  1. #1


    Students accessing other students files using Manage Templates

    They are using the insert chart tool (Attachment 23536), and then clicking Manage Templates (Attachment 23537), and then, because their appdata is stored with their documents, they can access all other students' documents.

    Don't know if anyone else has this problem. Thanks guys.

  2. #2

    Surely the documents are held on the server and only the student themselves has access to their own folder only?

    If your students have permissions to everyone's docs, this is what I had at my old school. I wrote a script to reset the permissions on the folders (I posted it a while back on some forum, I am sure I can dig it out) that will grab the name of the folder (guessing this is the username for the user's documents) and rewrite the permissions to give them and domain admins access. All you then have to do is remove the students' access from the root.

    Let me know if you want it and I will dig it out.

  3. #3

    Please, that would help a lot,

    Thanks

  4. #4

    3s-gtech
    Try the NTFSFix utility, it's free (and immense). You can set permissions for each folder in a directory by %username% in AD. Job done.

  5. #5

    Sorry for the long delay. Attached is the script (had to dig it out). It just runs through the folder, i.e. "Q:\Users\Year7", then takes each folder name and queries it against AD; if the username doesn't exist it takes ownership as administrators, then dumps the folder in the deleted user folder (see inside script).
    It gives access to two AD groups, studentdocsread and studentdocsmodify, which we use for IT teaching staff who need access to the students' docs. It then shares (even if already shared, as it was a quick and dirty script) as username$ with relevant permissions.

    I have a ps1 script that calls each year folder up like so:
    Code:
    .\UserHomesCheckStudent2.ps1 -year 13
    .\UserHomesCheckStudent2.ps1 -year 12
    .\UserHomesCheckStudent2.ps1 -year 11
    .\UserHomesCheckStudent2.ps1 -year 10
    .\UserHomesCheckStudent2.ps1 -year 9
    .\UserHomesCheckStudent2.ps1 -year 8
    .\UserHomesCheckStudent2.ps1 -year 7

    Full script below:

    Code:
    param(
    [string]$year
    )
    #Prerequisites
    #Share permissions: Share management in PowerShell - PowerShell Crypto Guy's weblog
    #Subinacl: Download SubInACL (SubInACL.exe) from Official Microsoft Download Centre
    #Quest: PowerShell Commands (CMDLETs) for Active Directory by Quest
    
    #Configure your settings here
    #Set Domain
    $domain = "domain.local"
    #Set admin group
    $admin = "Domain Admins"
    #Set group to modify students docs
    $modify = "StudentDocumentsModify"
    #Set group to read student docs
    $read = "StudentDocumentsRead"
    #Set the folder to work on here
    $homesroot = "Q:\Users\Student\Year$year"
    #Set the deleted homes folder
    $dhomesroot = "Q:\DeletedUsers\"
    #Where is subinacl
    $subinacl = "C:\utils\subinacl.exe"
    #Where to log to
    $LogFileDir = "Q:\Log"
    #Finished config
    
    Write-Host "Cox Green School User Home Folder Check Script"
    Write-Host "Written by Tom Smith"
    Write-Host "Version 1.1"
    Write-Host "Date: 11/05/2013"
    Write-Host "Editing Home Directories within $homesroot"
    Write-Host "Deleted user homes will go to $dhomesroot"
    
    #Load Quest even if installed
    Add-PSSnapin Quest.ActiveRoles.ADManagement
    #Load PSCX
    Import-Module "PSCX"
    Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true)#Necessary to set Owner Permissions
    Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true)#Necessary to bypass Traverse Checking
    Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true)#Necessary to override FilePermissions & take Ownership
    #Load ShareUtils
    Import-Module ShareUtils
    #Create folder in deleted users with todays date
    $date = Get-Date -format "dd-MM-yyyy"
    $dDay = Get-Date -format "dd"
    $dMonth = Get-Date -format "MM"
    $dYear = Get-Date -format "yyyy"
    $dFolder = "$dhomesroot" + "$dYear" + "\" + "$dMonth" + "\" + "$dDay"
    New-Item $dFolder -type directory -Force
    Write-Host "Todays Date is $date"
    $dirlist = gci $homesroot -Exclude *.* | ? { $_.PSIsContainer }
    
    $LogFile = "$LogFileDir\$date.log"
    #Start time at script scope so the "Script start time" log line below can use it
    $time = Get-Date -Format "HH:mm"
    function Log {
        param ([string]$msg, [int]$flag)
        #$flag: 0 = INFO (default when omitted), 1 = WARNING, 2 = ERROR, 3 = message only
        if ($flag -eq 0) {
            Write-Output "$date INFO: $msg" | Out-File $LogFile -append
        } elseif ($flag -eq 1) {
            Write-Output "$date WARNING: $msg" | Out-File $LogFile -append
        } elseif ($flag -eq 2) {
            Write-Output "$date ERROR: $msg" | Out-File $LogFile -append
        } elseif ($flag -eq 3) {
            Write-Output "$msg" | Out-File $LogFile -append
        }
    }
    
    Log "" 3
    Log "Script start date: $date" 3
    Log "Script start time: $time" 3
    Log "Script currently working on Year$year" 3
    Log "" 3
    foreach ($userdir in $dirlist)
            {
                $username = $userdir.name
                Write-Host "Working on user folder $username"
    			Log "Working on user folder $username"
                $adaccount = Get-QADUser $username
                #Verifies user is an active account, renamed folder to be deleted if not
                If (($adaccount.AccountIsDisabled -eq $TRUE) -or (!$adaccount))
                    {
                        write-host "$username is not a current user in active directory"
                        Log "The user $username was not found in active directory" 1
                        #takeownership to administrators (full path, so it does not depend on the current directory)
                        takeown /f $userdir.FullName /R /D Y /A >> $LogFileDir\log.txt
                        Remove-Item "$LogFileDir\log.txt"
                        #rename folder to _DEL_originalname
                        $newname = "_DEL_$username"
                        rename-item -path $userdir.FullName -newname $newname
                        #Move deleted user folders to deleted user homes path
                        $oldpath = "$homesroot" + "\" + "$newname" + "\"
                        $newpath = "$dFolder" + "\" + "$newname"
                        move-item $oldpath $dFolder
                        Write-Host "User folder $username was moved to $dFolder "
    					Log "User folder $username was moved to $dFolder, the original was from Year $year" 0
                    }
                Else
                    {
                    #get full path            
                    Write-Host $userdir.name
                    Write-Host "$username is valid in active directory"
    				Log "User $username is valid in active directory" 0
                    $currentDir = $userdir.FullName
                    #Take ownership for admins for setting permissions
                    takeown /f $userdir.FullName /R /D Y /A >> $LogFileDir\log.txt
                    Remove-Item "$LogFileDir\log.txt"
    
                    #get ACL of folder and set inheritance to allow parent
                    $acl = Get-Acl $currentDir
    				$acl.SetAccessRuleProtection($false, $true)
    				Set-Acl $currentDir -AclObject $acl
    
                    #get ACL of folder
                    $acl = Get-Acl $currentDir
    
                    #variable to set new permissions for username of folder
                    Write-Host "$domain\$username"
                    $permission = "$domain\$username","FullControl","ContainerInherit,ObjectInherit","None","Allow"
                    $permission1 = "$domain\$admin","FullControl","ContainerInherit,ObjectInherit","None","Allow"
                    $permission2 = "$domain\$modify","Modify","ContainerInherit,ObjectInherit","None","Allow"
                    $permission3 = "$domain\$read","Read","ContainerInherit,ObjectInherit","None","Allow"
    
                    $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
                    $accessRule1 = new-object System.Security.AccessControl.FileSystemAccessRule $permission1
    				$accessRule2 = new-object System.Security.AccessControl.FileSystemAccessRule $permission2
    				$accessRule3 = new-object System.Security.AccessControl.FileSystemAccessRule $permission3
    
                    #actually set the permissions
                    $acl.SetAccessRule($accessRule)
                    $acl.SetAccessRule($accessRule1)
    				$acl.SetAccessRule($accessRule2)
    				$acl.SetAccessRule($accessRule3)
                    Set-Acl $currentDir $acl
    
                    #Remove any explicit Everyone entry from $acl, the object that is written back below.
                    #(The original built a separate $acl3 here that was never applied with Set-Acl,
                    #and its remaining rules duplicated the ones already set on $acl above.)
                    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ("Everyone","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
                    $acl.RemoveAccessRuleAll($rule)
    				
    				#Set Owner
                    $domuser = "$domain\$username"
                    $accnt = New-Object System.Security.Principal.NTAccount($domuser)
    				$acl.SetOwner($accnt)
                    Set-Acl $currentDir $acl
    				dir -r $currentdir | Set-Acl -AclObject $acl
    				
    				#Set up share
    				$shareperm = "/GRANT:" + $username + ",FULL"
    				function New-Share {
    				param($Path, $Name)
    				try {
    				$ErrorActionPreference = 'Stop'
    				if ( (Test-Path $Path) -eq $false) {
    				$null = New-Item -Path $Path -ItemType Directory
    				}
    				net share $Name=$Path $shareperm
    				}
    				catch {
    				Write-Warning "Create a new share: Failed, $_"
    				}
    				}
    				New-Share $currentDir $username$
    				#Set share permissions for admin keeping old permissions
    				Get-Share -Name $username$ | Add-SharePermission $admin Allow FullControl | Set-Share
    				Get-Share -Name $username$ | Add-SharePermission $modify Allow Change | Set-Share
    				Get-Share -Name $username$ | Add-SharePermission $read Allow Read | Set-Share
    				Write-Host "Share script end"
    				Log "Folder $username was shared" 0
                    #Any further scripts here
                    }
            }
    Write-Host "Script complete todays date is $date "
    Log "Script completed Year$year" 3
    Log "Script end date: $date" 3
    Log "Script end time: $(Get-Date -Format 'HH:mm')" 3
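
Added example (not part of the thread or the poster's script): a read-only check to run before and after a permissions reset like the one above. It lists every allow entry on a home folder that belongs to neither the folder's own user nor an expected admin or staff group. It assumes each folder is named after its owner's account name; the domain name and the allowed list are placeholders to adjust. An entry shown with Inherited = True comes from the parent folder, which is the case post #2 describes fixing by removing the students' access from the root.

```powershell
# Added example: read-only audit of per-user home folders (changes nothing).
# Assumptions: each folder under $HomesRoot is named after its owner's account
# name; $Domain and the DOMAIN\... entries in $Allowed are placeholders.
param(
    [string]$HomesRoot = "Q:\Users\Student\Year7",   # path form used in the post
    [string]$Domain    = "DOMAIN",                   # placeholder NetBIOS domain name
    [string[]]$Allowed = @(
        "NT AUTHORITY\SYSTEM",
        "BUILTIN\Administrators",
        "CREATOR OWNER",
        "DOMAIN\Domain Admins",
        "DOMAIN\StudentDocumentsModify",
        "DOMAIN\StudentDocumentsRead")
)

function Get-UnexpectedAce {
    param([System.IO.DirectoryInfo]$Folder)
    # The only ordinary user expected on the folder is the one it is named after
    $expectedUser = "$Domain\$($Folder.Name)"
    $acl = Get-Acl -LiteralPath $Folder.FullName
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # -eq and -contains compare case-insensitively in PowerShell
        if ($who -eq $expectedUser -or $Allowed -contains $who) { continue }
        New-Object PSObject -Property @{
            Folder    = $Folder.FullName
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: granted on the parent, fix it there
        }
    }
}

$findings = Get-ChildItem -LiteralPath $HomesRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-UnexpectedAce $_ }

$findings | Sort-Object Folder, Identity |
    Format-Table Folder, Identity, Rights, Inherited -AutoSize
Write-Host "$(@($findings).Count) unexpected allow entries under $HomesRoot"
```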
