LinkBack URL
About LinkBacks
Reply With Quotepnlrogue1 (18th August 2009)
Hey
I can see loads of references to this but can't get my head around any of them - I have folders containing student home directories and I need them to have permissions to access them
The folders are stored in "E:\Users\Students\Work\Intake08" (or Intake07 etc) on one of my servers
The folder and user logon name are the same (e.g. 07smitha) and the share names are username$ and everyone has full access to the share
I've seen so many scripts today that my head is aching - can someone please provide a script that will scan the directory for me and allocate permissions or walk through their one with me so I can customise it to my needs?
Thanks
Have a look at Autoshare. Very easy to use and free.
pnlrogue1 (18th August 2009)
Not sure exactly what you're trying to achieve so let's start with the basics - apologies if it's too basic :-)
The permissions that a user sees are made up from 2 parts - the permissions set on the share (you've said it's full control on all of them) and the NTFS permissions on the actual folder/files.
The result is the most restrictive of the two - eg if either of them is "read/only" then that's all you can do. Given this, I like to make the shares full permission and focus on getting the folder permissions right.
The cacls command is part of Windows and you can use it like this:
This says, take the folder e:\users etc and edit the existing perms (/e) Do this to the whole tree (/t - ie everything under this folder) and grant (/g) change permission to user 07smitha (change permission means read, write, delete - basically, everything but change permissions - in general you don't want your users changing the permissions)Code:cacls E:\Users\Students\Work\Intake07\07smitha /e /t /g 07smitha:c
If the permissions on e:\users\students\work are set right (I would normally have administrators - full; system - full) then this is good.
so, how do you do all the folders in intake07 in 1 go? this is where simple batch commands come in. If you type:
then you'll see a list of folders flash by - the for command is saying do "something" multiple times. The /d says "only match directories". The %i is a variable - basically, you're going to look at every folder (* means match every folder; try using s* and see what happens) and put it's name in %i and then the "do" bit says what you want it to do - in this case echo (show on screen) its valueCode:E: cd \Users\Students\Work\Intake07\ for /d %i in (*) do echo %i
Well, that's pretty but no use. To make it do something "real" you change that echo to something meaningful:
this will give you a series of commands and because your username matches the folder name it will work - eg you'll getCode:E: cd \Users\Students\Work\Intake07\ for /d %i in (*) do cacls %i /e /t /g %i:c
and so on.Code:cacls aardvark /e /t /g aardvark:c cacls buffalo /e /t /g buffalo:c cacls cheetah /e /t /g cheetah:c
I hope that get's you started - shout if it doesn't help or is going completely the wrong way!
joe90bass (25th March 2011), pnlrogue1 (18th August 2009), projector1 (18th August 2009)
Active Directory will do this for you, I don't know why a lot of people don't take advantage of the fact that it's all geared up to do it providing you set it up correctly. Why make this simple task any harder than it has to be?
What you need to do is share the root of the student home directories, and map the home folders through the one share instead of having individual shares for each user. It does work and is a perfectly acceptable, safe and reliable method of providing home folders.
The way we do it is as follows;
We have a share called Folders on our storage server which is shared as folders$ on the server.
Each year group has a sub folder in this
The users home folders are sub folders of the relevant year group.
The important thing before you do anything else is to turn off inheritance of permissions and set the students group on your network to have read only access for this folder only otherwise the home folders will inherit the permissions, and you end up in the nightmare scenario where students can read each others home folders. Set the permissions properly at this stage and there's no worries security wise. Also add any other groups you want to have access to the student folders and set the permissions accordingly. It's easier to do this now, as once you have a load of folders and data in them it takes a while to change NTFS permissions.
You don't even need to give students full read permissions, you can get away with Read Attributes, Read Extended Attributes and Read Permissions at this point, it will stop students being able to browse the root folder, but it still lets them access folders further up the tree that they have correct permissions for. Word of caution, if you use offline files, users will require full read access to the root of the share or syncronisation won't work.
Incidently on the sharing tab, make sure that everyone is granted full permissions. The NTFS permissions you set on the security tab will keep everyone out of places they shouldn't be, you can pretty much dis-regard the actual sharing permissions.
You can get active directory to create and set permissions on all the home folders for your users in one go by selecting them all at once, RH clicking and going to properties. Tick the box for connect home folder to, and select the drive letter you want to use, then type the correct UNC path using %username% on the end. e.g. \\SERVER\FOLDERS$\YEAR07\%username% Windows will then create all the folders for you, and set the permissions on them as well in about 5 seconds flat, Job done.
It works, and in my opinion it's a whole lot easier than using scripts or 3rd party applications and what's more once you've got it working, any new users you setup will automatically get their home folder created for them and the permissions set.
If I remember rightly, this is Microsoft's recommended method of assigning home folders to users on Server 2000 and 2003 which is why it works so well.
I hope that's of some help,
Mike.
edit: sorry if that sounds like a rant, but why use scripts when it's all there built into windows already?
Last edited by maniac; 18th August 2009 at 12:44 AM.
I've tried to do it that way and our AD just won't set the permissions (we're coming away from an RM system so the AD is a huge mess). All it says is 'you will need to check the permissions yourself' which isn't overly helpful!Originally Posted by maniac
wisesoft has a bulk NTFS permissions app - not sure if that helps or not but worth a look
Registration is free and then you can download all the apps including the NTFS perms one.
WiseSoft - Resources for IT Professionals
http://wisesoft.co.uk/software/ntfsfix/default.aspx
pnlrogue1 (18th August 2009)
Absolutely perfect! That was exactly what I was looking for!
I'm a pretty good programmer who can usually take what I'm given and make it work but I just don't speak DOS and can't get my head around it so that was brilliant!
Thank you so much for that!
I saw them when I was searching yesterday but their site was broken so I couldn't see what apps they had!
seems fine to me now - they have a password reset tool and a few others not to mention a whole wodge of scripts from vbscripts to power script examples afaik
Very useful site along with Windows Server 2008, Exchange advice. Help solving computer problems. VBScript
I still can't get to the pagemaybe the site doesn't like Google Chrome!
Try firefox or something elseI still can't get to the page
works fine for me here
pnlrogue1 (18th August 2009)
Must be Chrome then - I'll have a look later in IE/FF and see
Thanks!
Just one word of warning here I haven't tested this for a while but when we gave students full 'Share' permissions they could take ownership of their home folders and change NTFS permissions thus locking out admins and the backup software. This became a bit of a pain as I would then have to change the permissions back. If you give Everyone or Authenticated Users 'Change' 'Share' permissions then they cannot modify NTFS permissions.Incidently on the sharing tab, make sure that everyone is granted full permissions. The NTFS permissions you set on the security tab will keep everyone out of places they shouldn't be, you can pretty much dis-regard the actual sharing permissions.
pnlrogue1 (18th August 2009)
Thankfully, our students aren't smart enough for that!
To be honest, our NM is checking through permissions and has, I think, locked students out of the permissions tab somehow but I'll check and follow that up
Thanks!
Weirdly, this doesn't work as a .bat or .cmd but if I copy and paste it in to command prompt, it works flawlessly
I love my network...
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
