Solved

LDAP Query profile path & take ownership of network folders/files script

Posted on 2013-12-04
13
577 Views
Last Modified: 2013-12-06
Hi guys,

I'm trying to take ownership of many files & folders for a client. The file and folders are located on a File server, these folders are automatically created when the user John Doe logs into the domain for the 1st time. The folders are generated from the profile tab in Active Directory, so think \\SERV-01\profiles\johndoe

This works great, John Doe logs into the domain and the folder is automatically created on the file server. John Doe is able to access, read & write into the folder. Problem is the local Admin account (or any other account) does not have access to this folder. The only way to gain admin access is to take ownership of the files, and then give admin and user John Doe  access to his files. Easy if you had one or two folders/users but unfortunately I have thousands to deal with.

Now onto the tricky part; bear with me here.

Say John Doe leaves, the admins delete his account but keep the \\SERV-01\profiles\johndoe folder. 1 year later John Doe comes back into the company, the user is recreated in Active Directory and this is where problems arise. John Doe logs into the domain with his new account with \\SERV-01\profiles\johndoe set as his profile path. He notices upon logging into the domain he does not have access to \\SERV-01\profiles\johndoe, in order to "fix" this issue his profile path in active directory is changed to \\SERV-01\profiles\johndoe2 (note the 2 at the end). He now logs back into the domain and voila, he has a new folder he can access at \\SERV-01\profiles\johndoe2. The reason why he cannot access the old path is due to UID mismatch, the old path has the UID of the first John Doe account, the returning John Doe account has a new UID.

This is where I'm called in. I need to be able to do two of the following things in 1 script:

1) Gain admin access to \\SERV-01\profiles\johndoe via taking ownership and adding the local built-in admin group into the ACL with full permission

2) Somehow add the new John Doe UID account onto the old \\SERV-01\profiles\johndoe folder. I assume this requires an ldap query onto the "users" OU, dumping the results and trying to match the \\SERV-01\profiles\johndoe folder to John Doe.

I'm assuming a VBS/BAT script of sorts can pull this magic off, but I'm open to any other method to achieve my solution. Any takers?

Thanks Experts.
0
Comment
Question by:levertm
13 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 39697331
Perms setup for the share, ntfs or both?
For the first issue, I think the local admin should have rights at the profiles level, with inheritance turned on - easy to set up with cacls/icacls/xcacls.

The second portion is a bit confusing - but it may be because it's late for me :^)
If the account is removed, then the acl for that folder would have the '<account unknown s-1-15-2-...>' listed - that would simply need to be removed with the new account/uid...  Again, probably accomplishable via icacls/xcacls.
0
 

Author Comment

by:levertm
ID: 39697383
So for the first part you propose I run (elevated cmd):

icacls profiles /setowner Administrator /T /C

Or

icacls profiles /grant Administrators:(F) /T /C

As for the second part, it's tricky indeed. I believe I need to use some sort of variable to achieve what I want. The account is removed and yes I have a '<account unknown s-1-15-2-...>' listed on the folder which is the old John Doe account; not only do I need to remove this old UID but also add the new John Doe UID to the permissions (share/ntfs) of the said folder. I need to be able to do this automatically without having to manually do it for each folder.

I'm sure I need some sort of script that has a variable, it may look like this:

John Doe logs in
John doe has \\SERV-01\profiles\johndoe in his profile tab
The Folder only has the old John Doe UID '<account unknown s-1-15-2-...>'
The script kicks into gear
Sets administrators owner to \\SERV-01\profiles\johndoe
Grants administrators full access to \SERV-01\profiles\johndoe
Identifies the new John Doe UID and adds it into \\SERV-01\profiles\johndoe

It's the bit with the variable that's tricky, that's why I think I need to query ldap and match the profile path name with the account UID and set that new account to the folder.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 39697999
No, I don't believe you need to give the Administrator ownership, you just need access to the data, correct?

icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F


should suffice, and this should allow the Admin to gain access to any profile's data.

For the 2nd part, to be clean, you would want to eventually remove that unknown account, but it's not entirely necessary.  All you should really need to do is to simply  apply the ACE for that existing/'new' user:

icacls profiles\johndoe /e /t /grant domain\johndoe:M
(assuming you want to limit the user to Modify rights, which should be the limit, so they can't befuddle what you've done to configure everything correctly)
0
 

Author Comment

by:levertm
ID: 39698848
Hi sirbounty,

I had an issue with your initial command

icacls profiles /e /t /inheritance:e /grant Administrator (OI)(CI) F



I get an Invalid parameter "/e" error. Through my research I also found that the /grant option removes all existing ACL rather than appending. This doesn't work for me since I need to keep the current ACL (user home drive needs user access).

So I got the following:

Profiles\
\user1
\user2
\user3
\user4

Right now only user1 has access to user1 folder and so on with the other users. I need to add administrators to user1 folder but also be able to keep the current ACL which has the appropriate user for their folder.
0
 

Author Comment

by:levertm
ID: 39698869
I found an article that asks what I want to do -

http://www.experts-exchange.com/Microsoft/Server_Applications/Q_27463001.html

Going to look into this.
0
 

Author Comment

by:levertm
ID: 39698891
Getting closer, I found this as well:

Cool, I'm getting closer, I am running the following command

for /f %i in (users.txt) do icacls.exe C:\test\*.* /grant %i:(OI)(CI)F /C /T

I have two accounts listed in users.txt   ( domain\user ) and I have a test folder created with two folders with the same name as the user account.

When I run the command above it adds the accounts but it adds both accounts to both folders. I'm sure the syntax is off but I'm not sure what I need to do to fix it.

Thanks,

I think this may work, I will have to test it. I may need to find out if I can /grant multiple users in 1 line though. Also I need to create this script and have no idea how to make it, do I just save as a batch file?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 39698969
Yes, you should be able to grant multiple in one line, and yes save it as a bat or cmd extension.
The /e was my error - it's used with cacls, and it's for editing the acl, as opposed to replacing it.
I'd have to dig into icacls to find the equivalent.
0
 

Author Comment

by:levertm
ID: 39699495
Hmm, the batch file isn't working; the command prompt opens and closes immediately.

I have the following line in the .bat file:

for /f %i in (users2.txt) do icacls.exe D:\test\*.* /grant %i:(OI)(CI)F /C /T



The users2.txt has the following:

John
Mike
Jimmy
Nancy
joe

I also have the following folders in D:\test

john
mike
jimmy
Nancy
joe
0
 

Author Comment

by:levertm
ID: 39699625
I actually am 90% close to accomplishing this, my final batch file looks like this:

for /f "tokens=*" %%i in (users2.txt) do icacls.exe D:\test\%%i /grant %%i:F Administrator:F

NOW, my only problem is if Administrators don't have access to, say, the JOHN folder, the script fails with an access denied error, albeit it continues with the remaining folders.

How do I modify my script to take ownership of that folder first and then apply the new permissions? This may be a separate batch file?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 39700000
Yes, a batch file needs two % signs - running from the cmd line, only one.

I'm not sure icacls will do the trick, but within the same batch file, you could take ownership first via subinacl.exe (http://ss64.com/nt/subinacl.html) or takeown.exe (I appear to have this one natively on my win7 client).
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 39700714
This should work as a one-liner (remember single %) or a batch (double %):

for /d %a in (d:\profiles\*) do takeown /f "%~fa" /r /d y & icacls.exe "%~fa" /grant %~na:F Administrator:F


@echo off
rem %%~fa is the full path of each profile folder, %%~na is just the folder name,
rem which is used as the account name in the /grant ACE
for /d %%a in (d:\profiles\*) do (
  takeown /f "%%~fa" /r /d y
  icacls.exe "%%~fa" /grant %%~na:F Administrator:F
)

0
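The same two steps (take ownership, then append ACEs without wiping the existing ACL) in PowerShell, with the LDAP lookup the question asked for so each folder is matched to the account of the same name; this is an added example, not code from the thread. It assumes it runs elevated on the file server, that the folder name equals the user's sAMAccountName, and that `$ProfileRoot` and `$Domain` are placeholders for the environment.

```powershell
# Added example (not from the thread). Assumptions: run elevated on the file server,
# folder name == sAMAccountName, $ProfileRoot/$Domain are placeholders.
$ProfileRoot = 'D:\profiles'
$Domain      = 'CONTOSO'   # NetBIOS domain name (placeholder)

foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory) {
    $path = $dir.FullName

    # 1) Take ownership recursively (/a gives it to the Administrators group) so the
    #    ACL can be read and modified at all; this is the step the batch script lacked.
    & takeown.exe /f "$path" /a /r /d y | Out-Null

    # 2) LDAP lookup: does a current account with this folder's name exist?
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($dir.Name)))"
    $account = $searcher.FindOne()
    if (-not $account) { Write-Warning "No AD account named $($dir.Name); only Administrators ACE added" }

    # 3) Append ACEs to the existing ACL (Get-Acl/Set-Acl preserve the other entries).
    $acl     = Get-Acl -Path $path
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $admins  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($admins)
    if ($account) {
        # Modify rather than Full Control, as suggested in the thread, so the user
        # cannot undo the Administrators entry.
        $user = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            "$Domain\$($dir.Name)", 'Modify', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($user)
    }

    # 4) Remove the orphaned "account unknown" entries left by the deleted account.
    #    An unresolvable SID shows up as the raw S-1-5-21-... string instead of DOMAIN\name.
    #    Caveat: a SID from an unreachable trusted domain would look the same; review first.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -like 'S-1-5-21-*') {
            $acl.RemoveAccessRule($ace) | Out-Null
        }
    }
    Set-Acl -Path $path -AclObject $acl
}
```

Run it once with `Set-Acl` commented out and `$acl.Access` printed to confirm which entries would be added and removed before changing thousands of folders.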
 

Author Comment

by:levertm
ID: 39700950
Thank you sir bounty that did it. It also caused a new issue but you have answered my question.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 39700972
Happy to have helped - thanx for the grade! :^)
0
