Script to reset home directory permissions on a Windows share

Has anyone used a script to reset the permissions on a directory of Home Directories? I'm thinking some combination of FOR loops and CACLS to add an inheritable Modify permission to a folder using the same domain username as the folder name.

We're migrating user shares from one server to another and the existing shares do not all have the proper permissions set. I'm considering copying all the folders without copying permissions and then resetting the permissions via script so that only the username that matches the folder has access. I can then re-apply any additional permissions needed for users having access to another user's folder.


Solution 1:

Assuming you're running this on Windows Server 2003 or newer, you'll have both the TAKEOWN and ICACLS commands. I'm also assuming that the top-level folder permission is set sanely (i.e. "Authenticated Users - List Folder Contents - This folder only", proper "Administrator" permissions if you like them being able to get into user folders, etc).

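@echo off
rem Run from inside the folder that holds the home directories;
rem each subfolder name is used as the matching DOMAIN username.
FOR /D %%i in (*) do (
  TAKEOWN /f "%%i" /r /d y
  ICACLS "%%i" /reset /T
  rem Quote the whole grant argument so its parentheses do not end the FOR block
  ICACLS "%%i" /grant:r "DOMAIN\%%i:(OI)(CI)F"
  rem Unremark this line to set the owner to the user, if you like that
  rem ICACLS "%%i" /setowner "DOMAIN\%%i" /T
)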

That'll take ownership, clean up all the permissions and restore inheritance, add the user w/ Full Control rights to the directory, and then optionally give back ownership if you un-rem the last line.

My condolences for having to deal with users sharing files between each other out of home directories. That's a real pain.
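A read-only audit to run after the reset, added here as an example and not part of the original answer: it lists home folders where the matching user did not end up with the inheritable Full Control grant (for instance because the folder name is not a valid account) or where an unexpected principal has access. `$Root`, `$Domain` and the `$Allowed` list are assumptions to adjust for your environment.

```powershell
# Added example: audit home-folder ACLs after the reset. Changes nothing.
# Assumptions: $Root, $Domain and $Allowed are placeholders for your environment.
param(
    [string]$Root   = 'D:\Home',   # placeholder: folder holding the home directories
    [string]$Domain = 'DOMAIN'     # placeholder: NetBIOS domain name used in the grant
)

# Principals expected to inherit access from the top-level folder (assumption).
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $folder   = $_.FullName
    $expected = "$Domain\$($_.Name)"
    $acl      = Get-Acl -LiteralPath $folder

    # The (OI)(CI)F grant shows up as an Allow ACE with FullControl and both inherit flags.
    $userAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $expected -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full -and
        ($_.InheritanceFlags -band $inherit) -eq $inherit
    }
    if (-not $userAce) {
        [pscustomobject]@{ Folder = $folder; Issue = "No inheritable Full Control ACE for $expected" }
    }

    # Any other Allow ACE outside the expected list deserves a look.
    # Accounts that no longer resolve appear here as raw SIDs.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne $expected -and
        $Allowed -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        [pscustomobject]@{
            Folder = $folder
            Issue  = "Unexpected access: $($_.IdentityReference.Value) ($($_.FileSystemRights))"
        }
    }
}
```

An empty result means every folder has only its own user plus the expected inherited principals; pipe the output to `Export-Csv` to keep a record of the migration check.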