Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Very basic question on shares on Novell Open Enterprise Server 6.5

Posted on 2007-09-28
24
Medium Priority
?
827 Views
Last Modified: 2012-06-27
This probably sounds like a very basic question for somebody familiar wiht Novell products, but I could urgently do with an answer.

I have zero experience with Novell Netware etc.  I've taken over a site where I will be replacing the Novell OES 6.5 server with a Windows SBS server.  Looking at the screen of the Novell server I have what looks like a Linux command prompt.  I also have access to iManager and ConsoleOne running on a workstation here.
When I browse to \\SERVER_NAME\ from a workstation I see a number of shared folders - APPS, DATA and SYS.  What I want to do is Robocopy all the files from these folders (I reckon some of them are just system files, but there is user data in each folder unfortunately) then remap the drives on the workstations to point to the folders on the SBS server.  However I need some way of stopping users accessing these folders by accident later on (the OES server will be staying in place for a couple of weeks), which is very likely as some users have laptops that I don't have access to yet.

In Windows I'd just delete the shares or remove permissions to them, what do I do with an OES and how do I do it?  I've gone through all the settings I can see in iManager and ConsoleOne without seeing an obvious "This folder/volume is shared as SYS".


Any help appreciated!
0
Comment
Question by:Zenith63
  • 11
  • 5
  • 5
  • +1
23 Comments
 
LVL 35

Accepted Solution

by:
ShineOn earned 1500 total points
ID: 19978735
Now, as an expert-

If you have NetWare OES, why in the world would you want to replace it with Windows SBS?  Just because you have zero experience with it?  

OES gives you both the NetWare and Linux kernel, so if you're using the NetWare kernel it's not a Linux command prompt - but it could be, since the BASH shell has been added to NetWare 6.5 in recent support packs.  It also gives you license to install multiple instances of the OS on multiple servers without paying for more server licenses - because it's licensed by active user object.  Way different from SBS, where if you want to use the SBS services they all have to be on the SBS server, and only one SBS server can be in a forest 'cause it has to be forest root, and you can only connect up to 75 users to it...

What you see when you browse to \\server_name\ from a workstation is not shared folders - it's volumes.  Your server has three volumes - SYS:, APPS: and DATA:.

The SYS: volume is the rough equivalent to the Windows C: drive.  Presumably the previous admin knew a bit of what he/she was doing, as the APPS: volume should hold user applications (not server apps - those would be on SYS:) and the DATA: volume should hold user data.

How many users do you support?  Are you planning to migrate the user identities? Have you considered looking into the Services for NetWare - MSDSS/FMU?

Have you even considered not "throwing out the baby with the bath water?"  There are many ways NetWare/OES and Windows can coexist in a network.  MSDSS is one.  OES comes with Identity Manager, which is another.

As far as "shares" and "permissions" is concerned - the only place where that terminology would be used would be if NFAP/CIFS were configured.  

In NetWare, volumes are volumes, directories(folders to you) are directories, files are files.  Access rights, AKA Trustee rights, (similar to but more powerful than "permissions") are inherited from many object types and inheritance passes dynamically down the directory structure from the parent directory where the rights are assigned.  

All those rights can be assigned through either iManager or ConsoleOne, to users, groups, containers, if you have ZENworks also application objects, workstation objects, workstation groups, and other objects can be security principals as well, unlike Windows where only the group or the user can be a security principal.

If you look in ConsoleOne at a user object and go to the last tab, where it says "rights to files and folders" you can click "show" and select one of the volumes, and it will list all of the *explicitly assigned* rights to folders / files on that volume, for that user.

Do the same with a group object, to see what rights are inherited through membership to that group.

Do the same with a container object (OU, O) and see what rights are inherited by all of the objects in that container.

Then tell me where, in Windows, you can do the same?  You can't.  You have to look at the "share" to see who's assigned permissions. - you can't look at a user and see what permissions they're granted.   This is why you're having trouble- you're looking to do it the same way you'd have to do it on Windows.  

