<div>
Well, there's no domain or domain controller but I can imagine doing the same sort of thing.<br />
I'm not quite sure how though...
</div>


<div>
You can do the same sort of thing by using local groups, however, if the user is an administrator on the machine they will be able o over-ride this access.<br />
<br />
If you aren't worried about users per-se and are more trying to stop an automated process or normal human errors from causing a problem, then it would meet your needs pretty handily.
</div>


<div>
I see that there are a lot of localgroups including *backup*. &nbsp;<br />
<br />
Here is the situation:<br />
<br />
I have a backup drive and need to be able to allow users to access it &quot;read only&quot; for selective retrieval.<br />
They will be using credentials for this.<br />
So, from what you've told me, I need the credentials to be for a Standard user if they are going to be blocked from writing.<br />
Otherwise, if the credentials are for an Administrator, then they would be able to write as an Administrator - even though the permissions are specific for that User.<br />
?<br />
<br />
Ideally, I would block writing by any user account on the system on this drive - well most of the time.<br />
Barring that, I suppose the Administrators could be very limited, etc. and the User running the backup could be a Standard user with privileges based on which localgroup as we've been discussing. &nbsp;maybe...
</div>


<div>
Hi Fred,<br />
<br />
&nbsp; So there are a lot of groups used for roles which are created by default. &nbsp;The backup user actually gives a user more rights than a standard user.<br />
<br />
&nbsp; A standard user can only backup or restore files they are the owner of, while a backup operator can backups and restore regardless of the permissions on the items or who owns them, and can unlock files and gain exclusive lock on them to get a backup, they also can perform volume snapshots and restores for data they do not own (otherwise a user can only do this for data they do own)<br />
<br />
It sounds like you are saying you will be running a backup service as a specific user on the machine, such as say backup exec, and you want to give users full rights to get into the backup exec interface and look around, but you don;t want them to be able to do more than reading data, so you plan to stop the windows account that's this service is running under from being able to access the files except to read on that directory, and I'd imagine restoring on theirs, is that it?<br />
<br />
&nbsp; Are you certain your software doesn;t allow you to create users within it that can be restricted to certain levels of access? &nbsp;It's not often a touted feature of the backup software, but it is usually present. &nbsp;This way you can allow auditors read-only access or allow users to restore specific information without worrying they could do something like erase a tape.
</div>


<div>
It's a little different:<br />
The backup is a simple program which is launched by whatever user is set up in Task Scheduler. <br />
Or, the backup program can schedule backups as well. &nbsp;Each method has its advantages.<br />
<br />
A select set of users can restore files from the backup / thus read.<br />
We don't want them to be able to write.<br />
The backup program has to write of course.
</div>


<div>
We have evolved from &quot;file server&quot; to &quot;file server and backup computer&quot; to &quot;file server computer&quot; + &quot;backup computer&quot;.<br />
The backup computer pulls files from various file servers and writes them to a backup store.<br />
So, I was wanting to protect the backup store from malicious writes such as could be done by ransomware.<br />
(This in addition to other ransomware protections).<br />
<br />
Some clients have to be able to read the backup store on the backup computer (because that's where it is) in order to perform file restores.<br />
So this can be &quot;read only&quot; and a standard user with read only permissions and credentials can do this.<br />
<br />
And, on the backup computer, we would have a user and groups that we've been talking about here so far - that would write to the backup store when appropriate.<br />
Of course, it's all automated with no human intervention other than reviewing simple log messages.<br />
So, other than the timing, which is easy to do, I'm wondering how one might automate the switch you outlined?<br />
<br />
For example:<br />
If there were a ransomware attack then we would want to stop writing the backups.<br />
I suppose a script with a big red handle on it would do! <br />
We already have scripts that start the backups and they could read a flag.. that sort of thing.<br />
But, there may be other ideas and things I've not thought of.
</div>


<div>
OK. &nbsp;So here is what I've done:<br />
Define localgroups WRITE_Backup and READ_ONLY.<br />
On a drive dedicated to containing backups:<br />
Sharing and Security privileges are granted ONLY to these two groups in the obvious way:<br />
READ_ONLY group only has read privileges.<br />
Write_Backup has full privileges.<br />
<br />
I've written batch files:<br />
<br />
Backer to ReadOnly.bat<br />

<pre><code class="code-1 nolinks" id="code-20-42121540-1"><span>net localgroup READ_ONLY    Backer /add</span>
<span>net localgroup WRITE_Backup Backer /delete</span>
</code></pre>
Backer to Write.bat<br />

<pre><code class="code-1 nolinks" id="code-20-42121540-2"><span>net localgroup WRITE_Backup Backer /add</span>
<span>net localgroup READ_ONLY    Backer /delete</span>
</code></pre>
So this uses the idea of switching groups - which would seem to work well.<br />
My current problem is that I can't schedule these batch files to run successfully.<br />
The user &quot;Backer&quot; will be logged in and will run the backup jobs when it is a member of WRITE_Backup group.<br />
Backer is not a member of any other localgroup.
</div>


<div>
well, this will work, however, to make your life simpler, and avoid the complication issues of accidentally missing a run of one or the other batch file, what I suggested, and still, suggest, is:<br />
<br />

