Solved

NTFS ACLs and file ownership transfer

Posted on 2010-08-20
Last Modified: 2013-12-04
Hello all,
I'm currently reading Windows Administration Productivity Solutions for IT Professionals, which is a great guide on setting up Active Directory infrastructures and designing a Role Based Access Control (RBAC) environment.

I currently have an infrastructure in place with about 3000 users and some 33000 students. I am taking on the challenge to revamp everything in there to comply with an RBAC system, rather than what I have inherited, which is really very rudimentary and insecure, and most of all, unauditable.

The concept of RBAC seemed to make sense. In particular, I have a question regarding one item:
The best practice is to create shared folders for departments and, contrary to general practice, it is recommended that only EDIT permissions be given to the department security group role (meaning no delete), and then to give the OWNER CREATOR access for deleting their own files.
I think this is a great system that will avoid having people delete each other's files on purpose or accidentally, while still allowing them to create and modify each other's files.
This is done by setting the ownership on the files and/or folders, and assigning the correct permissions.

Now my question:
Let's say John Doe used to work in Marketing and had access to the marketing share. He created a bunch of files and folders of which he is now the owner, and which the rest of the department can modify but not delete.
Suddenly John Doe finds a new job, and he's out. Now I have a bunch of scattered files and folders with him as the owner (or his now-orphaned SID as owner). Short of taking ownership of the parent folder, which would also mean taking ownership of other users' files in that department (which, of course, I wouldn't want to do), I don't really see an easy way to transfer the ownership of John's files to the person replacing him within this model.

Is anyone out there using RBAC, and particularly this system of file ownership, and if so, how are you managing file ownership transfers upon employee arrival or departure?

I love the system, but I want to try to think long term first, before implementing something that sounds like a great solution and then ending up stuck with big caveats and management nightmares...

Looking forward to hearing your opinions.

Question by: cvservices
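As an added illustration, not from the book, the questioner or anyone in the thread, here is how the department-share model described in the question (role group gets edit without delete, creator keeps delete on their own items) can be applied with icacls.exe from an elevated prompt; the share path and group name are assumed placeholders:

```powershell
# Added example, not from the book or the original post: the department-share
# ACL model described in the question, set with icacls.exe from an elevated prompt.
# The share path and group name are constructed placeholders.
$Share = 'D:\Shares\Marketing'
$Group = 'CONTOSO\Marketing-Role'   # the department role security group

# 1. Stop inheriting from the volume root, keeping copies of the inherited
#    entries, then drop the broad ones that do not belong in the model
#    (BUILTIN\Users is the usual one inherited from a drive root).
icacls $Share /inheritance:d
icacls $Share /remove 'BUILTIN\Users'

# 2. Department role: everything in Modify except the delete rights.
#    Modify is RX + W + DE; spelling the mask out as specific rights leaves
#    out DE (delete) and DC (delete subfolders and files):
#      RD list/read data, RA/REA read attributes/EA, X traverse/execute,
#      WD create files/write data, AD create folders/append data,
#      WA/WEA write attributes/EA, RC read permissions, S synchronize.
#    (OI)(CI) makes the entry inherit to files and subfolders.
icacls $Share /grant:r "${Group}:(OI)(CI)(RD,RA,REA,X,WD,AD,WA,WEA,RC,S)"

# 3. CREATOR OWNER: an inherit-only placeholder that NTFS replaces with the SID
#    of whoever creates each file or folder, so the creator gets Modify
#    (which does include delete) on their own items only.
icacls $Share /grant:r 'CREATOR OWNER:(OI)(CI)(IO)M'

# 4. Administrators keep Full Control so the tree stays manageable
#    (Full Control includes Write Owner, needed later to reassign ownership).
icacls $Share /grant:r 'BUILTIN\Administrators:(OI)(CI)F'

# Show the resulting DACL for review.
icacls $Share
```

Renaming or moving an item also requires the delete right, so under this model members can rename only the files and folders they created themselves; items created before the entries were applied keep whatever owner they already had.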
4 Comments
 
Expert Comment by: SysExpert (LVL 63)
I have not used this, but I think that there are command line tools to change ACLs, including based on owner.

See:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_25031865.html

Not perfect, but may be sufficient, and scriptable.

Expert Comment by: SysExpert (LVL 63)
Also:

"I'm looking for a fast way of finding user rights to files and folders in Windows 2003. I tried AccessEnum but it didn't do what I was expecting. I have folders with a lot of files, and going to every file to check it would be very time consuming."
xcacls can gather this information for you:

xcacls can do this for you, maybe a little easier, since it can grab/display as well as change permissions.
http://support.microsoft.com/kb/825751

ex: cscript.exe xcacls.vbs c:\temp /s

This would display the permissions for c:\temp and all subfolders.

Author Comment by: cvservices (LVL 1)
So, looking more at icacls, I'm thinking I may need to somehow leverage the /substitute SidOld SidNew option, /SetOwner, and perhaps even takeown.exe.

I wonder if someone already has a script that does that, which they may be willing to share, so that I don't have to reinvent the wheel. Otherwise, I'll just have to write it. I was hoping for something a bit more built-in than that, which I could delegate to the helpdesk or something of that nature.
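An added example, not code from anyone in the thread, of the ownership transfer the comment above is reaching for: Get-Acl selects only the departed user's items (whether the owner still resolves to a name or is left as an orphaned SID) and icacls /setowner reassigns them, so other users' files are never touched; the share path, account names, SID and log path are assumed placeholders:

```powershell
# Added example, not from the original thread: move ownership of a departed
# user's files to the replacement without touching anyone else's files.
# Run in an elevated PowerShell session on the file server; /setowner needs
# Write Owner access on each item (Administrators Full Control on the share
# provides it).  All names, the SID and the log path are constructed placeholders.
$Share    = 'D:\Shares\Marketing'
$OldUser  = 'CONTOSO\jdoe'      # departed user, if the account still exists
$OldSid   = 'S-1-5-21-1111111111-2222222222-3333333333-1105'  # placeholder: orphaned SID
$NewOwner = 'CONTOSO\jsmith'    # replacement
$LogFile  = 'C:\Temp\owner-transfer.csv'

# Get-Acl reports the owner of a deleted account as the bare SID string,
# so match on either form (string comparison is case-insensitive).
$oldIdentities = @($OldUser, $OldSid)

$results = Get-ChildItem -LiteralPath $Share -Recurse -Force | ForEach-Object {
    $path  = $_.FullName
    $owner = (Get-Acl -LiteralPath $path).Owner
    if ($oldIdentities -notcontains $owner) { return }   # someone else's item: skip

    # 1. Transfer ownership only; the DACL is left as it is.
    $null = & icacls.exe $path /setowner $NewOwner /Q
    $ok = ($LASTEXITCODE -eq 0)

    # 2. Ownership by itself does not grant delete, and the entry that
    #    inheritance stamped from CREATOR OWNER still names the old account.
    #    Give the replacement the same Modify right the creator had.
    if ($ok) {
        $null = & icacls.exe $path /grant "${NewOwner}:M" /Q
        $ok = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{ Path = $path; OldOwner = $owner; NewOwner = $NewOwner; Success = $ok }
}

# Keep an audit trail of every item touched and whether it succeeded.
if ($results) { $results | Export-Csv -LiteralPath $LogFile -NoTypeInformation }
'{0} of {1} items transferred to {2}' -f @($results | Where-Object Success).Count, @($results).Count, $NewOwner
```

Review the CSV log before trusting the result; the stale inherited entry naming the old identity remains on each item but grants nothing to any active account.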

Accepted Solution by: SysExpert (LVL 63), earned 250 total points