If you want to, you can go to the volume object and display the trustee list to see what objects are granted explicit rights at the volume level.  You can further drill down into the volume and look at individual folders to see explicit trustee assignments, and inherited rights as well.

All on ConsoleOne, all from your admin workstation - on any volume on any NetWare server in the tree, regardless of where it's physically located.  All through the volume objects in eDirectory.  Another thing AD can't do...
0
 
LVL 19

Expert Comment

by:alextoft
ID: 19979050
Quote sad to see people getting rid of superior products simply because they don't understand them, and don't want to learn. OES2 will be out shortly, and the domain services in that make it a better domain controller than ANY windows server!
0
 
LVL 19

Expert Comment

by:alextoft
ID: 19979060
To get rid of shares, go to file protocols in imanager and look at the CIFS options. It's set to share the root of all volumes by default.
0
[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

 
LVL 11

Author Comment

by:Zenith63
ID: 19979238
Thanks for the reply ShineOn.  That makes things a bit clearer, but I'm still not sure how I should prevent access to the DATA volume after I've done the data sync?  Is there an easy way to do this?  Also is there some way of seeing what files are open and in use on the server?

To be honest I don't think there's much point getting into the whole Microsoft vs. the rest debate again.  I've been reading so many Novell threads on here over the last few days and almost all start with why are you moving to Windows and why you shouldn't, it really does nobody any good, especially the person paying money to ask a question.
The reality is Novell has a tiny market share in Ireland so there is very little support if you run into problems.  Even on the Internet troubleshooting information is very difficult to come across.  I've sat here for two days trying to find ways of exporting data, seeing lists of email address in GroupWise, export email from GroupWise, remove the virus that is the Novell Client from PCs etc etc.  As IT support company we would be nothing short of negligent to leave a server in place that we cannot configure properly, let alone support.  In fact I think it would be fair to say that what's giving OES and Linux likewise a bad name with SMEs and IT service providers like ourselves is the slew of individuals and small companies out there deploying these servers without having a good enough knowledge of configuring and supporting them.  I can't count the number of small companies that have come to us over the last few years to get their site "sorted out" after they employed somebody who recommended a Linux server, on a home built server (because everybody knows you don't need proper hardware for a Linux server, it'll run on your average calculator, right?) and Open Office on their PCs.  Six months later they're tired of the complication and unreliability of the system and just want a "normal" system that any IT company on the block can support.
I'm not anti-Linux or anti-Novell, however I am pro-business, especially small/medium businesses where due to the complication of administration and lack of common knowledge of the products, Linux/Novell have no place.  It's not that Windows is better then Linux, or visa-versa, it's that there simply isn't enough knowledge of Linux systems out there, and our obligation is to the customer who frankly doesn't give a damn what the server OS is, provided we can sort it out, and should they want to get rid of us there are 1000 other IT companies out there who can pick up where we left off.

I hope you can see where I'm coming from.
0
 
LVL 11

Author Comment

by:Zenith63
ID: 19979348
alextoft - I was contracted to get rid of it by a customer, do you expect me to say no?  They have had 18 months or pure grief and unreliability and just want something that works.  I'm not sure what your experience is of MS products, but I've setup probably 100 Windows servers over the last year or two and not one of them has had the problems this company have experience with their Novell server.  Again as I said above it's not because Novell is less reliable then Windows (we all know the opposite is true), but incomplete knowledge of it on the part of the previous admin meant every time he changed something, something else stopped working.  When he is finally replaced there is so little useful information out there on Novell that it is very difficult to clean up the "mess".  Sad but true.

When I go to 'iManager'/'File Protocols'/'CIFS/AFP' and connect to my server there are no shares listed.  In 'iManager'/'File Protocols'/'NFS' it says 'Stopped'.  Seems strange but I've been back and forwards through iManager and ConsoleOne for the day trying to find somewhere where volumes are 'shared'.  While I'm at it, is there a way to see what files are open on the server?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19979473
Ireland isn't far from England, where alextoft is...  I wonder why support is so hard to come by in Ireland.