<ul>
<li>Leave your Write group with &quot;Full&quot; permission.</li>
<li>Instead of having a &quot;Read Only&quot; group, have a &quot;Deny Write&quot; group.</li>
<li>the user backer is ALWAYS a member of the &quot;full&quot; group, and ONLy added and removed from the &quot;DENY&quot; group.</li>
<li>Your batch script can run every 5 minutes, check if the user a is a member of the deny group, check the system time, and decide if it should add or remove the user based on the time.</li>
<li>This way a user who logs in and messes with this backer user by adding or removing the account would also have to know about and disable the script in order for the permission to stay.</li>
</ul>
<br />
<b>Now for your scheduled task:</b><br />
<br />
&nbsp;can you successfully run your batch script by hand?<br />
<br />
&nbsp; If so:<br />
<br />

<ul>
<li> When you create your scheduled task make sure not to choose &quot;Basic task&quot; those can never be converted to full tasks if you created it that way delete it and start over.</li>
<li>Make sure to set the task to runs as a user that is a local administrator.Select Allow the task to run when not logged on checkbox/tickbox</li>
<li>Make sure the user has the logon as a batch local security right enabled (using the local security policy MMC)</li>
<li>Set the Scheduled Task to be the same compatibility as the windows OS you are currently running.</li>
<li>Check the tickbox for &quot;Run with highest privileges&quot;</li>
<li>Set the task to be able to be run manually. -- great for testing.</li>
</ul>
<br />
Make sure your cmd file is set to log all of it's actions to a log file including errors.<br />
<br />
Run the scheduled task by hand and see what happens.
</div>


<div>
oh, and I prefer to use a domain account to do it all anyway because dsmod is a little more robust IMO, and it keeps all the groups and users and the script and scheduled task off of the computer being affected, and on a DC or utility machine that only administrators log into.<br />
<br />
but that doesn't mean using local groups can't work, or that using a read and write group instead of a write and deny-write group can't work.<br />
<br />
I outlined the reasons for those choices in methodology but your choices would still work in general.
</div>


<div>
Thanks!!<br />

<blockquote>
<ul>
<li>Instead of having a &quot;Read Only&quot; group, have a &quot;Deny Write&quot; group.</li>
<li>The user backer is ALWAYS a member of the &quot;full&quot; group, and ONLy added and removed from the &quot;DENY&quot; group.</li>
</ul>
</blockquote>
I get it that you're suggesting dual membership which has a hierarchical preference re privileges. &nbsp;Otherwise, what's in a name?<br />
Dual membership is clearly possible. &nbsp;But, how does this work?<br />
<br />

<blockquote>
<ul>
<li>Your batch script can run every 5 minutes, check if the user a is a member of the deny group, check the system time, and decide if it should add or remove the user based on the time.</li>
<li>This way a user who logs in and messes with this backer user by adding or removing the account would also have to know about and disable the script in order for the permission to stay.</li>
</ul>
</blockquote>
So continually check if the membership is as intended...<br />
Create Basic Task and Create Task generate different results, really? &nbsp;ant the membership and not the account, eh?<br />
So then, simple membership wouldn't be so &quot;static&quot; and subject to change for long. &nbsp;Interesting idea!<br />
<br />

<blockquote>
Make sure your cmd file is set to log all of it's actions to a log file including errors.
</blockquote>
I want to make sure I understand this and how to do it. &nbsp;(I tried). &nbsp;Do you mean the .bat file or something else? &nbsp;Do you mean inserting code in the bat file to generate some kind of log or might you recommend some particular scheme that will log more valuable results?
</div>


<div>
This is going along quite well but there are still some issues that are due to my lack of experience with all of these things running together:<br />
Task Scheduler, the App, batch files, permissions.
</div>


<div>
Hey Fred,<br />
<br />
&nbsp; I think when I read your last comment a few days ago I started to respond on my phone and when never did, sorry I will try to respond ot both parts in a bit.
</div>


<div>
Creating those groups was really an important idea!<br />
Thanks!
</div>


<div>
<div class="content wysiwyg-content">
I'm thinking that one approach to protecting files is to make them write-protected most of the time.<br />
- One idea would be to use a User Profile that has no write privileges - but then there's really no need for a User to be logged into the computer anyway. &nbsp;But maybe it could be done (i.e. logged in) as a default.<br />
- Another idea would be to switch the permissions on the drive (but propagating that might take too long).<br />
<br />
The idea is to switch the capability, write some files and switch back. &nbsp;Thus, minimizing the write window in time.<br />
Probably a scheduled task. &nbsp;Perhaps a Powershell script.<br />
<br />
I'm looking for ideas.
</div>
</div>


I'm thinking that one approach to protecting files is to make them write-protected most of the time.
- One idea would be to use a User Profile that has no write privileges - but then there's really no need for a User to be logged into the computer anyway.  But maybe it could be done (i.e. logged in) as a default.
- Another idea would be to switch the permissions on the drive (but propagating that might take too long).

The idea is to switch the capability, write some files and switch back.  Thus, minimizing the write window in time.
Probably a scheduled task.  Perhaps a Powershell script.

I'm looking for ideas.

Temporary Write Permission for a Drive

Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework. PowerShell provides full access to the Component Object Model (COM) and Windows Management Instrumentation (WMI), enabling administrators to perform administrative tasks on both local and remote Windows systems as well as WS-Management and Common Information Model (CIM) enabling management of remote Linux systems and network devices.

Powershell

File sharing is the practice of distributing or providing access to digital media, such as computer programs, multimedia (audio, images and video), documents or electronic books. Common methods of storage, transmission and dispersion include manual sharing utilizing removable media, centralized servers on computer networks, World Wide Web-based hyperlinked documents, distributed peer-to-peer networking (P2P) and cloud-based file syncing.