Solved

adding an admin group to files and folders

Posted on 2015-02-17
7
52 Views
Last Modified: 2016-04-19
Hi, the Windows file and folder permissions on our shared drives have not been applied consistently over the years and I now need to add  one of our admin groups to the permissions on every file and folder, the new admin group will have full control assigned to it.

The existing permissions structure is quite complex and I do not want to remove the existing permissions, all I want to do is add an admin group to the existing permissions.   I would like some advice on how best to do this.  I have tried doing it from the GUI in the past but this often falls over half way through leaving inconsistent permissions, so I think scripting this may be better.  There is a large amount of data go through (about 1.5TB).  Although these are Windows NTFS permissions the files and folders are on Netapp filer, not sure that makes a difference.
0
Comment
Question by:carbonbase
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40614488
Why not just put this group into Domain Administrators?
0
 
LVL 79

Expert Comment

by:arnold
ID: 40614498
you can use cacls, icacls, xcacls depending on the one available to you and the granularity of the settings.

Using VBscript might be the best since you likely have to recurse through the directory structure adding the group to the top folder and then checking the ones below in the event some have not set the inherit from parent.  Those who have inherit from parent unchecked, you would add the again.

The other issue deals with whether you want to reapply the addition through the structure.
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40614513
You can also go into Group Policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

Group = Builtin\Administrators
Members = YourDomain\YourGroup
0
Cloud Training Guides

FREE GUIDES: In-depth and hand-crafted Linux, AWS, OpenStack, DevOps, Azure, and Cloud training guides created by Linux Academy instructors and the community.

 

Author Comment

by:carbonbase
ID: 40614537
@ Toby

The admin group is for help desk people, really don't want to give them domain admins.

@ Arnold

I would imagine there are a lot of inheritance breaks, I think it best to take a copy of the permissions before I start modifying them.

General question:

Does anyone have any experience of doing this in Powershell? or are the old tools still the best?
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40614569
Then apply my group policy suggestion to the OU(s) that contains all of the client workstations. Make sure servers and especially domain controllers are not included in that OU(s).
0
 
LVL 79

Accepted Solution

by:
arnold earned 500 total points
ID: 40614622
If you are knowledgeable/comfortable with powershell, use that.  The older tools have a larger scope of ready made examples that might need a few modifications.

I've some exposure to powershell seems like one has to use cmdlets in sequence.
I prefer to use scripting that is self contain where I have more control and has more function to deal with analysis of data and the application of new settings as in your case.
I.e, check the directory, is this group have access, if not add the group with the following rights.

You can use powershell to create the cataloging part I.e, navigate through the driectory structure mapping existing rights.
Are you planing to storing this data In a DB or as a csv/xml?
Presumably you may need the same to get share settings/permission.
One thing you have to be aware of if your shares are part of a DFS, permission change would trigger a DFS replication so you have to take that into account.
0
 

Author Comment

by:carbonbase
ID: 40618467
@Toby

I'm just trying to give an admin group permissions to all files and folders on my network drives, not to client computers

@arnold

I think I'll use icacls to backup the existing permissions, although I will also investigate using SDDL with Powershell

this is quite a good article:



Powershell also does a pretty good job of listing out permissions in a more readable format which I can export to a CSV as an extra backup.  

Not using DFS for the shared folders
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
In threads here at EE, each comment has a unique Identifier (ID). It is easy to get the full path for an ID via the right-click context menu. However, we often want to post a short link within a thread rather than the full link. This article shows a…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question