?
Solved

On my network share, how can I prevent users from creating folders that exclude Administrator permissions?

Posted on 2008-11-17
5
Medium Priority
?
251 Views
Last Modified: 2013-11-25
I am using Robocopy to backup our network share's files and folders.  The files and folders all have a complex and carefully laid out set of ACLs/permissions that I need to preserve.

However, Robocopy came across whole directories of files that it couldn't copy, because of "Error 5: Access is denied."  When I examined them closer, I found that they were files contained in folders that users had created themselves, and therefore did not have any domain administrator permissions or ownership.

Is there any way that I can allow users to create folders with fine tuned permissions, but still enforce/propagate Administrator ownership or privileges for all files and folders on the network share?
0
Comment
Question by:KTN-IT
  • 3
5 Comments
 
LVL 12

Expert Comment

by:RobinHuman
ID: 22978485
Have you checked that the administrator permissions on the primary folder include inheritance to all subfolders? (it is a tick box which allows the permissions to be propogated to all sub-folders)
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 22978671
Is this what you mean?  (See picture)

The problem is, at many points down in the folder hierarchy, permission inheritance has been discontinued, and different permissions propagate from that point.

This is fine, but I wonder if there's some way (like with a powershell script or something) that I could recurse through all the files and folders and just add the administrator in (at least with read access so I can backup with Robocopy), without altering any of the other custom permissions that are established.
Clipboard01.gif
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 1600 total points
ID: 22979989
Try the following command
C:\>cacls C:\PathToFolder /C /E /T /G administrators:F
0
 
LVL 5

Author Comment

by:KTN-IT
ID: 22985031
That's what I was looking for.

The Powershell command is Set-Acl, but it doesn't seem quite as simple and straightforward as cacls, because it doesn't have any switch to automatically process all subfolders and files.

Good resource:
http://www.ss64.com/nt/cacls.html
0
 
LVL 5

Author Closing Comment

by:KTN-IT
ID: 31517555
Thanks!
0

Featured Post

Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question