+ Post New Thread
Page 2 of 3 FirstFirst 123 LastLast
Results 16 to 30 of 33
Windows Server 2000/2003 Thread, NTFS Bulk Permissions Help! in Technical; The only way I could find to prevent users from altering their home folder permissions was to use 'Change' share ...
  1. #16
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    The only way I could find to prevent users from altering their home folder permissions was to use 'Change' share permissions 'but' just giving them modify NTFS permissions might work it's ages since I had this problem. Of course just flicking the share permissions to 'change' solved the problem in one easy go as long as you use a single root share.

  2. #17

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Quote Originally Posted by pnlrogue1 View Post
    Weirdly, this doesn't work as a .bat or .cmd but if I copy and paste it in to command prompt, it works flawlessly

    I love my network...
    Oops! Forgot to mention one other thing that's just designed to make life more fun :-)

    At a command prompt you can use "%i" as a variable. To do the same thing in a batch file you need to use %%i (double up the percent signs)

    There is a reason for this - it's not really done to make your life a misery!

  3. Thanks to srochford from:

    pnlrogue1 (18th August 2009)

  4. #18
    pnlrogue1's Avatar
    Join Date
    Jul 2008
    Location
    Edinburgh, Scotland
    Posts
    72
    Thank Post
    37
    Thanked 5 Times in 3 Posts
    Rep Power
    13
    Quote Originally Posted by srochford View Post
    At a command prompt you can use "%i" as a variable. To do the same thing in a batch file you need to use %%i (double up the percent signs)

    There is a reason for this - it's not really done to make your life a misery!
    Ah, that makes sense!

    Thanks

  5. #19

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Quote Originally Posted by maniac View Post

    edit: sorry if that sounds like a rant, but why use scripts when it's all there built into windows already?
    Rants are good - hopefully gets other people thinking about "why don't I do that?"

    Your method is fine if you're starting from scratch (although the permissions it sets up won't be right for some people; I think MS defaults to giving full control on the home folder and I would never want this)

    If you've got an existing network and you want to clean up the permissions then you've got to be able to script it (and it's a pretty trivial script)

    there's also the scale of the thing - I always smile when I see things like "select all users and right click" - it ain't going to work on anything other than the smallest of Active Directory setups :-)

    Finally, the method you describe gives users a home directory of \\server\share\username - works fine for Windows, completely useless for Linux or Mac. Obviously not a problem for many places (I've used it and like it for all sorts of reasons) but doesn't work for everyone!

  6. #20
    deKay's Avatar
    Join Date
    Sep 2006
    Location
    Narrrfok
    Posts
    66
    Thank Post
    6
    Thanked 11 Times in 7 Posts
    Rep Power
    18
    Quote Originally Posted by maniac View Post
    You can get active directory to create and set permissions on all the home folders for your users in one go by selecting them all at once, RH clicking and going to properties. Tick the box for connect home folder to, and select the drive letter you want to use, then type the correct UNC path using %username% on the end. e.g. \\SERVER\FOLDERS$\YEAR07\%username% Windows will then create all the folders for you, and set the permissions on them as well in about 5 seconds flat, Job done.

    It works,
    *most of the time*

    Unfortunately, if you use Dreamweaver 8 or Flash 8, it insists on referring to images and swf objects you've included via this path (*not* the %homefolder% reference or My Documents), and then gets confused as it then thinks they're write protected. When they're not.

    This only happens sometimes, but it happened often enough for us to ditch that method and do it from scratch the other way.

  7. #21
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,427
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111
    Quote Originally Posted by srochford View Post
    Finally, the method you describe gives users a home directory of \\server\share\username - works fine for Windows, completely useless for Linux or Mac. Obviously not a problem for many places (I've used it and like it for all sorts of reasons) but doesn't work for everyone!
    Useless for mac in what way? Seeing as that's how I use it here. Although Macs especially don't like "Modify" over "Full control" as they interpret it as different permissions, so just modify will break quite a lot of things (like saving in Office 2008).

  8. #22

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Quote Originally Posted by DMcCoy View Post
    Useless for mac in what way? Seeing as that's how I use it here. Although Macs especially don't like "Modify" over "Full control" as they interpret it as different permissions, so just modify will break quite a lot of things (like saving in Office 2008).
    Not the permissions but the names - I've always found that Macs won't properly mount a home directory that is "server share folder" - they seem to want "server share"

  9. #23
    deKay's Avatar
    Join Date
    Sep 2006
    Location
    Narrrfok
    Posts
    66
    Thank Post
    6
    Thanked 11 Times in 7 Posts
    Rep Power
    18
    Quote Originally Posted by srochford View Post
    Not the permissions but the names - I've always found that Macs won't properly mount a home directory that is "server share folder" - they seem to want "server share"
    I've found the same - with Tiger at least. We've not moved to Leopard so things may work there.

