Todd_Bain
asked on
Profiles Directory - No Administrator Right to individual's profiles
Windows 2003
Organization is using 105 Blade PCs with 350 thin clients.
DC Holds Profiles Directory
Profiles Directory (The directory itself)
Security
Administrators - Full Control
Domain Users - Modify (currently)
If I go into the profile directory, and pick one of the folders at random, say John Smith, guess what, the administrator doesn't have rights to it.
I go into GP, set on both the Default DC GPO & Business Policy the following
Computer Configuration
Administrative Templates
System
User Profiles
Add the Administrators security group to roaming user profiles - Enabled
...
Nothing
The only way for me to get into their directories is to take ownership, then assign them modify rights individually. I do not have time to do this to 350 AD users. Plus from what I understand, if I do this, it would be bad for Quota usage as well (which I am not using currently but do not want to screw it up if I decide to later).
...
So there is my problem, I have tried FILEACL, from Microsoft (but not really), and it will not let me set permissions on those folders either (by adding).
I may be mistaken, but I can not afford to go into the security tab and FORCE it to accept Administrators, as that would remove the individual users' access rights, correct?
I would really like to kick M$ in the #$%#$%#$@^%$^#%^%#^%$^%$#^ !@#$!$#@$ for making a parent directory with Administrative Rights not have full rights to its children, without my jumping through some hoops.
Help?
ASKER
xcalcs John.Smith /E /G Administrators:F
processed directory: E:\Profiles\John.Smith
ERROR: Access is denied.
ASKER
Er, I typed that command line up there wrong; I really entered:
xcacls John.Smith /E /G Administrators:F
You can take ownership easily:
Right-click the Parent folder.
Select Properties.
Select the Security tab.
Select the Advanced button.
Select the Owner tab.
Highlight Administrator (top entry).
Select the Replace owner on subcontainers and objects.
Now you should be able to set the basic rights on the parent.
Administrators = Full Control
SYSTEM = Full Control
On each subfolder, make sure to check "Allow inheritable permissions from parent to propagate to this object".
Apply the changes.
Each subfolder should then have only the user's Modify Permissions set at each folder, the rest comes down from the parent.
ASKER
Yes but this completely defeats what I am trying to accomplish, if you reset the true Owner's permissions this will disrupt Quota usage down the road.
I mean this was explained in detail in my original question, I mean no disrespect it is just frustrating...
Original Question QUOTE
"The only way for me to get into their directories is to take ownership, then assign them modify rights individually. I do not have time to do this to 350 AD users. Plus from what I understand, if I do this, it would be bad for Quota usage as well (which I am not using currently but do not want to screw it up if I decide to later)."
This is definitely NOT a solution.
Note: this is a solution if you want to edit the ACL to add the administrators... you must take ownership first... then you can edit the security. Taking ownership is the only way I know of to modify permissions of a directory if the admin doesn't have rights.
ASKER
Looks like it is time to call Microsoft.
Appreciate the comments...
You're correct about the Quotas. The only other way to do this is set the permissions on the parent as you want them, then have each and every user check the box for inheriting permissions then clicking Apply.
This is the only way you'll get the proper permissions in place without affecting Quota.
You can take ownership, set the permissions the way you want them, and then re-assign ownership back to the user. I believe this would maintain your Quota settings.
You cannot assign ownership, you can only take it. The user would have to take ownership.
ASKER
I can not reassign ownership back to the user. Ordinarily you can, I'd agree with you 100%
This has to do with ADUC (Profile) creating the folder for me, not the Administrator creating the directory, and for whatever reason when it does this, it doesn't naturally inherit what the parent folder has set.
I am going to have to call Microsoft on this one, I think Netman66, is right as far as conventional thinking on how to do it, but my end users can barely click outlook by themselves, much less permissions...=(
Anyone can try this
...
Go make a directory. Give Domain Admins / Administrators Full Rights, now give your Domain Users Modify Rights.
Those are the only two permissions to actively set.
Now go into ADUC (Active Directory Users and Computers) and create a new user.
On the "Profile" tab of ADUC, set the UNC path of that profile to your newly created folder: \\SERVER\FOLDER-Just-Created\NewUser
Now click apply. Voila, it has created the folder, that you can't get into.
You can take ownership of it, but that replaces it, and you can't give it back to said NewUser.
Whacky crap...
hmmm... possibly XCACLS can give ownership:
/G user:perm;spec Grant specified user access rights.
Perm can be: R Read
C Change (write)
F Full control
P Change Permissions (Special access)
O Take Ownership (Special access)
X EXecute (Special access)
E REad (Special access)
W Write (Special access)
D Delete (Special access)
however, I haven't tested this...
Yes, that's correct. If you allow the System to create the folder you have no rights. If you pre-create the folder then all is well.
There was a way to set this so that the automatic creation will succeed. I will have to find that doc for you.
ASKER
xcacls John.Smith /E /G Administrators:F
processed directory: E:\Profiles\John.Smith
ERROR: Access is denied.
My second post down, I tried this... Didn't work :(
Actually, you can do it with the GUI also. When you're on the Ownership tab, you'll see a button that says "Other Users or Groups". You can search AD for your target user, and re-assign ownership back to the user.
@mcrowley - did you try this?
Here is one article that might work (haven't tested it): http://support.microsoft.com/kb/555046/en-us
It's not the one I'm looking for - so I'm still looking.
Yes, I've done this before, to do exactly what Todd's looking for. You can Take Ownership, change the permissions list to include Domain Admins (or some other group), and then give Ownership back to the user. I've never tried xcacls, but the GUI works.
Ok, here's what you can do. I've tested it and it works.
Download the latest xcacls tool - http://support.microsoft.com/?kbid=318754
Install it, then create the first batch file (called runxcacls.bat) -
------
REM Assigns ownership to Domain Admins
cscript xcacls.vbs %1 /O "<domainname>\Domain Admins"
REM Gives Domain Admins Full Control (/E edits the existing ACL instead of replacing it)
cscript xcacls.vbs %1 /E /G "<domainname>\Domain Admins":F
REM Gives the user back Full Control
cscript xcacls.vbs %1 /E /G <domainname>\%2:F
REM Anyone else you want to have rights
cscript xcacls.vbs %1 /E /G "<domainname>\...":F
REM Re-assigns ownership back to <username>
cscript xcacls.vbs %1 /O <domainname>\%2
------
You can then run it like this -
runxcacls.bat \\FILESERVER\PROFILESHARE\JohnDoeProfile JohnDoe
If your folders match the usernames, you're in business. To take it a bit further, you can use a scripting tool (or Excel even) to take an exported list of usernames and run the batch file on each.
Give that a shot and let us know how it works.
ASKER
mcrowley => I will definitely give that a shot; if I am unable to complete it today, I will first thing Monday. Thank you all for your effort, mcrowley thank you for the script file, that looks like it should do the trick.
The folder names do match the usernames, so hopefully that will make everything just right.
Cool, then insert the path in front of %1, and you can do it with one parameter, like so -
------
REM Assigns ownership to Domain Admins
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /O "<domainname>\Domain Admins"
REM Gives Domain Admins Full Control (/E edits the existing ACL instead of replacing it)
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /E /G "<domainname>\Domain Admins":F
REM Gives the user back Full Control
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /E /G <domainname>\%1:F
REM Anyone else you want to have rights
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /E /G "<domainname>\...":F
REM Re-assigns ownership back to <username>
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /O <domainname>\%1
------
You can then run it like this -
runxcacls.bat JohnDoe
ASKER
mcrowley I think you are right on the money with what needs to be done, I am receiving an error now though that I am going to research further...
**********
Directory: E:\Profiles\USER.NAME
Error -2147217406: occurred setting Win32_LogicalFileSecuritySetting object.
(Msg#501)
Error description: Not found
**********
I will let you guys know something as soon as I know something
ASKER CERTIFIED SOLUTION
ASKER
Awesome, I will look into that right after lunch. Thank you again mcrowley, I had been researching that error and hadn't been able to turn anything up on it. I will look into takeown asap.
ASKER
That worked for taking ownership, now in conjunction with xcacls, I should be able to write a batch to takeown /f PROFILENAME /R /A, set permissions via xcacls, then give them ownership back.
Thank you for your diligence mcrowley
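The sequence the asker settles on above (take ownership, edit rather than replace the ACL, hand ownership back so quota stays charged to the user) written out as a PowerShell script. This is an added example, not code from the thread, from mcrowley, or from Microsoft; it uses takeown.exe and icacls.exe (icacls is assumed present, Server 2003 SP2 and later) in place of xcacls.vbs. The share root, domain name, admin group, and the assumption that every profile folder is named after its user's logon name are placeholders, not values from the page. Run it without -Fix first to get an audit of which folders the administrator cannot read.

```powershell
<#
Added example (not from the thread): audit profile folders that Administrators
cannot open, and optionally repair them the way the asker describes:
  1. takeown /A /R         -> Administrators group becomes owner (gains WRITE_DAC)
  2. Get-Acl / AddAccessRule / Set-Acl -> ADD one admin ACE, keep the user's ACE
  3. icacls /setowner      -> owner back to the user, so NTFS quota charges them
All of the values below are placeholders (assumed, not taken from the page).
#>
param(
    [string]$ProfileRoot = '\\FILESERVER\PROFILESHARE',  # placeholder share root
    [string]$Domain      = 'CONTOSO',                    # placeholder NetBIOS domain
    [string]$AdminGroup  = 'CONTOSO\Domain Admins',      # placeholder group to add
    [switch]$Fix                                          # audit only unless -Fix
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Audit one folder: can we read its ACL, who owns it, does the admin group
# already hold an Allow/FullControl ACE?
function Get-ProfileFolderStatus {
    param([string]$Path, [string]$AdminGroup)
    $status = [ordered]@{ Path = $Path; Readable = $false; Owner = $null; AdminHasFull = $false }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $status.Readable = $true
        $status.Owner    = $acl.Owner
        $status.AdminHasFull = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $AdminGroup -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $FullControl) -eq $FullControl) })
    } catch {
        # READ_CONTROL denied: neither owner nor DACL lets us in. This is the
        # state of a folder the profile service created on the user's behalf.
    }
    [pscustomobject]$status
}

# Repair one folder with the three-step sequence described in the thread.
function Repair-ProfileFolder {
    param([string]$Path, [string]$User, [string]$Domain, [string]$AdminGroup)

    # 1. Take ownership for the Administrators group (/A), recursively (/R),
    #    answering the per-folder prompt with Y (/D Y). Works because admins
    #    hold SeTakeOwnershipPrivilege even when the DACL excludes them.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path (exit $LASTEXITCODE)" }

    # 2. Edit, do not replace, the DACL: add a single inheritable FullControl
    #    ACE for the admin group. The user's own ACE is left untouched.
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $AdminGroup, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 3. Give ownership of the folder and everything under it (/T) back to the
    #    user. icacls enables SeRestorePrivilege for this; Set-Acl refuses to
    #    make a different principal the owner without that privilege enabled.
    & icacls.exe $Path /setowner "$Domain\$User" /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed on $Path (exit $LASTEXITCODE)" }
}

# Driver: walk the share, audit, and repair only folders that need it.
# PSIsContainer is used instead of -Directory so the script also runs on PowerShell 2.
$report = foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot | Where-Object { $_.PSIsContainer }) {
    $before = Get-ProfileFolderStatus -Path $dir.FullName -AdminGroup $AdminGroup
    if ($Fix -and -not $before.AdminHasFull) {
        Repair-ProfileFolder -Path $dir.FullName -User $dir.Name -Domain $Domain -AdminGroup $AdminGroup
        $after = Get-ProfileFolderStatus -Path $dir.FullName -AdminGroup $AdminGroup
        # Verify the end state: readable, admin ACE present, owner is the user again.
        $expectedOwner = "$Domain\$($dir.Name)"
        if (-not ($after.Readable -and $after.AdminHasFull -and $after.Owner -eq $expectedOwner)) {
            Write-Warning "Repair of $($dir.FullName) did not verify (owner now '$($after.Owner)')"
        }
        $after
    } else {
        $before
    }
}
$report | Format-Table -AutoSize
```

The verification step after the repair is the part worth keeping even if the tooling changes: a folder whose owner is still the Administrators group after the run is exactly the quota problem the asker wants to avoid, and an ACE list with no user entry means an ACL was replaced rather than edited.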
No problem, I was actually trying to figure out something similar for myself, and figured it out.
Make sure to use /E (Edit ACL instead of replacing it):
XCACLS filename [/T] [/E|/X] [/C] [/G user:perm;spec] [/R user [...]]
[/P user:perm;spec [...]] [/D user [...]] [/Y]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/X Same as /E except it only affects the ACEs that the
specified users already own.
/C Continue on access denied errors.
/G user:perm;spec Grant specified user access rights.
Perm can be: R Read
C Change (write)
F Full control
P Change Permissions (Special access)
O Take Ownership (Special access)
X EXecute (Special access)
E REad (Special access)
W Write (Special access)
D Delete (Special access)
Spec can be the same as perm and will only be
applied to a directory. In this case, Perm
will be used for file inheritence in this
directory. If not omitted: Spec=Perm. Special values
for Spec only:
T Not Specified (for file inherit,
only for dirs valid)
At least one access right has to follow!
Entries between ';' and T will be ignored
/R user Revoke specified user's access rights.
/P user:perm;spec Replace specified user's access rights.
for access right specification see /G option
/D user Deny specified user access.
/Y Replace user's rights without verify