And to say you're not anti-Novell in the same post where you call the Novell Client32 a virus is a bit disingenuous.  Any tech worth a dime can learn how NetWare and Linux works and support all three platforms, in my humble opinion.

NetWare is much easier to support than is Windows, if there is any training or effort to learn done whatsoever.  Linux is a bit tougher, but not much - anyone with *nix experience can transfer that knowledge and update their skills easily, but it does take a tad more effort to support than "da pointin' an' da clickin'."  

However, in a truly small business, where they would never exceed the capacity or tax the hardware of a single Windoze SBS box, it's a bit of overkill to use full-blown OES.  The OES workgroup solution is much more powerful than Windows could ever hope to be, but it takes a bit of effort to learn how to support it.  On the user end, it's no problem whatsoever, in fact, much less problem than the typical Windows user suffers with.  One NetWare admin can typically support a couple-hundred users without going to the outside for help - most of their time is spent fixing Windows problems anyway.

However, as I mentioned before, if you're going to migrate from NetWare to Windows, MSDSS/FMU is a much better choice than piecemeal.

To disable access to a volume you could simply unmount it, if you don't want to figure out where trustee rights are assigned.  If you do find out where trustee rights are assigned, simply un-assign those rights and the volume disappears from the radar screen.  Like I said, rights are dynamic in NetWare.

It would be nicer for your customer if you'd find out where rights are assigned and assign permissions as closely as you can on the Windows side, if you don't want to use MSDSS/FMU, which will map trustee rights to permissions for you.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19979562
Volumes are only presented as "shares" when CIFS is in use.  If CIFS is not in use, then they are volumes.  They aren't "shared" - they have rights granted to them.

The filesystem rights structure is SRWCEMFA - Supervisor, Read, Write, Create, Erase, Modify, Filescan and Access.  If anyone has "S" rights to the root of the volume, they have full rights to everything on the volume.  Take away the rights and they can't get at them.

The only person that shoud have "S" rights to the root of a volume is the administrator.  No end-users should ever have "S" rights to the root of a volume.

That's why you need to look at how rights are being granted and inherited...  

As to how to see who has what open, you could use NoRM (the Novell Remote Manager).
0
 
LVL 19

Expert Comment

by:alextoft
ID: 19980689
I also find it interesting that you can't get Novell support in Ireland. I've done several IDM/Zen jobs over there and met lots of very capable Novell engineers. I know there's this same illusion in the UK aswell, but you've got thousands of extremely smug Novell admins hiding away because their systems just simply do not need hands-on attention every 2 minutes. No viruses, no worms, no malware, no worries... The support is out there if you want it, in quantity.

The fact that something is unreliable is usually representative of the capability of its administrator. I've had the opposite experience - I can't even remember the last time I had to physically visit one of my Netware or Linux servers for anything other than the occasional (and I mean occasional like once every 6 months, not 10 patches and a reboot every other day). From an admin's perspective Windows is a better choice if they have no idea what they're doing (not saying you don't...) as almost everything can be done point-n-click style. But that advantage is also its biggest disadvantage. Netware/Linux may be a little more complex to administer (and hence easier for the inexperienced to make a hash of), but the power and reliability one can obtain by having such granular access to the system is something Windows can only dream of.

Obviously if there's a paycheck at the end of it, that puts a different tint on the matter. I can do Windows too, I just choose not to because a) it's crap and I hate it, and b) every Tom, Dick & Harry can do Windows, MCSE's aren't worth jack these days, and Netware/Linux pays better :)
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19981258
Alex, you know what irritates me?  When said MCSE's think we know nothing of how Windows works because we know how NetWare works, and they get snooty about it.  

Then when it turns out we actually know more about Windows than they do, they get all defensive and start with ad-hominem attacks on Novell (or you) because they suddenly feel threatened by the "elder Geek."

Ever have that happen to you?




