?
Solved

How to change NTFS permission to the folder based on the time of the day?

Posted on 2014-11-30
10
Medium Priority
?
267 Views
Last Modified: 2015-01-12
Active Directory group ‘Help Desk’ will have ‘Read & execute’ permission to the ‘Support’ folder between 7 am – 5 pm. All other time access to the ‘Support’ folder for 'Help Desk' AD group must be denied.
 
I’m guessing that I need to create two batch files which will be running on the Windows 2008 R2 file server. One is to enable NTFS permission on a folder, and second one is to disable NTFS permission. First batch file I will run as a scheduler task at 7 am (to enable permission) and second batch file will be running as a scheduler task at 5 pm (to disable permission)

I need some help with creating these permission controlling batch files. If the batch file failed to run successfully I need to know about it.

Thanks in advance.
0
Comment
Question by:Olevo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 2
10 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40473136
Just quick look here at the mo., that sounds potentially all sorts of issues with permissons given to folders below helpdesk being removed etc?

Also would a possible way may be to make sure the folder is only accessible via its own share and adjust the share permissions, or even remove the share at different times of day?

Can help with scripts later if no-one else has.

Steve
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40473199
I'd remove/add the group that gives rights from the Helpdesk group instead of changing ntfs rights.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40473242
That was the other way I was thinking too, if you remove the users from the groups of course it will not work because the user would still have access to that group's data until they logged off.

So thinking this through.... assuming it is part of an existing shared drive and can't be it's own share to simplify things then:

User A = member of users_Helpdesk group
Helpdesk directory has permissions at NTFS level for permissions_Helpdesk group
users_Helpdesk group is in permissions_Helpdesk group...

So does that work if you remove the group?

Also another way maybe would be to add / remove a "Deny" for the Helpdesk group to NTFS, or the share permissions.

Olevo - can you clarify if share methods is feasible?

Steve
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 1

Author Comment

by:Olevo
ID: 40474829
Help Desk group just an example here. Since I don’t know how to block users (DirectAccess) from accessing some of the company resources remotely, I thought that simple NTFS permission will do the trick for me. Basically, we don’t want our users to have remote access to few network folders after 5 pm!

I am thinking of using iCACLS.exe (or similar utility) in my batch file for changing folder permission. However, I am a bit stack with the syntax of the command.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40474840
Switch the server off :-)
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40474842
Sorry... are these just select folders within mapped drives / UNC / DFS shares that they need access to other folders still at any time?

Steve
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 2000 total points
ID: 40474868
I think if you did want to use icacls etc. you could do it like this to add a "deny" then remove it... have amended these from similar scripts I use for adding already so think they are right but obviously test on a sample or one with simple ntfs structure under that point!

Add Deny for HelpDeskgroup to all files and folders below X:\Helpdesk

icacls x:\Helpdesk /deny domain\HelpdeskGroup:f /c /t

Open in new window


Reset permissions to inherit from above Helpdesk

icalcs x:\Helpdesk /reset /c /t

Open in new window


Remove any deny entries under x:\Helpdesk for the group:

icacls x:\Helpdesk /remove:d domain\HelpdeskGroup /c /t

Open in new window


Steve
0
 
LVL 1

Author Comment

by:Olevo
ID: 40477513
Thanks Steve, after running command:

icacls x:\Helpdesk /deny domain\HelpdeskGroup:f /c /t

Permission applied to files but not folders (failed processing) within 'Helpdesk' folder. And, 'HelpDesk' group still have access to 'HelpDesk' folder?!

Since denying or granting permission takes time to propagate down the ACL chain, doing this two times a day for a folder with thousands of files and folders might be not so good idea to do... And, what about if the user/s belongs to multiple groups and this groups have different permission on a 'HelpDesk' folder. However I think, explicit deny will win anyway...

Maybe simply changing name of the folder or share is far better and simpler solution in my case? What do you think?
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40477581
deny will always lose over another group so a specific deny to Helpdesk.

If it can be mapped only via a specific share then all you have to do is either stop the share at specific times of day and re-add it, or add/remove the share permissions to deny.  Other non-helpdesk users could get to it from a different share.

e.g.  ShareA = All users who need it.  Put "deny" for Helpdesk users group, map 'normal' users here who need it
ShareB = Added  and removed...

net share HelpdeskShare=x:\data\helpdesk /grant:Helpdeskgroup,read
net share HelpdeskShare /delete

Would mean maybe moving the folder to a different area if currently on a general shared area so that they can only get to it that route though.

If that is an option the share permissions apart from adding like above can be done from VBScript or powershell afaik.

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40496016
Did you get anywhere with this, need any more help?
0

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In previous parts of this Nano Server deployment series, we learned how to create, deploy and configure Nano Server as a Hyper-V host. In this part, we will look for a clustering option. We will create a Hyper-V cluster of 3 Nano Server host nodes w…
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
Learn the basics of lists in Python. Lists, as their name suggests, are a means for ordering and storing values. : Lists are declared using brackets; for example: t = [1, 2, 3]: Lists may contain a mix of data types; for example: t = ['string', 1, T…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question