You can't set domain users to only read/write; if you do, they won't be able to make changes to existing files, delete files or delete folders. If you want to script file permission changes, you can use XCACLS via a batch file set up as a scheduled job to run nightly (or as often as you feel necessary). You can get XCACLS from Microsoft here: http://support.microsoft.c
Alternatively, if all subfolders under each of your main folders are inheriting permissions, you can always push permissions out manually by:
Going to the highest level directory where all subfolders are inheriting the exact same permissions from this folder - right click and go to "sharing and security" and then "security" or properties, then security. In here, click advanced and you can then check "Replace permission entries on all child objects....." and hit apply. This will pop up a warning box, telling you it's going to replace all explicitly defined permissions on the child object, which is exactly what you want, so click OK. Windows will then make sure all subfolders of your main folder are inheriting permissions from that main folder and have the same permissions.
If you get any errors warning you that "access is denied" when setting the permissions, click continue on each and let it finish. If you had access errors, go over to the owners tab, and select the local admin or domain admin account, check the box saying "replace owner on subcontainers and objects" then click apply. Once you set ownership to the admin account on all objects, repeat the step above on pushing out permissions and you'll be all set.
If you need help scripting the XCACLS vbs to run or configuring the script to work correctly, let me know. I use this all the time to fix permissions problems on file servers and as long as you test your script on a test directory and ensure it works properly it's a fantastic tool.
If you want to see an example, here's a small test I use to verify my ACLs are being set right when I was trying to add a local user account named "LocalAccount" on a computer named "Computer1" to permissions on an existing folder. The following was put in a batch file, which can then be scheduled to run from the Windows scheduled tasks tool:
cscript.exe xcacls.vbs C:\Test_Folder\ /E /G Computer1\LocalAccount:R
Good luck, let me know if you have any other trouble or if this doesn't work for you. As for why the permissions are getting broken in the first place - have you done the configuration on the Macs to bind them to your AD domain? If not, this would be a good idea and may fix your problem. On the Macs, go to Applications, Utilities, then Directory Access. Click on the Services button, then click on Active Directory, make sure it's checked, then click Configure. Put in your domain info, and you'll need to use a domain admin account to join it to the domain. This will also create a computer account in AD for the Mac which gives you some added control over the Mac from an admin perspective. Some group policy settings will apply to a Mac (even more once 10.5 comes out), you can use AD user accounts to log on to the Mac, map home drive automatically to the user/documents to the user accounts, etc.
For a good visual on binding a Mac to AD, check the following - just make sure you use your own info when necessary and not the info from the pictures (like domain, etc)
https://websvc06.cern.ch/w
Let me know if you need other options.
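A read-only check that can be run before the "Replace permission entries on all child objects" step described above, as an added example that is not part of the original answer. It uses PowerShell's Get-Acl rather than xcacls.vbs and lists the subfolders that have inheritance blocked or carry explicit entries, which are the ones the replace will overwrite; the function name Get-AclDrift and the $Root default are assumptions.

```powershell
# Added example (not from the original answer). Read-only: lists child folders
# whose ACL differs from pure inheritance, without changing anything.
# $Root is an assumption; C:\Test_Folder is the test path used in the post.
param([string]$Root = 'C:\Test_Folder')

function Get-AclDrift {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Collect enumeration failures instead of silently dropping them.
    $folders = Get-ChildItem -LiteralPath $Path -Directory -Recurse `
        -ErrorAction SilentlyContinue -ErrorVariable denied

    foreach ($e in $denied) {
        # Folder could not even be listed: ownership needs fixing first.
        [pscustomobject]@{
            Path = [string]$e.TargetObject; Owner = $null
            InheritanceBlocked = $null; ExplicitEntries = 'UNLISTABLE'
        }
    }

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            [pscustomobject]@{
                Path = $folder.FullName; Owner = $null
                InheritanceBlocked = $null; ExplicitEntries = 'UNREADABLE ACL'
            }
            continue
        }
        # Explicit ACEs are the ones the "replace" checkbox would discard.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path = $folder.FullName
                Owner = $acl.Owner
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitEntries = ($explicit | ForEach-Object {
                    '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                }) -join '; '
            }
        }
    }
}

Get-AclDrift -Path $Root | Format-List
```

Rows marked UNLISTABLE or UNREADABLE ACL correspond to the "access is denied" case in the answer, where ownership has to be taken before permissions can be pushed.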

by: lnkevin Posted on 2007-09-21 at 12:43:18 ID: 19938571
1. Set security audit for the folder. You can set it on GPO or local policy, here is the guide for local policy: http://msdn2.microsoft.com/en-us/library/aa744735.aspx
2. To stop your user from changing the folder permission, set domain user permission to read, write only. You set domain user to Modify so you allow them to modify the permission.
K