resetACL.bat


When data is moved to a new domain (in a domain migration or a disaster recovery scenario, for instance), the Access Control Lists (ACLs) of the files still contain user accounts from the old domain. Recreating user accounts with the same names in the new domain does not solve the problem, because ACLs work by security identifier (SID), not by account name: an account recreated in the new domain gets a new SID, and the old entries remain in the ACLs as SIDs that no longer resolve to anything. It is therefore necessary to reset the ACLs. To do this, we first let the Administrator of the new domain take ownership of the files. The owner of a file can always change its permissions, so this allows the Administrator to modify the ACLs, which is the next step in the script. When setting the ACLs we replace them entirely rather than editing them, so that the old accounts are removed.

After the Administrator has taken ownership, we give all our users read access to the files. In a second stage, specific user groups are given read and write access to specific folders. Those groups and folders are listed in a text file which resetACL.bat reads from.

REM resetACL.bat : reset ACLs after a domain migration
REM Run as the Administrator of the new domain, from the directory that holds dir_users.txt

REM The list of groups and folders is needed in the second stage : stop before touching anything if it is missing
IF NOT EXIST dir_users.txt ECHO dir_users.txt missing && EXIT /B 1

REM Current user (administrator) takes ownership, recursively
REM (only F:\ here; if the files on E:\ also come from the old domain, take ownership there as well,
REM  otherwise the XCACLS /P below has no right to replace their ACLs)
takeown /f F:\ /R

REM Use XCACLS.exe : more control over inheritance for newly created files
REM resort to CACLS if XCACLS is missing

REM GENERAL SETTINGS for DATA and DISTRIBUTION
REM 	basic ACL : 	Admin, DomainAdmin	Full Control
REM 				Domain Users		Read
REM /P without /E replaces the whole ACL, so every entry of the old domain disappears
REM "f;f" and "r;r" : first part applies to files, second part to directories (and so to files created in them later)

xcacls E:\ /C /T /Y /P SYSTEM:f;f Administrators:f;f Domeinadministrators:f;f lTeam:r;r
xcacls F:\ /C /T /Y /P SYSTEM:f;f Administrators:f;f Domeinadministrators:f;f lTeam:r;r


REM Add specific ACL by directory by team : Read/Write for specified group
REM dir_users.txt : one "<group> <path>" per line; "tokens=1,*" puts the group in %%i and the rest of the line in %%j
REM /E edits the ACL set above instead of replacing it; paths are quoted so that spaces in folder names survive

FOR /F "tokens=1,*" %%i in (dir_users.txt) DO (

	if not exist "%%j\NUL" MD "%%j"
	xcacls "%%j" /c /y /t /e /g "%%i":rcd;ew
)
:batchend
EXIT /B 0

The input file (dir_users.txt) has one line per group: the group name first, then the full path of the folder, separated by spaces or tabs. Because the script reads the rest of the line as the path, the path must be the last thing on the line; trailing spaces or tabs would become part of the directory name. It should look something like this :


	lTeamleiders		F:\documents\legal
	lTeamleiders		F:\documents\office
	lTeam_ND		F:\documents\office\management
	lTeam_PT		F:\documents\production
	lTeam_CT		F:\documents\communication
	lTeam_ST		F:\documents\sales
	lTeam_FT		F:\documents\finance
	Teamleiders_FT		F:\documents\finance\financial_director
	lTeam			F:\databasereports
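
The same job can be done with the .NET ACL classes from PowerShell instead of takeown and XCACLS. The following is an added example, not part of resetACL.bat and not code from its author. It serves two passages of this page: the introduction's point that old-domain entries survive as SIDs that no longer resolve (Find-StaleAce reports those entries, and removes them with -Purge, which is a more surgical alternative to wiping the ACL), and the dir_users.txt stage above (Grant-TeamAccess reads that exact line format and grants each group read/write on its folder). It assumes it runs in the new domain as a domain account that already owns the files; 'F:\', 'dir_users.txt', the Modify right as the nearest built-in equivalent of the script's rcd;ew, and the choice to take group names from the current user's domain ($env:USERDOMAIN) are all assumptions of the example.

```powershell
# Added example, not resetACL.bat itself. Assumes: run in the new domain as a domain
# account that already owns the files (takeown done); F:\ and dir_users.txt are example values.

$SidType = [System.Security.Principal.SecurityIdentifier]
$NtType  = [System.Security.Principal.NTAccount]

function Test-StaleAce {
    # True when the ACE's SID is not an account of this domain or of this machine.
    param([System.Security.AccessControl.AccessRule]$Rule)
    $sid = [System.Security.Principal.SecurityIdentifier]$Rule.IdentityReference
    # Well-known SIDs (SYSTEM, BUILTIN\Administrators, Everyone ...) have no domain part: keep them
    if ($null -eq $sid.AccountDomainSid) { return $false }
    try {
        $domain = $sid.Translate($NtType).Value.Split('\')[0]
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true   # maps to no account any more: the old domain is gone
    }
    # Still resolvable, but only through a trust to another domain: stale as well
    return ($domain -ne $env:USERDOMAIN) -and ($domain -ne $env:COMPUTERNAME)
}

function Find-StaleAce {
    # Reports every explicit ACE on the tree that Test-StaleAce flags; -Purge removes them.
    param([string]$Root = 'F:\', [switch]$Purge)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs, not names, so unresolvable entries are not hidden by name translation;
        # explicit entries only: inherited ones disappear together with their parent's entry
        $stale = @($acl.GetAccessRules($true, $false, $SidType) | Where-Object { Test-StaleAce $_ })
        foreach ($rule in $stale) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }
            if ($Purge) { $acl.PurgeAccessRules($rule.IdentityReference) }
        }
        if ($Purge -and $stale.Count -gt 0) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

function Grant-TeamAccess {
    # Reads the dir_users.txt format of resetACL.bat ("<group> <path>" per line) and gives the group
    # Modify on the folder, inherited by subfolders and files (the script's xcacls /E /G step).
    param([string]$ListFile = 'dir_users.txt')
    foreach ($raw in Get-Content -LiteralPath $ListFile) {
        $line = $raw.Trim()                       # trailing tabs would otherwise end up in the path
        if (-not $line) { continue }
        $group, $path = $line -split '\s+', 2     # first token = group, rest of line = path
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            New-Item -ItemType Directory -Path $path | Out-Null
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$env:USERDOMAIN\$group",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl = Get-Acl -LiteralPath $path
        $acl.AddAccessRule($rule)                 # edit the existing ACL, as xcacls /E does
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

# Usage: report first, purge only when the report shows nothing you still need, then grant.
#   Find-StaleAce -Root 'F:\' | Format-Table
#   Find-StaleAce -Root 'F:\' -Purge
#   Grant-TeamAccess -ListFile 'dir_users.txt'
```

Run the report before the purge: an entry for a SID that still resolves through a trust to the old domain is listed as stale too, and the report is the record of what the migration drops. As in the script, the base ACL is settled first and the team grants are added afterwards, because AddAccessRule edits the ACL in place rather than replacing it.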


The directory structure is based on considerations explained in "File and Directory Management".


Koen Noens
june 7, 2005