  1. #1

    localzuk

    Setting folder owners programmatically

    The server which stored our profiles died recently, so they've all been restored to another. However, in that transition the folder ownership details have all vanished... No problem, I thought, a small bit of C# will do it, but no. Windows doesn't let you programmatically set the ownership of a folder to anything other than the account the program/script is running in or an administrator.

    So, has anyone got a quicker way that I can set the directory ownership of 107 profiles rather than me having to manually go through them all?

  2. #2
    jack0w
    Is there not an option in your backup software so you can restore the data with the permissions/ownership intact?

  3. #3

    SYNACK
    Just use SetACL in either VBS or batch to iterate through and sort it, it's a little bit of scripting but nothing you can't handle

    SetACL - Windows permission management

    Site (SourceForge) seems to be down for me at the moment though.

    Here is the download link: http://sourceforge.net/projects/setacl/files/


  5. #4

    localzuk
    > Originally posted by jack0w:
    > Is there not an option in your backup software so you can restore the data with the permissions/ownership intact?

    Yep, it just doesn't do anything. They get restored without any permissions whatever settings I tick.

    The permissions aren't an issue, as a script fixes that straight away. But the ownership, that is a pain...

  6. #5

    SYNACK
    SetACL does do ownership changes too, have done it at another site. Have no longer got the automated script I made for it though


  8. #6
    limbo
    Could you produce a script that is run by the user when they login?

    Then the person running the script is the person who needs the ownership.

  9. #7

    localzuk
    > Originally posted by SYNACK:
    > SetACL does do ownership changes too, have done it at another site. Have no longer got the automated script I made for it though

    SetACL seems to do the trick. Now just to include it in my existing app, so it does it automatically

  10. #8

    localzuk
    Right, the following C# application seems to do the trick.

    It can do 2 things - without the 'all' argument, it will add full control permissions to each directory for the user with the account of the same name as that directory. It also then uses SetACLs to set ownership (recursively) to those directories.

    With the 'all' argument, it will add full control to the System and Domain Admins groups, and remove access to the everyone group, if it exists.

    So, if this is any use to anyone else, feel free to use it.

    Code:
    using System;
    using System.Diagnostics;
    using System.IO;
    using System.Linq;
    using System.Security.AccessControl;
    using System.Security.Principal;

    namespace UserProfilePermissionProvider
    {
        class Program
        {
            static void Main(string[] args)
            {
                // With the "all" argument, SYSTEM and Domain Admins are also granted
                // full control and any Everyone entries are removed.
                bool all = args.Contains("all");

                // Each subdirectory of the current directory is treated as a profile
                // folder named after the account that should own it.
                string root = Directory.GetCurrentDirectory();
                Console.WriteLine("Path: " + root);
                string[] dirs = Directory.GetDirectories(root);
                Console.WriteLine(dirs.Length + " Directories");
                foreach (string s in dirs)
                {
                    string at = ""; // step in progress, reported if an exception is thrown
                    Console.WriteLine(s);
                    try
                    {
                        string name = new DirectoryInfo(s).Name;
                        string account = Environment.UserDomainName + "\\" + name;
                        Console.WriteLine("In: " + name);
                        DirectorySecurity dirSec = Directory.GetAccessControl(s);
                        if (all)
                        {
                            // These three-argument rules apply to this folder only (no inheritance flags).
                            at = "SYSTEM";
                            dirSec.AddAccessRule(new FileSystemAccessRule("SYSTEM", FileSystemRights.FullControl, AccessControlType.Allow));
                            at = Environment.UserDomainName + "\\Domain Admins";
                            dirSec.AddAccessRule(new FileSystemAccessRule(Environment.UserDomainName + "\\Domain Admins", FileSystemRights.FullControl, AccessControlType.Allow));
                            at = "Everyone";
                            dirSec.PurgeAccessRules(new NTAccount("Everyone"));
                        }
                        at = account;
                        // Full control on the folder itself, inherited by subfolders and files.
                        // (ObjectInherit with InheritOnly alone would take effect only on
                        // files, not on the folder or its subfolders.)
                        dirSec.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.FullControl,
                            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                            PropagationFlags.None, AccessControlType.Allow));

                        // Write the DACL before SetACL runs, so the two never update the
                        // same security descriptor at the same time.
                        DirectoryInfo d = new DirectoryInfo(s);
                        d.SetAccessControl(dirSec);

                        at = "SetACL";
                        ProcessStartInfo p = new ProcessStartInfo();
                        p.FileName = "SetACL.exe";
                        p.UseShellExecute = false;
                        p.Arguments = " -silent -on \"" + s + "\" -ot file -actn setprot -op \"dacl:np;sacl:np\" -rec cont_obj -actn setowner -ownr \"n:" + account + ";s:n\"";
                        // Wait for SetACL to finish and check its exit code rather than
                        // reporting success while it is still running.
                        using (Process proc = Process.Start(p))
                        {
                            proc.WaitForExit();
                            if (proc.ExitCode != 0)
                            {
                                throw new Exception("SetACL.exe exited with code " + proc.ExitCode);
                            }
                        }
                        Console.WriteLine(name + " set");
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine("Error: " + ex.Message + " At " + at);
                    }
                }
            }
        }
    }
    Last edited by localzuk; 19th February 2010 at 06:49 PM. Reason: Changed from SID use to NTAccount use. Removed comment about being untested, as it is now tested. Fix


  12. #9

    > It also then uses SetACLs to set ownership (recursively) to those directories.

    I did (j)script for this kind of thing a while back. I've got one hooked into the ADUC user object context menu, but the "bulk reset all" script enumerates AD to get user folders and then points SetACL at them like this:

    Code:
    'SetACL.exe -on "' + root + '" -ot file -actn setprot -op "dacl:np;sacl:nc" -rec cont_obj -actn setowner -ownr "n:' + SID +';s:y"'
    "root" is the root of a given user's folder. "SID" is their SID.

    SetACL does my head in a bit. This is slightly different to yours, maybe that's why I couldn't get it to work with an account name as opposed to a SID.

    Edit: Having just re-learnt why I made my line:

    sacl:nc => No Change. I skipped changing SACLs (auditing etc.)
    SID + ";s:y" => I'm using a SID (was changed to 'y' *after* the account name wasn't working).

    So it's just the SACL bit that's different. ::shrug:
    Last edited by PiqueABoo; 19th February 2010 at 07:04 PM.
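
A read-only check to run after either approach in this thread, added here as an example and not code from any poster: it lists profile folders whose owner is not the account named after the folder, or that still carry an allow entry for Everyone. It assumes .NET Framework (as the C# in post #8 does) and that folder names equal account names; the class name ProfileOwnerAudit is hypothetical.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class ProfileOwnerAudit
{
    static readonly SecurityIdentifier Everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);

    // Returns null when the folder looks right, otherwise a description of the problem.
    static string Check(string dir, string domain)
    {
        string name = new DirectoryInfo(dir).Name;
        SecurityIdentifier expected;
        try
        {
            // Assumption taken from the thread: folder name == account name.
            expected = (SecurityIdentifier)new NTAccount(domain, name)
                .Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException) { return "no account " + domain + "\\" + name; }
        DirectorySecurity sec = Directory.GetAccessControl(
            dir, AccessControlSections.Owner | AccessControlSections.Access);
        IdentityReference owner = sec.GetOwner(typeof(SecurityIdentifier));
        if (!expected.Equals(owner))
            return "owner is " + (owner == null ? "(none)" : owner.Value) + ", expected " + expected.Value;
        foreach (FileSystemAccessRule r in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            if (r.AccessControlType == AccessControlType.Allow && Everyone.Equals(r.IdentityReference))
                return "Everyone still has " + r.FileSystemRights;
        return null;
    }

    static int Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : Directory.GetCurrentDirectory();
        int problems = 0;
        foreach (string dir in Directory.GetDirectories(root))
        {
            string issue;
            try { issue = Check(dir, Environment.UserDomainName); }
            catch (UnauthorizedAccessException ex) { issue = "cannot read security: " + ex.Message; }
            if (issue != null) { problems++; Console.WriteLine(dir + ": " + issue); }
        }
        Console.WriteLine(problems + " folder(s) need attention");
        return problems == 0 ? 0 : 1;
    }
}
```

The process exit code is 1 when any folder is flagged, so the check can gate a scheduled task or a follow-up script.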
