Permissions on shared folders

Purpose

A batch file as an example of setting read, write or full control on directories in a domain or on a PC with many users, where for instance permissions can be set selectively on data folders.

Motivation/considerations

Preparation

  • I put the example batch files in C:\ICTWebUtils\Batch by default.
  • After downloading: open the file's properties (right-click) and lift the block that is put on downloaded files before editing and using it.
    File name: ZetPermissies.bat
  • For local testing the file assumes an E: drive is present. Adjust this as needed, and likewise the users and user groups. Running it as-is is pointless.
  • I document all my files in broken English.
  • Further explanation and tips are given below the code, with reference to the line numbers.
@Echo off
::: Template batchfile to set permissions in shared directories
::: Jan Peppink - https://ict.peppink.nl
::: Prepare  ::::::::::::::::::::::::::::::::::::::::::::::
::: %~0   - Remove any surrounding quotes (")
::: %~f0  - expands to fully qualified pathname with filename.
::: %~d0  - expands to drive letter
::: %~p0  - expands to path
::: %~n0  - expands to filename without extension
 Set ThisBatch=%~0
 Set LogFile=%~d0%~p0%~n0.log
 Set OldLogFile=%~d0%~p0%~n0-old.log
 If exist "%LogFile%" Echo Save %LogFile% to %OldLogFile%
 If exist "%LogFile%" Move /y "%LogFile%" "%OldLogFile%" >nul

::: Start new empty logfile :::::::::::::::::::::::::::::::
 Echo %date% %time:~0,5% ::: Start %ThisBatch%
 Echo %date% %time:~0,5% ::: Start %ThisBatch% > "%LogFile%"
 If "%1"=="-h" Goto Help

::: Set Environment :::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: For Help information type: help icacls
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: - (OI)(CI):F means Full Control for This folder, Subfolders and Files
::: - (OI)(CI):M means Modify for This folder, Subfolders and Files
::: - (OI)(CI):RX means Read for This folder, Subfolders and Files
::: 
::: (OI) This folder and Files
::: (CI) This folder and Subfolders.
::: (OI)(CI) This folder, Subfolders, and Files.
::: (OI)(CI)(IO) Subfolders and Files only.
::: (CI)(IO) Subfolders only.
::: (OI)(IO) Files only.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Echo Define Options for Only Target or including subdirs and Files ::::::::::::
::: /inheritance:r removes inherited ACEs from the target; /grant:r replaces any
::: previously granted explicit rights for the listed principals.
 Set OPT_RECURSE=/c /inheritance:r /grant:r
 Set MAINDIR=\\MyServer\MyShare\
 Set TARGETDIR=

:::JUST TO TEST SET PATH TO TESTDRIVE AND CREATE DIRECTORIES
::: MAINDIR already ends with a backslash, so no extra one is added below.
 Set MAINDIR=E:\Temp\
 If not exist E:\ Goto Error
 If not exist E:\Temp mkdir E:\Temp
 If not exist "%MAINDIR%DIR1" mkdir "%MAINDIR%DIR1"
 If not exist "%MAINDIR%DIR1\SubMap1" mkdir "%MAINDIR%DIR1\SubMap1"
 If not exist "%MAINDIR%DIR1\Sub Map 2" mkdir "%MAINDIR%DIR1\Sub Map 2"
 If not exist "%MAINDIR%DIR1\Sub Map 2\SubMap3" mkdir "%MAINDIR%DIR1\Sub Map 2\SubMap3"
 If not exist "%MAINDIR%DIR1\SubMap4" mkdir "%MAINDIR%DIR1\SubMap4"
 If not exist "%MAINDIR%DIR2" mkdir "%MAINDIR%DIR2"

Echo Define Default Permissions for ALL Directories :::::::::::::::::::::::::::
::: for local PC 

::: for Domain
 Set DEFAULT="BUILTIN\Administrators":(OI)(CI)F "NT AUTHORITY\SYSTEM":(OI)(CI)F "CREATOR OWNER":(OI)(CI)F "MYDOMAIN\MY-ADMINGROUP":(OI)(CI)F

Echo Define AD groups :::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: First to give Read permission, Second to give Modify permission, Third is used to remove the permissions.
::: Call Existing group for All Domain users
 Set MYDOMAINRead="MYDOMAIN\Domain Users":(OI)(CI)RX
 Set MYDOMAINWrite="MYDOMAIN\Domain Users":(OI)(CI)M
 Set RM_MYDOMAIN="MYDOMAIN\Domain Users"

::: First to give Read permission, Second to give Modify permission, Third is used to remove the permissions.
::: Call Existing AD group
 Set MYADGROUPRead="MYDOMAIN\MYADGROUP":(OI)(CI)RX
 Set MYADGROUPWrite="MYDOMAIN\MYADGROUP":(OI)(CI)M
 Set RM_MYADGROUP="MYDOMAIN\MYADGROUP"

Echo Define Special specified groups - combination of users and/or groups :::::
::: First to give Read permission, Second to give Modify permission, Third is used to remove the permissions.
::: Self defined group
 Set MYUSERSWrite="MYDOMAIN\User1":(OI)(CI)M "MYDOMAIN\User2":(OI)(CI)M "MYDOMAIN\User3":(OI)(CI)M
 Set MYUSERSRead="MYDOMAIN\User1":(OI)(CI)RX "MYDOMAIN\User2":(OI)(CI)RX "MYDOMAIN\User3":(OI)(CI)RX
 Set RM_MYUSERS="MYDOMAIN\User1" "MYDOMAIN\User2" "MYDOMAIN\User3"

Echo Define specific Users or Groups to deny access :::::::::::::::::::::::::::
 Set DENIEDUSERS=/deny "MYDOMAIN\User4":(OI)(CI)F
 Set RM_DENIEDUSERS="MYDOMAIN\User4"

:::: Color First Background Second ForeGround
::: 0 = Black	 	8 = Gray
::: 1 = Blue		9 = Light Blue
::: 2 = Green		A = Light Green
::: 3 = Aqua		B = Light Aqua
::: 4 = Red 		C = Light Red
::: 5 = Purple	 	D = Light Purple
::: 6 = Yellow		E = Light Yellow
::: 7 = White		F = Bright White
 Set MyColor=0E
 Set MyWarningColor=CE
 Color %MyColor%

::: Start to do something :::::::::::::::::::::::::::::::::
::: Your code comes here  :::::::::::::::::::::::::::::::::

::: Check start options. e.g. Call ThisBatch DIR2 to Set permissions for DIR2 and its SUBDIRS only
 If "%1"=="" Goto DIR1
 If "%1"=="DIR1" Goto DIR1
 If "%1"=="DIR2" Goto DIR2
Goto End

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::DIR 1 Example for all users and groups with a few exceptions.
:DIR1
Set TARGETDIR=DIR1
 Echo Start with  "%MAINDIR%%TARGETDIR%".
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite%
 If %ERRORLEVEL% GTR 0 Goto Error
::: Echo ---- Remove grant for User2 from tree under "%MAINDIR%%TARGETDIR%"
::: icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" > nul
::: If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------

::From SubMap1 remove User2
Set TARGETDIR=DIR1\SubMap1
 Echo Start with  "%MAINDIR%%TARGETDIR%".
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite% %DENIEDUSERS%
 If %ERRORLEVEL% GTR 0 Goto Error
 Echo ---- Remove grant for User2 from tree under "%MAINDIR%%TARGETDIR%"
 icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" > nul
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------

::Sub Map 2 has spaces. And Remove User2.
Set TARGETDIR=DIR1\Sub Map 2
 Echo Start with  "%MAINDIR%%TARGETDIR%".
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite% %DENIEDUSERS%
 If %ERRORLEVEL% GTR 0 Goto Error
 Echo ---- Remove grant for User2 from tree under "%MAINDIR%%TARGETDIR%"
 icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" > nul
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------

Set TARGETDIR=DIR1\Sub Map 2\SubMap3
 Echo Start with  "%MAINDIR%%TARGETDIR%".
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSWrite% %DENIEDUSERS%
 If %ERRORLEVEL% GTR 0 Goto Error
 Echo ---- Remove grant for User2 and %RM_MYDOMAIN% from tree under "%MAINDIR%%TARGETDIR%"
 icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User2" %RM_MYDOMAIN% > nul
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------

::MyUsers can read. User1 can write, User3 is removed.
Set TARGETDIR=DIR1\SubMap4
 Echo ---- Add exception to "%MAINDIR%%TARGETDIR%". (1: Users read)
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %MYUSERSRead% %DENIEDUSERS%
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
Echo ---- Add exception to "%MAINDIR%%TARGETDIR%". (2: User1 write)
 icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% "MYDOMAIN\User1":(OI)(CI)M
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
 Echo ---- Remove grant for User3 from entire tree under "%MAINDIR%%TARGETDIR%"
 icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g "MYDOMAIN\User3" > nul
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
 If "%1"=="DIR1" Goto End

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::Users are not added. To be sure I remove them.
:DIR2
Set TARGETDIR=DIR2
 Echo ---- Start with  "%MAINDIR%%TARGETDIR%".
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" %OPT_RECURSE% %DEFAULT% %MYDOMAINRead% %MYADGROUPWrite% %DENIEDUSERS%
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
 Echo ---- Remove grant for %RM_MYUSERS% from entire tree under "%MAINDIR%%TARGETDIR%"
 icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g %RM_MYUSERS% > nul
 If %ERRORLEVEL% GTR 0 Goto Error
Echo --------------------------------------------------------------------------
 If "%1"=="DIR2" Goto End

:Help
 Help icacls
Goto End

::: We have a problem :::::::::::::::::::::::::::::::::::::
:Error
 Color %MyWarningColor%
 Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR%
 Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR% >> "%LogFile%"
Goto Quit

::: We are done :::::::::::::::::::::::::::::::::::::::::::
:End
 Echo %date% %time:~0,5% ::: Finished %ThisBatch%
 Echo %date% %time:~0,5% ::: Finished %ThisBatch% >> "%LogFile%"

:Quit
 Echo Hit any key to quit . . . & pause >nul
::: That's All ::::::::::::::::::::::::::::::::::::::::::::

Explanation of the lines

  • To follow

Result

  • Select a folder or file.
  • Right-click and choose 'Properties'.
  • Then select the 'Security' tab and check the permissions that have been set.
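That manual check can also be scripted. The PowerShell script below is an added example and not part of the original page or the batch files: it walks the test tree that ZetPermissies.bat creates, translates each ACE back into the (OI)(CI)(IO) notation the batch file uses, and reports folders where inheritance is still enabled, principals outside the expected list, or Full Control granted to anything other than the administrative accounts. The root path and principal names are the batch file's placeholders and are assumptions to adjust.

```powershell
# Added example: audit the ACLs that ZetPermissies.bat is expected to leave behind.
# Assumptions: the test layout E:\Temp\DIR1 and the MYDOMAIN\... placeholder names from the batch file.
param(
    [string]$Root = 'E:\Temp\DIR1',
    [string[]]$AllowedPrincipals = @(
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
        'MYDOMAIN\MY-ADMINGROUP', 'MYDOMAIN\Domain Users', 'MYDOMAIN\MYADGROUP',
        'MYDOMAIN\User1', 'MYDOMAIN\User2', 'MYDOMAIN\User3', 'MYDOMAIN\User4'
    )
)

# Translate the .NET inheritance/propagation flags back to the icacls notation used in the batch file.
function ConvertTo-IcaclsFlags {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $s = ''
    if ($Rule.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)    { $s += '(OI)' }
    if ($Rule.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) { $s += '(CI)' }
    if ($Rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)      { $s += '(IO)' }
    if ($Rule.IsInherited) { $s += '(I)' }
    return $s
}

$adminOnly = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|CREATOR OWNER|MYDOMAIN\\MY-ADMINGROUP)$'
$findings  = @()
foreach ($dir in @(Get-Item -LiteralPath $Root) + (Get-ChildItem -LiteralPath $Root -Directory -Recurse)) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # The batch file uses /inheritance:r on every folder it touches, so inheritance should be disabled there.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "$($dir.FullName): inheritance still enabled (expected /inheritance:r)"
    }
    foreach ($rule in $acl.Access) {
        $who   = $rule.IdentityReference.Value
        $flags = ConvertTo-IcaclsFlags $rule
        if ($AllowedPrincipals -notcontains $who) {
            $findings += "$($dir.FullName): unexpected principal $who $flags $($rule.AccessControlType) $($rule.FileSystemRights)"
        }
        # Ordinary users and groups get at most Modify (M) in the batch file; Full Control is reserved for admins.
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl -and
            $who -notmatch $adminOnly) {
            $findings += "$($dir.FullName): Full Control granted to $who $flags"
        }
    }
}
if ($findings.Count -eq 0) { 'OK: no deviations found' } else { $findings }
```

Run it from an elevated PowerShell on the machine where the batch file was executed; the (I) marker in the output flags ACEs that were inherited rather than set explicitly.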

Removing permissions

Permissions can be removed in a similar way.

  • I put the example batch files in C:\ICTWebUtils\Batch by default.
  • After downloading: open the file's properties (right-click) and lift the block that is put on downloaded files before editing and using it.
    File name: VerwijderPermissies.bat
@echo off
::: Template batchfile to remove permissions in shared directories
::: Jan Peppink - https://ict.peppink.nl
::: Prepare  ::::::::::::::::::::::::::::::::::::::::::::::
::: %~0   - Remove any surrounding quotes (")
::: %~f0  - expands to fully qualified pathname with filename.
::: %~d0  - expands to drive letter
::: %~p0  - expands to path
::: %~n0  - expands to filename without extension
 Set ThisBatch=%~0
 Set LogFile=%~d0%~p0%~n0.log
 Set OldLogFile=%~d0%~p0%~n0-old.log
 If exist "%LogFile%" Echo Save %LogFile% to %OldLogFile%
 If exist "%LogFile%" Move /y "%LogFile%" "%OldLogFile%" >nul

::: Start new empty logfile :::::::::::::::::::::::::::::::
 Echo %date% %time:~0,5% ::: Start %ThisBatch%
 Echo %date% %time:~0,5% ::: Start %ThisBatch% > "%LogFile%"
 If "%1"=="-h" Goto Help

::: Set Environment :::::::::::::::::::::::::::::::::::::::
 Set MAINDIR=\\MyServer\MyShare\

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: Define person/group to remove.
 Set Remove_Them="MYDOMAIN\User2" "MYDOMAIN\User3"
 Echo Remove permission for %Remove_Them%

:::: Color First Background Second ForeGround
::: 0 = Black	 	8 = Gray
::: 1 = Blue		9 = Light Blue
::: 2 = Green		A = Light Green
::: 3 = Aqua		B = Light Aqua
::: 4 = Red 		C = Light Red
::: 5 = Purple	 	D = Light Purple
::: 6 = Yellow		E = Light Yellow
::: 7 = White		F = Bright White
 Set MyColor=0E
 Set MyWarningColor=CE
 Color %MyColor%

::: Start to do something :::::::::::::::::::::::::::::::::
::: Your code comes here  :::::::::::::::::::::::::::::::::

 Set TARGETDIR=DIR1
 Echo ---- Start with  "%MAINDIR%%TARGETDIR%".
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g %Remove_Them%
 If %ERRORLEVEL% GTR 0 Goto Error

 Set TARGETDIR=DIR2
 Echo ---- Start with  "%MAINDIR%%TARGETDIR%".
 Echo %date% %time:~0,5% Start with  %MAINDIR%%TARGETDIR% >> "%LogFile%"
 icacls "%MAINDIR%%TARGETDIR%" /t /c /remove:g %Remove_Them%
 If %ERRORLEVEL% GTR 0 Goto Error
Goto End

:Help
 Help icacls
Goto End

::: We have a problem :::::::::::::::::::::::::::::::::::::
:Error
 Color %MyWarningColor%
 Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR%
 Echo %date% %time:~0,5% ::: Error detected in %ThisBatch% for %MAINDIR%%TARGETDIR% >> "%LogFile%"
Goto Quit

::: We are done :::::::::::::::::::::::::::::::::::::::::::
:End
 Echo %date% %time:~0,5% ::: Finished %ThisBatch%
 Echo %date% %time:~0,5% ::: Finished %ThisBatch% >> "%LogFile%"

:Quit
 Echo Hit any key to quit . . . & pause >nul
::: That's All ::::::::::::::::::::::::::::::::::::::::::::

Explanation of the lines

The structure is largely the same as the earlier batch file. I only touch on a few points.

  • 22 (Set MAINDIR): sets the main directory.
  • 26 (Set Remove_Them): specifies that User2 and User3 are to be removed.
  • 48 and 54: here the removal is carried out with the options /t /c /remove:g
  • These options remove all granted access rights for the person or group (:g). This is applied to all underlying directories and files (/t). The action continues and ignores any errors (/c).
