JSI Tip 8626. How can I create a sub-folder and hidden share for every user, granting them Change permission?

A visitor asked how he could create a project sub-folder for every domain user, create a hidden share, and grant the user Change permission on the sub-folder and hidden share, while granting the Domain Admins group and the System account Full Control on the sub-folder.

Using GetUsers.bat, SubInAcl.exe, and the CACLS and NET SHARE commands, I have scripted CreateUserFolder.bat.

To use the CreateUserFolder.bat script, first create the parent folder and grant the Domain Admins group and System account Full Control, removing all other permissions, and removing inheritance from the parent folder. The user sub-folders that are created will inherit these permissions.

On the server that will host these sub-folders and hidden shares, run CreateUserFolder FolderPath [HiddenPrefix], where:

FolderPath is the path to the parent folder, like C:\ProjectX, without any spaces, and HiddenPrefix is an optional parameter that will prefix the hidden share name, so it will be HiddenPrefixUserName$ instead of just UserName$.


If your domain contains User1, User2, and User3, and you wanted to create:

Folder               Share
c:\Project123\User1  P123_User1$
c:\Project123\User2  P123_User2$
c:\Project123\User3  P123_User3$

1. Create the C:\Project123 folder.

2. Remove inheritance from C:, granting Domain Admins and the System account Full Control of C:\Project123.

3. Run CreateUserFolder C:\Project123 P123_

When you are finished, only User1 will have access to the P123_User1$ hidden share, and only User1, the Domain Admins group, and the System account will have access to c:\Project123\User1.

CreateUserFolder.bat contains:

@echo off
REM CreateUserFolder FolderPath [HiddenPrefix]
if {%1}=={} @echo Syntax: CreateUserFolder FolderPath [HiddenPrefix]&goto :EOF
if not exist %1 @echo CreateUserFolder - %1 does not exist.&goto :EOF
setlocal
set folder=%1
set SharePre=
if not {%2}=={} set SharePre=%2
pushd %folder%
REM GetUsers.bat lists every user in the domain, one name per line.
for /f "Tokens=*" %%u in ('getusers') do (
 REM Create the user's sub-folder; it inherits Domain Admins/System Full Control from the parent.
 MD %%u
 REM Grant the user Change (C) on the sub-folder, editing the existing ACL rather than replacing it.
 echo y| cacls %%u /E /C /G %USERDOMAIN%\%%u:C
 REM Create the hidden share (trailing $) for the sub-folder.
 net share %SharePre%%%u$=%folder%\%%u
 REM Grant the user Change on the share and remove the default Everyone permission.
 subinacl /share \\%ComputerName%\%SharePre%%%u$ /GRANT=%USERDOMAIN%\%%u=C /REVOKE=Everyone
)
popd
endlocal
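The following is an added example, not the tip's own CreateUserFolder.bat, that performs the same three steps (prepare the parent folder, then create a sub-folder and a hidden share per user) with the PowerShell cmdlets that ship with Windows Server 2012 and later, and then verifies the result. It assumes it is run elevated on the file server, that the SmbShare and ActiveDirectory modules are available, and that Get-ADUser stands in for GetUsers.bat; the folder path and prefix are the same constructed sample values used above.

```powershell
# Added example: PowerShell equivalent of the tip's CreateUserFolder.bat.
# Assumed: run elevated on the file server; SmbShare and ActiveDirectory modules present.
param(
    [Parameter(Mandatory)][string]$FolderPath,   # sample value: C:\Project123
    [string]$HiddenPrefix = ''                   # sample value: P123_
)

$domain    = $env:USERDOMAIN
$admins    = "$domain\Domain Admins"
$system    = 'NT AUTHORITY\SYSTEM'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Steps 1 and 2: create the parent, cut inheritance, and leave only
# Domain Admins and SYSTEM with Full Control (the tip's manual preparation).
New-Item -ItemType Directory -Path $FolderPath -Force | Out-Null
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, discard inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null          # drop any explicit leftovers
}
foreach ($id in $admins, $system) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', $inherit, $propagate, $allow))
}
Set-Acl -Path $FolderPath -AclObject $acl

# Step 3: one sub-folder and one hidden share per domain user.
# Get-ADUser replaces GetUsers.bat; only enabled accounts get a folder.
$users = Get-ADUser -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty SamAccountName

foreach ($user in $users) {
    $sub = Join-Path $FolderPath $user
    New-Item -ItemType Directory -Path $sub -Force | Out-Null

    # NTFS: the user gets Modify (cacls "C", Change) on their own folder only;
    # Domain Admins and SYSTEM Full Control arrive by inheritance from the parent.
    $subAcl = Get-Acl -Path $sub
    $subAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        "$domain\$user", 'Modify', $inherit, $propagate, $allow))
    Set-Acl -Path $sub -AclObject $subAcl

    # Share: the trailing $ hides it from browse lists; -ChangeAccess grants the
    # user Change. Everyone is revoked explicitly, matching "subinacl /REVOKE=Everyone".
    $shareName = "$HiddenPrefix$user`$"
    if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $shareName -Path $sub -ChangeAccess "$domain\$user" | Out-Null
    }
    Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
}

# Verification: each share should list only the user, and each folder only the
# user (explicit, Modify) plus the two inherited Full Control entries.
foreach ($user in $users) {
    $shareName = "$HiddenPrefix$user`$"
    Get-SmbShareAccess -Name $shareName |
        Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
    (Get-Acl -Path (Join-Path $FolderPath $user)).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Run it as .\CreateUserFolder.ps1 -FolderPath C:\Project123 -HiddenPrefix P123_ to reproduce the example above. The verification loop at the end is the check worth keeping: an unexpected Everyone entry on a share, or an explicit Full Control entry on a user's folder, means the least-privilege layout the tip describes was not achieved.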
