Setting permissons on Userareas

[Gonk]

Evening All,

I'm in need of some help...

Just had a phone call from a member of SMT. He decided, because he couldn't access a pupils userarea, to replace all the permissions on the userarea share.

This means that currently the SMT Group have full control and noone else can access it.

This is a bit of an issue as I redirect my documents to the userarea share.

I've had a look at Transfer User Area's - Permissions Issues ?? and had a quick attempt top fix the issue using Ric_'s script.

My users are set up like this:

Under the root domain in active directory there is the pupils OU and under that, I have OU's for each year e.g. 2009 Pupils, 2008 Pupils etc

All the users under 200x Pupils OU's then belong to a security group in the Users folder.

I use the security group to redirect the users my dos to their userarea e.g. \\dc02\Students\2001\%username%

I've modified the vbs script to mirror the set up:

Set FSO = CreateObject("Scripting.FileSystemObject")
Set ObjShell = Wscript.CreateObject("Wscript.Shell")

ShowSubfolders FSO.GetFolder("D:\Students\2001")

Sub ShowSubFolders(Folder)
For Each Subfolder in Folder.SubFolders
WScript.Echo "Folder = " & Subfolder
userName = SubFolder.Name
CMDLine1 = "cscript xcacls.vbs " & """" & Subfolder & """" & " /T /G staff:r ""Domain admins:f"" " & "academic\pupils\2001 Pupils" & userName & ":m"
' WScript.echo "Command = " & CMDline1
WScript.Echo "Running XCACLS..."
ObjShell.Run CMDLine1

CMDLine2 = "chown -r " & userName & " """ & Subfolder & """"
' WScript.Echo "Command = " & CMDLine2
WScript.Echo "Running CHOWN..."
ObjShell.Run CMDLine2
Next
End Sub

and it doesn't work. I get the error - Can not find user: <username>

Can't see the wood for the trees now so any suggestions greatly accepted!

Cheers

Ross

[PiqueABoo]

I'm not a VBS person, but at a very quick glance this bit looks wrong:

"academic\pupils\2001 Pupils" & userName

You need the <Domain>\<samAccountName> to end up there e.g. "CONTOSO\jbloggs". If your domain was called CONTOSO then that line should be:

CMDLine1 = "cscript xcacls.vbs " & """" & Subfolder & """" & " /T /G staff:r ""Domain admins:f"" " & "CONTOSO\" & userName & ":m"

PS: Uncomment the WScript.echo "Command = " & CMDline1 line so you can see whether it looks right.

[round2it]

Your SMT have that much access to the system.............OMG our system would die within an hour

We only allow teachers to view pupils documents now as they used to have full access but things were going missing so now i only allow write access to the ICT teacher who does not have the sudden urge to press the delete key.

Hope you get it fixed.

[elsiegee40]

Why do your SMT have this level of permissions on your server?

Passwords need to be made available in case of runaway buses/swine flu, but should be kept in a locked safe well away from those who don't have the technical expertise!

I think you need to get this issue raised asap. If you're not the NM, get him/her to do it! A little knowledge is a dangerous thing... which is why I work with a logon that has the same access as my teachers 90% of the time... I only use my domain admin login if I have to... accident prevention!

[ChrisH]

Use NTFS Fix from wisesoft. Nice simple GUI will let you set everything as you need it.

[Gonk]

Your SMT have that much access to the system.............OMG our system would die within an hour

We only allow teachers to view pupils documents now as they used to have full access but things were going missing so now i only allow write access to the ICT teacher who does not have the sudden urge to press the delete key.

Hope you get it fixed.

@elsiegee40 & round2it :

All the doumentation is kept in the fireproof safe, along with the passwords in a sealed envelope. According to the said member of SMT, if myself or the PFY can't be contacted why shouldn't he use the information in the safe. It was an emergancy (in his mind).

[round2it]

how did you get on.?

[Abaddon]

@elsiegee40 & round2it :

All the doumentation is kept in the fireproof safe, along with the passwords in a sealed envelope. According to the said member of SMT, if myself or the PFY can't be contacted why shouldn't he use the information in the safe. It was an emergancy (in his mind).

I guess he's got his answer though! Those details are available here in case of an emergency that takes me or my tech out of the picture, but they would be given to a suitably qualified person from a support company at least. Nobody here on the SMT has any doubt about their ability to break everything if they touch it.

[Gonk]

Hi all,

many thanks for your help with this little issue!

all fixed now!

Cheers

Ross

[elsiegee40]

I guess he's got his answer though! Those details are available here in case of an emergency that takes me or my tech out of the picture, but they would be given to a suitably qualified person from a support company at least. Nobody here on the SMT has any doubt about their ability to break everything if they touch it.

SMT feel the same about their IT skills here... the biggest danger is our caretaker who thinks he knows a bit about computers... but the SMT have different ideas about his skills fortunately!