Solved

Profiles Directory - No Administrator Right to individual's profiles

Posted on 2006-06-09
Last Modified: 2008-01-09
Windows 2003
Organization is using 105 Blade PCs with 350 thin clients.

DC Holds Profiles Directory

Profiles Directory (The directory itself)
Security
Administrators - Full Control
Domain Users - Modify (currently)

If I go into the profile directory, and pick one of the folders at random, say John Smith, guess what, the administrator doesn't have rights to it.

I go into GP, set on both the Default DC GPO & Business Policy the following

Computer Configuration
Administrative Templates
System
User Profiles
Add the Administrators security group to roaming user profiles - Enabled

...

Nothing

The only way for me to get into their directories is to take ownership, then assign them modify rights individually.  I do not have time to do this to 350 AD users.  Plus from what I understand, if I do this, it would be bad for Quota usage as well (which I am not using currently but do not want to screw it up if I decide to later).

...

So there is my problem, I have tried FILEACL, from Microsoft (but not really), and it will not let me set permissions on those folders either (by adding).

I may be mistaken, but I can not afford to go into the security tab and FORCE it to accept Administrators, as that would remove the individual users' access rights, correct?

I would really like to kick M$ in the #$%#$%#$@^%$^#%^%#^%$^%$#^!@#$!$#@$ for making a parent directory with Administrative Rights not have full rights to its children, without my jumping through some hoops.

Help?




Question by:Todd_Bain
25 Comments
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16871612
xcacls can be used to edit the permissions:

make sure to use the -->   /E                 Edit ACL instead of replacing it.

XCACLS filename [/T] [/E|/X] [/C] [/G user:perm;spec] [/R user [...]]
               [/P user:perm;spec [...]] [/D user [...]] [/Y]
   filename           Displays ACLs.
   /T                 Changes ACLs of specified files in
                      the current directory and all subdirectories.
   /E                 Edit ACL instead of replacing it.
   /X                 Same as /E except it only affects the ACEs that the
                      specified users already own.
   /C                 Continue on access denied errors.
   /G user:perm;spec  Grant specified user access rights.
                      Perm can be: R  Read
                                   C  Change (write)
                                   F  Full control
                                   P  Change Permissions (Special access)
                                   O  Take Ownership (Special access)
                                   X  EXecute (Special access)
                                   E  REad (Special access)
                                   W  Write (Special access)
                                   D  Delete (Special access)
                      Spec can be the same as perm and will only be
                      applied to a directory. In this case, Perm
                      will be used for file inheritence in this
                      directory. If not omitted: Spec=Perm. Special values
                      for Spec only:
                              T  Not Specified (for file inherit,
                                 only for dirs valid)
                                 At least one access right has to follow!
                                 Entries between ';' and T will be ignored

   /R user            Revoke specified user's access rights.
   /P user:perm;spec  Replace specified user's access rights.
                      for access right specification see /G option
   /D user            Deny specified user access.
   /Y                 Replace user's rights without verify


Author Comment

by:Todd_Bain
ID: 16871797
xcalcs John.Smith /E /G Administrators:F

processed directory: E:\Profiles\John.Smith
ERROR: Access is denied.

Author Comment

by:Todd_Bain
ID: 16871805
er, I typed that command line thing up there wrong, I really entered in

xcacls John.Smith /E /G Administrators:F
LVL 51

Expert Comment

by:Netman66
ID: 16872234
You can take ownership easily:

Right-click the Parent folder.
Select Properties.
Select the Security tab.
Select the Advanced button.
Select the Owner tab.
Highlight Administrator (top entry).
Select the Replace owner on subcontainers and objects.

Now you should be able to set the basic rights on the parent.

Administrators = Full Control
SYSTEM = Full Control

On each subfolder, make sure to check the Allow Inheritable Permissions from parent to propagate to this object.

Apply the changes.

Each subfolder should then have only the user's Modify Permissions set at each folder, the rest comes down from the parent.


Author Comment

by:Todd_Bain
ID: 16872382
Yes but this completely defeats what I am trying to accomplish, if you reset the true Owner's permissions this will disrupt Quota usage down the road.

I mean this was explained in detail in my original question, I mean no disrespect it is just frustrating...

Original Question QUOTE

"The only way for me to get into their directories is to take ownership, then assign them modify rights individually.  I do not have time to do this to 350 AD users.  Plus from what I understand, if I do this, it would be bad for Quota usage as well (which I am not using currently but do not want to screw it up if I decide to later)."

This is definitely NOT a solution.
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16872432
Note: this is a solution if you want to edit the ACL to add the administrators... you must take ownership first... then you can edit the security.  Taking ownership is the only way I know of to modify permissions of a directory if the admin doesn't have rights.


Author Comment

by:Todd_Bain
ID: 16872439
Looks like it is time to call Microsoft.

Appreciate the comments...
LVL 51

Expert Comment

by:Netman66
ID: 16872547
You're correct about the Quotas.  The only other way to do this is to set the permissions on the parent as you want them, then have each and every user check the box for inheriting permissions and click Apply.

This is the only way you'll get the proper permissions in place without affecting Quota.

LVL 2

Expert Comment

by:mcrowley
ID: 16872959
You can take ownership, set the permissions the way you want them, and then re-assign ownership back to the user.  I believe this would maintain your Quota settings.
LVL 51

Expert Comment

by:Netman66
ID: 16872981
You cannot assign ownership, you can only take it.  The user would have to take ownership.


Author Comment

by:Todd_Bain
ID: 16873035
I can not reassign ownership back to the user.  Ordinarily you can, I'd agree with you 100%

This has to do with ADUC (Profile) creating the folder for me, not the Administrator creating the directory, and for whatever reason when it does this, it doesn't naturally inherit what the parent folder has set.

I am going to have to call Microsoft on this one, I think Netman66, is right as far as conventional thinking on how to do it, but my end users can barely click outlook by themselves, much less permissions...=(

Anyone can try this

...

Go make a directory.  Give Domain Admins / Administrators Full Rights, now give your Domain Users Modify Rights.

Those are the only two permissions to actively set.

Now go into ADUC (Active Directory Users and Computers) and create a new user.

On the "Profile" tab of ADUC, set the UNC path of that profile to your newly created folder \\SERVER\FOLDER-Just-Created\NewUser

Now click apply.  Voila, it has created the folder, that you can't get into.

You can take ownership of it, but that replaces the owner, and you can't give it back to said NewUser

Whacky crap...
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16873057


hmmm... possibly XCACLS can give ownership:

   /G user:perm;spec  Grant specified user access rights.
                      Perm can be: R  Read
                                   C  Change (write)
                                   F  Full control
                                   P  Change Permissions (Special access)
                                   O  Take Ownership (Special access)
                                   X  EXecute (Special access)
                                   E  REad (Special access)
                                   W  Write (Special access)
                                   D  Delete (Special access)

however, I haven't tested this...

LVL 51

Expert Comment

by:Netman66
ID: 16873064
Yes, that's correct.  If you allow the System to create the folder you have no rights.  If you pre-create the folder then all is well.

There was a way to set this so that the automatic creation will succeed.  I will have to find that doc for you.


Author Comment

by:Todd_Bain
ID: 16873071
xcacls John.Smith /E /G Administrators:F

processed directory: E:\Profiles\John.Smith
ERROR: Access is denied.

My second post down, I tried this... Didn't work :(
LVL 2

Expert Comment

by:mcrowley
ID: 16873078
Actually, you can do it with the GUI also.  When you're on the Ownership tab, you'll see a button that says "Other Users or Groups".  You can search AD for your target user, and re-assign ownership back to the user.
LVL 51

Expert Comment

by:Netman66
ID: 16873083
@mcrowley - did you try this?

Here is one article that might work (haven't tested it):  http://support.microsoft.com/kb/555046/en-us

It's not the one I'm looking for - so I'm still looking.

LVL 2

Expert Comment

by:mcrowley
ID: 16873095
Yes, I've done this before, to do exactly what Todd's looking for.  You can Take Ownership, change the permissions list to include Domain Admins (or some other group), and then give Ownership back to the user.  I've never tried xcacls, but the GUI works.
LVL 2

Expert Comment

by:mcrowley
ID: 16873516
Ok, here's what you can do.  I've tested it and it works.

Download the latest xcacls tool - http://support.microsoft.com/?kbid=318754

Install it, then create the first batch file (called runxcacls.bat) -

------
REM Batch comments must be REM lines; text after ';' on a command line is not a
REM comment in cmd.exe and would be passed to xcacls.vbs as extra arguments.
REM assigns ownership to Domain Admins
cscript xcacls.vbs %1 /O "<domainname>\Domain Admins"
REM gives Domain Admins Full Control
cscript xcacls.vbs %1 /G "<domainname>\Domain Admins":F
REM gives user back Full Control
cscript xcacls.vbs %1 /G <domainname>\%2:F
REM anyone else you want to have rights
cscript xcacls.vbs %1 /G "<domainname>\...":F
REM re-assigns ownership back to <username>
cscript xcacls.vbs %1 /O <domainname>\%2
------

You can then run it like this -
runxcacls.bat \\FILESERVER\PROFILESHARE\JohnDoeProfile JohnDoe

If your folders match the usernames, you're in business.  To take it a bit further, you can use a scripting tool (or Excel even) to take an exported list of usernames and run the batch file on each.

Give that a shot and let us know how it works.

Author Comment

by:Todd_Bain
ID: 16873559
mcrowley => I will definitely give that a shot; if I am unable to complete it today, I will first thing Monday.  Thank you all for your effort, mcrowley thank you for the script file, that looks like it should do the trick.

The folder names do match the usernames, so hopefully that will make everything just right.
LVL 2

Expert Comment

by:mcrowley
ID: 16873574
Cool, then insert the path in front of %1, and you can do it with one parameter, like so -

------
REM assigns ownership to Domain Admins
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /O "<domainname>\Domain Admins"
REM gives Domain Admins Full Control
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /G "<domainname>\Domain Admins":F
REM gives user back Full Control
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /G <domainname>\%1:F
REM anyone else you want to have rights
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /G "<domainname>\...":F
REM re-assigns ownership back to <username>
cscript xcacls.vbs \\FILESERVER\PROFILESHARE\%1 /O <domainname>\%1
------

You can then run it like this -
runxcacls.bat JohnDoe

Author Comment

by:Todd_Bain
ID: 16894016
mcrowley, I think you are right on the money with what needs to be done.  I am receiving an error now, though, that I am going to research further...

**************************************************************************
Directory: E:\Profiles\USER.NAME
Error -2147217406:  occurred setting Win32_LogicalFileSecuritySetting object.
(Msg#501)
Error description: Not found
**************************************************************************

I will let you guys know something as soon as I know something
LVL 2

Accepted Solution

by:
mcrowley earned 500 total points
ID: 16921017
takeown.exe from the Win2k3 resource kit appears to work better for ownership.

Author Comment

by:Todd_Bain
ID: 16921539
Awesome, I will look into that right after lunch.  Thank you again mcrowley, I had been researching that error and hadn't been able to turn anything up on it.  I will look into takeown asap.

Author Comment

by:Todd_Bain
ID: 16921603
That worked for taking ownership, now in conjunction with xcacls, I should be able to write a batch to takeown /f PROFILENAME /R /A, set permissions via xcacls, then give them ownership back.

Thank you for your diligence mcrowley
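The takeown -> xcacls.vbs -> give-ownership-back sequence outlined above, written out as a batch file; this is an added example, not a script posted in the thread. It assumes xcacls.vbs from KB 318754 sits in the current directory and accepts /E (edit ACL) and /S (recurse subdirectories) as in its help text, and that the profile folder name matches the username; PROFILEROOT, DOMAIN and ADMINGROUP are placeholders to adjust.

```batch
@echo off
REM Added example (not from the thread). Regain admin access to one roaming
REM profile folder and return ownership to the user so disk quota, if ever
REM enabled, is still charged to the user rather than to Administrators.
REM Placeholders: PROFILEROOT, DOMAIN, ADMINGROUP. Usage: fixprofile.bat JohnDoe
setlocal
set "PROFILEROOT=\\FILESERVER\PROFILESHARE"
set "DOMAIN=<domainname>"
set "ADMINGROUP=<domainname>\Domain Admins"

if "%~1"=="" (
    echo Usage: %~nx0 USERNAME
    exit /b 1
)
set "TARGET=%PROFILEROOT%\%~1"
if not exist "%TARGET%\" (
    echo Profile folder %TARGET% not found
    exit /b 1
)

REM 1. Take ownership of the whole tree for the Administrators group (/A).
REM    /D Y answers the prompt for subfolders the admin cannot list yet.
takeown /F "%TARGET%" /R /A /D Y
if errorlevel 1 (
    echo takeown failed on %TARGET%
    exit /b 1
)

REM 2. An owner can always change permissions, so now EDIT (/E, not replace)
REM    the ACL: grant the admin group Full Control, recursing with /S.
cscript //nologo xcacls.vbs "%TARGET%" /E /G "%ADMINGROUP%:F" /S

REM 3. Make sure the user keeps Full Control of their own profile.
cscript //nologo xcacls.vbs "%TARGET%" /E /G "%DOMAIN%\%~1:F" /S

REM 4. Hand ownership back to the user (needs the SeRestorePrivilege that
REM    members of Administrators hold) so quota accounting stays with them.
cscript //nologo xcacls.vbs "%TARGET%" /O "%DOMAIN%\%~1" /S

echo Done: %TARGET%
endlocal
```

Run it once per username from an exported user list; a folder that does not exist is skipped with a message rather than having ACLs written to the wrong place.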
LVL 2

Expert Comment

by:mcrowley
ID: 16921920
No problem, I was actually trying to figure out something similar for myself, and figured it out.