VBS: Create Folder Permissions
This script reads a given file system structure and creates domain local security groups based on folder names.
In addition, the script applies the corresponding permissions to the file system structure.
Examples
Folder Structure:
RootFolder
|- Department
| |- Department1
| |- Department2
|- Projects
| |- Project1
| | |- KickOff
| | |- Doing
| | |- Final
| |- Project2
|- General
Groups that will be created by script:
- FS_RootFolder_Department_L
- FS_RootFolder_Department_R
- FS_RootFolder_Department_W
- FS_RootFolder_Department_Department1_L
- FS_RootFolder_Department_Department1_R
- FS_RootFolder_Department_Department1_W
- FS_RootFolder_Department_Department2_L
- FS_RootFolder_Department_Department2_R
- FS_RootFolder_Department_Department2_W
- FS_RootFolder_Projects_L
- FS_RootFolder_Projects_R
- FS_RootFolder_Projects_W
- FS_RootFolder_Projects_Project1_L
- FS_RootFolder_Projects_Project1_R
- FS_RootFolder_Projects_Project1_W
- FS_RootFolder_Projects_Project1_KickOff_L
- FS_RootFolder_Projects_Project1_KickOff_R
- FS_RootFolder_Projects_Project1_KickOff_W
- FS_RootFolder_Projects_Project1_Doing_L
- FS_RootFolder_Projects_Project1_Doing_R
- FS_RootFolder_Projects_Project1_Doing_W
- FS_RootFolder_Projects_Project1_Final_L
- FS_RootFolder_Projects_Project1_Final_R
- FS_RootFolder_Projects_Project1_Final_W
- FS_RootFolder_Projects_Project2_L
- FS_RootFolder_Projects_Project2_R
- FS_RootFolder_Projects_Project2_W
- FS_RootFolder_General_L
- FS_RootFolder_General_R
- FS_RootFolder_General_W
Permission set to folders:
RootFolder\Department:
- <inherited from RootFolder>
- FS_RootFolder_Department_L ==> List folder Contents; This folder only
- FS_RootFolder_Department_R ==> Read; This folder, subfolders and files
- FS_RootFolder_Department_W ==> Write; This folder, subfolders and files
RootFolder\Department\Department1:
- <inherited from Department>
- <inherited from RootFolder>
- FS_RootFolder_Department_R ==> Read; This folder, subfolders and files
- FS_RootFolder_Department_W ==> Write; This folder, subfolders and files
- FS_RootFolder_Department_Department1_L ==> List folder Contents; This folder only
- FS_RootFolder_Department_Department1_R ==> Read; This folder, subfolders and files
- FS_RootFolder_Department_Department1_W ==> Write; This folder, subfolders and files
... and so on ...
Requirements
The script requires xcacls.vbs, which is provided by Microsoft. You can download it from here: >> MS Knowledgebase Article #825751
Compatibility Warning
This script was developed and tested on Windows Server 2008R2; it has known compatibility problems with newer operating systems.
! This script is no longer maintained !
Script code:
'**************************************************************************
'*
'* CreateFolderPermisson.vbs
'* Version 1.0
'* (c) 2012 Martin Müller
'* martin.mueller@sh-soft.com
'* www.sh-soft.com
'*
'* This script is provided as is, without any warranty!
'*
'**************************************************************************
'**************************************************************************
'* Definitions
'* Local path of the root folder. DoIt enumerates its subfolders and cuts
'* this prefix (plus one separator) off every path to get the relative path.
const BaseFolder = "C:\temp\test"
'* Share path; only written into the "description" attribute of the groups.
const ShareName = "\\server\share"
'* Number of folder levels below BaseFolder that DoIt descends into.
const FolderDepth = 3
'* Prefix and suffixes of the generated group names
'* (_L = list, _R = read, _W = write).
const prefix = "FS_"
const suffix_L = "_L"
const suffix_R = "_R"
const suffix_W = "_W"
'* ADsPath of the OU in which the groups are created (bound via GetObject).
const BASEDN = "LDAP://OU=filesystem,OU=groups,DC=customer,dc=local"
'* Domain name including the trailing backslash (presumably the NetBIOS
'* name); it is put in front of the group name in the xcacls grant arguments.
const DomainNB = "NBDomainName\"
'* WARNING: setting runACL to "true" will change directory permissions! Use this with care!
'* While it is false, DoIt creates the groups but starts no xcacls command.
const runACL = false
'* Command prefix used to start xcacls.vbs; <pathTo> is a placeholder that
'* has to be replaced with the real location.
'* NOTE(review): prefer an absolute path to a copy of xcacls.vbs stored where
'* only administrators can write, so the intended script is the one executed.
const xcaclsString = "cscript.exe <pathTo>xcacls.vbs"
'* Safety switch: while false, DoIt only prints a reminder and changes nothing.
const ScriptEnabled = false
'**************************************************************************
'* SYSTEM Definitions (do not Change)
'* ADSI group type flags; DoIt adds them together for the "groupType"
'* attribute (domain local scope + security enabled).
const ADS_GROUP_TYPE_LOCAL_GROUP = &h4
const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
'* Entry point: start processing at BaseFolder with the configured depth.
DoIt BaseFolder, FolderDepth
'**************************************************************************
'* The Script
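' DoIt: walks the subfolders of strFolder, creates three domain local
' security groups (list / read / write) per subfolder in the OU named by
' BASEDN and, when runACL is true, grants these groups access to the
' subfolder through xcacls.vbs. Recurses until strMaxLevel drops below 1.
'
'   strFolder   - folder whose direct subfolders are processed
'   strMaxLevel - number of levels still to descend
'
' Unless ScriptEnabled is true the routine only prints a reminder.
' No "On Error Resume Next" is used: a failing SetInfo (for example because
' a group already exists) stops the script instead of continuing silently.
SUB DoIt(strFolder, strMaxLevel)
    Dim objFSO, objFolder, objOU, SubFolder, wshshell
    Dim FP, RP, GN, GN_L, GN_R, GN_W, strQuotedPath

    IF NOT ScriptEnabled THEN
        wscript.echo "Please configure the Parameters first!!!"
        EXIT SUB
    END IF

    SET objFSO = CreateObject("Scripting.FileSystemObject")
    SET objFolder = objFSO.GetFolder(strFolder)
    SET objOU = GetObject(BASEDN)

    IF strMaxLevel >= 1 THEN
        FOR EACH SubFolder IN objFolder.SubFolders
            FP = SubFolder.Path
            ' Path relative to BaseFolder; assumes BaseFolder is configured
            ' without a trailing backslash.
            RP = Right(FP, Len(FP) - Len(BaseFolder) - 1)

            ' Group name = prefix + relative path with "\" turned into "-".
            ' For FolderDepth = 3 this yields the same names as the former
            ' per-level branches, but it also works for any other depth
            ' (the branches failed or produced colliding names there).
            GN = prefix & Replace(RP, "\", "-")

            wscript.echo "Creating groups W, R, L for directory: " & RP
            GN_L = GN & suffix_L
            GN_R = GN & suffix_R
            GN_W = GN & suffix_W

            CreateFolderGroup objOU, GN_L, "L", RP
            CreateFolderGroup objOU, GN_R, "R", RP
            CreateFolderGroup objOU, GN_W, "W", RP

            IF runACL THEN
                ' NOTE(review): the new groups must already be resolvable on
                ' the machine that applies the ACL; this is not checked here.
                SET wshshell = WScript.CreateObject ("wscript.shell")
                ' Quote the path and every account:permission token so that a
                ' folder name containing spaces stays a single argument and
                ' cannot add or alter xcacls switches.
                strQuotedPath = Chr(34) & FP & Chr(34)
                wscript.echo ". Setting Permissions on folder..."
                wscript.echo ".. LIST"
                RunXcacls wshshell, strQuotedPath & " /E /G " & Chr(34) & DomainNB & GN_L & ":L" & Chr(34) & " /SPEC A /q"
                wscript.echo ".. READ"
                RunXcacls wshshell, strQuotedPath & " /E /G " & Chr(34) & DomainNB & GN_R & ":X" & Chr(34) & " /q"
                wscript.echo ".. WRITE"
                ' The original only echoed this command, so the write group
                ' never received any permission. It is executed now.
                ' NOTE(review): the grant arguments are unchanged from the
                ' original; verify them on a test folder before production use.
                RunXcacls wshshell, strQuotedPath & " /E /G " & Chr(34) & DomainNB & GN_W & ":M" & Chr(34) & " " & Chr(34) & DomainNB & GN_W & ":7" & Chr(34) & " /q"
                SET wshshell = Nothing
            END IF

            DoIt FP, (strMaxLevel - 1)
        NEXT
    END IF

    SET objOU = Nothing
    SET objFolder = Nothing
    SET objFSO = Nothing
END SUB

' Creates one domain local, security-enabled group called strName in objOU.
' strKind ("L", "R" or "W") and strRelPath only go into the description.
' NOTE(review): strName is derived from folder names and used unescaped as
' RDN value; names containing LDAP special characters (such as "," or "+")
' or exceeding the 64 character limit of cn will make Create/SetInfo fail.
SUB CreateFolderGroup(objOU, strName, strKind, strRelPath)
    Dim objGroup
    SET objGroup = objOU.Create("Group", "cn=" & strName)
    objGroup.Put "sAMAccountName", strName
    objGroup.Put "description", "Access Permission " & strKind & " to folder: " & ShareName & "\" & strRelPath
    objGroup.Put "groupType", ADS_GROUP_TYPE_LOCAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED
    objGroup.SetInfo
    SET objGroup = Nothing
END SUB

' Runs xcacls.vbs with strArgs and waits for it to finish, so the three ACL
' edits on one folder cannot overlap and overwrite each other's result.
' A non-zero exit code is reported instead of being ignored.
SUB RunXcacls(objShell, strArgs)
    Dim lngExit
    lngExit = objShell.Run(xcaclsString & " " & strArgs, 1, True)
    IF lngExit <> 0 THEN
        wscript.echo "!! xcacls returned exit code " & lngExit & " for: " & strArgs
    END IF
END SUB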