Re: Setting multiple home folders at once
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 20 Sep 2006 22:44:53 -0500
"Net Admin" <NetAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:372278BE-AEAF-44DD-A00E-046255F59750@xxxxxxxxxxxxxxxx
On my DC some newbie accidentally changed permissions to the home folders
for
all of my users from the parent folder and checked "Replace permissions
here
on all child objects....."
Moron, but is he worth keeping and training?
Now all user's home folders only have this newbie's name, domain admins,
and
system in the ACLs.
Removing is relatively easy, and adding one name is pretty
easy, but you will need to script if you need to add each user
to JUST that user's tree etc. If you have to also add Groups
you have a bigger mess.
XCALCS.exe and CALCS.exe are the standard command line
tools for scripting this. SetAcls from SourceForge.net is useful
but difficult to learn to use (it does pretty much everything so
figuring out all the switches takes time but I know a trick if you
go this way.) SubInAcl.exe (Reskit) can be use to swap one
ACL (SID) for another, like putting user back instead of moron
junion admin SID.
I have hundreds of users so if I try to select more than one account in AD
and change the home folder path to \\server\share\%username% then it
doesn't
work.
Why do you want to change the PATH when you have a PERMISSION
(ACL) problem?
And besides that does work if you use Win2003 but not in Win2000.
Home folder is in on the PROFILE tab which is one of the supported
tabs in Win2003 for MULTIPLE Selection.
It does work with one person but I have to click on yes when asked if I
want to give this user access to that folder because it already exists. Is
there some switch at the end of the %username% that I can use? Is there a
program I can use to replace permissions on all home folders that are all
named the same as the user account?
You need to learn the command line tools.
Something like this will work (but the following is UNTESTED and
LIKELY incomplete) run from a BATCH file:
cd /d D:\Homediretories\
for /d %%a (*) do xcacls %%a /c /e /g Domain\%%a:F
for /d %%a (*) do xcacls %%a /c /e /g Domain\MoronAdmin:F
for /d %%a (*) do cd D:\Homediretories\%%a && xcacls * /c /t /e /g
Domain\%%a:F && xcacls * a /c /t /e /g Domain\%%a:F
Remember it's UNTESTED -- I typed it from memory and that last
"for" is all one line. (Complicated XCACLS are generally difficult
to get right on first try anyway since it is VERY picky about its
switches and syntax.)
Obviously you have to put in the right "junior admin" name and the
correct path to "Homedirectories".
Also you might consider adding the "/X" instead of "/E" for the
USER ADD only. This is supposed to restrict to only ACLs OWNED
by that user but it is relatively new and I haven't had an opportunity
to check it.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thank You
.
- Follow-Ups:
- Re: Setting multiple home folders at once
- From: Net Admin
- Re: Setting multiple home folders at once
- Prev by Date: Re: Export AD Data
- Next by Date: Re: ADAM and Windows Address Book
- Previous by thread: Re: Export AD Data
- Next by thread: Re: Setting multiple home folders at once
- Index(es):
Relevant Pages
|
