[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

setting Ownership

Posted on 2006-03-22
29
Medium Priority
?
520 Views
Last Modified: 2009-05-03
Is there a way as the admin of our servers that I can set ownership of files within a users folder without being at the users PC with them logged in?  Here is why I ask.... we are running a w2K server with quotas enabled on the user shares.  The problem I am having is the quota application (W2K) reports on ownership not total of files in the folder.  So, when one of my team members moves files for a user or has to place a large amount of files within the folder due to a rebuild of the users PC, those files are moves with the ownership of Administrator, not the user.  So, what this leaves is several GB of files in the users folder but quota is only reporting what the user owns.  I want to be able to set ownership on those files so the user is the owner of all files is their folder.  Can I do this without being at their workstation with them logged in?

Thanks
0
Comment
Question by:mchristo63
  • 11
  • 10
  • 4
  • +2
29 Comments
 
LVL 6

Expert Comment

by:enwhysee
ID: 16256740
You could do it with a combination of psexec.exe (a remote execution command) and cacls.exe (command line tool to set permissions, comes with Windows.)

http://www.sysinternals.com/Utilities/PsExec.html

For example, you'd be able to execute:

psexec \\othermachine -u Administrator -p password cacls.exe "C:\Directory" /g "DOMAIN\SomeUser":R

This would grant DOMAIN\SomeUser read access to C:\Directory on the machine \\othermachine.

You could run cacls.exe in the command prompt for additional command line switches.

Hope that helps~
0
 
LVL 7

Expert Comment

by:SoyYop
ID: 16256960
Start\Run,


\\computername\c$  (This is a default admin share for things like that)

Then you can do anything over files & fodlers.

Do it with a domain admin account.

0
 

Author Comment

by:mchristo63
ID: 16257001
I am assuming you are talking about connecting to the users PC.  I am talking about users folders on my server.  I need to make sure all users files in their user shares have the ownsership as the user, not admin.  Admin ownership happens when our team moves files off of their PC to the network share (user share).  This happens because they are logged into the local PC as admin.  Now that this has happened, I need to go through nearly 2000 user folders to make sure the user owns their own files, not the admin.  
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 7

Expert Comment

by:SoyYop
ID: 16257048
Ups... More difficult...


Try that:

http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/23663/23663.html

Hope it works.

0
 
LVL 6

Expert Comment

by:JimsZ
ID: 16257372
Why is each person logging into local machines as administrator instead of themselves and given local machine admin rights?  That would solve problems in both quota and domain security.  
0
 

Author Comment

by:mchristo63
ID: 16257419
No. this si not a hard problem to understand.  This has nothing to do with local PC's, nothing.  

We host all user home directories on our server.  When an admin (our team member, not the local user) moves files from the local PC to the server for what ever reason, it makes the Admin the owner of the files.  Now, I have several user folders on my SERVER that has files that are owned by the Admin, not the user of that folder.  I just want to be able to reset the ownership of the user folders on my SERVER to reflect the user of that folder.  
0
 
LVL 6

Expert Comment

by:JimsZ
ID: 16257425
Actually you could also have a robocopy script moving the files as a scheduled task ran under the user's id.   Create a robocopy script to move the files off their local pc to the storage area and set as scheduled task as the user, then it would attribute all files moved with that script to the user...  but then you'd also have to create a different script for each different user.
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16257432
You can download Windows subinacl which is part of the resource kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

Here's a brief MS overview of subinacl usage:

http://support.microsoft.com/?kbid=265360

We use it here to reset users profiles and docs permissions when we have erroneous quota entries using a little batch file (which resides in the same folder as subinacl):

REM Get user logon name
set /p userin=Please enter user ID:
start /wait subinacl.exe /noverbose /nostatistic /subdirectories \\servername\servershare$\%USERIN%\* /Owner="%USERIN%" /Grant=%USERIN%=f /Grant="creator owner"=f /Grant="domain\domain admins"=f /Grant=system=f

REM - /no verbose = no output
REM - /no statistic = no statistics required (you can output to text)
REM - /subdirectories = include subdirectories
REM - /owner = new owner of object(s)
REM - /grant = grant specific user access (f = full control)


