Setting NTFS folder permissions with Icacls.exe and VBScript

In the VBScript example below, I’m using the Icacls.exe utility to assign modify permissions to the D:\Test folder for the user Oliver on the LOOMER domain (or local machine). The script includes as comments some good resources on the subject.

' http://support.microsoft.com/kb/919240
' http://technet.microsoft.com/en-us/magazine/2009.07.geekofalltrades.aspx
' http://timbolton.net/2010/06/23/icacls-changing-permissions-on-files-and-folders/

Dim strFolder, strUser, strDomain

strFolder = "D:\Test"
strUser = "Oliver"
strDomain = "LOOMER"

SetPermissions

Sub SetPermissions()
	Dim intRunError, objShell, objFSO, strCommand

	Set objShell = CreateObject("Wscript.Shell")
	Set objFSO = CreateObject("Scripting.FileSystemObject")
	If objFSO.FolderExists(strFolder) Then
		' /inheritance:r removes the ACEs inherited from the parent, so after this
		' call the explicit (OI)(CI)M grant for the user is the only ACE left on
		' the folder; /grant:r replaces any existing explicit grant for that user.
		' The path is quoted so that folder names containing spaces still work.
		strCommand = "icacls """ & strFolder & """ /inheritance:r /grant:r " & strDomain & "\" & strUser & ":(OI)(CI)M"
		intRunError = objShell.Run(strCommand, 2, True)

		If intRunError <> 0 Then
			Wscript.Echo "Error assigning permissions for user " & strUser & " to folder " & strFolder & " (icacls returned " & intRunError & ")"
		End If
	Else
		Wscript.Echo "Error: folder " & strFolder & " does not exist"
	End If
End Sub

This script is a work-in-progress. To be considered complete, I want it to be able to create multiple directories and assign them permissions. For extra credit, I want it to be able to accept as input a list of usernames from a text file and iterate through them, creating folders where necessary and assigning them permissions.
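As an added example (my own code, not part of the original post), here is one way to carry those work-in-progress items through: read usernames from a text file, create a folder per user under a base path where one is missing, and grant each user Modify on their own folder. It assumes a list file at C:\Scripts\users.txt, a base folder D:\Users and the LOOMER domain; because /inheritance:r strips the inherited entries, it also re-grants Administrators and SYSTEM explicitly so that administrators keep access to the folders they just created.

```vbscript
' Added example, not from the original post. Assumptions: C:\Scripts\users.txt
' holds one username per line (blank lines ignored), folders are created under
' D:\Users, and the accounts live in the LOOMER domain.
Option Explicit

Const ForReading = 1
Dim strBase, strDomain, strListFile
strBase = "D:\Users"
strDomain = "LOOMER"
strListFile = "C:\Scripts\users.txt"

Dim objShell, objFSO, objFile, strUser, strFolder, intRC
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

If Not objFSO.FolderExists(strBase) Then objFSO.CreateFolder strBase

Set objFile = objFSO.OpenTextFile(strListFile, ForReading)
Do Until objFile.AtEndOfStream
    strUser = Trim(objFile.ReadLine)
    If Len(strUser) > 0 Then
        strFolder = strBase & "\" & strUser
        If Not objFSO.FolderExists(strFolder) Then objFSO.CreateFolder strFolder
        intRC = GrantModify(strFolder, strDomain & "\" & strUser)
        If intRC <> 0 Then
            WScript.Echo "icacls failed (" & intRC & ") for " & strUser & " on " & strFolder
        Else
            WScript.Echo "Granted Modify to " & strUser & " on " & strFolder
        End If
    End If
Loop
objFile.Close

' Removes inherited ACEs, then grants the user Modify and re-grants
' BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) Full Control
' explicitly, since their inherited entries are gone. Returns the icacls exit
' code (0 on success). Paths and account names are quoted for spaces.
Function GrantModify(strPath, strAccount)
    Dim strCmd
    strCmd = "icacls """ & strPath & """ /inheritance:r" & _
             " /grant:r """ & strAccount & """:(OI)(CI)M" & _
             " *S-1-5-32-544:(OI)(CI)F *S-1-5-18:(OI)(CI)F"
    GrantModify = objShell.Run(strCmd, 0, True)
End Function
```

Run it from an elevated command prompt with cscript so the per-user messages print to the console; afterwards, `icacls D:\Users\<name>` shows the three explicit entries and confirms nothing is inherited.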

3 thoughts on “Setting NTFS folder permissions with Icacls.exe and VBScript”

  1. Astra

    Hi Oliver,

    I got one small query.

    Instead of using strUser = "Oliver", is there a way of picking up members from an AD group?
    Thanks!

  2. ardamis Post author

    That’s an interesting challenge, but I don’t have an immediate answer.

    There is a good article on how to script the lookup of a user’s OU from AD at http://blogs.technet.com/b/heyscriptingguy/archive/2004/10/21/how-can-i-determine-the-ou-a-user-account-belongs-to.aspx, but that doesn’t seem to be what you’re asking.

    It sounds like you want to query AD for a list of users that belong to a particular OU and then set NTFS permissions for each of those users. I can certainly see how this would be useful. If I come across a need to do this myself, I’ll come back and update this post.
