Re: Isolate home directory shares

This is exactly what I needed thank you very much!

-Altria
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:OrDUXO1TJHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
This kb article indicates that inheritance can be turned off using the /I
switch of xcacls.vbs:

http://support.microsoft.com/kb/825751

The article includes a link to download an installer for xcacls.vbs. If
you need to use this on each user subfolder in the home$ share, that can
be scripted. I believe the command for one subfolder would be similar to:

cscript //nologo xcacls.vbs \\servername\home$\user1 /i disable /q

This assumes that the file xcacls.vbs is in the current folder. This
removes the inheritance flag but leaves existing permissions for the
folder, subfolders, and files. Since xcacls has the /q switch, there is no
need to echo a "Y" to the command. I have not tested, but I believe the
following should run this command for each subfolder in the share
(regardless of whether it has been assigned as a home directory):
==========
Option Explicit
Dim objFSO, strShare, objHomeFolder, objFolder
Dim objShell, strCmd, intError

strShare = "\\servername\home$"
Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHomeFolder = objFSO.GetFolder(strShare)

For Each objFolder In objHomeFolder.SubFolders
    ' Use xcacls.vbs to remove inheritance (existing permissions are kept).
    ' The folder path is quoted in case it contains spaces.
    strCmd = "%comspec% /c cscript //nologo c:\scripts\xcacls.vbs """ _
        & objFolder.Path & """ /i disable /q"
    ' Run minimized (window style 2) and wait for the exit code.
    intError = objShell.Run(strCmd, 2, True)
    If (intError <> 0) Then
        Wscript.Echo "Error removing inheritance for " & objFolder.Path
    End If
Next
==========
If the path includes embedded spaces, it must be enclosed in quotes. To be
safe I included the quotes. A single double quote in a string must be
doubled. Every instance of "" in a quoted string resolves into ". Since
xcacls.vbs is a VBScript program, you must specify the path where it is
installed. In the above, I assume it is in the folder "c:\scripts\".

This can probably also be done in a batch file. In fact, you could easily
copy the command for a single subfolder and just change the names of the
subfolders in the batch file. For example:
=======
@echo off
cscript //nologo c:\scripts\xcacls.vbs "\\servername\home$\user1" /i disable /q
cscript //nologo c:\scripts\xcacls.vbs "\\servername\home$\user2" /i disable /q
cscript //nologo c:\scripts\xcacls.vbs "\\servername\home$\user3" /i disable /q
cscript //nologo c:\scripts\xcacls.vbs "\\servername\home$\user4" /i disable /q
=======

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Altria" <urbantec92@xxxxxxx> wrote in message
news:uHEZ9vxTJHA.4680@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Richard for your fast reply!

Ok I do have one share, home$, then each user, user1. The creation of the
home directories is done with ADUC using the profile tab:
\\servername\home$\%username%

I do not want to restrict UNC necessarily but wanted to remove a user's
ability to view other user's files/folders.
I was able to achieve what I wanted by applying share permission on
the root share level for auth users to change and read, then setting SACL
to read,list,execute. After the creation of user's home directories which
by default has full permissions assigned, there I am able to remove
"allow inheritable permissions". Now only users can view and browse to
their folders and create any files and folders they like.

Now the question is how can I automate the removal of "allow inheritable
permissions from parent" on all automatically created home directories?
There is not a way I can remove this on the root share as it is not
enabled on the root share but rather the user's home directory.

Thanks and I hope that makes sense.
Altria
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:ekDanIxTJHA.5244@xxxxxxxxxxxxxxxxxxxxxxx
Thinking about this you probably have one share for home directories,
and you can remove "allow inheritable permissions" for this share in one
manual step. You just need to assign full permissions for each user to
their subfolder in this share. The following VBScript program shows how
this can be done for all users in an OU. This assumes there are no
permissions on the home folders themselves that need to be removed.
=============
Option Explicit

Dim objOU, objUser, strHomeDir, objShell, strCmd
Dim objNetwork, strNetBIOSDomain, intError

' Bind to the OU using Distinguished Name.
Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com")

Set objShell = CreateObject("Wscript.Shell")

' Retrieve NetBIOS name of the domain.
Set objNetwork = CreateObject("Wscript.Network")
strNetBIOSDomain = objNetwork.UserDomain

' Enumerate all users in the OU.
objOU.Filter = Array("user")
For Each objUser In objOU
    strHomeDir = objUser.homeDirectory
    ' Only deal with users that have a home directory.
    If (strHomeDir <> "") Then
        ' Use the cacls command to grant full permission to the user.
        ' /T applies to subfolders and files, /E edits the ACL instead of
        ' replacing it, /C continues on access denied errors. The path is
        ' quoted in case it contains spaces.
        strCmd = "%comspec% /c echo Y| cacls """ & strHomeDir & """" _
            & " /T /E /C /G " _
            & strNetBIOSDomain & "\" & objUser.sAMAccountName & ":F"
        ' Run minimized (window style 2) and wait for the exit code.
        intError = objShell.Run(strCmd, 2, True)
        If (intError <> 0) Then
            Wscript.Echo "Error assigning permissions for user " _
                & objUser.sAMAccountName
        End If
    End If
Next
=========
You can get syntax help for cacls at a command prompt. The "echo Y|"
part of the command echoes a "Y" character to answer "Yes" when the
command asks for confirmation. As with most administrative scripts, this
should be run at a command prompt using cscript.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
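The two steps the thread scripts with xcacls.vbs and cacls, combined into one PowerShell script as an added example (not code from the thread): for every subfolder of home$ it disables inheritance while keeping the inherited entries, then grants the matching user Full Control. The share path, the domain name and the assumption that each folder is named after the user's sAMAccountName are placeholders.

```powershell
# Added example (not from the thread): PowerShell equivalent of the two steps
# scripted above with xcacls.vbs and cacls, using Get-Acl / Set-Acl.
# Assumptions: $ShareRoot and $Domain are placeholders, and each subfolder of
# home$ is named after the user's sAMAccountName (ADUC's %username%).
param(
    [string]$ShareRoot = '\\servername\home$',
    [string]$Domain    = 'MYDOMAIN',
    [switch]$DryRun
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate   = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($folder in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    $account = [System.Security.Principal.NTAccount]"$Domain\$($folder.Name)"
    try {
        # Resolve the account first so a folder with no matching user is skipped
        # instead of getting an unresolvable entry written into its ACL.
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "No account '$account' for $($folder.FullName); skipped"
        continue
    }

    $acl = Get-Acl -LiteralPath $folder.FullName

    # Step 1 (xcacls.vbs /i disable): stop inheriting from home$, keeping the
    # inherited entries as explicit ones so nothing loses access mid-run.
    $acl.SetAccessRuleProtection($true, $true)

    # Step 2 (cacls /G user:F): grant the folder's owner Full Control, applied
    # to the folder, its subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $fullControl, $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)

    if ($DryRun) {
        Write-Host "Would protect $($folder.FullName) and grant $account Full Control"
    } else {
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
        Write-Host "Protected $($folder.FullName); granted $account Full Control"
    }
}
```

Entries copied from home$ in step 1 remain on each folder as explicit entries, so review them against the root permissions afterwards if the goal is that only the owner can browse a folder.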