  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 815

Corrupted Security Permissions - Server 2003

I have a Windows 2003 server that has got its share permissions and security settings well and truly messed up as the result of a migration from an old Server 2000 box that had corrupt shares and security. The server local admin account has got corrupt special permissions that seem to be a major factor in the problems.

What I need to do is to:
1. Remove all permissions and security for all folders, shares and files on the data partition.
2. Recreate default administrative access (administrator, domain admin etc.) to all folders, files and shares.
3. Add security for any top level security groups and re-establish & apply inheritance at the appropriate point in the directory structure (e.g. admin team for admin folder area).
4. Interrogate AD for each user account and capture the user home profile folder location.
5. Using the above (4), add specific default user rights (create / modify / delete) to each user's respective home folder (and any sub directories).

End result should be that admin accounts have full access / control to everything, security group permissions are inherited down the tree correctly, users only have access to their specific home folder (and profile folder if applicable).

I've been looking at VBS to do this but would really appreciate some support with putting a script together. If someone has already written a script to do this - even better!
0
Asked by: cmdown
2 Solutions
 
Donald Stewart, Network Administrator, Commented:
0
 
Donald Stewart, Network Administrator, Commented:
0
 
Donald Stewart, Network Administrator, Commented:
0
 
cmdown (Author) Commented:
Hi dstewartjr
The 2nd script is almost what I am after. The issue is that, of course, there has been no standard naming convention over the years so what I need is something that works the opposite way around.
1st. Clear all permissions for all folders - remove all the erroneous permissions.
2nd. Set default permissions on all files/folders for Administrator / Administrators group & Domain Admins group only.
3rd. For each user in the AD, interrogate their user profile, extract the location(s) of their profile path (if set) and their home folder and then set their permissions to Modify, Read, Read&Execute on the relevant folder(s).

I have something like 1,400 user accounts that this needs doing for so a script is the only realistic way of doing this.

Just for info the symptoms currently are exceptionally slow access (> 40 seconds to a 1kb file) with server CPU utilisation at 1% (Dell PE 2950, 16Gb Ram, Dual 1Gb NIC (teamed), 3TB Raid 5, Server 2003 SP2). Also permissions keep corrupting - folders losing permissions at random and having to be reset, users showing as having inherited permissions to random folders when they are not given those permissions at any higher level in the folder structure etc.

Just to add to the fun I've got to replace two of the hard drives in the array over the next two weekends in a phased disc change / array rebuild - slightly different models of same drive which although *not* contributing to the above problems (confirmed by Dell) is however causing the PERC controller to log entries in the event log every so often that the version of drive is not in its list of approved hardware. Oh joy!!
0
 
cmdown (Author) Commented:
dstewartjr has been really helpful with this problem but I am still stuck as to how to capture the location of a user's home folder / profile location using VBS, which I need to do in this situation. Ideas anybody?
0
 
cmdown (Author) Commented:
In the end this work was done manually as I was unable to find a way of capturing the user home folder location. I would however like to award dstewartjr points as one of the scripts was very comprehensive. Should anyone read this post and know how to achieve the above through a script I would still be interested to know!
0
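
Added example, not part of the original thread or any participant's script: one way to read each user's `homeDirectory` and `profilePath` from AD in VBScript (steps 4 and 5 of the question) and grant that user Change rights on the folder with `cacls`. It assumes it is run with `cscript` by a domain admin logged on to the same domain as the users, and that the stored paths are reachable from the server; `DRY_RUN` and `GrantModify` are names made up for this example.

```vbscript
Option Explicit
' Added example. Assumptions: run with cscript by a domain admin in the users' own
' domain. DRY_RUN and GrantModify are hypothetical names, not from the thread.
Const DRY_RUN = True              ' True = only print the cacls commands, change nothing
Const ADS_SCOPE_SUBTREE = 2

Dim rootDSE, conn, cmd, rs, shell, fso, domain
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
domain = CreateObject("WScript.Network").UserDomain    ' NetBIOS domain of the caller

' Query AD through the ADSI OLE DB provider for every user account.
Set rootDSE = GetObject("LDAP://RootDSE")
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 500   ' paged search, so more than 1000 accounts are returned
cmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE
cmd.CommandText = "SELECT sAMAccountName, homeDirectory, profilePath FROM 'LDAP://" & _
    rootDSE.Get("defaultNamingContext") & _
    "' WHERE objectCategory='person' AND objectClass='user'"
Set rs = cmd.Execute

Do Until rs.EOF
    GrantModify rs.Fields("sAMAccountName").Value, rs.Fields("homeDirectory").Value
    GrantModify rs.Fields("sAMAccountName").Value, rs.Fields("profilePath").Value
    rs.MoveNext
Loop
conn.Close

Sub GrantModify(account, folder)
    Dim cmdLine
    If IsNull(folder) Then Exit Sub           ' attribute not set on this account
    If Trim(folder) = "" Then Exit Sub
    If Not fso.FolderExists(folder) Then      ' report stale paths instead of failing
        WScript.Echo "MISSING  " & account & "  " & folder
        Exit Sub
    End If
    ' /T = include subfolders, /E = edit the existing ACL rather than replace it,
    ' C = Change, the cacls equivalent of Modify
    cmdLine = "cacls """ & folder & """ /T /E /G " & domain & "\" & account & ":C"
    WScript.Echo cmdLine
    If Not DRY_RUN Then shell.Run cmdLine, 0, True
End Sub
```

Run it once with `DRY_RUN = True` and review the printed commands and `MISSING` lines before letting it change any ACLs.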
