Solved

Correcting Folder Redirection Permissions post implementation - script explanation !

Posted on 2014-10-20
Last Modified: 2014-11-18
Ouch my brain hurts !!! I'm running Server 2012 Essentials with a mixture of Vista SP2 Business PCs and some Windows 7 Pro SP1 machines. All joined to the domain (Server 2012 is the single DC).

I have made the mistake of using the defaults for folder redirection on the above and a number of Server 2012 installations and only recently discovered the issues with backup (or rather restoration from a backup I believe)

Firstly can someone confirm that all data is backed up when using the native Server 2012 R2 backup solution and it is only recovery of Redirected folder data by administrators (not actual owners) which is the problem ???

Secondly I'm looking for someone to fill in the bits I don't understand in an attempt to change the permissions of the existing Redirected Folders before I run the following script which I believe provides Administrators full access permissions without disturbing user level exclusiveness. From http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/ which is referenced in a number of other articles on this matter.

I have left the CACLS line that actually makes the change commented out until I understand what this is going to do for me. (Carrying on below script)


#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir = "E:\ServerFolders\Folder Redirection"
$Principal = "Administrators"
$Permission = "F"

# Build the confirmation prompt as a single string
$Prompt = "`nYou are about to change permissions on all files starting at $($StartingDir.ToUpper())" +
    "`nfor security principal $($Principal.ToUpper()) with new right of $($Permission.ToUpper())." +
    "`nDo you want to continue? [Y,N]"
$Verify = Read-Host $Prompt

if ($Verify -eq "Y") {
    foreach ($file in $(Get-ChildItem $StartingDir -Recurse)) {
        # display filename and old permissions
        Write-Host -ForegroundColor Yellow $file.FullName
        # comment out if you do not want to see old permissions
        CACLS $file.FullName

        # ADD new permission with CACLS
        # /E edits the existing ACL instead of replacing it; /P sets the rights for the named principal
        #CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        # display new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}

So I run this PowerShell script using PSEXEC, which allows it to run under the SYSTEM user's account through the use of the -s switch. I added the redirection to get a view of the parsed file permissions.

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1' >c:\PSTOOLS\RESULTS.log"

Aaaaaaaaa  . . .  now as I write this I think I see what it's doing.
OK so it's not changing administrator permissions, it's adding them. So when I uncomment the line it's going to add additional permissions for each file and folder ???

If someone could confirm this I'd be grateful.
I need to run this on three servers to allow sensible recovery from the backups in the future.

Thanks
Question by:TrevorWhite
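
A read-only way to see where the Administrators group currently has no rights before any ACL is changed, as an added example that is not part of the original post or of the referenced blog script. The path is the one from the script above; the function name Get-RedirectionAclReport is hypothetical, and PowerShell 3.0 or later (as shipped with Server 2012) is assumed.

```powershell
# Added example: read-only audit, it does not modify any ACL.
# $StartingDir comes from the script above; the function name is hypothetical.
$StartingDir = 'E:\ServerFolders\Folder Redirection'
$Principal   = 'BUILTIN\Administrators'

function Get-RedirectionAclReport {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Principal
    )

    # Folders the current account cannot list are collected in $denied.
    $denied = @()
    $dirs = Get-ChildItem -LiteralPath $Path -Directory -Recurse `
                -ErrorAction SilentlyContinue -ErrorVariable denied

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        }
        catch {
            # Visible in the parent listing, but the ACL itself is not readable.
            [pscustomobject]@{ Path = $dir.FullName; Owner = $null; Rights = '<acl unreadable>'; Inherits = $null }
            continue
        }

        # Allow ACEs held by the principal on this folder (explicit or inherited).
        $aces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow'
        })
        $rights = '<none>'
        if ($aces.Count -gt 0) {
            $rights = ($aces | ForEach-Object { $_.FileSystemRights }) -join '; '
        }

        [pscustomobject]@{
            Path     = $dir.FullName
            Owner    = $acl.Owner
            Rights   = $rights
            Inherits = -not $acl.AreAccessRulesProtected
        }
    }

    # Report the folders that could not be enumerated at all.
    foreach ($e in $denied) {
        [pscustomobject]@{ Path = $e.TargetObject; Owner = $null; Rights = '<access denied>'; Inherits = $null }
    }
}

# Show only folders where the principal lacks FullControl.
Get-RedirectionAclReport -Path $StartingDir -Principal $Principal |
    Where-Object { $_.Rights -notmatch 'FullControl' } | Format-Table -AutoSize
```

Rows marked `<access denied>` or `<acl unreadable>` are the folders where redirection granted the user exclusive rights; run from an elevated administrator session, these are the ones an administrator-level restore would trip over.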
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40393546
Add the user to do the restore to the Backup Operators group and you should be able to restore without messing up with the folder permissions.
0
 

Author Comment

by:TrevorWhite
ID: 40393781
Do you know I was thinking about this last night . . . if I can get access to change permissions then surely I can get access to do a restore ???? I'll check this out. Thanks

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40395562
Hi David and others,
So I have read up on this and if you run the backup (and restore) program with a user who's a member of the Backup Operators group then it can read anything but just can't change anything. Good!

Now the Default Server 2012 R2 backup program appears to create a backup task running under SYSTEM in Task Scheduler.

My immediate assumption is that I should place the SYSTEM user into the Backup Operators security group. Would this be wise, or is it better to create or perhaps use a specific SysBackup user account, place that in the Backup Operators group, and change the user that runs the Server Backup Task to SysBackup?

This all feels right so why doesn't MS do it from the off ???

Regards
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40396154
SYSTEM is the god user it has access to everything.

"Would this be wise or is it better to create perhaps use a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup"
recommended
0
 

Author Comment

by:TrevorWhite
ID: 40396201
Hmmmm, not quite so god like as a normal user in the Backup Operators group though eh? But point taken.
Thanks
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40444650
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40444651
Information provided and as per usual once a solution is given the asker walks away content.
0
 

Author Comment

by:TrevorWhite
ID: 40445008
Hi David,
I must offer apologies. Yes information was provided and it was indeed the correct information.
It was I that did not stay in touch and award points.
It would have been better if EE prompted me to close or award points . . .  that is not to absolve myself from the responsibility though.

Dave should indeed be awarded the points

Regards
0
 

Author Closing Comment

by:TrevorWhite
ID: 40445011
Sorry for not staying in touch or closing and awarding the points

Regards
0
 

Author Comment

by:TrevorWhite
ID: 40445574
One last comment in this thread, directed at EE moderation.
Again without abdicating my responsibility to remain engaged on issues.
I am noting that I received three notices from EE moderation/Administration within 3 minutes.

I appreciate that something may have gone wrong here, but it would have helped the situation (IE David justifiably feeling necessary to vent frustration) to have spread these notifications out over perhaps a number of days.

There are many types that help make EE and similar boards like this work. I would like to offer my thanks to them all; in many cases it must be a thankless task. Thank you all for your commitment, knowledge and tenacity.

Regards
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40445674
You would have got the:
1. an administrative comment has been added
2. the question will be closed in x days
3. my objection.

Many times if I see the first 2 I skip the emails.
0
 

Author Comment

by:TrevorWhite
ID: 40445922
I'm really sorry but I have not seen previous emails apart from the ones that appeared in my mailbox all within a matter of minutes. David, none of this absolves me from the responsibility of remaining engaged, which I did not do. You had every right to complain as you did.

My comment to moderation was to notify what had happened not to try and defend my position

Thanks

Regards
0
