Solved

Corrupted Security Permissions - Server 2003

Posted on 2009-05-05
Last Modified: 2012-05-06
I have a Windows 2003 server that has got its share permissions and security settings well and truly messed up as the result of a migration from an old server 2000 box that had corrupt shares and security. The server local admin account has got corrupt special permissions that seem to be a major factor in the problems.

What I need to do is:
1. Remove all permissions and security for all folders, shares and files on the data partition.
2. Recreate default administrative access (administrator, domain admin etc.) to all folders, files and shares.
3. Add security for any top level security groups and re-establish & apply inheritance at the appropriate point in the directory structure (e.g. admin team for admin folder area).
4. Interrogate AD for each user account and capture the user home profile folder location.
5. Using the above (4), add specific default user rights (create / modify / delete) to each user's respective home folder (and any subdirectories).

End result should be that admin accounts have full access / control to everything, security group permissions are inherited down the tree correctly, users only have access to their specific home folder (and profile folder if applicable).

I've been looking at vbs to do this but would really appreciate some support with putting a script together. If someone has already written a script to do this - even better!
Question by:cmdown
6 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24308242
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 24308275
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 500 total points
ID: 24308342
0
LVL 1

Author Comment

by:cmdown
ID: 24331435
Hi dstewartjr
The 2nd script is almost what I am after. The issue is that, of course, there has been no standard naming convention over the years so what I need is something that works the opposite way around.
1st. Clear all permissions for all folders - remove all the erroneous permissions.
2nd. Set default permissions on all files/folders for Administrator / Administrators group & Domain Admins group only.
3rd. For each user in the AD, interrogate their user profile, extract the location(s) of their profile path (if set) and their home folder and then set their permissions to Modify, Read, Read&Execute on the relevant folder(s).

I have something like 1,400 user accounts that this needs doing for so a script is the only realistic way of doing this.

Just for info, the symptoms currently are exceptionally slow access (> 40 seconds to a 1kb file) with server cpu utilisation at 1% (Dell PE 2950, 16Gb Ram, Dual 1Gb NIC (teamed), 3TB Raid 5, Server 2003 SP2). Also permissions keep corrupting - folders losing permissions at random and having to be reset, users showing as having inherited permissions to random folders when they are not given those permissions at any higher level in the folder structure etc.

Just to add to the fun I've got to replace two of the hard drives in the array over the next two weekends in a phased disc change / array rebuild - slightly different models of same drive which, although *not* contributing to the above problems (confirmed by Dell), is however causing the perc controller to log entries in the event log every so often that the version of drive is not in its list of approved hardware. Oh joy!!
0
 
LVL 1

Author Comment

by:cmdown
ID: 24402334
dstewartjr has been really helpful with this problem but I am still stuck as to how to capture the location of a user's home folder / profile location using vbs, which I need to do in this situation. Ideas, anybody?
0
 
LVL 1

Author Comment

by:cmdown
ID: 24772234
In the end this work was done manually as I was unable to find a way of capturing the user home folder location. I would however like to award dstewartjr points as one of the scripts was very comprehensive. Should anyone read this post and know how to achieve the above through a script, I would still be interested to know!
0
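The step left open in the thread, reading each account's home folder and profile path from AD, can be done through ADSI by querying the `homeDirectory` and `profilePath` attributes. The VBScript below is an added example, not code from the thread or its participants: it writes one `icacls` Modify grant per user folder to a file for review and applies nothing itself. It assumes all accounts are in the domain of the user running it, that `icacls` is available on the server, and the output file name is made up for the example.

```vbscript
' Added example (not from the thread): list each AD user's home and profile
' folders and write icacls grant lines to a file for review. Nothing is applied.
Option Explicit
Const OUT_FILE = "home-folder-grants.cmd"    ' hypothetical output name

Dim root, conn, cmd, rs, fso, out, seen, domain, attr, user, path
Set root = GetObject("LDAP://RootDSE")
Set fso = CreateObject("Scripting.FileSystemObject")
Set seen = CreateObject("Scripting.Dictionary")
seen.CompareMode = vbTextCompare             ' folder paths are case-insensitive
domain = CreateObject("WScript.Network").UserDomain  ' assumption: single domain

Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 500            ' paged search, so more than 1000 users are returned
cmd.CommandText = "<LDAP://" & root.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "sAMAccountName,homeDirectory,profilePath;subtree"
Set rs = cmd.Execute

Set out = fso.CreateTextFile(OUT_FILE, True)
Do Until rs.EOF
    user = rs.Fields("sAMAccountName").Value
    For Each attr In Array("homeDirectory", "profilePath")
        path = rs.Fields(attr).Value
        If IsNull(path) Then path = ""       ' attribute not set on this account
        path = Trim(path)
        If path = "" Then
            ' nothing to grant for this attribute
        ElseIf seen.Exists(path) Then
            ' two accounts pointing at one folder: flag it, do not grant
            out.WriteLine "REM REVIEW " & user & ": " & attr & " " & path & _
                " is also used by " & seen(path)
        ElseIf Not fso.FolderExists(path) Then
            seen.Add path, user
            out.WriteLine "REM MISSING " & user & ": " & attr & " " & path
        Else
            seen.Add path, user
            ' (OI)(CI)M = Modify, inherited by files and subfolders
            out.WriteLine "icacls """ & path & """ /grant """ & _
                domain & "\" & user & ":(OI)(CI)M"""
        End If
    Next
    rs.MoveNext
Loop
out.Close
WScript.Echo "Wrote " & OUT_FILE & " - review it before running any line."
```

Run it with `cscript` from an account that can read the user objects and reach the file shares; the `REM REVIEW` lines mark folders shared by more than one account, which should be resolved by hand rather than granted.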
