LDAP Query profile path & take ownership of network folders/files script
Hi guys,
I'm trying to take ownership of many files & folders for a client. The file and folders are located on a File server, these folders are automatically created when the user John Doe logs into the domain for the 1st time. The folders are generated from the profile tab in Active Directory, so think \\SERV-01\profiles\johndoe
This works great, John Doe logs into the domain and the folder is automatically created on the file server. John Doe is able to access, read & write into the folder. Problem is the local Admin account (or any other account) does not have access to this folder. The only way to gain admin access is to take ownership of the files, and then give admin and user John Doe access to his files. Easy if you had one or two folders/users but unfortunately I have thousands to deal with.
Now onto the tricky part; bear with me here.
Say John Doe leaves, the admins delete his account but keep the \\SERV-01\profiles\johndoe
This is where I'm called in. I need to be able to do two of the following things in 1 script:
1) Gain admin access to \\SERV-01\profiles\johndoe
2) Somehow add the new John Doe UID account onto the old \\SERV-01\profiles\johndoe
I'm assuming a VBS/BAT script of sorts can pull this magic off, but I'm open to any other method to achieve my solution. Any takers?
Thanks Experts.
I'm trying to take ownership of many files & folders for a client. The file and folders are located on a File server, these folders are automatically created when the user John Doe logs into the domain for the 1st time. The folders are generated from the profile tab in Active Directory, so think \\SERV-01\profiles\johndoe
This works great, John Doe logs into the domain and the folder is automatically created on the file server. John Doe is able to access, read & write into the folder. Problem is the local Admin account (or any other account) does not have access to this folder. The only way to gain admin access is to take ownership of the files, and then give admin and user John Doe access to his files. Easy if you had one or two folders/users but unfortunately I have thousands to deal with.
Now onto the tricky part; bear with me here.
Say John Doe leaves, the admins delete his account but keep the \\SERV-01\profiles\johndoe
This is where I'm called in. I need to be able to do two of the following things in 1 script:
1) Gain admin access to \\SERV-01\profiles\johndoe
2) Somehow add the new John Doe UID account onto the old \\SERV-01\profiles\johndoe
I'm assuming a VBS/BAT script of sorts can pull this magic off, but I'm open to any other method to achieve my solution. Any takers?
Thanks Experts.
ASKER
So for the first part you propose I run (elevated cmd):
icacls profiles /setowner Administrator /T /C
Or
icacls profiles /grant Administrators:(F) /T /C
As for the second part, its tricky indeed. I believe I need to use some sort of variable to achieve what I want. The account is removed and yes I have a '<account unknown s-1-15-2-...>' listed on the folder which is the old John Doe account, not only do I need to remove this old UID but also add the new John Doe UID to the permissions (share/ntfs) of the said folder. I need to be able to do this automatically without having to manually do it for each folder.
I'm sure I need some sort of script that has a variable, it may look like this:
It's the bit with the variable that's tricky, that's why I think I need to query ldap and match the profile path name with the account UID and set that new account to the folder.
icacls profiles /setowner Administrator /T /C
Or
icacls profiles /grant Administrators:(F) /T /C
As for the second part, its tricky indeed. I believe I need to use some sort of variable to achieve what I want. The account is removed and yes I have a '<account unknown s-1-15-2-...>' listed on the folder which is the old John Doe account, not only do I need to remove this old UID but also add the new John Doe UID to the permissions (share/ntfs) of the said folder. I need to be able to do this automatically without having to manually do it for each folder.
I'm sure I need some sort of script that has a variable, it may look like this:
John Doe logs in
John doe has \\SERV-01\profiles\johndoe in his profile tab
The Folder only has the old John Doe UID '<account unknown s-1-15-2-...>'
The script kicks into gear
Sets administrators owner to \\SERV-01\profiles\johndoe
Grants administrators full access to \SERV-01\profiles\johndoe
Identifies the new John Doe UID and adds it into \\SERV-01\profiles\johndoe
John doe has \\SERV-01\profiles\johndoe in his profile tab
The Folder only has the old John Doe UID '<account unknown s-1-15-2-...>'
The script kicks into gear
Sets administrators owner to \\SERV-01\profiles\johndoe
Grants administrators full access to \SERV-01\profiles\johndoe
Identifies the new John Doe UID and adds it into \\SERV-01\profiles\johndoe
It's the bit with the variable that's tricky, that's why I think I need to query ldap and match the profile path name with the account UID and set that new account to the folder.
No, I don't believe you need to give the Administrator ownership, you just need access to the data, correct?
icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F
should suffice, and this should allow the Admin to gain access to any profile's data.
For the 2nd part, to be clean, you would want to eventually remove that unknown account, but it's not entirely necessary. All you should really need to do is to simply apply the ACE for that existing/'new' user:
icacls profiles\johndoe /e /t /grant domain\johndoe:M
(assuming you want to limit the user to Modify rights, which should be the limit, so they can't befuddle what you've done to configure everything correctly)
icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F
should suffice, and this should allow the Admin to gain access to any profile's data.
