Giving Automatic Permissions to Folders Created Using a Batch File


  1. Posts : 3
    Windows 7 Home Premium 64bit
       #1


    So I have a batch file set up to create folders and subfolders. These folders are created on a shared server that several employees access. The idea is to run the batch to create a set of folders for each new customer. This keeps all of the files for the customer in one spot rather than spreading it out in a folder for each department then the customer. Hopefully everyone followed that.

    The batch file creates my folders perfectly except no one else can access them. The permissions are denied for all users besides me. This is a problem because we have several employees trying to access the new customer folder I have created.

    I want to be able to run the batch and create folders that automatically allow anyone to delete, rename, add to, move, etc. All of these permissions are allowed when I manually create the folders. The idea is that anyone in the company can run the batch to create a customer folder and anyone else can edit it.

    Any ideas?


  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    Hi,

    I'm not familiar with the option, but using the ICACLS command will allow you to modify the permissions.

    Code:
    C:\Windows\system32>icacls /?
    
    ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
        stores the DACLs for the files and folders that match the name
        into aclfile for later use with /restore. Note that SACLs,
        owner, or integrity labels are not saved.
    
    ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
                     [/C] [/L] [/Q]
        applies the stored DACLs to files in directory.
    
    ICACLS name /setowner user [/T] [/C] [/L] [/Q]
        changes the owner of all matching names. This option does not
        force a change of ownership; use the takeown.exe utility for
        that purpose.
    
    ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
        finds all matching names that contain an ACL
        explicitly mentioning Sid.
    
    ICACLS name /verify [/T] [/C] [/L] [/Q]
        finds all files whose ACL is not in canonical form or whose
        lengths are inconsistent with ACE counts.
    
    ICACLS name /reset [/T] [/C] [/L] [/Q]
        replaces ACLs with default inherited ACLs for all matching files.
    
    ICACLS name [/grant[:r] Sid:perm[...]]
           [/deny Sid:perm [...]]
           [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
           [/setintegritylevel Level:policy[...]]
    
        /grant[:r] Sid:perm grants the specified user access rights. With :r,
            the permissions replace any previouly granted explicit permissions.
            Without :r, the permissions are added to any previously granted
            explicit permissions.
    
        /deny Sid:perm explicitly denies the specified user access rights.
            An explicit deny ACE is added for the stated permissions and
            the same permissions in any explicit grant are removed.
    
        /remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With
            :g, it removes all occurrences of granted rights to that Sid. With
            :d, it removes all occurrences of denied rights to that Sid.
    
        /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
            ACE to all matching files.  The level is to be specified as one
            of:
                L[ow]
                M[edium]
                H[igh]
            Inheritance options for the integrity ACE may precede the level
            and are applied only to directories.
    
        /inheritance:e|d|r
            e - enables inheritance
            d - disables inheritance and copy the ACEs
            r - remove all inherited ACEs
    
    
    Note:
        Sids may be in either numerical or friendly name form. If a numerical
        form is given, affix a * to the start of the SID.
    
        /T indicates that this operation is performed on all matching
            files/directories below the directories specified in the name.
    
        /C indicates that this operation will continue on all file errors.
            Error messages will still be displayed.
    
        /L indicates that this operation is performed on a symbolic link
           itself versus its target.
    
        /Q indicates that icacls should supress success messages.
    
        ICACLS preserves the canonical ordering of ACE entries:
                Explicit denials
                Explicit grants
                Inherited denials
                Inherited grants
    
        perm is a permission mask and can be specified in one of two forms:
            a sequence of simple rights:
                    N - no access
                    F - full access
                    M - modify access
                    RX - read and execute access
                    R - read-only access
                    W - write-only access
                    D - delete access
            a comma-separated list in parentheses of specific rights:
                    DE - delete
                    RC - read control
                    WDAC - write DAC
                    WO - write owner
                    S - synchronize
                    AS - access system security
                    MA - maximum allowed
                    GR - generic read
                    GW - generic write
                    GE - generic execute
                    GA - generic all
                    RD - read data/list directory
                    WD - write data/add file
                    AD - append data/add subdirectory
                    REA - read extended attributes
                    WEA - write extended attributes
                    X - execute/traverse
                    DC - delete child
                    RA - read attributes
                    WA - write attributes
            inheritance rights may precede either form and are applied
            only to directories:
                    (OI) - object inherit
                    (CI) - container inherit
                    (IO) - inherit only
                    (NP) - don't propagate inherit
                    (I) - permission inherited from parent container
    
    Examples:
    
            icacls c:\windows\* /save AclFile /T
            - Will save the ACLs for all files under c:\windows
              and its subdirectories to AclFile.
    
            icacls c:\windows\ /restore AclFile
            - Will restore the Acls for every file within
              AclFile that exists in c:\windows and its subdirectories.
    
            icacls file /grant Administrator:(D,WDAC)
            - Will grant the user Administrator Delete and Write DAC
              permissions to file.
    
            icacls file /grant *S-1-1-0:(D,WDAC)
            - Will grant the user defined by sid S-1-1-0 Delete and
              Write DAC permissions to file.
    
    C:\Windows\system32>
    Regards,
    Golden


  3. Posts : 3
    Windows 7 Home Premium 64bit
    Thread Starter
       #3

    Thanks for your post.

    After doing some research on icacls and doing some playing around, I have come up with:
    Code:
    icacls \\PESC1435-SERVER\share\_CUSTOMERS_\_2013\"__Last Name, First Name" * /T /C /grant(:r) Everyone:(OI)(CI)(F) /inheritance:e
    It isn't working (big surprise) and since I have never used it before, I am not sure why. Keep in mind that this will need to apply to all of the folders and subfolders being created as well as not restricting the files to be added later.

    Hopefully someone with more experience in this realm can shed some light on my shortcomings. I attached my batch file so someone can see what I am doing.

    Note: If I try to change the permissions manually through the properties dbx, it doesn't seem to work either.


  4. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #4



    I'll see if I can rustle up some help. Keep visiting back here for replies.


  5. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #5

    You have small typos in your command syntax. As far as I know the correct syntax in your case should be:
    Code:
    icacls "\\PESC1435-SERVER\share\_CUSTOMERS_\_2013\__Last Name, First Name\"  /T /C /grant Everyone:(r)
    This gives Everyone Read rights. For full access, change the value R to F.
    Notice the small changes:
    • The full path containing spaces should be in between quotation marks, not only the part that contains spaces (I assume the __Last Name, First Name part is the folder name?)
    • The wildcard * is not needed, as the switch /T already tells the system to include all files and folders in the current folder
    • The User parameter (Everyone in your case) comes after the Grant parameter (as in /Grant Everyone), followed by a colon, then values in parentheses, not colon and values in parentheses
    • Any inheritance rules go AFTER the user:, BEFORE the value, as here the Object Inherit OI before the value Read R:
      ... /grant Everyone:(OI)(R) ...


    Kari
    Last edited by Kari; 09 Apr 2013 at 04:17. Reason: Incredible amount of typos in a very short post :)
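
The points from this thread (whole path quoted, `/grant Sid:perm` ordering, `(OI)(CI)` inheritance flags before the right) combined into one batch file. This is an added example, not the attached batch file from the thread; the share path, the subfolder names, and the choice of `*S-1-5-11` (Authenticated Users) with Modify instead of Everyone with Full are assumptions.

```bat
@echo off
setlocal
rem Added example, not the thread starter's batch file.
rem Usage:  newcustomer.bat "Last Name, First Name"

rem ROOT is a placeholder share path (assumption); point it at the real parent folder.
set "ROOT=\\SERVER\share\Customers\2013"
rem *S-1-5-11 is the well-known SID for Authenticated Users (assumption: a dedicated
rem staff group would be narrower still). The leading * marks a numeric SID for icacls.
set "WHO=*S-1-5-11"

set "NAME=%~1"
if "%NAME%"=="" (
    echo Usage: %~nx0 "Customer Name"
    exit /b 1
)

set "TARGET=%ROOT%\%NAME%"
if exist "%TARGET%\" (
    echo "%TARGET%" already exists, nothing changed.
    exit /b 1
)

rem 1. Create only the top-level customer folder first.
mkdir "%TARGET%" || exit /b 1

rem 2. Grant Modify (M) on that folder. (OI)(CI) makes the entry inheritable by
rem    files and subfolders. M covers add, rename, move and delete but not
rem    changing permissions or ownership, which F would also hand out.
rem    The whole argument is quoted so cmd does not trip over the parentheses.
icacls "%TARGET%" /inheritance:e /grant "%WHO%:(OI)(CI)M" || exit /b 1

rem 3. Create the subfolders afterwards (names are assumptions); each one
rem    inherits the entry at creation time, so no wildcard or /T is needed.
for %%S in (Quotes Invoices Drawings) do mkdir "%TARGET%\%%S" || exit /b 1

rem 4. Print the resulting ACLs. Entries marked (I) on the subfolder show
rem    that the grant was inherited rather than set explicitly.
icacls "%TARGET%"
icacls "%TARGET%\Quotes"
endlocal
```

Granting on the top folder before creating its children means the ACL only has to be written once, and anything added to the tree later picks up the same entry through inheritance.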


  6. Posts : 3
    Windows 7 Home Premium 64bit
    Thread Starter
       #6

    Kari,

    I made your suggested changes and it didn't work initially. So I recreated the _Customers_ and _2013 folders and manually set their permissions to full access. Then I ran the batch and it now works perfectly. I am not sure if the solution was the folder recreation or the combination of your code and the recreation. Either way, I am appreciative for the help!

    Thanks all.


  7. Posts : 17,545
    Windows 10 Pro x64 EN-GB
       #7

    Good to know you got it working.


 