This should sort you out.
0
 
LVL 6

Expert Comment

by:JimsZ
ID: 16257450
Should be able to just set ownership of the user's home folder to the user and under advanced tab in security and click to inherit all child objects and on owner tab click replace owner on subcontainers and objects
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16257465
I should just add that \\servername\servershare$\%userin% only works on our batch file as the users folders are named with their logon ID, you may have to tinker a little bit if you don't name your folders this way to reflect the correct path.
0
 

Author Comment

by:mchristo63
ID: 16257493
thanks.  will the command return a success or failure?  
0
 
LVL 6

Accepted Solution

by:
ian_chard earned 2000 total points
ID: 16257526
Yep, if you don't use /noverbose or /nostastics you'll get a full output that you can redirect to a log file if you wish (i.e. have > C:\subinacl.txt on the end of the batch file)  
0
 

Author Comment

by:mchristo63
ID: 16257541
Thanks so much!
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16257557
No problem. :o)

thanks
Ian
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16257600
I should also warn you that you have to be very careful when using it, if you get the path wrong it can cause major problems. We had someone decide to alter the tested script to make it more user friendly who ended up resetting the ownership of all our users folders, so only one person could logon!
0
 

Author Comment

by:mchristo63
ID: 16257611
good thought.
0
 

Author Comment

by:mchristo63
ID: 16257679
are there limitations as to what OS this can be run against (server=W2K) or workstation I can run it from (worstation=XP)?  I ask as it is not working.  I will try to run the command out of the script to see if it works.  
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16257695
Hi,

It will support the following OS:

Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Windows XP Professional
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition

You have to be an administrator to run it, users won't be able to.

I can't reiterate enough though that you should use it in a test platform first until you get it running as you want. It's always better to be safe than sorry. I had to spend the whole night here resetting faulty permissions after someone edited our script...not very nice.

Thanks
Ian
0
 

Author Comment

by:mchristo63
ID: 16257778
right, thanks
0
 

Author Comment

by:mchristo63
ID: 16257901
For some reason it doens't work.  Here is the comand and results:

C:\>subinacl /subdirectories \\appserver\f$\user1\* /setowner=domain1\user1

C:\>subinacl /subdirectories \\appserver\f$\users1\* /setowner=domain1\user+subdirectories \\appserver\f$\user1\*
/setowner=ads\user1

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        0
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16257991
OK, I've just put this in to my test environment and create the same scenario to debug. The first line should be:

C:\>subinacl /subdirectories \\appserver\f$\user1 /setowner="domain1\user1"

(as it needs to set the ownership on the top folder first of all)



0
 

Author Comment

by:mchristo63
ID: 16258733
Ok, thanks.  I will try that.  
0
 

Author Comment

by:mchristo63
ID: 16258894
weird, still doesnt work

C:\>subinacl /subdirectories \\appserver\f$\user1 /setowner="domain1\user1"

Result:
C:\>subinacl /subdirectories \\appserver\f$\users1\ /setowner=domain1\user+subdirectories \\appserver\f$\user1\*
/setowner=ads\user1

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        0
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16259021
Hmmm I can't work that out at all.

Do you have full control over this folder as yourself or the account that's running the subinacl? If not you may need to take ownership of that folder, though you should get a failed message in this case (i think).

I've rechecked it in a test environment and it definitely works
0
 

Author Comment

by:mchristo63
ID: 16259069
Ok,  I will keep testing.  Thanks
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16259077
No problem. I'll have a think in the meantime to try to work out why it's going awry
0
 
LVL 7

Expert Comment

by:SoyYop
ID: 16259594
???
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16259795
SoyYop, why the ???
0
 
LVL 7

Expert Comment

by:SoyYop
ID: 16260069
It's a silent complain... I provided the link to the tool info with examples, then I went for lunch, and... lost the points :(

Just to be clear: I'm not claiming the points.

You did a good job providing examples, plus the link to download it (if you don't have the resource kit). You also followed and answered all the user questions.

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
Windows 7 does not have the best desktop search built in. This is something Windows 7 users have struggled with. You type something in, and your search results don’t always match what you are looking for, or it doesn’t actually work at all. There ar…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Suggested Courses

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question