
More Fun with Folder Permissions

Posted on 2004-09-29
Last Modified: 2010-04-19
I've given a user rights to create a new user in Active Directory w/ an e-mail account. I also had to give him full rights to the root home directory for the users so that he would have permission to create a folder for the new user and copy the common files into the folder. I've written a batch script that does all of this for him, so that all he needs to do in order to create a new user is type in the new user's first and last name. Everything else is automated.

With that said, is it possible to restrict the account that I've given those permissions to so that he can create new folders in the root home directory and copy new files into those folders from a common folder, but so that he cannot view or modify the folder afterwards?
0
Comment
Question by:Grime121
7 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 12183262
Hi,

You could try and give him specified permissions (deny permissions I mean). You could also try and only give him the create folder and subfolders rights and make sure not to give him the change rights..

You cannot make sure that he, after creating, cannot see the folder (it could also be tried by using the Deny List permissions, but I'm afraid he will lose more rights...)
0
 
LVL 1

Author Comment

by:Grime121
ID: 12183792
He needs to be able to change permissions on the folder as well though so that he can give the new user full control over the folder after the user and folder are created.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12183851
Hi,

You could try it, but here's my suggestion. Make sure to Deny access to list the folder cannot be set (he cannot check if the folder was created well, and cannot change permissions), right to a folder is rights to a folder. You can try to only give him "Changing Permissions" rights and "Create Folder / Add Data"..
0
 
LVL 1

Author Comment

by:Grime121
ID: 12186373
Ok, I've almost got it working how I want it. I just need to change the owner of the folder once it's created. If I leave it how it is, the person who's creating the new user folder is left as the owner, and as the owner they have full control over the folder regardless of their account's permissions on the folder. What is the command I can use in a batch script to change the owner of the folder to 'Administrator'?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12187304
Hi,

There isn't. You need to be logged in as the admin and then take permissions for the folder.

You could try doing it with the takeowner.pl tool (only 2000 machines), here's a link on how to..

http://support.microsoft.com/default.aspx?scid=kb;en-us;q320046
0
 
LVL 1

Author Comment

by:Grime121
ID: 12194134
Ok, what if I mapped the drive w/ the admin's credentials before making the folder, and then used the mapped drive path to make the folder. Would it then use the Admin credentials to create the folder, or would it still use the user that ran the script's credentials?
0
 
LVL 23

Accepted Solution

by:
rhandels earned 1500 total points
ID: 12194647
Hi,

If you map a drive using different credentials, then all that is changed or created (or done for all that matter) is being done by the users you mapped the drive with, so indeed, if you create a folder on a mapped folder with the admin account, it will be the owner (this mapping and its folders isn't aware of the actual user being logged in).

But then, if you map it like this, you would give the specified user the admin rights to this folder, and I'm not quite sure if that's an option...
0
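
An audit for the ownership problem raised in this thread, as an added example that is not part of any post: it lists home folders whose owner is not the expected account or whose ACL still grants the delegated account access, and with `-FixOwner` (run elevated by an administrator on a system that ships `icacls /setowner`) resets the owner. The path `D:\Home`, the account `CONTOSO\helpdesk1` and all parameter and function names are placeholders chosen for illustration.

```powershell
# Added example. D:\Home and CONTOSO\helpdesk1 are placeholder values.
param(
    [string]$HomeRoot      = 'D:\Home',
    [string]$Delegate      = 'CONTOSO\helpdesk1',
    [string]$ExpectedOwner = 'BUILTIN\Administrators',
    [switch]$FixOwner      # only meaningful when run elevated as an administrator
)

function Get-HomeFolderFinding {
    param([string]$Path, [string]$Delegate, [string]$ExpectedOwner)

    $acl = Get-Acl -LiteralPath $Path
    # Allow ACEs naming the delegate, whether set on the folder or inherited from the root
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Delegate -and
        $_.AccessControlType -eq 'Allow'
    })
    [pscustomobject]@{
        Path           = $Path
        Owner          = $acl.Owner
        OwnerOk        = ($acl.Owner -eq $ExpectedOwner)
        DelegateRights = ($aces | ForEach-Object {
            '{0} (inherited={1})' -f $_.FileSystemRights, $_.IsInherited }) -join '; '
    }
}

# Keep only folders with an unexpected owner or a remaining ACE for the delegate
$findings = Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object {
    Get-HomeFolderFinding -Path $_.FullName -Delegate $Delegate -ExpectedOwner $ExpectedOwner
} | Where-Object { -not $_.OwnerOk -or $_.DelegateRights }

$findings | Format-Table -AutoSize -Wrap

if ($FixOwner) {
    foreach ($f in $findings | Where-Object { -not $_.OwnerOk }) {
        # Assigning ownership to another principal requires administrator rights
        & icacls.exe $f.Path /setowner $ExpectedOwner
    }
}
```

The check matches only ACEs that name the delegated account directly; rights the account receives through group membership are not reported.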
