Corrupted Security Permissions - Server 2003

Posted on 2009-05-05
Last Modified: 2012-05-06
I have a Windows 2003 server that has got its share permissions and security settings well and truly messed up as the result of a migration from an old server 2000 box that had corrupt shares and security. The server local admin account has got corrupt special permissions that seem to be a major factor in the problems.

What I need to do is:
1. Remove all permissions and security for all folders, shares and files on the data partition.
2. Recreate default administrative access (administrator, domain admin etc) to all folders, files and shares.
3. Add security for any top level security groups and re-establish & apply inheritance at the appropriate point in the directory structure (e.g. admin team for admin folder area).
4. Interrogate AD for each user account and capture the user home profile folder location.
5. Using the above (4), add specific default user rights (create / modify / delete) to each user's respective home folder (and any sub directories).

End result should be that admin accounts have full access / control to everything, security group permissions are inherited down the tree correctly, users only have access to their specific home folder (and profile folder if applicable).

I've been looking at vbs to do this but would really appreciate some support with putting a script together. If someone has already written a script to do this - even better!
Question by:cmdown

Expert Comment

by:Donald Stewart
ID: 24308242

Accepted Solution

Donald Stewart earned 500 total points
ID: 24308275

Assisted Solution

by:Donald Stewart
Donald Stewart earned 500 total points
ID: 24308342

Author Comment

ID: 24331435
Hi dstewartjr
The 2nd script is almost what I am after.  The issue is that, of course, there has been no standard naming convention over the years so what I need is something that works the opposite way around.
1st. Clear all permissions for all folders - remove all the erroneous permissions.
2nd. Set default permissions on all files/folders for Administrator / Administrators group & Domain Admins group only.
3rd. For each user in the AD, interrogate their user profile, extract the location(s) of their profile path (if set) and their home folder and then set their permissions to Modify, Read, Read&Execute on the relevant folder(s).

I have something like 1,400 user accounts that this needs doing for so a script is the only realistic way of doing this.

Just for info the symptoms currently are exceptionally slow access (> 40 seconds to a 1kb file) with server cpu utilisation at 1% (Dell PE 2950, 16Gb Ram, Dual 1Gb NIC (teamed), 3TB Raid 5, Server 2003 SP2).  Also permissions keep corrupting - folders losing permissions at random and having to be reset, users showing as having inherited permissions to random folders when they are not given those permissions at any higher level in the folder structure etc.

Just to add to the fun I've got to replace two of the hard drives in the array over the next two weekends in a phased disc change / array rebuild - slightly different models of same drive which although * not * contributing to the above problems (confirmed by Dell) is however causing the perc controller to log entries in the event log every so often that the version of drive is not in its list of approved hardware.  Oh joy!!

Author Comment

ID: 24402334
dstewartjr has been really helpful with this problem but I am still stuck as to how to capture the location of a user's home folder / profile location using vbs which I need to do in this situation.  Ideas anybody?

Author Comment

ID: 24772234
In the end this work was done manually as I was unable to find a way of capturing the user home folder location.  I would however like to award dstewartjr points as one of the scripts was very comprehensive.  Should anyone read this post and know how to achieve the above through a script I would still be interested to know!
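
The lookup the thread left open (reading each user's `homeDirectory` and `profilePath` from AD, then granting that user Modify on the folders), as an added example that is not from any poster in this thread. It assumes `icacls.exe` is present (Server 2003 SP2), that the script runs under an account in the same domain as the users, and a hypothetical `/apply` switch; without that switch it only prints the commands it would run.

```vbscript
' Added example, not from the thread. Usage: cscript //nologo <script>.vbs [/apply]
Option Explicit
Const ADS_SCOPE_SUBTREE = 2
Dim applyChanges, rootDSE, conn, cmd, rs, fso, shell, domain, attr, path, acct, line
applyChanges = WScript.Arguments.Named.Exists("apply")   ' hypothetical switch; default is a dry run

Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
' Assumption: users live in the domain of the account running the script.
domain = CreateObject("WScript.Network").UserDomain

' Query every user object through the ADSI OLE DB provider.
Set rootDSE = GetObject("LDAP://RootDSE")
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 500            ' paging, so more than 1,000 users are returned
cmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE
cmd.CommandText = "<LDAP://" & rootDSE.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "sAMAccountName,homeDirectory,profilePath;subtree"
Set rs = cmd.Execute

Do Until rs.EOF
    acct = domain & "\" & rs.Fields("sAMAccountName").Value
    For Each attr In Array("homeDirectory", "profilePath")
        path = rs.Fields(attr).Value
        If Not IsNull(path) Then                 ' Null means the attribute is not set
            ' A trailing backslash would swallow the closing quote on the command line.
            If Right(path, 1) = "\" Then path = Left(path, Len(path) - 1)
            If Not fso.FolderExists(path) Then
                WScript.Echo "SKIP   " & acct & " " & attr & " not found: " & path
            Else
                ' (OI)(CI)M = Modify, inherited by subfolders and files
                line = "icacls """ & path & """ /grant """ & acct & ":(OI)(CI)M"""
                WScript.Echo line
                If applyChanges Then
                    If shell.Run(line, 0, True) <> 0 Then WScript.Echo "FAILED " & path
                End If
            End If
        End If
    Next
    rs.MoveNext
Loop
```

Review the dry-run output, including the SKIP lines for paths that no longer exist, before running with `/apply`.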

Question has a verified solution.
