Solved

Correcting Folder Redirection Permissions post implementation - script explanation !

Posted on 2014-10-20
Last Modified: 2014-11-18
Ouch my brain hurts !!! I'm running Server 2012 Essentials with a mixture of Vista SP2 Business PCs and some Windows 7 Pro SP1 machines. All joined to the domain (Server 2012 is single DC).

I have made the mistake of using the defaults for folder redirection on the above and a number of Server 2012 installations and only recently discovered the issues with backup (or rather restoration from a backup I believe)

Firstly can someone confirm that all data is backed up when using the native Server 2012 R2 backup solution and it is only recovery of Redirected folder data by administrators (not actual owners) which is the problem ???

Secondly I'm looking for someone to fill in the bits I don't understand in an attempt to change the permissions of the existing Redirected Folders before I run the following script which I believe provides Administrators full access permissions without disturbing user level exclusiveness. From http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/ which is referenced in a number of other articles on this matter.

I have left the CACLS line that actually makes the change commented out until I understand what this is going to do for me. (Carrying on below script)


#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir = "E:\ServerFolders\Folder Redirection"

$Principal = "Administrators"

$Permission = "F"

$Verify = Read-Host `n "You are about to change permissions on all" `
 "files starting at"$StartingDir.ToUpper() `n "for security"`
 "principal"$Principal.ToUpper() `
 "with new right of"$Permission.ToUpper()"."`n `
 "Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -Recurse)) {
        #display filename and old permissions
        Write-Host -ForegroundColor Yellow $file.FullName
        #show old permissions (comment out to hide them)
        CACLS $file.FullName

        #ADD new permission with CACLS (left commented out, so nothing is changed yet)
        #CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        #display new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}

So I run this PowerShell script using PSEXEC, which allows it to run under the system user's account through the use of the -s switch. I added the redirection to get a view of the parsed file permissions.

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1' >c:\PSTOOLS\RESULTS.log"

Aaaaaaaaa  . . .  now as I write this I think I see what it's doing.
OK so it's not changing administrator permissions, it's adding them. So when I uncomment the line it's going to add additional permissions for each file and folder ???

If someone could confirm this I'd be grateful.
I need to run this on three servers to allow sensible recovery from the backups in the future.

Thanks
0
Comment
Question by:TrevorWhite
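
A read-only way to see which redirected folders currently lack an Administrators full-control entry before any CACLS change is made. This is an added example, not part of the original post or the referenced blog script. It assumes the SYSTEM PowerShell session described above, an English-language server where the group appears as BUILTIN\Administrators, and a hypothetical helper name Test-AdminFullControl.

```powershell
# Added example: audit only, makes no permission changes.
# Assumption: run in a context that can read the ACLs (e.g. the psexec -s
# SYSTEM session from the question); the path is the one used in the question.
$StartingDir = 'E:\ServerFolders\Folder Redirection'
$Principal   = 'BUILTIN\Administrators'   # assumed display name of the group

function Test-AdminFullControl {          # hypothetical helper name
    param($Acl, [string]$Identity)
    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000              # GENERIC_ALL, seen on some inherit-only ACEs
    foreach ($ace in $Acl.Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            ((($rights -band $full) -eq $full) -or ($rights -band $genericAll))) {
            return $true
        }
    }
    return $false
}

$dirs = Get-ChildItem -LiteralPath $StartingDir -Directory -Recurse -ErrorAction SilentlyContinue
$report = foreach ($dir in $dirs) {
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        [pscustomobject]@{
            Path       = $dir.FullName
            Owner      = $acl.Owner
            AdminsFull = Test-AdminFullControl -Acl $acl -Identity $Principal
            Inherits   = -not $acl.AreAccessRulesProtected
        }
    }
    catch {
        # The current account cannot read this ACL at all; record it as unknown
        [pscustomobject]@{ Path = $dir.FullName; Owner = $null; AdminsFull = $null; Inherits = $null }
    }
}

# Folders where Administrators do not have full control, or the ACL was unreadable
$report | Where-Object { $_.AdminsFull -ne $true } |
    Sort-Object Path | Format-Table -AutoSize
```

Folders listed with Inherits = False have inheritance blocked, which is how the exclusive-rights default keeps Administrators out of the user's redirected folder.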
14 Comments
 
LVL 81

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40393546
Add the user to do the restore to the Backup Operators group and you should be able to restore without messing up with the folder permissions.
0
 

Author Comment

by:TrevorWhite
ID: 40393781
Do you know I was thinking about this last night . . . if I can get access to change permissions then surely I can get access to do a restore ???? I'll check this out. Thanks

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40395562
Hi David and others,
So I have read up on this and if you run the backup (and restore) program with a user who's a member of the Backup Operators group then it can read anything but just can't change anything. Good!

Now the Default Server 2012 R2 backup program appears to create a backup task running under SYSTEM in Task Scheduler.

My immediate assumption is that I should place the SYSTEM user into the Backup Operators security group. Would this be wise or is it better to create perhaps use a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup

This all feels right so why doesn't MS do it from the off ???

Regards
0

 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40396154
SYSTEM is the god user; it has access to everything.

"Would this be wise or is it better to create perhaps use a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup": recommended.
0
 

Author Comment

by:TrevorWhite
ID: 40396201
Hmmmm, not quite so god like as a normal user in the Backup Operators group though eh? But point taken.
Thanks
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40444650
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40444651
Information provided and as per usual once a solution is given the asker walks away content.
0
 

Author Comment

by:TrevorWhite
ID: 40445008
Hi David,
I must offer apologies. Yes information was provided and it was indeed the correct information.
It was I that did not stay in touch and award points.
It would have been better if EE prompted me to close or award points . . .  that is not to absolve myself from the responsibility though.

Dave should indeed be awarded the points

Regards
0
 

Author Closing Comment

by:TrevorWhite
ID: 40445011
Sorry for not staying in touch or closing and awarding the points

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40445574
One last comment in this thread, directed at EE moderation.
Again without abdicating my responsibility to remain engaged on issues.
I am noting that I received three notices from EE moderation/Administration within 3 minutes.

I appreciate that something may have gone wrong here, but it would have helped the situation (IE David justifiably feeling necessary to vent frustration) to have spread these notifications out over perhaps a number of days.

There are many types that help make EE and similar boards like this work. I would like to offer my thanks to them all in many cases it must be a thankless task. Thank you all for your commitment, knowledge and tenacity.

Regards
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40445674
you would have got the
1. an administrative comment has been added
2. the question will be closed in x days
3. my objection.

many times if I see the first 2 I skip the emails.
0
 

Author Comment

by:TrevorWhite
ID: 40445922
I'm really sorry but I have not seen previous emails apart from the ones that appeared in my mailbox all within a matter of minutes. David, none of this absolves me from the responsibility of remaining engaged, which I did not do. You had every right to complain as you did.

My comment to moderation was to notify what had happened not to try and defend my position

Thanks

Regards
0