(Zenith63, I'm not referring to you... just having a side conversation in your thread.)
0
 
LVL 19

Expert Comment

by:alextoft
ID: 19983194
Funny you should say that. Our AD admin quit a couple of months back and hasn't been replaced. One of our IDM connected DC's imploded recently as the new student intake pumped its user object count past the 80,000 mark. It was chucking out RID pool errors and all sorts, and some of my other Redmond-worshipping colleagues were running around like headless chickens over the whole thing muttering about directory restore mode etc etc. Naturally this was all the fault of the axis of evil which is Identity Manager, installed by yours truly.

I gave them until lunchtime and it still wasn't fixed, so rummage around in the bottom draw, locate rather dusty resource kit, visit server, enter a couple of commands at the command prompt, reboot, fixed. Send slightly smug email, go to the pub for lunch.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19983326
heh.  80,000...

AD is soooo scalable ;D
0
 
LVL 11

Author Comment

by:Zenith63
ID: 19984427
OK, I'll rephrase - I'm not anti-Novell-server products.  I am very much anti-Novell Client.  I remember the grief it caused 10 years ago and it has not improved.  A typical virus takes over your PC but you might not notice any problems, until you remove it, then all the hooks it put into the OS are suddenly missing and rebuild is required.  I just don't see that the Client needs to get into every aspect of Windows and make itself so untidy to remove when the needs be.  Not considering that it may need to be removed some day and that the user doesn't want thier PC destroyed when that time comes is very much a tactic Microsoft gets accused of, eg. Internet Explorer.

It's not a case of me not being capable of learning Netware, I simply have no need to do it so why would I spend my time doing it when I could be learning something that will actually improve my salary prospects and how I support my customers?  I could spend the next few weeks and months learning the insides of Novell, but I'm unlikely to see another Novell server in the next few years, possibly ever.  I'm not exaggerating here by the way; I've been working in IT support now for 10 years, this is honestly the first Novell based server I have even SEEN in the last 8 years or so.  So although I understand the die-hard attitude (I've been on that side many times before) this is the reality for me.  I would have seen a couple more if we weren't supporting SMBs exclusively I'm sure, but we are so that's that.

It's all well and good to come out with statements as if they're facts about Windows server products, such as the patching every other day, rebooting every other day, viruses worms etc. but anybody who is actually supporting Windows based systems NOW knows this is simply wrong.  I know you say you "know" Windows, but have either of you actually done any serious Windows server support recently?  I say SERVER specifically because even in a Novell environment the workstations are generally Windows XP anyway, so problems with these are problems no matter what server OS you're using.  We support about 150 Windows servers at the moment and I can honestly say we've only had two virus issues in the last two-three years, in both cases weak administrator passwords were the underlying problem.  Viruses are really a non-issue these days, you stick something like McAfee Antivirus on each workstation and server and you're set.  As for restarting the server and patching I'm not sure where that comes from either, Windows Update/WSUS sorts this out and restarts the server during the night if necessary without any intervention.  Every OS needs patching.  I agree these things were problems in the past, but saying they are problems now is just showing ignorance of the current reality.

"Redmond-worshipping colleagues"
You say that in a derogatory way, but can't you see you're exactly the same with Novell/Linux?  It's fine by me that you prefer Novell over Windows, but you should realise how elitist the replies in this thread come across.  As I said I've read a lot of the threads in the Novell zones on EE over the last few days and I've seen this thread thrashed out over and over again.  I've come across this enough times over the years to let it wash over me at this stage, but I hope you can see how this attitude actually puts what you're supporting in a negative light.  In most of these threads somebody asks a question, making it quite clear they have little to know knowledge about the product, they then get a heap of replies (often from a select group (tempted to use the word clique here) of experts) asking them why they are trying to remove X, Y or Z piece of non-MS software and how crap the piece of software they're moving to is, regardless of the millions of users who may be using it worldwide with great success.  They tend to throw in one line at the end of the post with a hint of how to solve the problem just to justify their 10 other lines of hubris.

