Solved

Correcting Folder Redirection Permissions post implementation - script explanation !

Posted on 2014-10-20
Last Modified: 2014-11-18
Ouch my brain hurts !!! I'm running Server 2012 Essentials with a mixture of Vista SP2 Business PCs and some Windows 7 Pro SP1 machines. All joined to the domain (Server 2012 is single DC).

I have made the mistake of using the defaults for folder redirection on the above and a number of Server 2012 installations and only recently discovered the issues with backup (or rather restoration from a backup I believe)

Firstly can someone confirm that all data is backed up when using the native Server 2012 R2 backup solution and it is only recovery of Redirected folder data by administrators (not actual owners) which is the problem ???

Secondly I'm looking for someone to fill in the bits I don't understand in an attempt to change the permissions of the existing Redirected Folders before I run the following script which I believe provides Administrators full access permissions without disturbing user level exclusiveness. From http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/ which is referenced in a number of other articles on this matter.

I have left the CACLS line that actually makes the change commented out until I understand what this is going to do for me. (Carrying on below script)


#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir = "E:\ServerFolders\Folder Redirection"
$Principal   = "Administrators"
$Permission  = "F"

$Verify=Read-Host `n "You are about to change permissions on all" `
 "files starting at"$StartingDir.ToUpper() `n "for security"`
 "principal"$Principal.ToUpper() `
 "with new right of"$Permission.ToUpper()"."`n `
 "Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {
    foreach ($file in $(Get-ChildItem $StartingDir -Recurse)) {
        # display filename and old permissions
        Write-Host -ForegroundColor Yellow $file.FullName
        # comment out if you do not want to see old permissions
        CACLS $file.FullName

        # ADD new permission with CACLS
        # (/E edits the existing ACL instead of replacing it; /P sets the named principal's rights)
        # Left commented out, as described in the question.
        #CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        # display new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}

So I run this PowerShell script using PSEXEC, which allows it to run under the system user's account through the use of the -s switch. I added the redirection to get a view of the parsed file permissions.

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1' >c:\PSTOOLS\RESULTS.log"

Aaaaaaaaa  . . .  now as I write this I think I see what it's doing.
OK so it's not changing administrator permissions, it's adding them. So when I uncomment the line it's going to add additional permissions for each file and folder ???

If someone could confirm this I'd be grateful.
I need to run this on three servers to allow sensible recovery from the backups in the future.

Thanks
Question by:TrevorWhite
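
A read-only check that could be run before uncommenting the CACLS line in the script above, as an added example that is not part of the original post or the referenced blog: it lists each top-level folder under the redirection root and reports whether the running account can read its ACL and whether Administrators already has an allow entry. The path is the one from the question; the function name Get-RedirectionAclReport and the BUILTIN\Administrators identity string are assumptions.

```powershell
# Added example: read-only audit; it changes no permissions.
# The path is the one from the question. The identity string is an assumption
# (the form in which Get-Acl normally reports the local Administrators group).
$StartingDir = "E:\ServerFolders\Folder Redirection"
$Principal   = "BUILTIN\Administrators"

# Hypothetical helper name, not from the original script.
function Get-RedirectionAclReport {
    param([string]$Root, [string]$Principal)

    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $row = [ordered]@{
            Folder       = $_.FullName
            Owner        = $null
            Inherits     = $null
            PrincipalAce = $null
            Status       = 'OK'
        }
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            $row.Owner    = $acl.Owner
            # True when the folder still inherits permissions from its parent.
            $row.Inherits = -not $acl.AreAccessRulesProtected
            $aces = @($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Principal -and
                $_.AccessControlType -eq 'Allow'
            })
            if ($aces.Count -eq 0) {
                $row.Status = 'NoAllowAce'
            } else {
                $row.PrincipalAce = ($aces | ForEach-Object { $_.FileSystemRights }) -join '; '
            }
        }
        catch {
            # Typically access denied: the account running the audit cannot read the ACL.
            $row.Status = 'Unreadable: ' + $_.Exception.GetType().Name
        }
        [pscustomobject]$row
    }
}

# Show only the folders that need attention before any CACLS change is made.
Get-RedirectionAclReport -Root $StartingDir -Principal $Principal |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table Folder, Owner, Inherits, Status -AutoSize
```

Running it once as an administrator and once under SYSTEM (as with the psexec -s call in the question) shows which folders are unreadable to administrators only.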

Accepted Solution

by: David Johnson, CD, MVP earned 500 total points
Add the user to do the restore to the Backup Operators group and you should be able to restore without messing up the folder permissions.

Author Comment

by:TrevorWhite
Do you know I was thinking about this last night . . . if I can get access to change permissions then surely I can get access to do a restore ???? I'll check this out. Thanks

Regards

Author Comment

by:TrevorWhite
Hi David and others,
So I have read up on this and if you run the backup (and restore) program with a user who's a member of the Backup Operators group then it can read anything but just can't change anything. Good!

Now the Default Server 2012 R2 backup program appears to create a backup task running under SYSTEM in Task Scheduler.

My immediate assumption is that I should place the SYSTEM user into the Backup Operators security group. Would this be wise or is it better to create perhaps use a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup

This all feels right so why doesn't MS do it from the off ???

Regards

Expert Comment

by:David Johnson, CD, MVP
SYSTEM is the god user; it has access to everything.

"Would this be wise or is it better to create perhaps use a specific SysBackup user account and place that in the Backup Operators group and change the user that runs the Server Backup Task to SysBackup"
recommended

Author Comment

by:TrevorWhite
Hmmmm, not quite so god like as a normal user in the Backup Operators group though eh? But point taken.
Thanks

Expert Comment

by:LeeTutor
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.

Expert Comment

by:David Johnson, CD, MVP
Information provided, and as per usual once a solution is given the asker walks away content.

Author Comment

by:TrevorWhite
Hi David,
I must offer apologies. Yes information was provided and it was indeed the correct information.
It was I that did not stay in touch and award points.
It would have been better if EE prompted me to close or award points . . .  that is not to absolve myself from the responsibility though.

Dave should indeed be awarded the points

Regards

Author Closing Comment

by:TrevorWhite
Sorry for not staying in touch or closing and awarding the points

Regards

Author Comment

by:TrevorWhite
One last comment in this thread, directed at EE moderation.
Again without abdicating my responsibility to remain engaged on issues.
I am noting that I received three notices from EE moderation/Administration within 3 minutes.

I appreciate that something may have gone wrong here, but it would have helped the situation (i.e. David justifiably feeling it necessary to vent frustration) to have spread these notifications out over perhaps a number of days.

There are many types that help make EE and similar boards like this work. I would like to offer my thanks to them all; in many cases it must be a thankless task. Thank you all for your commitment, knowledge and tenacity.

Regards

Expert Comment

by:David Johnson, CD, MVP
you would have got the
1. an administrative comment has been added
2. the question will be closed in x days
3. my objection.

many times if I see the first 2 I skip the emails.

Author Comment

by:TrevorWhite
I'm really sorry but I have not seen previous emails apart from the ones that appeared in my mailbox all within a matter of minutes. David, none of this absolves me from the responsibility of remaining engaged, which I did not do. You had every right to complain as you did.

My comment to moderation was to notify what had happened not to try and defend my position

Thanks

Regards