Purpose
Batch file as an example of setting read, write or full control permissions on directories in a domain or on a PC with many users, where for instance permissions can be set selectively on data folders.
Motivation/considerations
Preparation
- I place the example batch files by default in C:\ICTWebUtils\Batch
- For local testing the file assumes that an E: drive is present. Adjust this as needed, and likewise the users and user groups. Running it as-is serves no purpose.
- I document all my files in broken English.
- Further explanation and tips are given below the code, with reference to the line numbers.
- Grab the bottom-right corner of the code window with the mouse to widen it.
```batch
@Echo off
::: Template batchfile to set permissions in shared directories
::: Jan Peppink - https://ict.peppink.nl
::: Prepare ::::::::::::::::::::::::::::::::::::::::::::::
::: %~0 - Remove any surrounding quotes (")
::: %~f0 - expands to fully qualified pathname with filename.
::: %~d0 - expands to drive letter
::: %~p0 - expands to path
::: %~n0 - expands to filename without extension
Set ThisBatch=%~0
Set LogFile=%~d0%~p0%~n0.log
Set OldLogFile=%~d0%~p0%~n0-old.log
If exist "%LogFile%" Echo Save %LogFile% to %OldLogFile%
If exist "%LogFile%" Move /y "%LogFile%" "%OldLogFile%" >nul
::: Start new empty logfile :::::::::::::::::::::::::::::::
Echo %date% %time:~0,5% ::: Start %ThisBatch%
Echo %date% %time:~0,5% ::: Start %ThisBatch% > "%LogFile%"
If "%1"=="-h" Goto Help
::: Set Environment :::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: For Help information type: help icacls
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: - "account":(OI)(CI)F means Full Control for This folder, Subfolders and Files
::: - "account":(OI)(CI)M means Modify for This folder, Subfolders and Files
::: - "account":(OI)(CI)RX means Read for This folder, Subfolders and Files
:::
::: (OI) This folder and Files
::: (CI) This folder and Subfolders.
::: (OI)(CI) This folder, Subfolders, and Files.
::: (OI)(CI)(IO) Subfolders and Files only.
::: (CI)(IO) Subfolders only.
::: (OI)(IO) Files only.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Echo Define Options for Only Target or including subdirs and Files ::::::::::::
::: /inheritance:r removes all inherited ACEs from the target, /grant:r replaces
::: the explicit ACEs of the accounts named after it. Without /t only the target
::: itself is rewritten; subfolders receive the new ACEs through (OI)(CI) inheritance.
Set OPT_RECURSE=/c /inheritance:r /grant:r
Set MAINDIR=\\MyServer\MyShare\
Set TARGETDIR=
:::JUST TO TEST SET PATH TO TESTDRIVE AND CREATE DIRECTORIES
Set MAINDIR=E:\Temp\
If not exist E:\ Goto Error
If not exist E:\Temp mkdir E:\Temp
If not exist "%MAINDIR%DIR1" mkdir "%MAINDIR%DIR1"
If not exist "%MAINDIR%DIR1\SubMap1" mkdir "%MAINDIR%DIR1\SubMap1"
If not exist "%MAINDIR%DIR1\Sub Map 2" mkdir "%MAINDIR%DIR1\Sub Map 2"
If not exist "%MAINDIR%DIR1\Sub Map 2\SubMap3" mkdir "%MAINDIR%DIR1\Sub Map 2\SubMap3"
If not exist "%MAINDIR%DIR1\SubMap4" mkdir "%MAINDIR%DIR1\SubMap4"
If not exist "%MAINDIR%DIR2" mkdir "%MAINDIR%DIR2"
Echo Define Default Permissions for ALL Directories :::::::::::::::::::::::::::
::: for local PC
::: for Domain
Set DEFAULT="BUILTIN\Administrators":(OI)(CI)F "NT AUTHORITY\SYSTEM":(OI)(CI)F "CREATOR OWNER":(OI)(CI)F "MYDOMAIN\MY-ADMINGROUP":(OI)(CI)F
Echo Define AD groups :::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: First to give Read permission, Second to give Modify permission, Third is used to remove the permissions.
::: Call Existing group for All Domain users
Set MYDOMAINRead="MYDOMAIN\Domain Users":(OI)(CI)RX
Set MYDOMAINWrite="MYDOMAIN\Domain Users":(OI)(CI)M
Set RM_MYDOMAIN="MYDOMAIN\Domain Users"
::: First to give Read permission, Second to give Modify permission, Third is used to remove the permissions.
::: Call Existing AD group
Set MYADGROUPRead="MYDOMAIN\MYADGROUP":(OI)(CI)RX
Set MYADGROUPWrite="MYDOMAIN\MYADGROUP":(OI)(CI)M
Set RM_MYADGROUP="MYDOMAIN\MYADGROUP"
Echo Define Special specified groups - combination of users and/or groups :::::
::: First to give Read permission, Second to give Modify permission, Third is used to remove the permissions.
::: Self defined group
Set MYUSERSWrite="MYDOMAIN\User1":(OI)(CI)M "MYDOMAIN\User2":(OI)(CI)M "MYDOMAIN\User3":(OI)(CI)M
Set MYUSERSRead="MYDOMAIN\User1":(OI)(CI)RX "MYDOMAIN\User2":(OI)(CI)RX "MYDOMAIN\User3":(OI)(CI)RX
Set RM_MYUSERS="MYDOMAIN\User1" "MYDOMAIN\User2" "MYDOMAIN\User3"
Echo Define specific Users or Groups to deny access :::::::::::::::::::::::::::
::: A deny ACE is evaluated before the allow ACEs, so User4 is blocked even when
::: a group that User4 belongs to is granted access.
Set DENIEDUSERS=/deny "MYDOMAIN\User4":(OI)(CI)F
Set RM_DENIEDUSERS="MYDOMAIN\User4"
:::: Color First Background Second ForeGround
::: 0 = Black 8 = Gray
::: 1 = Blue 9 = Light Blue
::: 2 = Green A = Light Green
::: 3 = Aqua B = Light Aqua
::: 4 = Red C = Light Red
::: 5 = Purple D = Light Purple
::: 6 = Yellow E = Light Yellow
::: 7 = White F = Bright White
Set MyColor=0E
Set MyWarningColor=CE
Color %MyColor%
::: Start to do something :::::::::::::::::::::::::::::::::
::: Your code comes here :::::::::::::::::::::::::::::::::
::: Check start options. e.g. Call ThisBatch DIR2 to Set permissions for DIR2 and its SUBDIRS only
If "%1"=="" Goto DIR1
If "%1"=="DIR1" Goto DIR1
If "%1"=="DIR2" Goto DIR2
Goto End
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::DIR 1 Example for all users and groups with a few exceptions.
:DIR1
Set TARGETDIR=DIR1
Echo Start with "%MAINDIR%%TARGETDIR%".
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite%
If %ERRORLEVEL% GTR 0 Goto Error
::: Echo ---- Remove grant for User2 from tree under "%MAINDIR%%TARGETDIR%"
::: icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" > nul
::: If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
::From SubMap1 remove User2
Set TARGETDIR=DIR1\SubMap1
Echo Start with "%MAINDIR%%TARGETDIR%".
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite% %DENIEDUSERS%
If %ERRORLEVEL% GTR 0 Goto Error
Echo ---- Remove grant for User2 from tree under "%MAINDIR%%TARGETDIR%"
icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" > nul
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
::Sub Map 2 has spaces. And Remove User2.
Set TARGETDIR=DIR1\Sub Map 2
Echo Start with "%MAINDIR%%TARGETDIR%".
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite% %DENIEDUSERS%
If %ERRORLEVEL% GTR 0 Goto Error
Echo ---- Remove grant for User2 from tree under "%MAINDIR%%TARGETDIR%"
icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" > nul
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
::SubMap3: also remove the Domain Users group, so only MYADGROUP and User1/User3 remain.
Set TARGETDIR=DIR1\Sub Map 2\SubMap3
Echo Start with "%MAINDIR%%TARGETDIR%".
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite% %DENIEDUSERS%
If %ERRORLEVEL% GTR 0 Goto Error
Echo ---- Remove grant for User2 and %RM_MYDOMAIN% from tree under "%MAINDIR%%TARGETDIR%"
icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" %RM_MYDOMAIN% > nul
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
::MyUsers can read. User1 can write, User3 is removed.
Set TARGETDIR=DIR1\SubMap4
Echo ---- Add exception to "%MAINDIR%%TARGETDIR%". (1: Users read)
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSRead% %DENIEDUSERS%
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
Echo ---- Add exception to "%MAINDIR%%TARGETDIR%". (2: User1 write)
::: /grant:r only replaces the explicit ACE of User1; the other ACEs set in step 1 stay.
icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% "MYDOMAIN\User1":(OI)(CI)M
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
Echo ---- Remove grant for "MYDOMAIN\User3" from entire tree under "%MAINDIR%%TARGETDIR%"
icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User3" > nul
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
If "%1"=="DIR1" Goto End
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::Users are not added. To be sure I remove them.
:DIR2
Set TARGETDIR=DIR2
Echo ---- Start with "%MAINDIR%%TARGETDIR%".
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %DENIEDUSERS%
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
Echo ---- Remove grant for %RM_MYUSERS% from entire tree under "%MAINDIR%%TARGETDIR%"
icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g %RM_MYUSERS% > nul
If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
If "%1"=="DIR2" Goto End
::: Without this jump a run without arguments would fall through into :Help.
Goto End
:Help
Help icacls
Goto End
::: We have a problem :::::::::::::::::::::::::::::::::::::
:Error
Color %MyWarningColor%
Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR%
Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR% >> "%LogFile%"
Goto Quit
::: We are done :::::::::::::::::::::::::::::::::::::::::::
:End
Echo %date% %time:~0,5% ::: Ready is Case for %ThisBatch%
Echo %date% %time:~0,5% ::: Ready is Case for %ThisBatch% >> "%LogFile%"
:Quit
Echo Hit any key to quit . . . & pause >nul
::: That's All ::::::::::::::::::::::::::::::::::::::::::::
```
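The script above uses /inheritance:r and /grant:r, which discard the existing DACL of every target; icacls has no undo for that. The batch file below is an added example and not part of the original page or the author's scripts: it saves the ACLs of the test tree with icacls /save before the permission script is run, and puts them back with icacls /restore when called with the argument undo. It assumes the page's test layout (E:\Temp\DIR1); the backup folder C:\ICTWebUtils\Batch\AclBackup and the script name SetPermissions.bat are hypothetical.

```batch
@Echo off
::: Added example (not from the original page): save the ACLs of a tree with
::: icacls /save before the permission script rewrites them, and restore them
::: on request with icacls /restore.
::: Assumptions: test layout E:\Temp\DIR1 from the page; the backup folder
::: C:\ICTWebUtils\Batch\AclBackup is a hypothetical path.
Setlocal
Set MAINDIR=E:\Temp\
Set TARGETDIR=DIR1
Set BACKUPDIR=C:\ICTWebUtils\Batch\AclBackup
Set ACLFILE=%BACKUPDIR%\%TARGETDIR%-acl.txt

If /I "%1"=="undo" Goto Restore

If not exist "%MAINDIR%%TARGETDIR%" Goto NoDir
If not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

::: /save writes the DACL (as SDDL) of the target and, with /t, of everything
::: below it to ACLFILE. /c keeps going when an object cannot be read.
::: The names in the file are stored relative to the parent of the saved
::: directory, so the restore below is run against MAINDIR, not the target.
Echo Saving ACLs of "%MAINDIR%%TARGETDIR%" to "%ACLFILE%"
icacls "%MAINDIR%%TARGETDIR%" /save "%ACLFILE%" /t /c >nul
If %ERRORLEVEL% GTR 0 Goto SaveFailed
Echo Saved. The permission script can now be run, e.g.
Echo   Call "%~d0%~p0SetPermissions.bat" %TARGETDIR%   (file name is an assumption)
Goto Quit

:Restore
If not exist "%ACLFILE%" Goto NoBackup
Echo Restoring ACLs under "%MAINDIR%%TARGETDIR%" from "%ACLFILE%"
icacls "%MAINDIR%" /restore "%ACLFILE%" /c
If %ERRORLEVEL% GTR 0 Echo Restore reported errors, see the output above.
Goto Quit

:NoDir
Echo Directory "%MAINDIR%%TARGETDIR%" does not exist.
Goto Quit
:NoBackup
Echo No backup file "%ACLFILE%" found, nothing restored.
Goto Quit
:SaveFailed
Echo Saving the ACLs failed, do not run the permission script.
:Quit
Endlocal
```

Run it once without arguments before the permission script, and as `AclBackup.bat undo` to roll back. Keep the saved file with the log: it is the only record of the DACLs that /inheritance:r removed.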
Explanation of the lines
- To follow
Result
- Select a folder or file.
- Right-click and choose 'Properties'.
- Then select the 'Security' tab and check the permissions that were set.
![](/images/PermissieOpMappen.jpg)
Removing permissions
Permissions can be removed in a similar way.
- I place the example batch files by default in C:\ICTWebUtils\Batch
```batch
@echo off
::: Template batchfile to remove permissions in shared directories
::: Jan Peppink - https://ict.peppink.nl
::: Prepare ::::::::::::::::::::::::::::::::::::::::::::::
::: %~0 - Remove any surrounding quotes (")
::: %~f0 - expands to fully qualified pathname with filename.
::: %~d0 - expands to drive letter
::: %~p0 - expands to path
::: %~n0 - expands to filename without extension
Set ThisBatch=%~0
Set LogFile=%~d0%~p0%~n0.log
Set OldLogFile=%~d0%~p0%~n0-old.log
If exist "%LogFile%" Echo Save %LogFile% to %OldLogFile%
If exist "%LogFile%" Move /y "%LogFile%" "%OldLogFile%" >nul
::: Start new empty logfile :::::::::::::::::::::::::::::::
Echo %date% %time:~0,5% ::: Start %ThisBatch%
Echo %date% %time:~0,5% ::: Start %ThisBatch% > "%LogFile%"
If "%1"=="-h" Goto Help
::: Set Environment :::::::::::::::::::::::::::::::::::::::
Set MAINDIR=\\MyServer\MyShare\
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: Define person/group to remove.
Set Remove_Them="MYDOMAIN\User2" "MYDOMAIN\User3"
Echo Remove permission for %Remove_Them%
:::: Color First Background Second ForeGround
::: 0 = Black 8 = Gray
::: 1 = Blue 9 = Light Blue
::: 2 = Green A = Light Green
::: 3 = Aqua B = Light Aqua
::: 4 = Red C = Light Red
::: 5 = Purple D = Light Purple
::: 6 = Yellow E = Light Yellow
::: 7 = White F = Bright White
Set MyColor=0E
Set MyWarningColor=CE
Color %MyColor%
::: Start to do something :::::::::::::::::::::::::::::::::
::: Your code comes here :::::::::::::::::::::::::::::::::
::: /remove:g takes away the granted (allow) ACEs of the named accounts in the
::: whole tree (/t); a deny ACE would need /remove:d.
Set TARGETDIR=DIR1
Echo ---- Start with "%MAINDIR%%TARGETDIR%".
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g %Remove_Them%
If %ERRORLEVEL% GTR 0 Goto Error
Set TARGETDIR=DIR2
Echo ---- Start with "%MAINDIR%%TARGETDIR%".
Echo %date% %time:~0,5% Start with %MAINDIR%%TARGETDIR% >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g %Remove_Them%
If %ERRORLEVEL% GTR 0 Goto Error
Goto End
:Help
Help icacls
Goto End
::: We have a problem :::::::::::::::::::::::::::::::::::::
:Error
Color %MyWarningColor%
Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR%
Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR% >> "%LogFile%"
Goto Quit
::: We are done :::::::::::::::::::::::::::::::::::::::::::
:End
Echo %date% %time:~0,5% ::: Ready is Case for %ThisBatch%
Echo %date% %time:~0,5% ::: Ready is Case for %ThisBatch% >> "%LogFile%"
:Quit
Echo Hit any key to quit . . . & pause >nul
::: That's All ::::::::::::::::::::::::::::::::::::::::::::
```
Explanation of the lines
The structure is largely the same as the earlier batch file. I only touch on a few points.
- 22: Sets the main directory (Set MAINDIR).
- 26: Specifies that user 2 and user 3 are the ones to be removed (Set Remove_Them).
- 48 and 54: Here the removal is carried out with the options /t /c /remove:g
- These options ensure that all granted access rights for the person or group are removed (:g). This is applied to all underlying directories and files (/t). The operation continues and ignores any errors (/c).
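The Result section above checks the outcome by hand in the Properties dialog, and the removal script relies on /remove:g having reached every object under the tree. The batch file below is an added example, not code from the page or its author: it lists the resulting DACL of the test tree into a log, runs icacls /verify, and uses icacls /findsid to confirm that the removed accounts (MYDOMAIN\User2 and User3, as in the removal script) no longer appear anywhere under E:\Temp\DIR1. It assumes that /findsid reports each hit on a line beginning with "SID Found:", which should be checked once on the Windows version in use. Note that /remove:g only takes away allow ACEs; a deny ACE such as the one for MYDOMAIN\User4 in the first script would need /remove:d, and the check below would also report it as a hit.

```batch
@Echo off
::: Added example (not from the original page): check the result of the
::: permission scripts from the command line.
::: Assumptions: test layout E:\Temp\DIR1 from the page; the accounts are the
::: ones the removal script targets; /findsid reports each hit on a line that
::: starts with "SID Found:" (verify this once on your own Windows version).
Setlocal
Set MAINDIR=E:\Temp\
Set TARGETDIR=DIR1
Set LogFile=%~d0%~p0%~n0.log
Set Check_Them="MYDOMAIN\User2" "MYDOMAIN\User3"

If not exist "%MAINDIR%%TARGETDIR%" Goto NoDir

::: 1. Dump the DACL of the target and everything below it (/t) into the log.
:::    On child objects icacls marks inherited ACEs with (I); an explicit ACE
:::    on a subfolder that was set with /inheritance:r shows up without it.
Echo %date% %time:~0,5% ::: DACL listing of %MAINDIR%%TARGETDIR% > "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" /t /c >> "%LogFile%"

::: 2. /verify lists objects whose ACL is not in canonical order (deny ACEs
:::    must precede allow ACEs) or whose length does not match its ACE count.
Echo %date% %time:~0,5% ::: icacls /verify >> "%LogFile%"
icacls "%MAINDIR%%TARGETDIR%" /verify /t /c >> "%LogFile%"

::: 3. Per account: /findsid walks the tree and prints every object that still
:::    carries an ACE for that account. findstr returns 1 when no such line
:::    exists, which is the expected result after the removal script.
For %%A in (%Check_Them%) do (
    Echo ---- Checking %%A under "%MAINDIR%%TARGETDIR%"
    icacls "%MAINDIR%%TARGETDIR%" /findsid %%A /t /c 2>nul | findstr /B /C:"SID Found:" >> "%LogFile%"
    If ERRORLEVEL 1 (Echo %%A: no ACE found, removal complete) Else (Echo %%A: still present, see "%LogFile%")
)
Echo Details are in "%LogFile%"
Goto Quit

:NoDir
Echo Directory "%MAINDIR%%TARGETDIR%" does not exist.
:Quit
Endlocal
```

The `If ERRORLEVEL 1` form is used inside the For block on purpose: `%ERRORLEVEL%` would be expanded once when the block is parsed, whereas `If ERRORLEVEL` is evaluated at run time for each account.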