Solved

Correcting Folder Redirection Permissions post implementation - script explanation!

Posted on 2014-10-20
Last Modified: 2014-11-18
Ouch, my brain hurts!!! I'm running Server 2012 Essentials with a mixture of Vista SP2 Business PCs and some Windows 7 Pro SP1 machines, all joined to the domain (Server 2012 is the single DC).

I have made the mistake of using the defaults for folder redirection on the above and a number of Server 2012 installations, and only recently discovered the issues with backup (or rather restoration from a backup, I believe).

Firstly, can someone confirm that all data is backed up when using the native Server 2012 R2 backup solution, and that it is only recovery of Redirected folder data by administrators (not actual owners) which is the problem?

Secondly I'm looking for someone to fill in the bits I don't understand in an attempt to change the permissions of the existing Redirected Folders before I run the following script which I believe provides Administrators full access permissions without disturbing user level exclusiveness. From http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/ which is referenced in a number of other articles on this matter.

I have left the CACLS line that actually makes the change commented out until I understand what this is going to do for me. (Carrying on below script)


#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir = "E:\ServerFolders\Folder Redirection"

$Principal = "Administrators"

$Permission = "F"

# Build the confirmation prompt as one string so the method calls are evaluated
$Verify = Read-Host ("`nYou are about to change permissions on all " +
    "files starting at $($StartingDir.ToUpper())`nfor security " +
    "principal $($Principal.ToUpper()) " +
    "with new right of $($Permission.ToUpper()).`n" +
    "Do you want to continue? [Y,N]")

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -Recurse)) {
        # display filename and old permissions
        Write-Host -ForegroundColor Yellow $file.FullName
        # show old permissions
        CACLS $file.FullName

        # ADD new permission with CACLS (left commented out, see below)
        #CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        # display new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}

So I run this PowerShell script using PSEXEC, which allows it to run under the SYSTEM user's account through the use of the -s switch. I added the redirection to get a view of the parsed file permissions.

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1' >c:\PSTOOLS\RESULTS.log"

Aaaaaaaaa . . . now as I write this I think I see what it's doing.
OK, so it's not changing administrator permissions, it's adding them. So when I uncomment the line it's going to add additional permissions for each file and folder???

If someone could confirm this I'd be grateful.
I need to run this on three servers to allow sensible recovery from the backups in the future.

Thanks
Question by:TrevorWhite
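An added example, not part of the original question or the blog script it references: a report-first variant that uses icacls (the current replacement for CACLS) and touches only the folders where inheritance has been switched off, since those are the ones carrying the exclusive ACLs. It assumes the path from the question, the account name BUILTIN\Administrators, PowerShell 3.0 or later, and the same SYSTEM context as the psexec command above; the -Apply switch is a name chosen for this example.

```powershell
# Added example, not the original poster's script.
param(
    [string]$StartingDir = 'E:\ServerFolders\Folder Redirection',  # path from the question
    [string]$Principal   = 'BUILTIN\Administrators',               # assumed account name
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

$report = foreach ($dir in Get-ChildItem -LiteralPath $StartingDir -Directory -Recurse) {
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Folders that still inherit get their ACEs from a parent; skip them.
    if (-not $acl.AreAccessRulesProtected) { continue }

    # Is there already an Allow entry giving the principal Full Control?
    $hasFull = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $full) -eq $full
    })

    $changed = $false
    if (-not $hasFull -and $Apply) {
        # /grant without :r ADDS an entry and leaves the user's own entry alone.
        # (OI)(CI) marks it inheritable, so files and subfolders that inherit
        # from this folder receive it as well. /C keeps going after an error.
        icacls $dir.FullName /grant "${Principal}:(OI)(CI)F" /C | Out-Null
        $changed = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{
        Folder           = $dir.FullName
        Owner            = $acl.Owner
        AdminFullControl = $hasFull
        Changed          = $changed
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it once without -Apply and review the AdminFullControl column before making any change.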
14 Comments
 
LVL 81

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40393546
Add the user who will do the restore to the Backup Operators group and you should be able to restore without messing with the folder permissions.
0
 

Author Comment

by:TrevorWhite
ID: 40393781
Do you know I was thinking about this last night . . . if I can get access to change permissions then surely I can get access to do a restore ???? I'll check this out. Thanks

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40395562
Hi David and others,
So I have read up on this and if you run the backup (and restore) program with a user who's a member of the Backup Operators group then it can read anything but just can't change anything. Good!

Now the Default Server 2012 R2 backup program appears to create a backup task running under SYSTEM in Task Scheduler.

My immediate assumption is that I should place the SYSTEM user into the Backup Operators security group. Would this be wise, or is it better to create, or perhaps use, a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup?

This all feels right so why doesn't MS do it from the off ???

Regards
0
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40396154
SYSTEM is the god user; it has access to everything.

"Would this be wise or is it better to create perhaps use a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup"

Recommended.
0
 

Author Comment

by:TrevorWhite
ID: 40396201
Hmmmm, not quite so god like as a normal user in the Backup Operators group though eh? But point taken.
Thanks
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40444650
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40444651
Information provided, and as per usual once a solution is given the asker walks away content.
0
 

Author Comment

by:TrevorWhite
ID: 40445008
Hi David,
I must offer apologies. Yes information was provided and it was indeed the correct information.
It was I that did not stay in touch and award points.
It would have been better if EE prompted me to close or award points . . .  that is not to absolve myself from the responsibility though.

Dave should indeed be awarded the points

Regards
0
 

Author Closing Comment

by:TrevorWhite
ID: 40445011
Sorry for not staying in touch or closing and awarding the points

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40445574
One last comment in this thread, directed at EE moderation.
Again without abdicating my responsibility to remain engaged on issues.
I am noting that I received three notices from EE moderation/Administration within 3 minutes.

I appreciate that something may have gone wrong here, but it would have helped the situation (i.e. David justifiably feeling it necessary to vent frustration) to have spread these notifications out over perhaps a number of days.

There are many types that help make EE and similar boards like this work. I would like to offer my thanks to them all; in many cases it must be a thankless task. Thank you all for your commitment, knowledge and tenacity.

Regards
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40445674
You would have got the
1. an administrative comment has been added
2. the question will be closed in x days
3. my objection.

Many times if I see the first 2 I skip the emails.
0
 

Author Comment

by:TrevorWhite
ID: 40445922
I'm really sorry but I have not seen previous emails apart from the ones that appeared in my mailbox all within a matter of minutes. David, none of this absolves me from the responsibility of remaining engaged, which I did not do. You had every right to complain as you did.

My comment to moderation was to notify what had happened, not to try and defend my position.

Thanks

Regards
0