  10. #24
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,427
    Thank Post
    10
    Thanked 488 Times in 428 Posts
    Rep Power
    111
    Quote Originally Posted by srochford View Post
    Not the permissions but the names - I've always found that Macs won't properly mount a home directory that is "server share folder" - they seem to want "server share"
    You will find that they need read on the root of the share and will only map to \\server\share\folder but not \\server\share\folder\folder.

  11. #25

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,710
    Thank Post
    3,246
    Thanked 1,048 Times in 970 Posts
    Rep Power
    364
    Quote Originally Posted by cookie_monster View Post
    If you give Everyone or Authenticated Users 'Change' 'Share' permissions then they cannot modify NTFS permissions.
    Is there a quick tutorial / guide somewhere you can link to so as to show me what you are trying to explain - one of my dense moments ( yet again ) lol

  12. #26

    Join Date
    Jun 2009
    Location
    North
    Posts
    114
    Thank Post
    28
    Thanked 17 Times in 17 Posts
    Rep Power
    15
    This is excellent saved me heps of work

  13. #27
    pnlrogue1's Avatar
    Join Date
    Jul 2008
    Location
    Edinburgh, Scotland
    Posts
    72
    Thank Post
    37
    Thanked 5 Times in 3 Posts
    Rep Power
    13
    Thanks for all of the interest in this but I was just wondering how it could be modified slightly - at the moment, it works great for giving the students/staff access to their respective folders, but how could it be changed to give Administrator access without having to go through and take ownership? Would it be something like this:

    Code:
    E:
    cd \Users\Students\Work\Intake07\ 
    for /d %i in (*) do cacls %i /e /t /g %i:c
    for /d %i in (*) do cacls %i /e /t /g Administrator:c
    Could I also add a line for the Domain Admins group by taking the line with administrator and replacing it with "Domain Admins" (in speech marks, presumably) giving us:

    Code:
    E:
    cd \Users\Students\Work\Intake07\ 
    for /d %i in (*) do cacls %i /e /t /g %i:c
    for /d %i in (*) do cacls %i /e /t /g Administrator:c
    for /d %i in (*) do cacls %i /e /t /g "Domain Admins":c
    Thanks!

  14. #28
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    @ mac_shinobi, sorry I didn't see that reply.

    Just go to the share and right click it then add a group with all students in and uncheck the 'full control' box and check the 'Change' box. You can also add staff groups so they could have full control.

    Windows 2003 Share Permissions

    Windows 2000/2003 NTFS and Share Permissions

  15. #29

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Quote Originally Posted by pnlrogue1 View Post
    Thanks for all of the interest in this but I was just wondering how it could be modified slightly - at the moment, it works great for giving the students/staff access to their respective folders, but how could it be changed to give Administrator access without having to go through and take ownership?
    Code:
    E:
    cd \Users\Students\Work\Intake07\ 
    for /d %i in (*) do cacls %i /e /t /g %i:c
    for /d %i in (*) do cacls %i /e /t /g Administrator:c
    for /d %i in (*) do cacls %i /e /t /g "Domain Admins":c
    Yes, but you can simplify it and speed it up:


    Code:
    for /d %i in (*) do cacls %i /e /t /g %i:c administrator:c "domain admins":f
    not too relevant on a server which will probably always stay in the domain, but it can be better to set the permissions to the local group rather than domain (assuming that you add domain admins to local administrators group)

  16. Thanks to srochford from:

    pnlrogue1 (18th September 2009)

  17. #30
    pnlrogue1's Avatar
    Join Date
    Jul 2008
    Location
    Edinburgh, Scotland
    Posts
    72
    Thank Post
    37
    Thanked 5 Times in 3 Posts
    Rep Power
    13
    Quote Originally Posted by srochford View Post
    Yes, but you can simplify it and speed it up:


    Code:
    for /d %i in (*) do cacls %i /e /t /g %i:c administrator:c "domain admins":f
    not too relevant on a server which will probably always stay in the domain, but it can be better to set the permissions to the local group rather than domain (assuming that you add domain admins to local administrators group)
    We inherited an RM network so we just try to keep it running! One of the things the RM systems do is make Administrators and Domain Admins really powerful and not use the local admins!

    Thanks for your feedback and advice

SHARE:
+ Post New Thread
Page 2 of 3 FirstFirst 123 LastLast

Similar Threads

  1. SIMS NTFS Permissions?
    By techyphil in forum MIS Systems
    Replies: 29
    Last Post: 1st March 2010, 12:54 PM
  2. Script to change NTFS permissions
    By FN-GM in forum Scripts
    Replies: 7
    Last Post: 20th March 2009, 11:03 AM
  3. Help with NTFS permissions problem...
    By kennysarmy in forum Windows
    Replies: 5
    Last Post: 7th February 2008, 02:29 PM
  4. C: drive NTFS permissions?
    By cookie_monster in forum Windows
    Replies: 4
    Last Post: 6th February 2008, 08:24 AM
  5. Mass setting NTFS permissions
    By localzuk in forum Windows
    Replies: 7
    Last Post: 8th January 2007, 04:23 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •