Solved

Correcting Folder Redirection Permissions post implementation - script explanation !

Posted on 2014-10-20
Last Modified: 2014-11-18
Ouch my brain hurts !!! I'm running Server 2012 Essentials with a mixture of Vista SP2 Business PCs and some Windows 7 Pro SP1 machines. All joined to the domain (Server 2012 is the single DC).

I have made the mistake of using the defaults for folder redirection on the above and a number of Server 2012 installations and only recently discovered the issues with backup (or rather restoration from a backup I believe)

Firstly can someone confirm that all data is backed up when using the native Server 2012 R2 backup solution and it is only recovery of Redirected folder data by administrators (not actual owners) which is the problem ???

Secondly I'm looking for someone to fill in the bits I don't understand in an attempt to change the permissions of the existing Redirected Folders before I run the following script which I believe provides Administrators full access permissions without disturbing user level exclusiveness. From http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/ which is referenced in a number of other articles on this matter.

I have left the CACLS line that actually makes the change commented out until I understand what this is going to do for me. (Carrying on below script)


#ChangePermissions.ps1
 # CACLS rights are usually
 # F = FullControl
 # C = Change
 # R = Readonly
 # W = Write

$StartingDir= "E:\ServerFolders\Folder Redirection"

$Principal="Administrators"

$Permission="F"

$Verify=Read-Host `n "You are about to change permissions on all" `
 "files starting at"$StartingDir.ToUpper() `n "for security"`
 "principal"$Principal.ToUpper() `
 "with new right of"$Permission.ToUpper()"."`n `
 "Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {

foreach ($file in $(Get-ChildItem $StartingDir  -recurse)) {
 #display filename and old permissions
 write-Host -foregroundcolor Yellow $file.FullName
 #uncomment if you want to see old permissions
 CACLS $file.FullName

#ADD new permission with CACLS
#CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

#display new permissions
 Write-Host -foregroundcolor Green "New Permissions"
 CACLS $file.FullName
 }
 }

So I run this PowerShell script using PSEXEC, which allows it to run under the SYSTEM user's account through the use of the -s switch. I added the redirection to get a view of the parsed file permissions.

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1' >c:\PSTOOLS\RESULTS.log"

Aaaaaaaaa  . . .  now as I write this I think I see what it's doing.
OK so it's not changing administrator permissions, it's adding them. So when I uncomment the line it's going to add additional permissions for each file and folder ???

If someone could confirm this I'd be grateful.
I need to run this on three servers to allow sensible recovery from the backups in the future.

Thanks
Question by:TrevorWhite
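
What the commented-out CACLS line would do depends on what each item's ACL holds today: /E edits the existing ACL instead of replacing it, and /P sets the named principal's rights. The following read-only audit is an added example, not part of the original post or of the referenced blog script; it reports which items under the question's $StartingDir already have an Allow FullControl entry for BUILTIN\Administrators. The report path is an assumed name, and the script should run in the same SYSTEM context as the psexec command in the question so that the ACLs can be read.

```powershell
# Added example: read-only audit. It reads ACLs and modifies nothing.
$StartingDir = "E:\ServerFolders\Folder Redirection"   # path from the question
$ReportPath  = "C:\PSTOOLS\AdminAclAudit.csv"          # assumed output file name

# BUILTIN\Administrators by well-known SID, so the match does not depend on
# how the group name is displayed.
$AdminSid = "S-1-5-32-544"
$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$InhOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AdminAclState {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The account running the audit cannot read this item's ACL at all.
        return "Unreadable"
    }
    # Explicit and inherited entries, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $AdminSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # An inherit-only entry applies to children, not to this item itself.
        if (($rule.PropagationFlags -band $InhOnly) -eq $InhOnly) { continue }
        if (($rule.FileSystemRights -band $Full) -eq $Full) { return "HasFullControl" }
    }
    return "MissingFullControl"
}

# -Force includes hidden and system items, which redirected profiles often contain.
$results = Get-ChildItem -LiteralPath $StartingDir -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            State = Get-AdminAclState -Path $_.FullName
            Path  = $_.FullName
        }
    }

# Summary on screen; the items the CACLS line would actually alter go to the CSV.
$results | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object { $_.State -ne "HasFullControl" } |
    Export-Csv -LiteralPath $ReportPath -NoTypeInformation
```

Items reported as MissingFullControl are the ones whose ACL would gain an Administrators entry; items reported as HasFullControl would be left with the same effective Administrators access.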
14 Comments
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 40393546
Add the user doing the restore to the Backup Operators group and you should be able to restore without messing with the folder permissions.
0
 

Author Comment

by:TrevorWhite
ID: 40393781
Do you know I was thinking about this last night . . . if I can get access to change permissions then surely I can get access to do a restore ???? I'll check this out. Thanks

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40395562
Hi David and others,
So I have read up on this and if you run the backup (and restore) program with a user who's a member of the Backup Operators group then it can read anything but just can't change anything. Good!

Now the Default Server 2012 R2 backup program appears to create a backup task running under SYSTEM in Task Scheduler.

My immediate assumption is that I should place the SYSTEM user into the Backup Operators security group. Would this be wise, or is it better to create or perhaps use a specific SysBackup user account, place that in the Backup Operators group, and change the user that runs the Server Backup Task to SysBackup?

This all feels right so why doesn't MS do it from the off ???

Regards
0
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40396154
SYSTEM is the god user; it has access to everything.

"Would this be wise or is it better to create perhaps use a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup"

Recommended.
0
 

Author Comment

by:TrevorWhite
ID: 40396201
Hmmmm, not quite so god like as a normal user in the Backup Operators group though eh? But point taken.
Thanks
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40444650
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40444651
Information provided, and as per usual once a solution is given the asker walks away content.
0
 

Author Comment

by:TrevorWhite
ID: 40445008
Hi David,
I must offer apologies. Yes information was provided and it was indeed the correct information.
It was I that did not stay in touch and award points.
It would have been better if EE prompted me to close or award points . . .  that is not to absolve myself from the responsibility though.

Dave should indeed be awarded the points

Regards
0
 

Author Closing Comment

by:TrevorWhite
ID: 40445011
Sorry for not staying in touch or closing and awarding the points

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40445574
One last comment in this thread, directed at EE moderation.
Again without abdicating my responsibility to remain engaged on issues.
I am noting that I received three notices from EE moderation/Administration within 3 minutes.

I appreciate that something may have gone wrong here, but it would have helped the situation (i.e. David justifiably feeling it necessary to vent frustration) to have spread these notifications out over perhaps a number of days.

There are many types that help make EE and similar boards like this work. I would like to offer my thanks to them all in many cases it must be a thankless task. Thank you all for your commitment, knowledge and tenacity.

Regards
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40445674
You would have got:
1. an administrative comment has been added
2. the question will be closed in x days
3. my objection.

Many times if I see the first 2 I skip the emails.
0
 

Author Comment

by:TrevorWhite
ID: 40445922
I'm really sorry but I have not seen previous emails apart from the ones that appeared in my mailbox all within a matter of minutes. David, none of this absolves me from the responsibility of remaining engaged, which I did not do. You had every right to complain as you did.

My comment to moderation was to notify what had happened not to try and defend my position

Thanks

Regards
0
