Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

More Fun with Folder Permissions

Posted on 2004-09-29
7
Medium Priority
?
191 Views
Last Modified: 2010-04-19
I've given a user rights to create a new user in the active directory w/ an e-mail account. I also had to give him full rights to the root home directory for the users so that he would have permission to create a folder for the new user and copy the common files into the folder. I've written a batch script that does all of this for him, so that all he needs to do in order to create a new user is type in the new user's first and last name. Everything else is automated.

With that said, is it possible to restrict the account that I've given those permissions to so that he can create new folders in the root home directory and copy new files into those folders from a common folder, but so that he cannot view or modify the folder afterwards?
0
Comment
Question by:Grime121
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 12183262
Hi,

You could try and give him specified permissons (deny permissions i mean). You could also try and only give him the create folder and subfolders rights and make sure not to give him the change rights..

You cannot make sure that he, after creating, cannot see the folder (it could also be tried by using the Deny List permissions, but i'm afraid he will losse more rights...)
0
 
LVL 1

Author Comment

by:Grime121
ID: 12183792
He needs to be able to change permissions on the folder as well though so that he can give the new user full control over the folder after the user and folder are created.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12183851
Hi,

You could try it, but here's my suggestion. Make sure to Deny acces to list the folder cannot be set (he cannot check if the folder was created well, and cannot change permissions), right to a folder is rights to a folder. You can try to only give him "Changing Permissions" rights and "Create Folder / Add Data"..
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 1

Author Comment

by:Grime121
ID: 12186373
Ok, I've almost got it working how I want it. I just need to change the owner of the folder once it's created. If I leave it how it is, the person who's creating the new user folder is left as the owner, and as the owner they have full control over the folder regardless of their account's permissions on the folder. What is the command I can use in a batch script to change the owner of the folder to 'Administrator'?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12187304
Hi,

There isn't. You eed to be logged in as the admin and then take permissions for the folder.

You could try doing it with the takeowner.pl tool (only 2000 machines), here's a link on how to..

http://support.microsoft.com/default.aspx?scid=kb;en-us;q320046
0
 
LVL 1

Author Comment

by:Grime121
ID: 12194134
Ok, what if I mapped the drive w/ the admin's credintials before making the folder, and then used the mapped drive path to make the folder. Would it then use the Admin credintials to create the folder, or would it still use the user that ran the script's credintials?
0
 
LVL 23

Accepted Solution

by:
rhandels earned 1500 total points
ID: 12194647
Hi,

If you map a drive using different credentials, then all that is change or created (or done for all that matter) is being done by the users you mapped the drive with, so indeed, if you create a folder on a mapped folder with tha dmin account, it will be the owner (this mapping and it's folders isn't aware of the actual user being logged in).

Bu then, if you map it like this, you would give the specified user the admin rights to this folder, and i'm not quite sure if that's an option...
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question