  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 432

Disk Management

OK, This is going to get pretty involved, so I'm giving out a large sum of points.

My team manages over 100 servers and we have a problem with users taking up lots of space. I need to see what they have in their home directories without breaching the security defined by my company. Home dirs are config'd as follows.
User has full permissions from his home root on down. Admin has no rights. Admin owns home root, and some precreated directories, user owns his created dirs.

I can't take ownership of the dirs (since the user would be able to notice it, and it may have consequences if I rewrite the permissions).

I would like to find files like exe,dll,mpw,avi....

Cacls has been useless to me thus far.

diruse has identified the problem users, but beyond that, it isn't much help.

Arcserve will display the files if I wish, but talk about a slow process.

So, does anyone know how to gain access using any remotely standard utility to find out what's on the servers? I can't put quota server on the systems, (I wish) so that won't be a help.

Good luck in finding a solution. I hope the points will be worth it.
0
Asked by: tcalesa
1 Solution
 
Turco Commented:
There is a simple solution:
You can give the admins the "List" right for all of these directories. Then the Administrator can see all of the files/folders but cannot change/delete them.
0
 
Lermitte Commented:
I must agree with Turco. But why don't the admins have any rights on the drives? The minimum right that you must have is List.
For changing the permission, go to the root of the drive, change to the right that you want, and click on the option to also include the subdirectories.
I have a question: How do you take the backups from these drives?
Is this a separate account? If yes, you can always use this account for working on this problem.

Mario
0
 
NickBentley Commented:
You could try Security Explorer from small wonders (www.smallwonders.com).  This allows you to 'use' admin rights to view the permissions on files you wouldn't otherwise have access to.  It also allows you to change the ownership of folders etc. and then to GIVE ownership back to the original user, something which NT courses say can't be done - sneaky, but effective.
0
 
Lee W, MVP, Technology and Business Process Advisor, Commented:
I think Mario tried to touch on this - what about putting yourself in the Backup Operators group - that is SUPPOSED to be able to bypass permissions, isn't it?  Then, what I usually do is a find for *.zip & *.exe (looking for installation programs and such).  If you are also enforcing certain corporate policies, you might also look for *.mp3, *.mov and such.
0
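Backup Operators membership only bypasses permissions for tools that open files in backup mode, which an ordinary file search does not do. The sketch below is an added example, not something posted in this thread: it uses robocopy's list-only and backup-mode switches to inventory the file types mentioned above without changing ownership or ACLs. It assumes an elevated session with the Backup and Restore Files user rights, and `D:\Users` is a hypothetical home root.

```powershell
# Added example: inventory unwanted file types under a home root without
# touching ownership or ACLs. $HomeRoot is a hypothetical path; the account
# must hold the Backup and Restore Files user rights (e.g. Backup Operators).
param(
    [string]   $HomeRoot   = 'D:\Users',
    [string[]] $Extensions = @('*.exe','*.dll','*.avi','*.zip','*.mp3','*.mov')
)

# /L = list only (nothing is copied), /B = backup mode (files are opened with
# backup semantics, so the DACL is not consulted), /S = recurse,
# /XJ = skip junctions, /R:0 /W:0 = no retries on errors.
# /NJH /NJS /NDL /NC /FP /BYTES reduce each output line to "<bytes> <full path>".
$dummyDest = Join-Path $env:TEMP 'list-only-unused'   # never created because of /L
$lines = & robocopy.exe $HomeRoot $dummyDest $Extensions `
    /L /B /S /XJ /R:0 /W:0 /NJH /NJS /NDL /NC /FP /BYTES

$root  = $HomeRoot.TrimEnd('\')
$files = foreach ($line in $lines) {
    # Error lines start with a date (digits followed by "/") and do not match.
    if ($line -match '^\s*(\d+)\s+(.+)$') {
        $path = $Matches[2].Trim()
        $rel  = $path.Substring($root.Length).TrimStart('\')
        [pscustomobject]@{
            User      = $rel.Split('\')[0]   # first folder below the home root
            Extension = [IO.Path]::GetExtension($path).ToLower()
            Bytes     = [int64]$Matches[1]
            Path      = $path
        }
    }
}

# Per-user, per-extension totals, largest consumers first.
$files | Group-Object User, Extension | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Group[0].User
        Extension = $_.Group[0].Extension
        Files     = $_.Count
        MB        = [math]::Round(($_.Group | Measure-Object Bytes -Sum).Sum / 1MB, 1)
    }
} | Sort-Object MB -Descending | Format-Table -AutoSize
```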
 
MortenL Commented:
If your Arcserve is using SQL-server as database, you can get all the info needed from that database :)

Just make an ODBC connector, and power up your Access.
0
 
tcalesa (Author) Commented:
I work in a large company. The users have full control of the directories, and we have none. This is a security requirement due to the type of company I work for, so adding the list rights to the user directories will not be an option.

Doh! I hadn't thought of the backup operators group. I will try that this morning. Thanks for kick starting my brain.

Arcserve is running its native database.

Thanks, all.
0
 
axlrose Commented:
There is a small free utility that can solve your problem. I will post its read-me here. If you think this will help you, ask me for the URL from where you can download it.

Frequently NT administrators have files and directories that do not
allow Administrator access. This creates a problem for virus scans,
moving directories, user support, etc. Taking ownership is time-
consuming and breaks existing permissions.

This program modifies file permissions on NTFS files and directories
to allow Full Control for Administrators without breaking existing
permissions or taking ownership. Run it like:

admnalow d: e:
Affects all of D: and E: drives.
admnalow e:\users\joe
Affects only one directory (or file) and all subdirectories.

While running, the program prints a list of all files and directories
it has altered. It will also print any errors. It does not change files
that are already set correctly, so it will not turn your daily backup
into a total.

You can run this nightly before a virus scan or other automatic
operation from the scheduler, or run it as needed. It needs
administrator access, take-ownership, backup, and restore privileges.

How this program works:

The program turns on take-ownership, backup, and restore privileges.
Then it uses a findfirst/findnext loop to traverse the directories.
For each file or directory, it reads and inspects the ACL. If the ACL
does not give full control to administrators, or if it can't read the
ACL, it changes permissions on that file.

To do this, it first uses BackupRead to get the old owner of the file.
There is no politically correct way to do this without access to the
file that I know of, but the owner SID appears to be in a fixed location
in the data from BackupRead. In any case, the program checks the SID
and won't touch a file if it can't validate the SID.

Having read the old owner, it then sets owner to Administrator. It reads
the ACL, copies all ACEs not referring to Administrator to a new ACL,
and then adds ACEs giving administrator full control. Then it writes the
new ACL and sets the owner back as it found it. This leaves the file
permissions unchanged except for administrators having access.

0
 
benstock Commented:
Does SYSTEM have access to the files?

You could schedule the check using AT on a regular basis (like I do).
0
 
tcalesa (Author) Commented:
OK, some developments,
I had no luck with the group memberships and find files.

I *was* able to see the file info using the arcserve database, but it will not be much help since I have 10,000 users, and manually going through the dirs is going to mean adding an FTE at the minimum.

I'm going to check out smallwonders.com in the morning.

I only wish the ones who developed our "engineered" solution had talked to the ones who would actually support the servers, but I guess that's always the case...

axl, I am interested in checking it out.  Could you post the url?

Thanks to all of you. This won't be a quick thousand points, but then I wouldn't have dropped so many if I thought it would be really easy. If more than one comment gets me to a solution, I have enough points for a second (albeit smaller) serving in another ?

0
 
axlrose Commented:
http://www.winsite.com/info/pc/winnt/sysutil/admnalow.zip/downl.html

Try it; I have tried it and it works well and safely; I had no problem making the change for 200 users in about 10 minutes...

best regards
0
 
carmine Commented:
There is also NTSEC which does the same thing, but it costs money.

You can download a thirty day trial version though.

http://www.pedestalsoftware.com/ntsec/index.htm

Mark
0
 
tcalesa (Author) Commented:
I was impressed, at least in my initial look, with Security Explorer. This is mainly because I can set things back to how they were before the change took place, so admnalow will have to come out of the running (just not robust enough).

carmine,
I'll give ntsec a try.

Thanks.
0
 
tcalesa (Author) Commented:
OK, all. I'll be posting a few points in another question for Carmine, but the points in this one go to Nick for Security Explorer. It'll do all of what I need, and is simple enough that my less experienced admins will not have a problem (I hope).

Thanks to all for the assist.
0
