Windows Server 2008 R2 Thread, "Elegant" Permissions Restoration? in Technical
  1. #1
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    969
    Thank Post
    898
    Thanked 21 Times in 19 Posts
    Rep Power
    11

    Question "Elegant" Permissions Restoration?

    Hi folks,

    Newbie to the forum in slight panic, so please forgive me any faux pas in advance.

    As background: I'm a relatively new (several weeks into it) Network Manager at a school. I completed an MCSE 6 years ago, and my server skills are a little rusty.

    During the Summer holidays, prior to my employment, the school's servers were migrated from physical boxes with 2003 to virtual (Hyper-V) servers with 2008 R2.

    A mass data copy was done of the students' 2003 home folders to the new 2008 server. It transpires that during this copy the permissions were not copied (I remember mention of an XCOPY issue). So a bodged fix was put in place where each set of home folders was restricted by graduate year, rather than reinstating the individual permissions. There are over 1,500 student folders.

    Some students have discovered that using certain older applications e.g. Adobe CS4, they can gain access to folders below their own home folders, and then browse all the student folders within their year, and both add and delete files from their fellow students. A problem as you can imagine.

    In short, is there any elegant way to restore these individual permissions back, using a program (or whatever!) short of having to manually reinstate the permissions on each individual home folder?

    Note the home folders of course have the username of each individual student.

    TIA

  2. #2

    Join Date
    Apr 2008
    Posts
    853
    Thank Post
    111
    Thanked 112 Times in 108 Posts
    Rep Power
    46
    If I recall, you can add $, like you were to make a new home directory, to the end of their home folders in the AD profile, and it should give the share permission back to that student when AD already finds a folder.

    Otherwise I think I have a program at work; will sort tomorrow.
    Last edited by irsprint84; 17th October 2011 at 07:08 PM.

  3. #3

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    351
    Best thing to do if it is simple for each OU in a different share.

    For example, have \\server\intake11$\userfolder, reset the permissions on the root folder to the students not having access, then do a bulk update in AD (select all properties), then map them to \\server\intake11$\%username%. If the folder already exists you will be prompted if you would like to give the user full control. Select yes and job's a good 'un. Do this for each year and you're laughing.

    IMHO having individual shares for each user slows down a file server, but I have no real proof as to this theory, just a feeling based on experience.

  4. #4

    Join Date
    Nov 2010
    Location
    Sydney, Australia
    Posts
    25
    Thank Post
    3
    Thanked 2 Times in 2 Posts
    Rep Power
    9
    Assuming the folders are named for the student's login, there are scripts around that can go through each directory and restrict it to the user with a matching name. If you can't find any, I have one around somewhere from our migration.

  5. #5
    p858snake's Avatar
    Join Date
    Dec 2008
    Location
    Queensland
    Posts
    1,491
    Thank Post
    37
    Thanked 175 Times in 151 Posts
    Blog Entries
    2
    Rep Power
    52
    If the folders are logically named (eg: username=folder name), NTFSFix should be able to handle it: NTFSFix

  6. #6
    Gongalong's Avatar
    Thanks all for the responses.

    I'm trying the AD fix, which seems so elegant. But when I enter a UNC path in the user's record, which was there from previously, I get the error:

    "The specified path is not valid. Enter a valid path using the form: drive-letter:\directory."

    As mentioned, there were UNC paths there before, but now they cannot be entered. I have even removed, and then copied back the exact UNC path that was there before, and it won't let me enter it.

    What am I missing?

  7. #7

    glennda's Avatar
    If you are wanting to set to a UNC path you need to use the bottom half, i.e. connect (choose drive letter) UNC path.

    Like Project1.jpg

  8. #8
    Gongalong's Avatar
    OK, that was me being stupid. I should have used the option to map a drive and connect to it.

    The problem now is that AD will apply to one user quite happily, but if I try and apply it to two or more it complains that the directory exists and will proceed no further. The exact error is "The %1 home folder was not created because it already exists. You might want to select a different name, or make sure that the user has full access privileges to the existing one."

    A further workaround to that is to move all the users' data to somewhere else temporarily; this will then allow it to create the directories, then merge all the data back.

    It's still a good fix I think, but I'll try NTFSFix first. So that's next up in the queue!...

  9. #9
    Gongalong's Avatar
    And just to update, NTFSFix solved it. I ran it on over 1,000 directories, and all appears OK. Kudos to the folks that wrote it!

    Thanks again to all that replied. This solved a nasty issue.

  10. #10

    Join Date
    Feb 2008
    Location
    Wiltshire
    Posts
    904
    Thank Post
    287
    Thanked 141 Times in 114 Posts
    Blog Entries
    28
    Rep Power
    42
    I've noticed this little gotcha, brought to my attention by another NM here locally. Students can use CS4 to view the network shares and were gaining access to other people's areas.

    Problem was that with Server 2008, any folder created on the server has an NTFS permission of SERVERNAME\Users, and if you look at the local groups on the server it has DOMAINNAME\Domain Users in that group. And of course, if any new user folders get created then these will inherit this permission. If you kept the default Share permission of Everybody in place then you're letting all users access other people's shared drives.

    We use CSE; it comes with a handy utility which enables us to reset the users' home shares and permissions based on a profile. As a quick fix, I've used this to reset the share of each user so they can't gain access to other user areas. But I'm going to look at this NTFSfix utility to tweak things better.

    Pete

  11. #11
    Gongalong's Avatar
    These folders at least didn't have Domain Users assigned, but these year permissions that had been assigned were still a problem.
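
The approach described in posts #4 and #10 (walk each home folder, match its name to an account, find grants to anyone else such as a year group or Domain Users, and reset the ACL) can be scripted as below. This is an added example, not code from the thread and not NTFSFix's own code; `$HomeRoot`, `$Domain` and the target ACL (owner Modify, Administrators and SYSTEM Full Control) are assumptions.

```powershell
# Added example. $HomeRoot and $Domain are placeholders, not values from the thread.
param(
    [string]$HomeRoot = 'D:\Homes\Intake11',   # assumed root with one folder per username
    [string]$Domain   = 'EXAMPLE',             # assumed NetBIOS domain name
    [switch]$Apply                             # without -Apply nothing is changed, only reported
)

$admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow ACE that is inherited by every subfolder and file below the home folder.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# Where-Object PSIsContainer (rather than -Directory) keeps this usable on PowerShell 2.0.
Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir   = $_
    $owner = "$Domain\$($dir.Name)"
    try {
        # The folder name must resolve to an account; otherwise leave it for manual review.
        $nt = New-Object System.Security.Principal.NTAccount($owner)
        [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account '$owner' for $($dir.FullName); skipped"
        return
    }

    # Report every Allow ACE held by anyone other than the owner, Administrators or SYSTEM.
    $extra = (Get-Acl -Path $dir.FullName).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($admins + $owner) -notcontains $_.IdentityReference.Value
    }
    foreach ($ace in $extra) {
        "{0}: {1} has {2} (inherited: {3})" -f $dir.Name, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
    }

    if ($Apply) {
        $acl = New-Object System.Security.AccessControl.DirectorySecurity
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
        foreach ($id in $admins) { $acl.AddAccessRule((New-AllowRule $id 'FullControl')) }
        $acl.AddAccessRule((New-AllowRule $owner 'Modify'))
        $dir.SetAccessControl($acl)                   # replaces the folder's DACL
    }
}
```

Run it without `-Apply` first to list the unexpected grants. Subfolders and files that carry their own explicit ACEs keep them and need a separate pass.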


