Solved

Network share log folder permissions

Posted on 2014-11-24
3
191 Views
Last Modified: 2014-12-02
I've been asked by management to log IM chats.  I've already got the logon script and gpo that will edit the registry keys and point the IM client to save the log files to a network share folder that is created when the logon script is run.

Now my concern is end users snooping around the network and finding this folder and reading everyone else's IM chats.  Chances are slim that this will even be noticed but if one person finds it this could be a huge problem.

So I would like to know how to setup permissions on the log folder that will allow the script to run and create the user folder but set permission in a way that will only allow the user and domain admins to have access to their folder.  The user folder should also allow the user with access to this folder to write but not view/read/delete/edit the log files it creates in this folder.

Any help will be appreciated.
0
Comment
Question by:Fveng
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 24

Accepted Solution

by:
NVIT earned 500 total points
ID: 40462826
Hi Fveng...

I did a test of that link I gave you on your last topic, i.e. http://community.spiceworks.com/scripts/show/2522-windows-user-share-exclusive-access

It seems to work. But, I think it needs adjustments, depending on the users/groups in your network. For example, in the folder I tested, the Domain Users was still able to see the contents. But, I didn't want this. So, I added a line below the "icacls %1\%2 /remove "CREATOR OWNER" line.

icacls %1\%2 /remove "CREATOR OWNER" /T /C /Q 2>NUL

REM Remove the Domain Users permission as it's not needed.
icacls %1\%2 /remove "Domain Users" /T /C /Q 2>NUL

Open in new window


This worked. A domain user was still able to see the user folder but not the contents. I can't remember but I think there's a setting or fix for that but that's another topic.

Just customize that line for your use, adding your users/groups as needed.

To run it on all the folders, use something like:

for /d %%a in (*.*) do (
  echo Filename.bat E:\Shares\UserProfiles %%a
)

Open in new window

0
 

Author Comment

by:Fveng
ID: 40463164
Can't this be done just using windows permissions rather than a login script?  Sorry I'm not a script guy and the correct permissions could be set on the parent folder rather than a script.
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40463205
If you mean using the Security tab, you'll have to enter each user manually.

If users have full control of their folder, they should be able to manually revise the rights as needed.

The batch file in this topic must be run by the domain admin. If all your users already ran the Shoretel script from your other topic they now have a chat folder. All that's left is for you as domain admin to run this batch file once and you'd be done.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question