Solved

File Permissions

Posted on 2011-03-08
Last Modified: 2013-12-04
I'm not sure if this is the right place to ask, but here it is. I mapped a drive for students to put their classwork in. They actually put it into a folder for whatever period they are in. The teacher complains that a student/s is deleting other students' work. I have experimented with the NTFS permissions, but can't figure out a solution. I would like for the students to be able to put work in that folder and not be able to delete or change it once it is in. That would prevent other students from tampering with other students' work. Can this be done?

Thanks,
Mike
0
Comment
Question by:aintgot1
21 Comments
 
LVL 9

Expert Comment

by:Timothy McCartney
ID: 35071097
Does each student have their own username/password?
0
 
LVL 2

Expert Comment

by:Hapexamendios
ID: 35071144
@aintgot1,

One method would be to create the folder such that they can write to it, but not read its contents. However, if the students are showing signs of temptation towards misbehaviour, that won't work.

Can I ask why you don't set up home drives for the users in Active Directory for this purpose? This would be the simplest method by far for your needs. If that isn't possible, please post back; this is a case of "skinning cats" - there are several ways of achieving your goal, each with its own pros and cons.

Answers to these questions would help clarify the best option:

Who needs to be able to list the folder contents within the parent folder, and in each sub-folder?
Who needs to be able to write to each folder and sub-folder?

Look forward to hearing from you.

Thanks
0
 
LVL 9

Expert Comment

by:Timothy McCartney
ID: 35071191
The best way to secure each student's work is for them to each have their own personal folder and set the shared permission so that only administrators and that particular student/user have permissions.

This is how most of our clients are set up with their employees' personal folders. This way each student can store their work without it being tampered with.
0
 

Author Comment

by:aintgot1
ID: 35072735
Let me explain further with more detail. I created a share on the server. I created a batch file to map the drive and put it in the startup folder. The students use a generic username and password. The students actually have their own account, and the teacher is using it right now. This just went into effect late last week. I have not changed the batch file to the All Users profile yet, so the mapped drive will not show.

I instructed the teacher to create folders for each period to put in the shared folder on the server. After each period ends, the teacher should move the folder to a different location so the students will not try to tamper with it. The next day the teacher can put it back. It is not fool proof, but it is a start.

The Home folders would work great because only the owner and whoever else I give permission to can view it. The problem is separating those specific users. I don't think the teacher would want to sift through 2200+ students to find his students. What would happen if another teacher wanted to do the same thing?

The network here is not all that good. I tried a roaming profile and it took 20 minutes for it to load. The user said forget it. Personal folders would work, but how would you go about setting permissions for each individual user? I'm sure there might be a way using a script, but I know nothing about scripting.
I almost forgot. The only people who need access to the folders are the students, the teacher and myself.

Thanks,
Mike
0
 
LVL 29

Accepted Solution

by:
pwindell earned 250 total points
ID: 35165243
Let me explain further with more detail. I created a share on the server. I created a batch file to map the drive and put it in the startup folder. The students use a generic username and password. The students actually have their own account, and the teacher is using it right now. This just went into effect late last week. I have not changed the batch file to the All Users profile yet, so the mapped drive will not show.

1. Forget about "drive letters".  That stuff should have died with the dinosaurs.  No drive letters, no batch files, no "mapping".   The UNC Path is all that is needed.  Yes the kids can remember the UNC Path just fine,...they are kids,...they'll remember it better than the adults.  

2. Generic login is just not possible to manage. They have to use their own accounts

3. Create a Folder under the Root share point for each student.  They only need Read/List permissions on the Root,...and the Read/List/Write on their own folder.

0
 

Author Comment

by:aintgot1
ID: 35165639
2. Generic login is just not possible to manage. They have to use their own accounts

3. Create a Folder under the Root share point for each student.  They only need Read/List permissions on the Root,...and the Read/List/Write on their own folder.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The generic login was something I wanted to get away from for the last year. I had issues importing the student accounts, which has been working now for the last month. They all have their own accounts.

The individual folders would work, but that means setting permissions on each folder. I'm sure that can be done through a script, but I know nothing about scripting. If scripting is the easiest way, then I will have to find a script to do that. Is that the easiest way?

Thanks,
Mike
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35166271
Forget the scripts.  Just set the permissions.  Do it when you create the Folders that you are going to have to create anyway,...it will add maybe a whopping 30 seconds to the creation process of each folder.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35166292
You may or may not want to turn off the security inheritance on the user's folder when you are setting the permissions.  That is up to you,...but it needs thought about.
0

 
LVL 2

Expert Comment

by:Hapexamendios
ID: 35166649
This sounds very like an issue I solved recently, aintgot1.

This tool from Microsoft is a good start:

"How to use Xcacls.vbs to modify NTFS permissions"
http://support.microsoft.com/kb/825751

As per previous poster's comments, you have very simple permissions requirements. Therefore, look at how those are set in the MS article, and practice doing this for just one folder, getting your command-line "just so" for your needs.

It sounds like each sub-folder might need to have entries like:

You/admin - Full Control
Student - Modify
Teacher - Read

Once you've done that, I or another expert can show you how to create either a batch file or another VBScript which will just accept either one username and a foldername, or a list of usernames and folder names from a file, and pass them to the Microsoft VBScript with the right arguments, allowing it to then loop through your list of users and set it all up.

Some notes:

1. On your root folder, ensure that permissions are not being pushed down from it to sub-folders. If they are, it could wreck your work at a later point.
2. Again on the root folder, under "Security >> Advanced... >> Auditing" make sure that you have some auditing enabled, and that these auditing entries are inherited by sub-folders. This is because whilst you don't want the same permissions on each sub-folder, you do want tracking to be consistent across them all. Be selective about what you choose to audit or you'll fill your Security Event Log up! I'm sure there's plenty of people here who can advise on that, but better to use a separate post for that I think.

Again, hope this is useful,
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35166814
To "All":

You/admin - Full Control
Student - Modify
Teacher - Read


Those would be Share Permissions, not NTFS Permissions,...NTFS is what you want.  
Modify = "write" in Share permissions,..but,...Modify = "ability to modify permissions" when dealing with NTFS File System Permissions
There is no need to create a share for each user,...just create a single Share at the Root.
Forget "mapped drive" letters,...more efficient and more dependable without them,..they are a needless extra layer that does not need to be there.  Mapped drives are the Curse of Novell that far too many people still think we need for some reason.
0
 
LVL 2

Expert Comment

by:Hapexamendios
ID: 35166925
Accepted re your correction - although if you look at the tool, Xcacls.vbs recognises both "advanced" NTFS permissions and "GUI" permissions options - one of which is "Modify".

As such it's possible to get much more granular than my suggestion, but it was NTFS permissions I was referring to, not share-level.

For example, as you say, granting "Modify" in the DACL on the folder would allow the user to change permissions. However, that would be recorded in the security log if "success" auditing is enabled for "Change Permissions" and "Take Ownership". I figured if we can get to that stage it's possible to micromanage the permissions further if needed.

But as also said by pwindell; you might be as well doing it manually! Depends how many students, how much turnover, etc.

Thanks,
0
 

Author Comment

by:aintgot1
ID: 35169058
It looks like I got some very good advice and suggestions. It looks like there is no simple way around what is already set up, I will just have to have the students create their own folders inside of the teacher's folder. With the correct permissions as suggested, that should stop students from deleting other students' work.

I don't think the UNC method is going to work in my case. The students don't have access to the run command, and I wouldn't want them accessing their folders through a URL. With the mapped drive method, they have to be in that particular class in order to get the mapped drive with their work. It may not be perfect, but it should eliminate some cheating. I have told the teachers to remove the folder after each class so the students cannot remove or change once they turn in their work.

The next issue would be assigning the permissions to the student folders. Right now I estimate approx 200 students that will need to create folders. I do not want to do this manually. This is where a script would make it much easier. It would be even better if the script could create the folders and assign the permissions all in one shot, a similar process like importing the students into AD. Since I know nothing about writing scripts, I will need help.

Does this sound workable, or am I making a mountain out of a mole hill?

Thanks,
Mike
0
 
LVL 2

Assisted Solution

by:Hapexamendios
Hapexamendios earned 250 total points
ID: 35179386
@aintgot1,

I'd say you can do it with scripting - but I'm fairly comfortable with scripting. You'd have to ask yourself whether you could support a script if you had one here, though?

My suggestion there would be to post a new question in the scripting area of EE, outlining exactly what you need to do. Don't think too much on the background, just imagine the series of steps you would need to take, in the correct order, to achieve your goal.

From what you've already outlined, I'd suggest the algorithm would be:

Accept a list of student's user names (either in a text file, or in an input dialog box)
For each student in the list
   Create a folder in (drive:\folder) called <student name>
   call Xcacls.vbs to assign permissions to that folder
Loop

However you might get much better suggestions from people who've declared themselves experts on scripting - I get by, but I'm not "expert" :)

What do you think?
0
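One way to carry out the loop outlined in the post above, as an added example that is not part of the original thread: it uses the built-in icacls.exe in place of the Xcacls.vbs script the thread names, applies the three entries suggested earlier (admin Full Control, student Modify, teacher Read), disables inheritance on each folder, then reads the ACL back to confirm nothing else is on it. The domain, account names, path and student list are assumptions.

```powershell
# Added example, not from the thread. Domain, accounts and paths are hypothetical.
$ErrorActionPreference = 'Stop'

$Root     = 'D:\Classwork'          # hypothetical local path behind the single root share
$Domain   = 'SCHOOL'                # hypothetical NetBIOS domain name
$Teacher  = "$Domain\teacher1"      # hypothetical teacher account
$Admins   = 'BUILTIN\Administrators'
# Constructed sample list; in practice: Get-Content .\students.txt
$Students = @('asmith', 'bjones', 'cnguyen')

function New-StudentFolder {
    param([string]$Root, [string]$Account, [string]$Teacher, [string]$Admins)

    $name = ($Account -split '\\')[-1]
    # Only plain account names: blocks '..', path separators and wildcards.
    if ($name -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]*$') {
        throw "Refusing unexpected user name '$name'"
    }
    $folder = Join-Path $Root $name
    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    # /inheritance:r removes ACEs inherited from the root folder.
    # /grant:r replaces explicit ACEs: F = Full control, M = Modify, R = Read;
    # (OI)(CI) applies the entry to files and sub-folders created inside.
    & icacls.exe $folder /inheritance:r /grant:r `
        "${Admins}:(OI)(CI)F" "${Account}:(OI)(CI)M" "${Teacher}:(OI)(CI)R" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $folder (exit $LASTEXITCODE)" }
    return $folder
}

function Test-StudentFolderAcl {
    param([string]$Folder, [string[]]$Expected)
    $acl = Get-Acl -LiteralPath $Folder
    # Identities on the folder that are not in the expected set
    $extra = @($acl.Access | Where-Object { $Expected -notcontains $_.IdentityReference.Value })
    # AreAccessRulesProtected is $true once inheritance has been disabled
    return ($acl.AreAccessRulesProtected -and $extra.Count -eq 0)
}

foreach ($s in $Students) {
    $account = "$Domain\$s"
    $folder  = New-StudentFolder -Root $Root -Account $account -Teacher $Teacher -Admins $Admins
    $ok      = Test-StudentFolderAcl -Folder $folder -Expected @($Admins, $account, $Teacher)
    '{0,-30} {1}' -f $folder, $(if ($ok) { 'OK' } else { 'REVIEW ACL' })
}
```

Run it from an elevated prompt on the file server; a folder reported as REVIEW ACL already carried explicit entries for other identities and should be inspected by hand.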
 
LVL 29

Expert Comment

by:pwindell
ID: 35182191
I don't think the UNC method is going to work in my case. The students don't have access to the run command, and I wouldn't want them accessing their folders through a URL.

What!!??  There is no "command" to run.  There is no URL.  It is a UNC Path.  It is just a shortcut on the desktop,...or just open Windows Explorer(which you would have to do to open a "drive letter" anyway) and type the Path into the Address Bar,...then at that point they can drag the icon from the address bar to the Desktop or something.  
0
 

Author Comment

by:aintgot1
ID: 35183481
It is just a shortcut on the desktop,...or just open Windows Explorer(which you would have to do to open a "drive letter" anyway) and type the Path into the Address Bar,...then at that point they can drag the icon from the address bar to the Desktop or something.  
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The "run command" I referred to is just a bad habit. I am used to getting to the command prompt from the run dialog box if I don't have a shortcut. My mistake.

Creating the shortcut you described went completely over my head. I was not even thinking of doing it that way, just not used to it. I am going to do away with the batch file and use your method since the student can go directly to their folder. I see the teacher added additional sub folders, but that shouldn't change much.

Thanks for the correction,
Mike

0
 
LVL 29

Expert Comment

by:pwindell
ID: 35184005
A good thing to do with such a shortcut is to put it in the All Users Desktop,..or the individual User's Desktop or their My Docs (whatever applies best to the situation).  It will behave just like a Folder in any of those locations and even typical Browse Dialog boxes will "browse through" the shortcut just like a folder,...so the user experience is just like having their files under a folder in those locations.
0
 

Author Comment

by:aintgot1
ID: 35184622
Since I started using individual user accounts I have been putting shortcuts in the all users desktop. I use Ghost to push them to labs. Still trying to make things easier.

Thanks,
Mike
0
