• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 817
  • Last Modified:

Corrupted Security Permissions - Server 2003

I have a Windows 2003 server that has got its share permissions and security settings well and truly messed up as the result of a migration from an old server 2000 box that had corrupt shares and security. The server local admin account has got corrupt special permissions that seem to be a major factor in the problems

What I need to do is to :
1. Remove all permissions and security for all folders, shares and files on the data partition.  
2. Recreate default administrative access (administraor, domain admin etc) to all folders, files and shares
3. add security for any top level security groups and re-establish & apply inheritance at the appropriate point in the directory structure (eg admin team for admin folder area)
4. interrogate AD for each user account and capture the user home profile folder location
5. using the above (4) add specific default user rights (create / modify / delete) to each user's respective home folder (and any sub directories)

End result should be that admin accounts have full access / control to everything, security group permissions  are inherited down the tree coreectly, users only have access to their specific home folder ( and profile folder if applicable )

I've been looking at vbs to so this but would really appreciate some support with putting a script together.  If someone has already written a script to do this - even better !
0
cmdown
Asked:
cmdown
  • 3
  • 3
2 Solutions
 
DonNetwork AdministratorCommented:
0
 
DonNetwork AdministratorCommented:
0
 
DonNetwork AdministratorCommented:
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
cmdownAuthor Commented:
Hi dstewartjr
The 2nd script is almost what I am after.  The issue is that, of course, there has been no standard naming convention over the years so what I need is something that works the opposite way around.
1st. Clear all permissions for all folders - remove all the erroneous permissions
2nd. Set default permissions on all fiels/folders for Administrator / Administrators group & Domain Admins group only.  
3rd. For each user in the AD, interogate their user profile, extract the location(s) of their profile path (if set) and their home folder and then set their permissions to Modify, Read, Read&Execute on the relevenet folder(s)

I have something like 1,400 user accounts that this needs doing for so a script is the only realistic way of doing this.

Just for info the symptons currently are exceptionally slow access (> 40 seconds to a 1kb file) with server cpu utilisation at 1% (Dell PE 2950, 16Gb Ram, Dual 1Gb NIC (teamed), 3TB Raid 5, Server 2003 SP2).  Also permissions keep corrupting - folders losing permissions at random and having to be reset, users showing as having inherited permissions to random folders when they are not given those permissions at any higher level in the folder structure etc.

Just to add to the fun I've got to replace two of the hard drives in the array over the next two weekends in a phased disc change/ array rebuild - slighlty different models of same drive which although * not * contributing to the above problems (confirmed by Dell) is however causing the perc controller to log entries in the event log every so often that the version of drive is not in its list of approved hardware.  oh Joy !!
0
 
cmdownAuthor Commented:
dstewartjr has been really helpful with this problem but I am still stuck as to how to capture the location of a users home folder / profille location using vbs which I need to do in this situation.  Ideas anybody ?
0
 
cmdownAuthor Commented:
In the end this work was done manually as I was unable to find a way of capturing the user home folder location.  I would however like to award dstewartjr points as one of the scripts was very comprehensive.  Should anyone read this post and know how to acheive the above I through a script I would still be interested to know!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now