For the 2nd part, to be clean, you would want to eventually remove that unknown account, but it's not entirely necessary. All you should really need to do is to simply apply the ACE for that existing/'new' user:
icacls profiles\johndoe /e /t /grant domain\johndoe:M
(assuming you want to limit the user to Modify rights, which should be the limit, so they can't befuddle what you've done to configure everything correctly)
ASKER
Hi Sirbountry,
i had an issue with your initial command
I get an Invalid parameter "/e" error. Through my research I also found that the /grant option removes all existing ACL rather than appending. This doesnt work for me since I need to keep the current ACL (user home drive needs user access).
So i got the following:
Profiles\
\user1
\user2
\user3
\user4
Right now only user1 has access to user1 folder and so on with the other users. I need to add administrators to user1 folder but also be able to keep the current ACL which has the appropriate user for their folder.
i had an issue with your initial command
icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) FI get an Invalid parameter "/e" error. Through my research I also found that the /grant option removes all existing ACL rather than appending. This doesnt work for me since I need to keep the current ACL (user home drive needs user access).
So i got the following:
Profiles\
\user1
\user2
\user3
\user4
Right now only user1 has access to user1 folder and so on with the other users. I need to add administrators to user1 folder but also be able to keep the current ACL which has the appropriate user for their folder.
ASKER
I found an article that asks what I want to do -
https://www.experts-exchange.com/questions/27463001/Using-icacls-to-fix-permissions-on-users-home-folders.html
Going to look into this.
https://www.experts-exchange.com/questions/27463001/Using-icacls-to-fix-permissions-on-users-home-folders.html
Going to look into this.
ASKER
Getting closer, I found this as well:
I think this may work, I will have to test it. I may need to find out if I can /grant multiple users in 1 line though. Also I need to create this script and have no idea how to make it, do I just save as a batch file?
Cool, I'm getting closer, I am running the following command
for /f %i in (users.txt) do icacls.exe C:\test\*.* /grant %i:(OI)(CI)F /C /T
I have two accounts listed in users.txt ( domain\user ) and I have a test folder created with two folders with the same name as the user account.
When I run the command above it adds the accounts but it adds both accounts to both folders. I'm sure the syntax is off but I'm not sure what I need to do to fix it.
Thanks,
I think this may work, I will have to test it. I may need to find out if I can /grant multiple users in 1 line though. Also I need to create this script and have no idea how to make it, do I just save as a batch file?
Yes, you should be able to grant multiple in one line, and yes save it as a bat or cmd extension.
The /e was my error - it's used with cacls, and it's for editing the acl, as opposed to replacing it.
I'd have to dig into icacls to find the equivalent.
The /e was my error - it's used with cacls, and it's for editing the acl, as opposed to replacing it.
I'd have to dig into icacls to find the equivalent.
ASKER
Hmm the batch file isnt working, the command prompt opens and closes immedietly.
I have the following line in the .bat file:
The users2.txt has the following:
John
Mike
Jimmy
Nancy
joe
I also have the following folders in D:\test
john
mike
jimmy
Nancy
joe
I have the following line in the .bat file:
for /f %i in (users2.txt) do icacls.exe D:\test\*.* /grant %i:(OI)(CI)F /C /TThe users2.txt has the following:
John
Mike
Jimmy
Nancy
joe
I also have the following folders in D:\test
john
mike
jimmy
Nancy
joe
ASKER
I actually am 90% close to accomplishing this, my final batch file looks like this:
for /f "tokens=*" %%i (users2.txt) do icacls.exe D:\test\%%i /grant %%i:F Administrator:F\
NOW, my only poblem is if I Administrators dont have access to say JOHN folder the script fails with a access denied, albeit continues with the remaining folders.
How do I modify my script to take ownership of that folder first and then apply the new permissions? This may be a seperate batch file?
for /f "tokens=*" %%i (users2.txt) do icacls.exe D:\test\%%i /grant %%i:F Administrator:F\
NOW, my only poblem is if I Administrators dont have access to say JOHN folder the script fails with a access denied, albeit continues with the remaining folders.
How do I modify my script to take ownership of that folder first and then apply the new permissions? This may be a seperate batch file?
Yes, a batch file needs two % signs - running from the cmd line, only one.
I'm not sure icacls will do the trick, but within the same batch file, you could take ownership first via subinacl.exe (http://ss64.com/nt/subinacl.html) or takeown.exe (I appear to have this one natively on my win7 client).
I'm not sure icacls will do the trick, but within the same batch file, you could take ownership first via subinacl.exe (http://ss64.com/nt/subinacl.html) or takeown.exe (I appear to have this one natively on my win7 client).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you sir bounty that did it. It also caused a new issue but you have answered my question.
Happy to have helped - thanx for the grade! :^)
For the first issue, I think the local admin should have rights at the profiles level, with inheritance turned on - easy to setup with cacls/icalcs/xcacls.
The second portion is a bit confusing - but it may be because it's late for me :^)
If the account is removed, then the acl for that folder would have the '<account unknown s-1-15-2-...>' listed - that would simply need to be removed with the new account/uid... Again, probably accomplishable via icacls/xcacls.