Solved

New users Permissions

Posted on 2011-02-25
9
336 Views
Last Modified: 2013-12-27
I want two users, who are part of a security group "level 0" get automatic permissions to all files/folders/sub-folders of all users that are created in SBS console or AD.

More importantly, I want so that, whenever a new user is created, besides his own access, this security group "level 0" also gets access to new users folder automatically.

Is there a settign to automate this? I dont want to have to do this for every user.
0
Comment
Question by:m2chaudh
  • 4
  • 4
9 Comments
 
LVL 13

Expert Comment

by:connectex
ID: 34982043
Which version of SBS are you using?
0
 

Author Comment

by:m2chaudh
ID: 34982294
We recently migrated from SBS2003 to SBS2011
0
 
LVL 13

Expert Comment

by:connectex
ID: 34982363
In SBS 2003 there was a group called Folder Operators. And adding someone too it did this exact request. But they dropped it and it's not really possible anymore as the SBS wizards will not add the proper rights by default. So you'll have to do it manually from what found.
0
 

Author Comment

by:m2chaudh
ID: 34983752
Isnt there another way for this to be done on sbs2011?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 13

Expert Comment

by:connectex
ID: 34984805
The problem is the SBS new user wizard won't grant the rights so you'll always be going to behind it to fix them as you desire.
0
 
LVL 12

Accepted Solution

by:
Navdeep earned 250 total points
ID: 34985047
Hi,

Do you want this on Files / Folders or when you create a new user and in it's security tab you want a group/user to have permission on them

permission on Files / Folders are thru inheritance. For example all childs and subchilds which are inheriting permissions will get the same permission which their parent folder has.

What i understand from your question is that whenever you create new user, they will have those special users and there permissions on them --- correct -- -This can be ----Create a group and make it a member of AdminSDHolder with desired permission.... But be very careful

Read this article first, this talks of something opposite what you are trying to achieve but it can be used to accomplish what you are trying to do.
http://theessentialexchange.com/blogs/michael/archive/2008/10/22/admincount-adminsdholder-sdprop-and-you.aspx

and whatever files and folder user create they get that permission --- is this correct --- this may  not be controlled from AD -- as i mentioned before
0
 

Author Comment

by:m2chaudh
ID: 35089485
That article is too confusing, there has to be something simpler to do this relatively simple task?
0
 
LVL 13

Assisted Solution

by:connectex
connectex earned 250 total points
ID: 35339356
I recently had a client management request access to all user folders. While my solution is not perfect, it does work. So here's what I did. I created a batch file to change the permissions on all subfolders using SetACL.exe. I'm running it on the server via the task schedular every day. It updates all users folders by adding the SBS Folder Operators group with change permissions. Be sure to change line 3 to your user folder path, line 4 for the path to setacl.exe, and line 6 change "sbs folder operators" to your desired group. Also you can "change" to "full" is desired.

@echo off
setlocal
set folder=d:\users\shares
set setacl="\\omnisrv1\netadmin$\utils\setacl.exe"
if not exist %setacl% goto need_setacl
for /d %%a in ("%folder%\*.*") do %setacl% -on "%%a" -ot file -actn ace -ace "n:sbs folder operators;p:change"
endlocal
goto :EOF
:need_setacl
echo.
echo ERROR - SetACL.exe is not available
endlocal

Open in new window


SetACL download: http://sourceforge.net/projects/setacl/files/
SetACL documention: http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/:
0
 

Author Closing Comment

by:m2chaudh
ID: 35728592
This hasnt worked, but the closest answer was what I received from you guys. My client hasnt brought this up as an "issue" so I have to put it at rest for now. I'll probably use a 3rd party program if he insists on using this feature.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Great sound, comfort and fit, excellent build quality, versatility, compatibility. These are just some of the many reasons for choosing a headset from Sennheiser.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now