Old 10-05-2011, 02:50 PM   #1
..m.0,0.m..
Site Team
 
 
Join Date: May 2010
Location: USA
Posts: 3,870
Default Change Permissions on Multiple Folders

Hello everyone!
So at my new place of work, I noticed some glaring security issues that need to be addressed. Most of them I already know how to do but this one, I'm at a loss.
Basically, there is NO user access control on ANY of our file share servers. Literally, a brand new warehouse employee can open the CEO's personal drive which houses some pretty sensitive information, very personal information at that. I locked down his folder, but still have about 422 folders left to apply security settings to. I need to remove the built-in user group "Everyone" from those folders' ACLs. How can I accomplish this without modifying individual folder permissions?


Thanks all.
__________________
Me: You'd think as the dominant species we wouldn't be so effing stupid.
J: We're just intelligent enough to be completely effing stupid.
iPwn is offline   Reply With Quote
Old 10-05-2011, 04:12 PM   #2
Site Team
 
 
Join Date: Sep 2006
Posts: 10,713
Default re: Change Permissions on Multiple Folders

Tossing this out there blindly:

In Windows I can change it on the parent folder (or drive) and have the changes get propagated down to the sub-directories. Any chance that could work here?
__________________
"as a fanboy i refuse to admit it and will pull countless things out of my butt to disprove it"

Team Thelegorm! Total Kills: 21 (i iz in uor profile, editsing your sigz)
celegorm is offline   Reply With Quote
Old 10-05-2011, 04:26 PM   #3
..m.0,0.m..
Site Team
 
 
Join Date: May 2010
Location: USA
Posts: 3,870
Default re: Change Permissions on Multiple Folders

From my understanding, it won't.
The parent folder is "Users" and the permissions allow:
Domain Admins
Everyone

Everyone needs to remain on this folder so that when new users log on for the first time, the sys will allow the creation of a new home folder under their account.
This then adds their domain account to the permissions (creator -> full permissions) but also inherits the Domain Admins (good) and Everyone (bad). I found a walkthrough on how to stop the future folders from inheriting the Everyone ACE, but still haven't found a solution to the 400+ existing folders.
__________________
Me: You'd think as the dominant species we wouldn't be so effing stupid.
J: We're just intelligent enough to be completely effing stupid.
iPwn is offline   Reply With Quote
Old 10-06-2011, 12:20 PM   #4
..m.0,0.m..
Site Team
 
 
Join Date: May 2010
Location: USA
Posts: 3,870
Default re: Change Permissions on Multiple Folders

Found it: If anyone else runs into this issue...
Remove inherited NTFS permissions on 835 sub folders.

Edit: Okay, so there was some tweaking that needed to be done. In the original batch file that is posted on the above Microsoft site, the commands use a /e modifier which only modifies the ACL. You will want to remove the /e tag from the first command issued so that it replaces the ACL and removes the "Everyone" group. Otherwise, you're simply adding the user and domain admins with the batch file. Example below (extremely shortened version):
Code:
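@echo off
rem zLog is not defined in this shortened version; the log path below is an assumed placeholder.
set "zLog=%~dp0acl_changes.log"
rem Pass 1: no /e, so each folder's ACL is REPLACED with Domain Admins:F; "echo y" answers the prompt.
for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>"%zLog%" && echo y| cacls "%%i" /T /g "%userdomain%\Domain Admins":F
rem Pass 2: /e EDITS the ACL, adding back the account whose name matches the folder name.
for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>"%zLog%" && cacls "%%i" /T /e /g "%userdomain%\%%i":F
:EXIT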
I removed some code from the end of each line that writes to the log file, but anyway... notice the /T /g in the first line and then the /T /e /g in the second.
The first line removes all ACL entries and replaces with the domain admins, then the second line edits (/e modifier) the ACL to add the user back in. The user's AD account name MUST match the folder name for this to work.
__________________
Me: You'd think as the dominant species we wouldn't be so effing stupid.
J: We're just intelligent enough to be completely effing stupid.
iPwn is offline   Reply With Quote
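
A read-only check to run after the two cacls passes described above, added here as an example and not part of the original posts or the Microsoft batch file: it reports home folders that still carry an Everyone ACE (explicit or inherited from the parent) or where the folder name did not resolve to an account that ended up on the ACL. The function name and the path `D:\Shares\Users` are hypothetical.

```powershell
# Added example: audit home folders after the cacls passes. Read-only; it changes no ACLs.
# Assumption: D:\Shares\Users is a hypothetical path for the parent "Users" folder.
function Get-HomeFolderAclReport {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $Domain = $env:USERDOMAIN
    )
    $everyone = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Request rules keyed by SID so display names and orphaned accounts do not affect matching.
        $rules = $acl.GetAccessRules($true, $true, $sidType)
        $everyoneAces = @($rules | Where-Object { $_.IdentityReference.Value -eq $everyone })

        # The batch file assumes folder name == AD account name; check that the account
        # exists and that the second pass actually put it on the ACL.
        $ownerSid = $null
        try {
            $ownerSid = ([System.Security.Principal.NTAccount]"$Domain\$($dir.Name)").Translate($sidType).Value
        } catch { }   # name did not resolve: the /e /g pass could not have added it
        $ownerHasAce = $ownerSid -and ($rules | Where-Object { $_.IdentityReference.Value -eq $ownerSid })

        [pscustomobject]@{
            Folder            = $dir.Name
            EveryoneExplicit  = [bool]($everyoneAces | Where-Object { -not $_.IsInherited })
            EveryoneInherited = [bool]($everyoneAces | Where-Object { $_.IsInherited })
            AccountResolves   = [bool]$ownerSid
            OwnerHasAce       = [bool]$ownerHasAce
        }
    }
}

# Show only folders that still need attention.
Get-HomeFolderAclReport -Root 'D:\Shares\Users' |
    Where-Object { $_.EveryoneExplicit -or $_.EveryoneInherited -or -not $_.OwnerHasAce } |
    Format-Table -AutoSize
```

The report covers only the top-level home folders; sub-folders touched by /T would need `-Recurse` on the enumeration to be checked as well.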
Old 10-11-2011, 07:34 PM   #5
Solid State Member
 
Join Date: Oct 2011
Posts: 7
Default Re: Change Permissions on Multiple Folders

Cool, sounds like a nice little script iPwn, good catch by the way.
Jericho123 is offline   Reply With Quote