Windows 7 Forums

Windows 7: Giving Automatic Permissions to Folders Created Using a Batch File

05 Apr 2013   #1
bbuilders

Windows 7 Home Premium 64bit
 
 

So I have a batch file set up to create folders and subfolders. These folders are created on a shared server that several employees access. The idea is to run the batch to create a set of folders for each new customer. This keeps all of the files for the customer in one spot rather than spreading it out in a folder for each department then the customer. Hopefully everyone followed that.

The batch file creates my folders perfectly except no one else can access them. The permissions are denied for all users besides me. This is a problem because we have several employees trying to access the new customer folder I have created.

I want to be able to run the batch and create folders that automatically allow anyone to delete, rename, add to, move, etc. All of these permissions are allowed when I manually create the folders. The idea is that anyone in the company can run the batch to create a customer folder and anyone else can edit it.

Any ideas?


05 Apr 2013   #2
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Hi,

I'm not familiar with the option, but using the ICACLS command will allow you to modify the permissions.

Code:
C:\Windows\system32>icacls /?

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    stores the DACLs for the files and folders that match the name
    into aclfile for later use with /restore. Note that SACLs,
    owner, or integrity labels are not saved.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
                 [/C] [/L] [/Q]
    applies the stored DACLs to files in directory.

ICACLS name /setowner user [/T] [/C] [/L] [/Q]
    changes the owner of all matching names. This option does not
    force a change of ownership; use the takeown.exe utility for
    that purpose.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
    finds all matching names that contain an ACL
    explicitly mentioning Sid.

ICACLS name /verify [/T] [/C] [/L] [/Q]
    finds all files whose ACL is not in canonical form or whose
    lengths are inconsistent with ACE counts.

ICACLS name /reset [/T] [/C] [/L] [/Q]
    replaces ACLs with default inherited ACLs for all matching files.

ICACLS name [/grant[:r] Sid:perm[...]]
       [/deny Sid:perm [...]]
       [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
       [/setintegritylevel Level:policy[...]]

    /grant[:r] Sid:perm grants the specified user access rights. With :r,
        the permissions replace any previouly granted explicit permissions.
        Without :r, the permissions are added to any previously granted
        explicit permissions.

    /deny Sid:perm explicitly denies the specified user access rights.
        An explicit deny ACE is added for the stated permissions and
        the same permissions in any explicit grant are removed.

    /remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With
        :g, it removes all occurrences of granted rights to that Sid. With
        :d, it removes all occurrences of denied rights to that Sid.

    /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
        ACE to all matching files.  The level is to be specified as one
        of:
            L[ow]
            M[edium]
            H[igh]
        Inheritance options for the integrity ACE may precede the level
        and are applied only to directories.

    /inheritance:e|d|r
        e - enables inheritance
        d - disables inheritance and copy the ACEs
        r - remove all inherited ACEs


Note:
    Sids may be in either numerical or friendly name form. If a numerical
    form is given, affix a * to the start of the SID.

    /T indicates that this operation is performed on all matching
        files/directories below the directories specified in the name.

    /C indicates that this operation will continue on all file errors.
        Error messages will still be displayed.

    /L indicates that this operation is performed on a symbolic link
       itself versus its target.

    /Q indicates that icacls should supress success messages.

    ICACLS preserves the canonical ordering of ACE entries:
            Explicit denials
            Explicit grants
            Inherited denials
            Inherited grants

    perm is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
                N - no access
                F - full access
                M - modify access
                RX - read and execute access
                R - read-only access
                W - write-only access
                D - delete access
        a comma-separated list in parentheses of specific rights:
                DE - delete
                RC - read control
                WDAC - write DAC
                WO - write owner
                S - synchronize
                AS - access system security
                MA - maximum allowed
                GR - generic read
                GW - generic write
                GE - generic execute
                GA - generic all
                RD - read data/list directory
                WD - write data/add file
                AD - append data/add subdirectory
                REA - read extended attributes
                WEA - write extended attributes
                X - execute/traverse
                DC - delete child
                RA - read attributes
                WA - write attributes
        inheritance rights may precede either form and are applied
        only to directories:
                (OI) - object inherit
                (CI) - container inherit
                (IO) - inherit only
                (NP) - don't propagate inherit
                (I) - permission inherited from parent container

Examples:

        icacls c:\windows\* /save AclFile /T
        - Will save the ACLs for all files under c:\windows
          and its subdirectories to AclFile.

        icacls c:\windows\ /restore AclFile
        - Will restore the Acls for every file within
          AclFile that exists in c:\windows and its subdirectories.

        icacls file /grant Administrator:(D,WDAC)
        - Will grant the user Administrator Delete and Write DAC
          permissions to file.

        icacls file /grant *S-1-1-0:(D,WDAC)
        - Will grant the user defined by sid S-1-1-0 Delete and
          Write DAC permissions to file.

C:\Windows\system32>
Regards,
Golden
08 Apr 2013   #3
bbuilders

Windows 7 Home Premium 64bit
 
 

Thanks for your post.

After doing some research on icacls and doing some playing around, I have come up with:
Code:
icacls \\PESC1435-SERVER\share\_CUSTOMERS_\_2013\"__Last Name, First Name" * /T /C /grant(:r) Everyone:(OI)(CI)(F) /inheritance:e
It isn't working (big surprise) and since I have never used it before, I am not sure why. Keep in mind that this will need to apply to all of the folders and subfolders being created as well as not restricting the files to be added later.

Hopefully someone with more experience in this realm can shed some light on my shortcomings. I attached my batch file so someone can see what I am doing.

Note: If I try to change the permissions manually through the properties dbx, it doesn't seem to work either.


Attached Files
File Type: bat __CREATE FOLDERS__.bat (4.8 KB, 53 views)

08 Apr 2013   #4
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 



I'll see if I can rustle up some help. Keep visiting back here for replies.
08 Apr 2013   #5
Kari

Microsoft Community Contributor Award Recipient

 

You have small typos in your command syntax. As far as I know the correct syntax in your case should be:
Code:
icacls "\\PESC1435-SERVER\share\_CUSTOMERS_\_2013\__Last Name, First Name\"  /T /C /grant Everyone:(r)
This gives Everyone Read rights. For full access, change the value R to F.
Notice the small changes:
  • The full path containing spaces should be in between quotation marks, not only the part that contains spaces (I assume the __Last Name, First Name part is the folder name?)
  • The wildcard * is not needed as the switch /T already tells system to include all files and folders in current folder
  • The User parameter (Everyone in your case) comes after Grant parameter (as in /Grant Everyone), followed by a colon then values in parenthesis, not colon and values in parenthesis
  • Any inheritance rules AFTER the user:, BEFORE the value, as here the Object Inherit OI before the value Read R:
    ... /grant Everyone:(OI)(R) ...

Kari
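
The syntax points in the reply above, put together as a folder-creation batch file. This is an added example, not part of the thread and not the poster's attached file. It grants Modify (M) with (OI)(CI) inheritance rather than Full control; the group name `CustomerFiles-Staff` and the three subfolder names are hypothetical, and the share path is the one quoted in the thread.

```batch
@echo off
setlocal
rem Added example. ROOT is the share path quoted in the thread.
rem GROUP is a hypothetical security group; replace it with the group
rem that contains the employees who work on customer folders.
set "ROOT=\\PESC1435-SERVER\share\_CUSTOMERS_\_2013"
set "GROUP=CustomerFiles-Staff"

if "%~1"=="" (
    echo Usage: %~nx0 "Last Name, First Name"
    exit /b 1
)
set "CUSTOMER=%ROOT%\__%~1"

rem Create only the top-level customer folder first.
if not exist "%CUSTOMER%" mkdir "%CUSTOMER%" || exit /b 1

rem Make sure the folder still inherits from its parent.
icacls "%CUSTOMER%" /inheritance:e /C /Q || exit /b 1

rem (OI)(CI) = the entry is inherited by files and subfolders created later.
rem M (modify) covers add, rename, move and delete. F would also give
rem WDAC and WO, i.e. the right to change permissions and take ownership.
icacls "%CUSTOMER%" /grant "%GROUP%:(OI)(CI)M" /C /Q || exit /b 1

rem Subfolders made after the grant pick up the entry automatically.
rem The names below are constructed samples.
for %%D in ("Contracts" "Invoices" "Drawings") do (
    if not exist "%CUSTOMER%\%%~D" mkdir "%CUSTOMER%\%%~D"
)

rem Print the resulting ACLs; inherited entries on subfolders show (I).
icacls "%CUSTOMER%" /T
endlocal
```

Because the grant is set on the customer folder before its subfolders are created, no `/T` pass is needed to push it down, and files added later inherit it as well.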
08 Apr 2013   #6
bbuilders

Windows 7 Home Premium 64bit
 
 

Kari,

I made your suggested changes and it didn't work initially. So I recreated the _Customers_ and _2013 folders and manually set their permissions to full access. Then I ran the batch and it now works perfectly. I am not sure if the solution was the folder recreation or the combination of your code and the recreation. Either way, I am appreciative for the help!

Thanks all.
08 Apr 2013   #7
Kari

Microsoft Community Contributor Award Recipient

 

Good to know you got it working.