Setting Ownership

Is there a way, as the admin of our servers, that I can set ownership of files within a user's folder without being at the user's PC with them logged in?  Here is why I ask: we are running a W2K server with quotas enabled on the user shares.  The problem I am having is that the quota application (W2K) reports on ownership, not the total of files in the folder.  So, when one of my team members moves files for a user or has to place a large amount of files within the folder due to a rebuild of the user's PC, those files are moved with the ownership of Administrator, not the user.  So, what this leaves is several GB of files in the user's folder, but quota is only reporting what the user owns.  I want to be able to set ownership on those files so the user is the owner of all files in their folder.  Can I do this without being at their workstation with them logged in?

Thanks
mchristo63Asked:

enwhyseeCommented:
You could do it with a combination of psexec.exe (a remote execution command) and cacls.exe (command line tool to set permissions, comes with Windows.)

http://www.sysinternals.com/Utilities/PsExec.html

For example, you'd be able to execute:

psexec \\othermachine -u Administrator -p password cacls.exe "C:\Directory" /g "DOMAIN\SomeUser":R

This would grant DOMAIN\SomeUser read access to C:\Directory on the machine \\othermachine.

You could run cacls.exe in the command prompt for additional command line switches.

Hope that helps~
SoyYopCommented:
Start\Run,


\\computername\c$  (This is a default admin share for things like that)

Then you can do anything over files & folders.

Do it with a domain admin account.

mchristo63Author Commented:
I am assuming you are talking about connecting to the user's PC.  I am talking about users' folders on my server.  I need to make sure all users' files in their user shares have the ownership as the user, not admin.  Admin ownership happens when our team moves files off of their PC to the network share (user share).  This happens because they are logged into the local PC as admin.  Now that this has happened, I need to go through nearly 2000 user folders to make sure the user owns their own files, not the admin.

SoyYopCommented:
Oops... More difficult...


Try that:

http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/23663/23663.html

Hope it works.

JimsZCommented:
Why is each person logging into local machines as administrator instead of themselves and given local machine admin rights?  That would solve problems in both quota and domain security.  
mchristo63Author Commented:
No. This is not a hard problem to understand.  This has nothing to do with local PCs, nothing.

We host all user home directories on our server.  When an admin (our team member, not the local user) moves files from the local PC to the server for whatever reason, it makes the Admin the owner of the files.  Now, I have several user folders on my SERVER that have files that are owned by the Admin, not the user of that folder.  I just want to be able to reset the ownership of the user folders on my SERVER to reflect the user of that folder.
JimsZCommented:
Actually you could also have a robocopy script moving the files as a scheduled task run under the user's ID.   Create a robocopy script to move the files off their local PC to the storage area and set it as a scheduled task as the user, then it would attribute all files moved with that script to the user...  but then you'd also have to create a different script for each different user.
ian_chardCommented:
You can download Windows subinacl which is part of the resource kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

Here's a brief MS overview of subinacl usage:

http://support.microsoft.com/?kbid=265360

We use it here to reset users profiles and docs permissions when we have erroneous quota entries using a little batch file (which resides in the same folder as subinacl):

REM Get user logon name
set /p userin=Please enter user ID:
start /wait subinacl.exe /noverbose /nostatistic /subdirectories \\servername\servershare$\%USERIN%\* /Owner="%USERIN%" /Grant=%USERIN%=f /Grant="creator owner"=f /Grant="domain\domain admins"=f /Grant=system=f

REM - /noverbose = no output
REM - /nostatistic = no statistics required (you can output to text)
REM - /subdirectories = include subdirectories
REM - /owner = new owner of object(s)
REM - /grant = grant specific user access (f = full control)


This should sort you out.
JimsZCommented:
Should be able to just set ownership of the user's home folder to the user, and under the advanced tab in security click to inherit all child objects, and on the owner tab click replace owner on subcontainers and objects.
ian_chardCommented:
I should just add that \\servername\servershare$\%userin% only works in our batch file as the users' folders are named with their logon ID. You may have to tinker a little bit if you don't name your folders this way to reflect the correct path.
mchristo63Author Commented:
Thanks.  Will the command return a success or failure?
ian_chardCommented:
Yep, if you don't use /noverbose or /nostatistic you'll get a full output that you can redirect to a log file if you wish (i.e. have > C:\subinacl.txt on the end of the batch file)
mchristo63Author Commented:
Thanks so much!
ian_chardCommented:
No problem. :o)

thanks
Ian
ian_chardCommented:
I should also warn you that you have to be very careful when using it. If you get the path wrong it can cause major problems. We had someone decide to alter the tested script to make it more user friendly who ended up resetting the ownership of all our users' folders, so only one person could log on!
mchristo63Author Commented:
good thought.
mchristo63Author Commented:
Are there limitations as to what OS this can be run against (server=W2K) or workstation I can run it from (workstation=XP)?  I ask as it is not working.  I will try to run the command out of the script to see if it works.
ian_chardCommented:
Hi,

It will support the following OS:

Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Windows XP Professional
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition

You have to be an administrator to run it, users won't be able to.

I can't reiterate enough though that you should use it in a test platform first until you get it running as you want. It's always better to be safe than sorry. I had to spend the whole night here resetting faulty permissions after someone edited our script...not very nice.

Thanks
Ian
mchristo63Author Commented:
right, thanks
mchristo63Author Commented:
For some reason it doesn't work.  Here is the command and results:

C:\>subinacl /subdirectories \\appserver\f$\user1\* /setowner=domain1\user1

C:\>subinacl /subdirectories \\appserver\f$\users1\* /setowner=domain1\user+subdirectories \\appserver\f$\user1\*
/setowner=ads\user1

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        0
ian_chardCommented:
OK, I've just put this in to my test environment and created the same scenario to debug. The first line should be:

C:\>subinacl /subdirectories \\appserver\f$\user1 /setowner="domain1\user1"

(as it needs to set the ownership on the top folder first of all)



mchristo63Author Commented:
Ok, thanks.  I will try that.  
mchristo63Author Commented:
Weird, still doesn't work

C:\>subinacl /subdirectories \\appserver\f$\user1 /setowner="domain1\user1"

Result:
C:\>subinacl /subdirectories \\appserver\f$\users1\ /setowner=domain1\user+subdirectories \\appserver\f$\user1\*
/setowner=ads\user1

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        0
ian_chardCommented:
Hmmm I can't work that out at all.

Do you have full control over this folder as yourself or the account that's running the subinacl? If not you may need to take ownership of that folder, though you should get a failed message in this case (I think).

I've rechecked it in a test environment and it definitely works
mchristo63Author Commented:
Ok,  I will keep testing.  Thanks
ian_chardCommented:
No problem. I'll have a think in the meantime to try to work out why it's going awry
SoyYopCommented:
???
ian_chardCommented:
SoyYop, why the ???
SoyYopCommented:
It's a silent complaint... I provided the link to the tool info with examples, then I went for lunch, and... lost the points :(

Just to be clear: I'm not claiming the points.

You did a good job providing examples, plus the link to download it (if you don't have the resource kit). You also followed and answered all the user questions.
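
Added example (not code from any participant in this thread): for the roughly 2000 home folders in the question, and the wrong-path incident ian_chard describes, this planner emits reviewable subinacl command lines, one pair per folder, and refuses empty, wildcard or unmatched names. It uses only the /subdirectories and /setowner switches shown in the thread; the function name, the name pattern and the known_accounts list (logon IDs exported from your directory) are assumptions, as is the convention that each folder is named after its owner's logon ID.

```python
import re

# Constructed, conservative pattern for a logon ID used as a folder name (assumption).
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")
# UNC root such as \\server\share, optional subfolders, no wildcard characters.
ROOT_RE = re.compile(r'^\\\\[^\\/*?"<>|]+(?:\\[^\\/*?"<>|]+)+$')


def plan_owner_reset(share_root, domain, folder_names, known_accounts,
                     log_path=r"C:\subinacl.txt"):
    """Return (commands, skipped). Nothing is executed; review the output first."""
    root = share_root.rstrip("\\")
    if not ROOT_RE.match(root):
        raise ValueError("share root must be a UNC path without wildcards: %r"
                         % share_root)
    accounts = {a.lower(): a for a in known_accounts}
    commands, skipped = [], []
    for name in folder_names:
        # An empty or wildcard name would aim the command at the whole share.
        if not NAME_RE.match(name) or not name.strip("."):
            skipped.append((name, "invalid folder name"))
            continue
        account = accounts.get(name.lower())
        if account is None:
            skipped.append((name, "no matching account"))
            continue
        folder = root + "\\" + name
        owner = domain + "\\" + account
        # Top folder first, then its contents, as suggested in the thread.
        for target in (folder, folder + "\\*"):
            commands.append('subinacl /subdirectories "%s" /setowner="%s" >> "%s"'
                            % (target, owner, log_path))
    return commands, skipped


if __name__ == "__main__":
    # Constructed sample input: folder listing and account export.
    folders = ["user1", "", "*", "..", "olduser", "User2"]
    cmds, skipped = plan_owner_reset(r"\\appserver\f$", "domain1",
                                     folders, ["user1", "user2"])
    print("\n".join(cmds))
    for name, reason in skipped:
        print("REM skipped %r: %s" % (name, reason))
```

Write the printed lines to a .cmd file and run it against a test share before the production one; the skipped list shows which folders need a manual decision.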
