Solved

NTFS ACLs and file ownership transfer

Posted on 2010-08-20
Last Modified: 2013-12-04
Hello all,
I'm currently reading Windows Administration Productivity Solutions for IT Professionals, which is a great guide on setting up Active Directory infrastructures and designing a Role Based Access Control (RBAC) environment.

I currently have an infrastructure in place with about 3000 users and some 33000 students. I am taking on the challenge of revamping everything in there to comply with an RBAC system, rather than what I have inherited, which is really very rudimentary and insecure, and most of all, unauditable.

The concept of RBAC seemed to make sense. In particular, I have a question regarding one item:
The best practice is to create shared folders for departments, and, contrary to general practice, it is recommended that only EDIT permissions be given to the department security group role (meaning no delete), and then giving CREATOR OWNER access for deleting their own files.
I think this is a great system that will avoid having people delete each other's files, on purpose or accidentally, while still allowing them to create and modify each other's files.
This is done by setting the ownership on the files and/or folders, and assigning the correct permissions.

Now my question:
Let's say John Doe used to work in Marketing and had access to the marketing share. He created a bunch of files and folders of which he is now the owner, and the rest of the department can modify, but not delete, his files.
Suddenly John Doe finds a new job, and he's out. Now I have a bunch of scattered files and folders with him as their owner (or his now-orphaned SID as owner). Short of taking ownership of the parent folder, which would also mean taking ownership of other users' files in that department (which, of course, I wouldn't want to do), I don't really see an easy way to transfer the ownership of John's files to the person replacing him within this model.

Is anyone out there using RBAC, and particularly this system of file ownership? If so, how are you managing file ownership transfers upon employee arrival or departure?

I love the system, but I want to try to think long term first, before implementing something that sounds like a great solution and then ending up stuck with big caveats and management nightmares...

Looking forward to hearing your opinions.

Question by:cvservices
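The folder model the question describes, written out as an added PowerShell example (not code from the thread or from the book it cites). The share path and role group name are placeholders; existing explicit ACEs on the folder are kept and the model's rules are added to them.

```powershell
# Added example (not from the thread): apply the "edit, but no delete" model the
# question describes to a department share root. Path and group are placeholders;
# existing explicit ACEs on the folder are kept, and the new ones are added.
function Set-DepartmentShareAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,       # e.g. 'D:\Shares\Marketing'
        [Parameter(Mandatory = $true)] [string] $RoleGroup   # e.g. 'CONTOSO\Role-Marketing'
    )
    $Rights      = [System.Security.AccessControl.FileSystemRights]
    $Inherit     = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $NoProp      = [System.Security.AccessControl.PropagationFlags]::None
    $InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $Allow       = [System.Security.AccessControl.AccessControlType]::Allow

    # "Edit" is Modify with the Delete bit cleared. Modify does not contain
    # DeleteSubdirectoriesAndFiles (FILE_DELETE_CHILD), so the group cannot remove
    # other people's files by way of the parent folder either. Write remains, so
    # contents can still be overwritten: this guards against deletion, not edits.
    $EditRights = [System.Security.AccessControl.FileSystemRights] (
        [int] $Rights::Modify -band -bnot [int] $Rights::Delete)

    $rules = @(
        # Administration stays with the built-in principals.
        @('BUILTIN\Administrators', $Rights::FullControl, $NoProp),
        @('NT AUTHORITY\SYSTEM',    $Rights::FullControl, $NoProp),
        # Department role group: create, read and change anything, delete nothing.
        @($RoleGroup,               $EditRights,          $NoProp),
        # CREATOR OWNER is inherit-only: NTFS copies it onto each new file or folder
        # as an explicit ACE for its creator, granting Delete on that item alone.
        @('CREATOR OWNER',          $Rights::Delete,      $InheritOnly)
    )

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the parent
    foreach ($r in $rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $r[0], $r[1], $Inherit, $r[2], $Allow)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Show the result so the explicit rules can be checked against the model.
    (Get-Acl -LiteralPath $Path).Access | Format-Table IdentityReference, FileSystemRights, PropagationFlags -AutoSize
}
```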
4 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 33488598
I have not used this, but I think that there are command line tools to change ACLs, including based on owner.

see
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_25031865.html

Not perfect, but it may be sufficient, and scriptable.
 
LVL 63

Expert Comment

by:SysExpert
ID: 33488620
Also:

"I'm looking for a fast way of finding user rights to files and folders in Windows 2003. I tried AccessEnum but it didn't do what I was expecting. I have folders with a lot of files, and going through every file to check it would be very time consuming."
xcacls can gather this information for you:

xcacls can do this for you, maybe a little easier since it can grab/display as well as change permissions:
http://support.microsoft.com/kb/825751

ex: cscript.exe xcacls.vbs c:\temp /s

This would display the permissions for c:\temp and all subfolders.
 
LVL 1

Author Comment

by:cvservices
ID: 33488670
So, looking more at icacls, I'm thinking I may need to somehow leverage the /substitute SidOld SidNew option, /SetOwner, and perhaps even takeown.exe.

I wonder if someone already has a script that does that and may be willing to share it, so that I don't have to reinvent the wheel. Otherwise, I'll just have to write it. I was hoping for something a bit more built in than that, which I could delegate to the helpdesk or something of that nature.
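Scripting the transfer the author sketches above, as an added PowerShell example (not code from the thread). It locates items by the departed user's SID, so it also works once the account is gone and only an orphaned SID remains, and it moves both the ownership and the explicit Delete ACE that NTFS materialised from CREATOR OWNER, which changing the owner alone would leave pointing at the old SID. The share path, SID and replacement account are placeholders; assumes Windows PowerShell 3.0 or later in an elevated session.

```powershell
# Added example (not from the thread): re-home a departed user's files in the
# CREATOR OWNER model. Every item under $Path owned by $OldOwnerSid gets $NewOwner
# as owner, and any explicit (non-inherited) ACE for the old SID, such as the Delete
# ACE NTFS materialised from CREATOR OWNER, is recreated for $NewOwner.
# Run elevated: assigning ownership to another account relies on SeRestorePrivilege.
function Move-OwnedItems {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,         # e.g. 'D:\Shares\Marketing' (placeholder)
        [Parameter(Mandatory = $true)] [string] $OldOwnerSid,  # 'S-1-5-21-...' string; matches even if the account is gone
        [Parameter(Mandatory = $true)] [string] $NewOwner      # 'CONTOSO\jane.roe' (placeholder)
    )
    $sidType    = [System.Security.Principal.SecurityIdentifier]
    $newAccount = New-Object System.Security.Principal.NTAccount($NewOwner)
    $changed    = New-Object 'System.Collections.Generic.List[string]'

    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_.FullName
        $acl  = Get-Acl -LiteralPath $item
        # Compare owners as SID strings: an orphaned SID no longer resolves to a name.
        if ($acl.GetOwner($sidType).Value -ne $OldOwnerSid) { return }

        # Copy each explicit ACE for the old SID onto the new owner, then drop it.
        foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
            if ($rule.IdentityReference.Value -ne $OldOwnerSid) { continue }
            $copy = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                $newAccount, $rule.FileSystemRights, $rule.InheritanceFlags,
                $rule.PropagationFlags, $rule.AccessControlType)
            $acl.AddAccessRule($copy)
            [void] $acl.RemoveAccessRule($rule)
        }
        $acl.SetOwner($newAccount)
        # -WhatIf lists what would change without writing anything.
        if ($PSCmdlet.ShouldProcess($item, "Transfer ownership to $NewOwner")) {
            Set-Acl -LiteralPath $item -AclObject $acl
        }
        $changed.Add($item)
    }
    return $changed
}

# Dry run first, then commit without -WhatIf (placeholder values).
# Move-OwnedItems -Path 'D:\Shares\Marketing' -OldOwnerSid 'S-1-5-21-...-1104' -NewOwner 'CONTOSO\jane.roe' -WhatIf
```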
 
LVL 63

Accepted Solution

by:SysExpert (earned 1000 total points)
ID: 33488801