I would like to give one of the network support team access to all of the student home directories, without making them a domain admin.
I need to do this so that they can use volume shadow copy to restore work for the kids etc. I would normally do this using a script, but this will mean that the changes will only affect files that are already there and will not propagate to any new home directories that are created, i.e. a new student joining. And as I will not be on site I will not be able to keep re-running the script.
Has anyone else had to do anything like this or can it even be done?
Easy enough, just add the user to the NTFS permissions at the level where the share is; this will be propagated to all folders/files below the share.
So if you are on the server right click the folder, choose properties then security and add the user with the permissions you want.
I'm not sure if this will solve the problem of allowing shadow copies to be restored though. That should be done through group policy.
I've tried this but it does not propagate down to the child objects. And obviously I can't replace the permissions in the child objects as this will remove the users' permissions from the home directory.
I'd guess inheritance is disabled then. Re-add the permissions to the child folders where they have not propagated.
I think you already have your answer: use your script to alter the permissions on existing files/folders and just make sure you give the user the appropriate permissions on the root folder. Then even new students would inherit the permission from the folder it's in.
Download xcacls.exe and use something like the following command on the server:
c:\xcacls d:\homefolders /T /e /p theusername:rw /y
Make sure you use the /e option as this edits the ACL rather than replacing it.
This will give the user read/write access. But a big warning here: TEST it on another folder first before you apply it to the root of the home folders. Screwing up these permissions will give you a very big headache.
It would seem that sometimes you can't see the wood for the trees.
As much as I have always been a fan of xcacls scripts, I have recently been using subinacl.
Make sure your working directory is the parent directory of the users' folders.

for /D %%i in (*) do (
    subinacl /file %%i /grant=domain\%%i=C "/grant=domain\domain admins=f" /grant=domain\Teachers=r /setowner=domain\%%i
    subinacl /subdirectories %%i\* /grant=domain\%%i=f "/grant=domain\domain admins=f" /grant=domain\Teachers=r /setowner=domain\%%i
)
Assuming the folder names are the same as the username...
The first set of commands (subinacl /file) sorts the folder out. In my case giving users change, admins full and teachers read.
The second, near identical, code (subinacl /subdirectories) sorts out all the files in the directory.
Some of these lines will have been wrapped by the forum. This script is meant to run as a batch file. PS: it also sets the correct ownership, so quotas are accurate.
Edit: after re-reading your post I see this wasn't quite what you were after, but there are subinacl options in there that will help.
I would create a group ('User Administrators' or something), assign permissions to that and then add the user to that group. Assigning permissions to individual users is a pain to manage.
After setting up a group and assigning the permissions to it, you can just add users to the group as necessary without having to fiddle with xcacls every time.
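Putting the advice in this thread together (a group rather than a named user, one ACE with inheritance flags on the home-folder root so new home directories pick it up, and a re-check of existing folders where inheritance was turned off), as an added PowerShell example that is not code from any post above; the root path and group name are placeholders:

```powershell
# Added example (not from the thread). Grants a support group Modify on the
# home-folder root with inheritance, then makes sure every existing home
# directory actually inherits it (the "doesn't propagate" case in the thread).
param(
    [string]$HomeRoot = 'D:\homefolders',          # placeholder path
    [string]$Group    = 'DOMAIN\HomeDir-Support'   # placeholder group
)

$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $Group, $rights, $inherit, $prop, 'Allow')

# 1. One ACE on the root. Because of the inheritance flags, any home
#    directory created under it later picks the entry up automatically,
#    so the script does not need re-running for new students.
$rootAcl = Get-Acl -Path $HomeRoot
$rootAcl.AddAccessRule($rule)
Set-Acl -Path $HomeRoot -AclObject $rootAcl

# 2. Existing folders: if inheritance was disabled on a student's folder,
#    the root ACE never reaches it. Turn inheritance back on only where it
#    is off; the student's own explicit entries are left untouched
#    (SetAccessRuleProtection($false, ...) enables inheritance, second
#    argument is ignored in that case).
Get-ChildItem -Path $HomeRoot -Directory | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    if ($acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $_.FullName -AclObject $acl
        "re-enabled inheritance: $($_.FullName)"
    }
}

# 3. Verify: report any home directory where the group still has no
#    inherited Modify entry, so a missed folder is visible rather than silent.
Get-ChildItem -Path $HomeRoot -Directory | Where-Object {
    $acl = Get-Acl -Path $_.FullName
    -not ($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and $_.IsInherited -and
        (($_.FileSystemRights -band $rights) -eq $rights) })
} | ForEach-Object { "WARNING: no inherited entry on $($_.FullName)" }
```

Run it from an elevated prompt on the file server against a test folder first, exactly as the xcacls post above warns.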
A member of the network support team who doesn't have domain admin rights
Hmmm....

In our school all staff have read-only access to the students' home areas. The base directory is mapped as the U:\ drive for all staff. This is controlled by a group called 'Student Access' so we can remove that feature from admin staff who don't require it.
All ICT teachers have read/write access so they can look at students' work, write feedback at the bottom and re-save it, and copy things into areas if required. This is controlled by a group called 'ICT Teachers' which also ties into permissions elsewhere on the network.
Also all of us have read/write access, controlled by a group called 'ICT Team' which is itself a member of the Domain Admins group.
All these permissions were originally set using XCACLS, and I have a script that runs once a week to re-check them, as new folders added by Active Directory don't get the permissions to start with.
Mike.
Originally Posted by TeddyKGB
Domain admin accounts should not be for day-to-day general use.