Change Permissions on Multiple Folders

iPwn

Hello everyone!
So at my new place of work, I noticed some glaring security issues that need to be addressed. Most of them I already know how to fix, but this one I'm at a loss on.
Basically, there is NO user access control on ANY of our file share servers. Literally, a brand new warehouse employee can open the CEO's personal drive, which houses some pretty sensitive information, very personal information at that. I locked down his folder, but still have about 422 folders left to apply security settings to. I need to remove the built-in user group "Everyone" from those folders' ACLs. How can I accomplish this without modifying individual folder permissions?


Thanks all.
 
Tossing this out there blindly:

In Windows I can change it on the parent folder (or drive) and have the changes propagated down to the sub-directories. Any chance that could work here?
 
From my understanding, it won't.
The parent folder is "Users" and its permissions allow:
Domain Admins
Everyone

Everyone needs to remain on this folder so that when new users log on for the first time, the system will allow the creation of a new home folder under their account.
This then adds their domain account to the permissions (creator -> full permissions) but also inherits Domain Admins (good) and Everyone (bad). I found a walkthrough on how to stop future folders from inheriting the Everyone ACE, but still haven't found a solution for the 400+ existing folders.
 
Found it: If anyone else runs into this issue...
Remove inherited NTFS permissions on 835 sub folders.

Edit: Okay, so there was some tweaking that needed to be done. In the original batch file posted on the above Microsoft site, the commands use an /e modifier, which only edits the ACL. You will want to remove the /e switch from the first command issued so that it replaces the ACL and removes the "Everyone" group. Otherwise, you're simply adding the user and Domain Admins with the batch file. Example below (extremely shortened version):
Code:
@echo off
rem Path of the log each pass appends folder names to (the set-up line was trimmed from the post; this path is an example)
set zLog=%~dp0acl.log
rem Pass 1 (run from the parent Users folder): /g WITHOUT /e replaces each folder's ACL with Domain Admins:Full, /T recurses; "echo y|" answers cacls' "Are you sure (Y/N)?" prompt
for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && echo y| cacls "%%i" /T /g "%userdomain%\Domain Admins":F
rem Pass 2: /e EDITS the ACL, adding the user (folder name must equal the account name) back with Full Control
for /f "delims=:" %%i in ('dir /b /ad') do @echo %%i >>%zLog% && cacls "%%i" /T /e /g "%userdomain%\%%i":F
:EXIT

I removed some code from the end of each line that writes to the log file, but anyway... notice the /T /g in the first line and then the /T /e /g in the second.
The first line removes all ACL entries and replaces them with Domain Admins, then the second line edits (/e modifier) the ACL to add the user back in. The user's AD account name MUST match the folder name for this to work.
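Added example, not code from the thread: the same clean-up (the question in the first post and the fix in the last one) done in PowerShell with the .NET ACL API instead of cacls. Rather than resetting each home folder's ACL and re-adding the user, it breaks inheritance on the folder while keeping copies of the inherited entries, then removes only the Everyone entries, so the owner's and Domain Admins' ACEs stay and the folder name does not have to match the account name. The share root D:\Users, the script name, and the elevated Domain Admin session are assumptions; without -Apply it only reports which folders still grant Everyone, which is the check to run first over the 400+ folders.

```powershell
# Added example, not the thread's batch file: audit and fix home folders that still grant "Everyone".
# Assumptions (hypothetical): the share root is D:\Users and this runs in an elevated PowerShell
# session as a Domain Admin (Set-Acl writes the owner back too, which needs SeRestorePrivilege
# when you are not the folder's owner).
param(
    [string]$Root = 'D:\Users',   # assumed share root
    [switch]$Apply                # without -Apply, only report; nothing is changed
)

# Match by the well-known SID S-1-1-0 rather than the display name "Everyone", which is locale-dependent.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

function Get-EveryoneAces([System.Security.AccessControl.FileSystemSecurity]$Acl) {
    $Acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyoneSid
    }
}

# Pass 1: audit every direct subfolder of the root and report any Everyone ACE, noting whether
# it is inherited from the parent (the thread's case) or set explicitly on the folder itself.
$hits = @(foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $aces = @(Get-EveryoneAces (Get-Acl -LiteralPath $dir.FullName))
    if ($aces.Count -gt 0) {
        [pscustomobject]@{
            Folder    = $dir.FullName
            Inherited = [bool]($aces | Where-Object IsInherited)
            Rights    = ($aces | ForEach-Object { "$($_.FileSystemRights)" }) -join ';'
        }
    }
})
$hits | Format-Table -AutoSize
Write-Output ("{0} folder(s) under {1} still grant access to Everyone" -f $hits.Count, $Root)
if (-not $Apply) { return }

# Pass 2: remediate. An inherited ACE cannot be deleted in place, so first protect the home folder
# from its parent while copying the inherited entries as explicit ones (owner and Domain Admins
# survive), then purge only the Everyone entries. Children that inherit from the home folder lose
# the Everyone ACE with it; any child carrying its own explicit Everyone ACE is cleaned separately.
foreach ($hit in $hits) {
    $acl = Get-Acl -LiteralPath $hit.Folder
    $acl.SetAccessRuleProtection($true, $true)   # isProtected=$true, preserveInheritance=$true (keep copies)
    $acl.PurgeAccessRules($everyoneSid)
    Set-Acl -LiteralPath $hit.Folder -AclObject $acl
    Write-Output "Fixed $($hit.Folder)"

    Get-ChildItem -LiteralPath $hit.Folder -Recurse -Force | ForEach-Object {
        $childAcl = Get-Acl -LiteralPath $_.FullName
        $explicit = @(Get-EveryoneAces $childAcl | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -gt 0) {
            $childAcl.PurgeAccessRules($everyoneSid)
            Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
            Write-Output "  removed explicit Everyone ACE on $($_.FullName)"
        }
    }
}
```

Run it once without -Apply (for example `.\Fix-HomeFolders.ps1 -Root D:\Users`, name assumed) to get the list of folders and whether their Everyone entry is inherited, then again with -Apply. The parent Users folder itself is left alone, for the reason given above: new home folders are still created under it. Because the Everyone ACE is matched by SID, the script also catches the entry on systems where it is displayed under a localised name.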
 