CUIP Tech Site

For Tech Coordinators, NSP-CUIP Techs, and CUIP Staff

Batch User Creation - CACLS

Batch User Creation HOW-TO -- CACLS and Folder Security

Instructions

Create a worksheet for setting directory permissions.
1. In your Excel workbook, create a new sheet.
2. Name the new sheet 'secure'.
3. In cell A1 of sheet 'secure', enter =CONCATENATE("@echo off")
4. In cell A2 of sheet 'secure', enter
  =CONCATENATE("cacls c:\users\students\",YEAR(TODAY())+G-RIGHT(students.csv!E2,1),"\",students.csv!H2," /T /E /C /G ",students.csv!H2,":C administrators:f")
  making sure to replace "c:" with the letter of the drive where your students' home directories are stored and G with the value you came up with in the last stage of this HOW-TO (number of grades in school - one if and only if it is after Jan 1st).
5. AutoFill this formula for the rest of the students.
Export the worksheet as a batch file named 'secure.bat'.
1. From the 'File' menu, select 'Save As...'.
2. Set the file format to 'Text (OS/2 or MS-DOS)'.
3. Set the save location to '...\LoginProject\Batch\Students\'
4. Change the file extension to '.bat'.
5. Save the file.
6. Answer 'Yes' or 'Ok' to any prompts Excel gives you.
Run the batch file you've created by either...
- Opening the 'Batch\Students\' folder and double-clicking the file named 'secure.bat'
  OR
- In a DOS window, changing to the '...\Batch\Students\' directory, typing in 'secure.bat' and hitting ENTER.

Explanation

So now we have the accounts for every student, and a directory for each account. The logical next step would be to create network share for all those directories so that the students can log on and get started. However, we have to take security into account. We don't want just anybody to be able to get a students' directory; only the student and the network administrator should be allowed in. So in this step, you'll be creating a batch file that uses cacls.exe to set the permissions for each of the students' home directories. For more information on what cacls.exe can do and how to use it, see CACLS and XCACLS.

The first thing to do is return to your Excel workbook and create a new worksheet. Name this sheet 'secure,' since when we export it to a batch file, it will set up the security on the folders. Just like in the last step, enter the formula =CONCATENATE("@echo off) in cell A1. This will prevent DOS from showing the cacls.exe command line every time it is run, making the output easier to read if you need to look for errors. In cell A2, enter the formula

=CONCATENATE("cacls c:\users\students\",YEAR(TODAY())+G-RIGHT(students.csv!E2,1),"\",students.csv!H2," /T /E /C /G ",students.csv!H2,":C administrators:f")

Make sure to replace "c:\" with the drive letter for the drive where you made the student home directories in the last step, and G with the value from before. To understand this formula, keep in mind that the command itself has to come first, so we lead off with cacls. Since cacls works on a file or directory, the first argument is the directory we want to work on, hence c:\users\students\. This is followed by the formula that you used in the previous step to sort the students' home directories by their year of graduation. After the directory that we want to set the permissions for, we need some more arguments that cacls exactly what to do to the listed directory. '/T' tells cacls.exe to change (rather than display) the permissions on the listed directory, '/E' instructs it to leave any permissions not specified in the command alone (rather than replacing all of them), '/C' lets the program keep going if it runs into an error, and '/G' tells cacls that the next thing it will see is a user name to give permissions to, followed by the permissions to give. 'students.csv!H2',":C" tells cacls which user to give permissions to and what kind of permissions to give. In this case, the formula gets the user name that corresponds to the directory and tells cacls to give that user Change permissions. Finally, 'administrators:f' gives all the users who belong to the Administrators group full access to the directories.

If you've got everything setup right, the results in A2 should look like this, but with your data:

cacls c:\users\students\2005\SMITHA /T /E /C /G SMITHA:C administrators:f

Once you have the formula in cell A2 of 'secure,' AutoFill it for all the other students. Then, following the same procedures as in the last step (listed again above under Instructions as steps 2 and 3), export this worksheet to a batch file and run it.

CAN THIS SCRIPT BE RUN REMOTELY FROM A WORKSTATION OR DOES IT HAVE TO BE DONE AT THE PDC CONSOLE? I CAN'T REMEMBER.

Next: Batch User Creation - RMTSHARE
Previous: Batch User Creation - MD
Up: Batch User Creation - Table of Contents
See also: CUIP Home
See also: CUIP Tech Home
CUIP Tech Site Map(not yet working)

This page is: http://tech.cuip.net/topics/logins/cacls.html
Author: Ben Buckley, benb@cuip.net
Last updated at 09:11 2005n June 17, 2005.
It has had 777923 visitors.