Network share log folder permissions

I've been asked by management to log IM chats. I've already got the logon script and GPO that will edit the registry keys and point the IM client to save the log files to a network share folder that is created when the logon script is run.

Now my concern is end users snooping around the network, finding this folder and reading everyone else's IM chats. Chances are slim that this will even be noticed, but if one person finds it, this could be a huge problem.

So I would like to know how to set up permissions on the log folder that will allow the script to run and create the user folder, but set permissions in a way that will only allow the user and domain admins to have access to their folder. The user folder should also allow the user with access to this folder to write, but not view/read/delete/edit, the log files it creates in this folder.

Any help will be appreciated.
Fveng asked:

NVIT commented:
Hi Fveng...

I did a test of that link I gave you on your last topic, i.e. http://community.spiceworks.com/scripts/show/2522-windows-user-share-exclusive-access

It seems to work. But I think it needs adjustments, depending on the users/groups in your network. For example, in the folder I tested, the Domain Users group was still able to see the contents. But I didn't want this. So I added a line below the "icacls %1\%2 /remove "CREATOR OWNER"" line.

icacls %1\%2 /remove "CREATOR OWNER" /T /C /Q 2>NUL

REM Remove the Domain Users permission as it's not needed.
icacls %1\%2 /remove "Domain Users" /T /C /Q 2>NUL

This worked. A domain user was still able to see the user folder but not the contents. I can't remember, but I think there's a setting or fix for that; that's another topic, though.

Just customize that line for your use, adding your users/groups as needed.

To run it on all the folders, use something like:

REM Run from the share root (here E:\Shares\UserProfiles); each subfolder name is passed as the user name.
REM The "echo" only prints the command for each folder; remove it to actually call the script.
for /d %%a in (*.*) do (
  echo Filename.bat E:\Shares\UserProfiles %%a
)

Fveng (author) commented:
Can't this be done just using Windows permissions rather than a login script? Sorry, I'm not a script guy; couldn't the correct permissions be set on the parent folder rather than through a script?
NVIT commented:
If you mean using the Security tab, you'll have to enter each user manually.

If users have full control of their folder, they should be able to manually revise the rights as needed.

The batch file in this topic must be run by the domain admin. If all your users have already run the Shoretel script from your other topic, they now have a chat folder. All that's left is for you, as domain admin, to run this batch file once, and you'd be done.
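As an added example that is not code from this thread or from the Spiceworks script, the following PowerShell applies the model the question asks for (the user can create and append log files in their own folder but not list, read or delete them; admins keep full control) to every existing user folder using icacls. It assumes the share is at E:\Shares\IMLogs, that each subfolder is named after the user's account, and that the domain's NetBIOS name is CONTOSO; all three are placeholders.

```powershell
# Added example (not from the thread). Assumptions are placeholders: subfolder names equal the
# users' account names, the share lives at E:\Shares\IMLogs, the domain is CONTOSO.
# Run as a domain admin on the file server.
param(
    [string]$ShareRoot = 'E:\Shares\IMLogs',
    [string]$Domain    = 'CONTOSO'
)

# icacls specific rights that let a log writer create and append files without listing, reading
# or deleting them. A client that opens its log with GENERIC_WRITE needs exactly this set
# (write data, append, write attributes/EA, read attributes, read control, synchronize);
# granting only WD,AD would make such an open fail even though the client never reads.
$writeOnly = 'WD,AD,WA,WEA,RA,RC,S'

function Set-WriteOnlyLogFolder {
    param([string]$Folder, [string]$Account)

    # Stop inheriting from the share root so root-level entries such as "Domain Users" or
    # "CREATOR OWNER" never reach this folder (the thread's batch file removed those two by name).
    icacls $Folder /inheritance:r /Q | Out-Null

    # Administrators, SYSTEM and Domain Admins keep full control of the folder and its contents.
    icacls $Folder /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" "$Domain\Domain Admins:(OI)(CI)F" /Q | Out-Null

    # The user gets write-only on the folder; (OI)(CI) makes new log files inherit the same entry.
    icacls $Folder /grant:r "${Account}:(OI)(CI)($writeOnly)" /Q | Out-Null

    # Ownership is the part the ACL alone does not cover: an object's owner can always rewrite
    # its DACL, so a user who owns their folder could grant themselves read. Give it to admins.
    icacls $Folder /setowner "BUILTIN\Administrators" /T /C /Q | Out-Null
}

Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
    Set-WriteOnlyLogFolder -Folder $_.FullName -Account "$Domain\$($_.Name)"
}
```

Test it with the IM client itself before rolling it out: a client that opens its log file for read and write rather than append-only will fail under this model, and the fallback is then user-only access on the folder with ownership still held by admins.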