groupshare permissions question

I received a request to re-configure public drives on our Windows Server 2008 and Windows Server 2003 file servers in such a manner that allows our group1 users the ability to create files and folders in the public drive and only allow that user (creator/owner) the ability to edit/delete the objects, while giving all of group1 users the ability to read.

I believe this was setup originally so that creator/owner had modify rights while group1 users had read only. I dont know if the permissions ever really worked, but recently users complained of problems with the configuration - group1 users were modifying files they did not create.  

1. I need to know if this configuration is indeed possible.
2. If possible, is there a method of resetting the existing files and folders to re-apply the permissions as described above?

Thank you-

CCLProTechAsked:
Who is Participating?
 
chakkoCommented:
Try this script.  It's not pretty but should work.  TEST first.
save as .vbs file and then edit any line with 'EDIT in it, use your info
Before it tries to modify a file it will write to a log file.  If it crashes then you can see where it crashed.
Delete or rename the log file before running script again.
If inheritance is active then you may end up with extra permissions at places in subfolders.
There is a line in there for using takeown or subinacl for taking ownership.  If a folder is blocked to your admin account then it will crash.  
You should test some and decide which one you want to use (either takeown or subinacl).  I found one some test folders that the subinacl didn't seem like it would reset the permissions on a Folder, so I tried the takeown program and that worked.

good luck

resetperm.txt
0
 
chakkoCommented:
yes, that is possible.  

It may be some work though.

To Clarify:
Group1 users can only read, and create new files and folders
If John is in Group1 then he can also edit and delete any files that HE created.  Other Group1 members can only read Johns files.

on a folder remove inheritance if extra permissions on propagating from a higher level
add Creator Owner as Modify
add the Group1 and give them Read
Set the folder Owner as John (if we are editing Johns folder) and apply ownership to child objects

set those fodlers permissions to apply to child folders and files.  inheritance should be active on the child folders

This is assuming that your structure is that John has his folder and other contributors have their folders.  So you can reset Folders based on each user and set the user as the Owner

If you have 1 public folder and a mess of files in there  or there is no organization thenyou should check the current Owner of each file and make sure that it is set to the person who made it.

For backup purposes I would also set some domain admin account as read at the top level(s).
0
 
chakkoCommented:
If you do have folders for each user then you should not allow inheritance on those folders, otherwise users can create files in John's folder for example.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
chakkoCommented:
Sorry,  on the top folder you have to give Group1 a special permission.
Use the Advanced button to set these permissions.
Give Group1 Create Files / Write Data  and  Create Folders / Append Data
0
 
CCLProTechAuthor Commented:
Currently all users do NOT have their own folder. Users created folders as needed and at least half of the data seems scattered about - it's a messy directory. If I understand correctly, I dont know how feasible it is to manage each persons folder. I probably have 400 users/folders that would need set manually, and anytime a new user is hired we'd have to manually setup a folder for that user and modify permissions so they're the owner.

I think I need to look for another solution. Any ideas?  
0
 
chakkoCommented:
If you check the current Owner on some folders and files, are they set to a specific user already?

you could write a script to get the owner, then script the task to reset the permissions based on the current owner and add the Group1 as Read then make the script process all the files and folders.

If the current Owner doesn't give you information then it's going to be difficult to fix the permissions, how to know who created a file?
0
 
CCLProTechAuthor Commented:
The existing files seem to have the correct user listed as owner, but creator/owner is not listed in the ACL.

Any suggestions on script syntax to get the owner and reset permissions so group1 can read?  
0
 
chakkoCommented:
I just thought of something, when testing, make sure that after you rest a permission that group1 can still create a new file.  You may have to set an inheritance at the root level for them to create/write file and create/write folder , or adjust the script to add that.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.