"every Tom, Dick & Harry can do Windows, MCSE's aren't worth jack these days, and Netware/Linux pays better"
I agree with part 1, and this is a benefit, not the other way around!  I also agree with part 2, but this is the case for most certifications out there these days.  I can just as easily learn off the material for a CCNA exam as I can an MCSE exam.  Part 3 is a generalisation that doesn't stand up to any scrutinisation.  If you take 100 MS admins and 100 Netware/Linux admins will the Netware guys be on more money?  Absolutely.  However the reason for this is you won't get many low-mid range Novell/Linux support guys because it's simply too complicated for them to learn and there isn't the business out there for those guys to work in small-medium businesses.  If you knew MS as well as you say you know Novell/Linux I'm quite confident you could get similar money.

Anyway, enough of that, this is a place of learning after all :).  Iim going to try and "simply unmount it" on Monday, after I've checked that no files are open, of course, using NoRM which I now know so much about.  With any luck (it sounds like I may need this) I'll happen to find out where trustees have been granted permissions on the various directories so I can replicate them on my new server.  In reality I've learned very little here to achieve this, so I'm going to pull the power on the box to get all file locks closed, then pull the connection to the LAN and connect direct to the box I'm transferring to to stop users accessing it, and as the previous admin found his Novell box too complicated to configure permissions I won't need to copy them to the new server as he didn't set any.  
LOL, when I said I know nothing about Novell I really meant that.  To draw a parallel to Windows - I don't know how or where to look for the Start button, I don't know if this mysteriously tempting sounding Start button should be accessed from a web console or at the machine itself, I know I can see "folders" on the server from a workstation but I have no idea if these are volumes, directories, folders, pools, drives or mounted floppy disks all I do know is I want them to stop appearing.  Tongue in cheek here by the way.


Cheers!
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19984696
Geez.  Hit a nerve did we?

If you were paying attention, you could have learned enough to find where "permissions" are granted.  You were too busy looking for your "shares" to look at where trustee rights to the filesystem are granted, explicity or inherited - which is much easier to discover with NetWare than it is with Windows.  I already explained how to do that, and if you don't understand any of my instructions, just ask for clarification.

If you just turn it off, you're really showing *pure* ignorance - or at least *pure* bullheadedness.  Would you "pull the power" on your Windows SB server?  To shut down a NetWare server, you go to the server console, and flip through the screens until you see the "colon" prompt, then enter "down."  It will ask you to verify that you really want to, and will tell you that some users have some files open and ask if you still want to.

There is no "start" button.  There is a GUI available for the server, but it's a server, not a workstation.  You do most administrative functions from an administrative client.

If you'd tell us what approach you're interested in taking, amongst the several suggestions that have been made, and ask a few questions about whatever you don't understand still, we can give you further explanation.

And I ask you this, as one last shot at your "virus" comment - if the Novell client were a "virus," would Microsoft recommend you install the Novell client on your >Win2K3 SERVER< ?  They do, you know, as part of installing the Services for NetWare (MSDSS/FMU).
0
 
LVL 19

Expert Comment

by:alextoft
ID: 19984725
Microsoft have 2 outstanding products: Exchange >2003, and SQL Server >2005.

Any networked operating system which stores file permissions in the directory instead of the filesystem is frankly laughable. Loose the directory, loose the permissions. Unacceptable. Active Directory today is still miles behind what eDirectory (or NDS I should really say) was in 1994! Fortunately our main filestores are NOT on Windows. Can you imagine the size of the AD with 80,000+ users, all with 10,000+ files (full cross-platform roaming profiles, cookies, web cache, everything) in their home directory, each of those files having its own individual ACL enumeration (NTFS doesn't truly do inherited permissions don't forget...)?! Doesn't bear thinking about!

Any networked operating system that requires you to reboot to do a directory repair is beyond belief. In an eDirectory tree it's 1 command, just 1. No reboot, no fuss.

