Solved

adding an admin group to files and folders

Posted on 2015-02-17
7
40 Views
Last Modified: 2016-04-19
Hi, the Windows file and folder permissions on our shared drives have not been applied consistently over the years and I now need to add  one of our admin groups to the permissions on every file and folder, the new admin group will have full control assigned to it.

The existing permissions structure is quite complex and I do not want to remove the existing permissions, all I want to do is add an admin group to the existing permissions.   I would like some advice on how best to do this.  I have tried doing it from the GUI in the past but this often falls over half way through leaving inconsistent permissions, so I think scripting this may be better.  There is a large amount of data go through (about 1.5TB).  Although these are Windows NTFS permissions the files and folders are on Netapp filer, not sure that makes a difference.
0
Comment
Question by:carbonbase
  • 3
  • 2
  • 2
7 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40614488
Why not just put this group into Domain Administrators?
0
 
LVL 76

Expert Comment

by:arnold
ID: 40614498
you can use cacls, icacls, xcacls depending on the one available to you and the granularity of the settings.

Using VBscript might be the best since you likely have to recurse through the directory structure adding the group to the top folder and then checking the ones below in the event some have not set the inherit from parent.  Those who have inherit from parent unchecked, you would add the again.

The other issue deals with whether you want to reapply the addition through the structure.
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40614513
You can also go into Group Policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

Group = Builtin\Administrators
Members = YourDomain\YourGroup
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:carbonbase
ID: 40614537
@ Toby

The admin group is for help desk people, really don't want to give them domain admins.

@ Arnold

I would imagine there are a lot of inheritance breaks, I think it best to take a copy of the permissions before I start modifying them.

General question:

Does anyone have any experience of doing this in Powershell? or are the old tools still the best?
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40614569
Then apply my group policy suggestion to the OU(s) that contains all of the client workstations. Make sure servers and especially domain controllers are not included in that OU(s).
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 40614622
If you are knowledgeable/comfortable with powershell, use that.  The older tools have a larger scope of ready made examples that might need a few modifications.

I've some exposure to powershell seems like one has to use cmdlets in sequence.
I prefer to use scripting that is self contain where I have more control and has more function to deal with analysis of data and the application of new settings as in your case.
I.e, check the directory, is this group have access, if not add the group with the following rights.

You can use powershell to create the cataloging part I.e, navigate through the driectory structure mapping existing rights.
Are you planing to storing this data In a DB or as a csv/xml?
Presumably you may need the same to get share settings/permission.
One thing you have to be aware of if your shares are part of a DFS, permission change would trigger a DFS replication so you have to take that into account.
0
 

Author Comment

by:carbonbase
ID: 40618467
@Toby

I'm just trying to give an admin group permissions to all files and folders on my network drives, not to client computers

@arnold

I think I'll use icacls to backup the existing permissions, although I will also investigate using SDDL with Powershell

this is quite a good article:



Powershell also does a pretty good job of listing out permissions in a more readable format which I can export to a CSV as an extra backup.  

Not using DFS for the shared folders
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
This article is meant to give a basic understanding of how to use R Sweave as a way to merge LaTeX and R code seamlessly into one presentable document.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now