Admin access to roaming profiles (existing folders)

I'm trying to figure out how to give administrators access to roaming profile folders stored on a server. I've set "Add the administrators security group to roaming user profiles" in a group policy object which takes care of any future profiles, but now I'm stuck with approx 5000 existing folders to which administrators do not have access.

I believe the process to give admin access is:

1. Take ownership as admin (recursively).
2. Grant full control to administrators.
3. Give ownership back to the original user (recursively).

However, doing this manually is a huge pain and considering we have about 5000 folders to go through, I would prefer an automated solution. Any suggestions would be appreciated.

Cheers,
Rickard

Rickard <rickard.anders***@gmail.com> wrote:
> I'm trying to figure out how to give administrators access to roaming
> profile folders stored on a server. I've set "Add the administrators
> security group to roaming user profiles" in a group policy object
> which takes care of any future profiles, but now I'm stuck with approx
> 5000 existing folders to which administrators do not have access.

Been there :)

> I believe the process to give admin access is:
>
> 1. Take ownership as admin (recursively).
> 2. Grant full control to administrators.
> 3. Give ownership back to the original user (recursively).
>
> However, doing this manually is a huge pain and considering we have
> about 5000 folders to go through, I would prefer an automated
> solution. Any suggestions would be appreciated.
>
> Cheers,
> Rickard

XCACLS is your friend.

This may make it easier:

http://www.sh-soft.com/front_content.php?idcat=19

I love me a command line, but sometimes a GUI is helpful.

On 19 Nov, 17:20, "Lanwench [MVP - Exchange]"
<lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> XCACLS is your friend.

I'm sure it is. I'm no scripting wiz though. I figured this was a common problem and that maybe there was an existing solution.

I had a look at xcacls.vbs and I understand how to use it. I am however uncertain how to reset the ownership once I've taken ownership and given administrators full control. You know, I have to make the original user owner again in order for him/her to be able to login.

While we're on the subject, what's the difference between cacls, xcacls.exe and xcacls.vbs?

> This may make it easier:
>
> http://www.sh-soft.com/front_content.php?idcat=19
>
> I love me a command line, but sometimes a GUI is helpful.

Looks cool. It appears to only support a small subset of XCACLS.vbs though. Look at this:
http://www.sh-soft.com/upload/50-Tools/xcacls/mainform_sections_1.png

Pegasus: I did search for an existing topic on the subject, but I wasn't able to find anything. Also, the topic you referred to didn't exactly contain the solution.

Cheers,
Rickard

I've been playing with xcacls.vbs a bit and I'm making progress. There
are still some problems though. I created a new account and logged in in order to get a "template" of the permissions that are to be assigned to all the old folders. Here's the output from xcacls.vbs:

Allowed OURDOMAIN\test07ra Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
Allowed OURDOMAIN\test07ra Special (Unknown) Subfolders and Files
Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and Files
Allowed BUILTIN\Administrators Special (Unknown) Subfolders and Files

Here's the output for the same folder using fileacl's /ADVANCED switch:

V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:RrRaRepWwAWaWePXDDcO/U/U
V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO/U/U
V:\Shared\Profile\test07ra;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO/U/U
V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:U/F/F
V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:U/F/F
V:\Shared\Profile\test07ra;BUILTIN\Administrators:U/F/F

In other words, when the profile folder is created upon first login, the above permissions are assigned to the folder. What does "Special (Unknown)" mean?

What I'm desperately looking for is instructions on how to duplicate these exact permissions onto other folders. With test07ra replaced with the respective usernames of course. I've tried fileacl's /BATCH switch, but it doesn't work as expected. This is what fileacl spits out for the test07ra folder when using the /BATCH switch:

V:\Shared\Profile>fileacl.exe test07ra /BATCH /SUBS
FILEACL V:\Shared\Profile\test07ra /INHERIT /REPLACE /SUB
FILEACL V:\Shared\Profile\test07ra /S "CAMPUSHBG\test07ra":F/U/U /S "NT AUTHORITY\SYSTEM":F/U/U /S "BUILTIN\Administrators":F/U/U /S "CAMPUSHBG\test07ra":U/F/F /S "NT AUTHORITY\SYSTEM":U/F/F /S "BUILTIN\Administrators":U/F/F /REPLACE /PROTECT

However, if I run these two commands on another folder, I end up with:

V:\Shared\Profile>fileacl.exe test2 /ADVANCED
V:\Shared\Profile\test2;BUILTIN\Administrators:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
V:\Shared\Profile\test2;NT AUTHORITY\SYSTEM:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
V:\Shared\Profile\test2;CAMPUSHBG\test2:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO

which is not the same as the folder from which I "copied" the permissions.

I'm lost!

Rickard <rickard.anders***@gmail.com> wrote:
> I've been playing with xcacls.vbs a bit and I'm making progress. There
> are still some problems though. I created a new account and logged in
> in order to get a "template" of the permissions that are to be
> assigned to all the old folders. Here's the output from xcacls.vbs:
>
> Allowed OURDOMAIN\test07ra Full Control This Folder
> Only
> Allowed NT AUTHORITY\SYSTEM Full Control This Folder
> Only
> Allowed BUILTIN\Administrators Full Control This Folder
> Only
> Allowed OURDOMAIN\test07ra Special (Unknown) Subfolders and
> Files
> Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and
> Files
> Allowed BUILTIN\Administrators Special (Unknown) Subfolders and
> Files
>
> Here's the output for the same folder using fileacl's /ADVANCED
> switch:
>
> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:RrRaRepWwAWaWePXDDcO/U/U
> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO/U/
> U
> V:\Shared\Profile\test07ra;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO/
> U/U
> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:U/F/F
> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:U/F/F
> V:\Shared\Profile\test07ra;BUILTIN\Administrators:U/F/F
>
> In other words, when the profile folder is created upon first login,
> the above permissions are assigned to the folder. What does "Special
> (Unknown)" mean?
>
> What I'm desperately looking for is instructions on how to duplicate
> these exact permissions onto other folders. With test07ra replaced
> with the respective usernames of course. I've tried fileacl's /
> BATCH switch, but it doesn't work as expected. This is what fileacl
> spits out for the test07ra folder when using the /BATCH switch:
>
> V:\Shared\Profile>fileacl.exe test07ra /BATCH /SUBS
> FILEACL V:\Shared\Profile\test07ra /INHERIT /REPLACE /SUB
> FILEACL V:\Shared\Profile\test07ra /S "CAMPUSHBG\test07ra":F/U/U /S
> "NT AUTHORITY\SYSTEM":F/U/U /S "BUILTIN\Administrators":F/U/U /S
> "CAMPUSHBG\test07ra":U/F/F /S "NT AUTHORITY\SYSTEM":U/F/F /S "BUILTIN
> \Administrators":U/F/F /REPLACE /PROTECT
>
> However, if I run these two commands on another folder, I end up with:
>
> V:\Shared\Profile>fileacl.exe test2 /ADVANCED
> V:\Shared\Profile\test2;BUILTIN\Administrators:U/RrRaRepWwAWaWePXDDcO/
> RrRaRepWwAWaWePXDDcO
> V:\Shared\Profile\test2;NT AUTHORITY\SYSTEM:U/RrRaRepWwAWaWePXDDcO/
> RrRaRepWwAWaWePXDDcO
> V:\Shared\Profile\test2;CAMPUSHBG\test2:U/RrRaRepWwAWaWePXDDcO/
> RrRaRepWwAWaWePXDDcO
>
> which is not the same as the folder from which I "copied" the
> permissions.
>
> I'm lost!

Note - I'm not a scripting guru either. And as much as I love command lines, this particular sort of thing makes me nervous. Last time I did this, I used the GUI in the link I originally posted for you - and *added* the group Administrators, without changing anything else. Sorry I can't help further; you might post in m.p.windows.server.scripting if you want to do this without the little gui helper.

On 20 Nov, 15:28, "Lanwench [MVP - Exchange]"
<lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> Note - I'm not a scripting guru either. And as much as I love command lines,
> this particular sort of thing makes me nervous. Last time I did this, I used
> the GUI in the link I originally posted for you - and *added* the group
> Administrators, without changing anything else. Sorry I can't help further;
> you might post in m.p.windows.server.scripting if you want to do this
> without the little gui helper.

After a few hours of trial and error, this is what I came up with:

@echo off
for /F "tokens=*" %%* in ('dir /ad /b *') do call :Sub %%*
goto :eof

:Sub
subinacl.exe /file %* /objectcopysecurity=templateuser >> fix.log
echo Processing %* ...
subinacl.exe /file %* /replace=templateuser=%* >> fix.log
fileacl.exe %* /INHERIT /REPLACE /NOROOT /SUB /FILES >> fix.log
fileacl.exe %* /O %* /NOROOT /SUB /FILES >> fix.log

It iterates through all directories and for each directory does the following:

1. Copies the permissions from the folder templateuser to the current directory (this also changes the owner).
2. Replaces the permissions for "templateuser" that were copied in step 1 with the username that matches the current directory.
3. Removes all non-standard permissions from subdirectories and files in the current directory and sets the inherit flag (inherit from parent).
4. Sets the owner back to the current user.

At first I was attempting to set the permissions manually as opposed to copying them from a folder with the correct permissions, but I was unable to replicate the permissions perfectly. subinacl.exe with the /objectcopysecurity and /replace switches really came to the rescue.

I just ran it overnight. I'm going to browse through fix.log to see if there were any problems, but looking at a sample of maybe 10 folders, it appears to have worked beautifully!

Thanks for the help.

Cheers,
Rickard
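
A read-only check that could be run after the batch job above instead of sampling folders by hand (added example, not part of the original thread): it confirms that each profile folder is owned by the user it is named after and that both that user and BUILTIN\Administrators hold an Allow Full Control entry. The domain name, the report path and the Test-FullControl helper are assumptions made for illustration; the profile path is the one shown in the thread.

```powershell
# Added example: read-only audit of the profile share after the ACL fix.
# Assumptions: every folder is named after its user; $Domain is a placeholder.
param(
    [string]$ProfileRoot = 'V:\Shared\Profile',  # path shown in the thread
    [string]$Domain      = 'OURDOMAIN',          # placeholder domain name
    [string]$ReportPath  = '.\profile-acl-audit.csv'
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

# True if $Acl holds an Allow ACE giving $Account full control of the folder.
function Test-FullControl($Acl, [string]$Account) {
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ieq $Account -and
            ($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

$results = foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $user = "$Domain\$($dir.Name)"
    $row  = [ordered]@{ Folder = $dir.Name; Owner = ''; OwnerOk = $false
                        UserFull = $false; AdminsFull = $false; Error = '' }
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $row.Owner      = $acl.Owner
        $row.OwnerOk    = $acl.Owner -ieq $user    # step 4: owner handed back
        $row.UserFull   = Test-FullControl $acl $user
        $row.AdminsFull = Test-FullControl $acl 'BUILTIN\Administrators'
    } catch {
        # Access denied here means the folder was never fixed.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$bad = @($results | Where-Object { -not ($_.OwnerOk -and $_.UserFull -and $_.AdminsFull) })
"{0} folders checked, {1} need attention (see {2})" -f @($results).Count, $bad.Count, $ReportPath
$bad | Format-Table Folder, Owner, OwnerOk, UserFull, AdminsFull, Error -AutoSize
```

The script changes nothing on disk; folders it lists are the ones to re-run or inspect by hand.
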
"Rickard" <rickard.anders***@gmail.com> wrote in message
news:ee85d50d-d768-4211-bb48-c822fb90317c@n20g2000hsh.googlegroups.com...
> On 19 Nov, 17:20, "Lanwench [MVP - Exchange]"
> <lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
>> XCACLS is your friend.
>
> I'm sure it is. I'm no scripting wiz though. I figured this was a
> common problem and that maybe there was an existing solution.
>
> I had a look at xcacls.vbs and I understand how to use it. I am
> however uncertain how to reset the ownership once I've taken ownership
> and given administrators full control. You know, I have to make the
> original user owner again in order for him/her to be able to login.
>
> While we're on the subject, what's the difference between cacls,
> xcacls.exe and xcacls.vbs?

CACLS.exe is the version that comes with windows. The earlier versions (i.e. in the earlier versions of windows) were such that XCACLS.exe started showing up in various resource kits. I'm not sure what versions of this might exist, but until xp/2k3, XCACLS.exe was generally the way to go. I use CACLS.exe from XP and from 2k3 with no problems. Note that some of the older versions might cause problems when working with the newer version of NTFS (i.e. the one with dynamic inheritance).

XCACLS.vbs - I think this was devised with NTFS versions in mind, but I don't know what functional differences there might be with CACLS.exe.

/Al

>> This may make it easier:
>>
>> http://www.sh-soft.com/front_content.php?idcat=19
>>
>> I love me a command line, but sometimes a GUI is helpful.
>
> Looks cool. It appears to only support a small subset of XCACLS.vbs
> though. Look at this:
> http://www.sh-soft.com/upload/50-Tools/xcacls/mainform_sections_1.png
>
> Pegasus: I did search for an existing topic on the subject, but I
> wasn't able to find anything. Also, the topic you referred to didn't
> exactly contain the solution.
>
> Cheers,
> Rickard

"Rickard" <rickard.anders***@gmail.com> wrote in message
news:9b3c4044-1370-4211-963c-fd27a21eceb9@f3g2000hsg.googlegroups.com...
> I'm trying to figure out how to give administrators access to roaming
> profile folders stored on a server. I've set "Add the administrators
> security group to roaming user profiles" in a group policy object
> which takes care of any future profiles, but now I'm stuck with approx
> 5000 existing folders to which administrators do not have access.
>
> I believe the process to give admin access is:
>
> 1. Take ownership as admin (recursively).
> 2. Grant full control to administrators.
> 3. Give ownership back to the original user (recursively).
>
> However, doing this manually is a huge pain and considering we have
> about 5000 folders to go through, I would prefer an automated
> solution. Any suggestions would be appreciated.
>
> Cheers,
> Rickard

Have a look at the almost identical thread headed "Admin access denied to view roaming profiles", posted here less than two days ago. It always pays to look at existing threads before starting a new one.