I don't particularly have any vendor loyalty, maybe I come over as a Novell fanboy, but it's simply that their products on the whole are extremely well thought out, and written by some of the best computing brains in the world (why do you think MS move heaven and earth to poach them all the time?). Pity I can't heap the same praise on their PR department! I honestly couldn't give a rat's ass who makes the products, I simply choose the best technology for the job, not merely what I'm comfortable with and what "everyone else uses". If that's Windows, fine, I'll use Windows, and on occasion I have. But the vast majority of the time when it comes down to cost, support requirements, reliability and just plain power, Windows comes bottom of the pile.

I work for one of the largest Universities in the UK, with several million pounds worth of carrier grade Nortel network infrastructure, more users than the population of the average small city, thousands of PC's and servers (Windows/OSX/Netware/Linux/Solaris/BSD/HPUX). I've been in this game for 20 years and remember writing 8-bit assembler whilst watching Live Aid in 1985. Without getting into a cock-size contest, I feel this allows me to say I know what I'm talking about.

The big money MS jobs are mainly contract consulting, as I'm sure you know. Been there, done that, got fed up to the back teeth with travelling, hotels, never being at home long enough to spend all the money I was earning. Now permanent jobs with a 10 minute commute, 40 days leave, pulling the same money? That's a different matter, but I'm pleased to say I have one.

Anyway, I hope you get where you want to be with your server.

0
 
LVL 11

Author Comment

by:Zenith63
ID: 19987884
Not really hit a nerve, but having spent two days reading threads on here and other forums I was a bit tired of seeing people with genuine questions get little to know help but ears full of how crap Microsoft was.  If they'd (and I'd) asked for a comparison then fine, but simple questions are repeatedly answered with pages of stupid answers about how great Novell is and how crap Windows is, as if the asker of the question could give a damn.  If it wasn't for the fact that I really needed answers, it would have been a good laugh to contrast the various other zones on here where users are getting some great info, with the threads in this one where users were getting a sermon.  The thing is ExpertsExchange is not a public forum, it's a place where people pay money for professional answers.  Come on, you've got to admit this is happening right?

I was paying attention and read your explanation of trustee rights.  What I want to do though is stop users accessing the folders.  From what I remember seeing the other day I don't get the option to set Deny permissions on a directory?  I'm not even too sure where I'm supposed to be setting these permissions from as there seems to be a few places showing folders called SYS or ADMIN or DATA.  When I browse to the server I see another "share" the previous admin created but this only appears in some locations in iManager, so again I'm quite confused as to where I should be setting these permissions.  If I happen to figure out where to do this, do I add a group that contains all the users but not tick any of the rights for them?  Is this effectively denying access by not granting it?  I hope my problem is obvious here.  It may seem to you like setting permissions in Novell is easier then 1-2-3, and that's great, but to somebody who only knows Windows it is very different and so very complicated.  Maybe with a few months I'd agree that the permissions structure is better (and I do agree that seeing permissions granted to a user from the user account properties would be handy in Windows), but right now I have no interest in learning all about it, I just want to do one task and so asked for instructions on doing this with the proviso that I know nothing about using OES.

I've already made it quite clear that I have *pure* ignorance of Novell.  The second line in my question was - "I have zero experience with Novell Netware".  How can I make this any clearer?  When somebody says that you should assume I have complete and utter ignorance.

Erm I did say that was tongue in cheek.  I was making the point that from your postings and others I've read on here I'm in no better a position to do any more then that.  As for the Start button comments I was trying to draw a parallel to somebody coming to you/me who doesn't know jack about Windows.

I didn't mean that virus comment about the Novell Client literally.  Do you not agree that the way it gets deep into the OS is a bad thing?  It only takes one other application to make some change to something the Client also changes during installation and that's it, it will likely never uninstall successfully.  If you don't need to remove it that's no problem, and in an environment that is Novell and staying that way I'm sure it's a non-issue.  I just don't think it's good enough to take this attitude, they have to consider it wanting to be removed some day without a rebuild being so likely.  Anyway, we're not likely to change the way it's made, I was just voicing my dismay at the next two weeks I'm going to spend on this site trying to remove this piece of software from users' PCs so that they function properly.  Very much the experience you used to have 5 years ago when a virus got onto a network no?

