Newbie to the forum in slight panic, so please forgive me any faux pas in advance.
As background: I'm a relatively new (several weeks into it) Network Manager at a school. I completed an MCSE 6 years ago, and my server skills are a little rusty.
During the Summer holidays, prior to my employment, the school's servers were migrated from physical boxes with 2003 to virtual (Hyper-V) servers with 2008 R2.
A mass data copy was done of the students' 2003 home folders to the new 2008 server. It transpires that during this copy the permissions were not copied (I remember mention of an XCOPY issue). So a bodged fix was put in place where each set of home folders was restricted by graduate year, rather than reinstating the individual permissions. There are over 1,500 student folders.
Some students have discovered that using certain older applications, e.g. Adobe CS4, they can gain access to folders below their own home folders, and then browse all the student folders within their year, and both add and delete files from their fellow students. A problem, as you can imagine.
In short, is there any elegant way to restore these individual permissions back, using a program (or whatever!) short of having to manually reinstate the permissions on each individual home folder?
Note the home folders of course have the username of each individual student.
If I recall, you can add $, like you were to make a new home directory, to the end of their home folders in the AD profile, and it should give the share permission back to that student when AD already finds a folder.
Otherwise I think I have a program at work; will sort tomorrow.
Last edited by irsprint84; 17th October 2011 at 06:08 PM.
Best thing to do if it is simple for each OU in a different share.
For example, have \\server\intake11$\userfolder, reset the permissions on the root folder to the students not having access, then do a bulk update in AD (select all, properties), then map them to \\server\intake11$\%username%. If the folder already exists you will be prompted if you would like to give the user full control. Select yes and job's a good 'un. Do this for each year and you're laughing.
IMHO having individual shares for each user slows down a file server, but I have no real proof as to this theory, just a feeling based on experience.
Assuming the folders are named for the student's login, there are scripts around that can go through each directory and restrict it to the user with a matching name. If you can't find any, I have one around somewhere from our migration.
OK, that was me being stupid. I should have used the option to map a drive and connect to it.
The problem now is that AD will apply to one user quite happily, but if I try and apply it to two or more it complains that the directory exists and will proceed no further. The exact error is "The %1 home folder was not created because it already exists. You might want to select a different name, or make sure that the user has full access privileges to the existing one."
A further workaround to that is to move all the users' data to somewhere else temporarily; this will then allow it to create the directories, then merge all the data back.
It's still a good fix I think, but I'll try NTFSFix first. So that's next up in the queue!...
I've noticed this little gotcha, brought to my attention by another NM here locally. Students can use CS4 to view the network shares and were gaining access to other people's areas.
Problem was that with Server 2008, any folder created on the server has an NTFS permission of SERVERNAME\Users, and if you look at the local groups on the server it has DOMAINNAME\Domain Users in that group. And of course, when any new user folders get created, these will inherit this permission. If you kept the default Share permission of Everybody in place then you're letting all users access other people's shared drives.
We use CSE; it comes with a handy utility which enables us to reset the users' home shares and permissions based on a profile. As a quick fix, I've used this to reset the share of each user so they can't gain access to other user areas. But I'm going to look at this NTFSfix utility to tweak things better.
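
The per-username reset discussed in this thread, as an added PowerShell example that is not from any poster or from the tools they mention: it gives each home folder a protected DACL, so the inherited SERVERNAME\Users and year-group entries are dropped and only the matching account, Administrators and SYSTEM remain. The path `D:\Homes\Intake11`, the domain name `SCHOOL` and the choice of Modify rights for the student are assumptions.

```powershell
# Added example: rebuild each home folder's DACL from the folder name.
# $HomeRoot and $Domain are placeholders; adjust them before running.
param(
    [string]$HomeRoot = 'D:\Homes\Intake11',  # hypothetical local path to one year's folders
    [string]$Domain   = 'SCHOOL',             # hypothetical NetBIOS domain name
    [switch]$Apply                            # without -Apply nothing is changed
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# PowerShell 2.0 (Server 2008 R2) has no -Directory switch, so filter on PSIsContainer.
foreach ($dir in Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer }) {
    $account = "$Domain\$($dir.Name)"

    # Skip folders whose name does not resolve to an account (leavers, typos, shared areas).
    try {
        $nt = New-Object System.Security.Principal.NTAccount($account)
        [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account '$account'; folder left untouched"
        continue
    }

    # Start from an empty DACL so no year-group or Users entry survives.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)  # block inheritance, discard inherited ACEs

    $grants = @(
        @{ Id = $account;                 Rights = 'Modify' },       # assumption: Modify, not Full Control
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    )
    foreach ($g in $grants) {
        $rights = [System.Security.AccessControl.FileSystemRights]$g.Rights
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Id, $rights, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)
    }

    if ($Apply) { $dir.SetAccessControl($acl) }
    New-Object PSObject -Property @{ Folder = $dir.FullName; Account = $account; Applied = [bool]$Apply }
}
```

Run it once without `-Apply` to review the folder-to-account pairing and the warnings, then again with `-Apply` from an elevated session. Files and subfolders that carry their own explicit entries keep them, so spot-check a few with `icacls` afterwards.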