs are placed on the folder. > > I would recommend what I usually recommend though, create users through a > provisioning script or tool, don't do it through ADUC. If you are at 2000 > users you are easily into the realm where the ADUC is not the greatest most > efficient way to do your management. > > joe > > -- > O'Reilly Active Directory Third Edition - > http://www.joeware.net/win/ad3e.htm > > > ________________________________ > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Friday, February 17, 2006 10:36 AM > To: [email protected] > Subject: [ActiveDir] Setting up Home Folder Gives User Full Access > > > We create a home folder for each of our users in ADUC by adding the server > path to the Profile Tab. When we setup the home folder, ADUC by default > grants the user "Full Control" to this folder, which we would like to stop. > We would prefer that they have the ability to read-write, but not to modify > the permissions. Two questions here: > > 1) How do we stop ADUC from automatically granting full access to the end > user on their home folder? > 2) We have about 2000 home folders that have already been created with the > incorrect permissions already setup. Is there a script or utility that can > be used to remove the "Full Access" check box from the individual user > accounts on the folders? (just for a bit of background, only the domain > admins and the user have access to each home folder). > > Any guidance would be much appreciated. > > > Bonnie Pohlschneider List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