The approach I'm taking, OK - There's only the one OES server and only really 15-20 users, and at most times half of these aren't here.  Between this, and the fact that a migration to SBS would be a bit more messy then your average Windows server, I didn't think going down the proper migration path was justified.  It would have been smoother, but sometimes these migrations take considerably longer then the plain old brute force approach, especially in small companies where a bit of complete downtime isn't a big deal.
So I wanted to Robocopy all the data off the Novell box to the new SBS server a few days in advance, then on the day just sync the data.  I'd need to check nobody had files open when I did the final sync.  Because the OES box has GroupWise on it as well it would have to stay in place for a few days more, so I definitely need to disable the existing 'shares' on the Novell box in case some user had a UNC link on their Desktop that I didn't catch.  Setting up new user accounts on SBS only took 10 minutes, so again migration here wouldn't have been a major benefit.  From what I could tell on the client end there are no permissions setup on the data folders so this wasn't an issue, though I would very much like to have confirmed this.
Shockingly simple plan I thought with damn all knowledge of Novell needed, but disabling the shares somehow is very important.  Hence the reason for my question.  Maybe this task is easier in Novell, but there are probably 1000 documents on the Internet which will explain how to do it on a Windows box, I've found 0 to explain it in a clear manor for Novell.  This doesn't make Windows better, but it does make it easier to support.

"Any networked operating system which stores file permissions in the directory instead of the filesystem is frankly laughable. Loose the directory, loose the permissions."
I'm not sure what you mean by this?  The security descriptors for an NTFS volume are stored on the drive in the $Secure file, not in AD.  Am I misunderstanding what you're saying?

Well after all that it seems I believe Novell is not suitable for most small businesses out there, and you believe Windows is not appropriate for most large enterprise customers?  1-1, can I go to bed now? :)


If somebody would care to give me explicit (assume I'm 4 years old) instructions for preventing access to files in the DATA share of this server I'd really appreciate it.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19988019
I thought I had explained adequately, but  apparently not.  There are no shares in NetWare, only volumes, folders and files.  There are no permisssions in NetWare, only rights.

That may seem to you to be the same thing, but it's not.

A share can point to any NTFS/FAT folder you want it to and be called whatever you want to call it.  An NWFS/NSS volume is always a volume, and it always appears with the same name, and is the root of a division of the filesystem structure, along the lines of the NT C: drive or an unlettered NTFS volume, however it doesn't show up as a folder within another "drive."  It's its own entity.

Rights are either granted, or not.  They can be inherited and they can be blocked, but they cannot be "denied."  Rights are dynamically inherited.  NTFS Permissions can be inherited and blocked and there's also a "deny" permission that doesn't exist in NetWare.  Shares take the place of the dynamic upward inheritance, to a degree, in that they help control visibility to the NTFS files and folders and are used in mapping, and are less static than NTFS permissions.   There is no true "share" equivalent in NWFS/NSS unless you are using Native File Access Protocols/Common "Internet" File System, which is a feature of NetWare similar to Samba on *nix, which makes a NetWare server appear as though it's a Windows server, presenting "shares" to the native Windows LanMan client service.  This appears not to be your situation, so I haven't spoken of CIFS or shares since your dialog with alextoft regarding those features.

If you're granted rights to a folder, you only have rights to that folder and its children.  The rights dynamically flow bidirectionally from the point where they are granted, giving you sufficient rights to see the directory path from the root or mapping, to the folder where you were granted rights.

If those rights are revoked, you no longer have those rights, or any of the inherited rights.  Immediately and dynamically.

So, if you take the time to find out how rights are being assigned to the volumes, you can use that to revoke said rights, dynamically.

For example, if all of your users are in a group called "Everyone" and the "everyone" group is the source of inheritance of rights to the Apps volume, by a) removing the users from that group or b) removing the rights granted that group to the Apps volume, you immediately revoke the inherited rights, dynamically.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19988258
To further explain, unlike Windows NTFS, filesystem permissions aren't statically stored in the ACL's and any new or changed inheritances don't require a manual action to tell the filesystem to populate the inherited permissions.

NWFS/NSS filesystem rights are purely dynamic.  Removing the assigned or inherited rights also removes the inheritance and visibility.

0
 
LVL 35

Expert Comment

by:ShineOn
ID: 19988277
Another thing - to clarify why I was making comparisons or trying to get you to use the investment was to start, you didn't say that you were a consultant or the company with OES was a client of yours.  It sounded to me like you were a newly-hired employee of the company that inherited an OES network, and because you didn't understand it had convinced them to switch to Win SBS which you do understand, rather than taking the time or effort to understand what you do have.

Had you said, from the outset, that your company was hired to migrate a client's system from OES to WinSBS, my comments would have been different.  Sure, I may have said something like "it's a shame they're getting rid of a superior product, but here's the answer to your question" rather than "you should think about doing this or this instead of that" and I would have spent less time trying to educate you to the strengths of the product I thought you were getting rid of just because you didn't know better, and more time trying to educate you to the logistics of doing the task you were contracted to do.

Further, a lot of the comparison stuff when talking about shares/permissions vs volumes/rights was trying to work within your frame of reference to help you understand why you weren't finding what you were looking for, and why you should look for something else.
0
 
LVL 4

Expert Comment

by:blcarter14
ID: 20001021
Try this, mostly a paraphrase of ShineOn.
Login as admin.
Open \\SERVER_NAME
Right click on the Apps Volume
Select "Trustee Rights..."
Remove all trustees from the "Trustees" box by highlighting, then delete

Do the same for the DATA Volume

The volumes are still shared, but no-one (except admin and admin equivalent ) have access to them.  You should be safe with this.  You can check your users to see if any have "security equal to me" as admin, but it is unlikely.

Hope this helps, and it is really a shame your leaving OES.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 20002639
"The volumes are still shared"

Not really.  They never were to begin with.  Sharing is a Windows-only concept.

The volumes are served.  At that point, after completing your instructions, none of the explicitly-assigned rights to the root of the volume would be in effect any more.  Problem with that is, if any object has explicitly-assigned rights to a subdirectory on the volume, the volume is still very much visible and very much accessible.

I don't have any explicit rights granted to the root of any of my volumes to any users/groups/containers/apps.

For example, say I have a volume DATA with a Users folder, under which are all of my user home directories.

Nobody has any rights to the root of the DATA volume.  Everyone has explicit rights to their own home directory.  They will be able to see the User folder and their own home directory folder, even though there are no trustees showing at the root of the volume to remove using your technique.
0
 
LVL 4

Expert Comment

by:blcarter14
ID: 20005647
good point.
What about this, right click the volume, select Inherited Rights and filters, select 'view trustees below directory'.  It takes a while to populate.
Then remove all trustees except admin.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 20010593
That would work.  Depending on how many users, how many levels of explicit rights, etc., as blcarter14 says, it takes a while to populate.  

When it's done "thinking" sometimes you have to move the dialog box or something to get the list to display, but it does.
0
 
LVL 11

Author Comment

by:Zenith63
ID: 20111930
Well thanks for all the replies guys, the "migration" is done.

The Novell client uninstalled fairly cleanly on most of the PCs, though there were a few where the Windows profiles were left unuseable afterwards.  I ended up replacing most of the PCs in the end anyway, so it wasn't too big a deal.

For the data transfer I used robocopy to copy it across then just renamed the folders on the server, saved me messing with the permissions.  ConsoleOne didn't seem to be working to well in there (kept complaining that it couldn't save changes even though I was logged in as admin) so it probably wouldn't have worked anyway.


Thanks again for the help.
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Machine Learning is one of the profound applications of AI and therefore, just like AI, it is surrounded by myths and fears. Check out these facts about ML that demystify the related myths.
Herein one will find an aggregate of some of my experience building and deploying virtualization stacks both in standalone, clustered Hyper-V, clustered Hyper-V with a Scale-Out File Server (SOFS) backend, and Storage Spaces Direct (S2D).
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question