+ Post New Thread
Results 1 to 12 of 12
Windows Thread, Giving user access to all home directories in Technical; I would like to give one of the network support team access to all of the student home directories, without ...
  1. #1

    Join Date
    Nov 2007
    Posts
    4
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Giving user access to all home directories

    I would like to give one of the network support team access to all of the student home directories, without making them a domain admin.

    I need to do this so that they can use volume shaddow to restore work for the kids etc. I would normally do this using a script but this will mean that the changes will only effect files that are already there and will not propogate to any new home directories that are created ie. a new student joining. And as i will not be on site i will not be able to keep re-running the script.

    Has anyone else had to do anything like this or can it even be done?

  2. #2
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39

    Re: Giving user access to all home directories

    Easy enough, just add the user to the NTFS permissions at the level where the share is, this will be propogated to all folders/files below the share.

    So if you are on the server right click the folder, choose properties then security and add the user with the permissions you want.

    I'm not sure if this will solve the problem of allowing shadow copies to be restored though. That should be done through group policy.

  3. #3

    Join Date
    Nov 2007
    Posts
    4
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Giving user access to all home directories

    Ive tried this but it does not propogate down to the child objects. And obviously i cant replace the permissions in the child objects as this will remove the users permissions from the home directory

  4. #4

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Giving user access to all home directories

    I'd guess inheritance is disabled then. Readd the permissions to the child folders when they have not propagated.

  5. #5
    apeo's Avatar
    Join Date
    Sep 2005
    Location
    Lost
    Posts
    1,612
    Thank Post
    95
    Thanked 115 Times in 111 Posts
    Rep Power
    41

    Re: Giving user access to all home directories

    I think you already have your answer, use your script to alter the permission on existing files/folders and just make sure you give the user the appropriate permissions on the root folder. Then even new student would inherit the permission from the folder its in.

  6. #6
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39

    Re: Giving user access to all home directories

    Download xcacls.exe and use something like the following command on the server

    c:\xcacls d:\homefolders /T /e /p theusername:rw /y

    Make sure you use the /e option as this edits the acl rather than replace it.

    This will give the user read write access. But a big warning here, TEST it on another folder first before you apply it to the root of the home folders. Screwing up these permissions will give you a very big headache.

  7. #7

    Join Date
    Nov 2007
    Posts
    4
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Giving user access to all home directories

    It would seem that sometimes you cant see the wood for the trees.

  8. #8
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,996
    Thank Post
    120
    Thanked 280 Times in 258 Posts
    Rep Power
    106

    Re: Giving user access to all home directories

    As much as I have always been a fan of xcacls scripts I have recently been using subinacl

    Code:
    for /D %%i in (*) do ( 
    subinacl /file %%i /grant=domain\%%i=C "/grant=domain\domain admins=f" /grant=domain\Teachers=r /setowner=domain\%%i 
    
    subinacl /subdirectories %%i\* /grant=domain\%%i=f "/grant=domain\domain admins=f" /grant=domain\Teachers=r /setowner=domain\%%i 
     )
    Make sure your working directory is the parent directory of the users folders.
    Assuming the folders names are the same as the username......

    The first set of commands:
    Code:
    subinacl /file
    sorts the folder out. In my case giving users change, admins full and teachers read.

    The second near identical code:
    Code:
    subinacl /subdirectories
    Sorts out all the files in the directory.

    Some of these lines will have been wrapped by the forum. This script is meant to run as a batch file. Ps it also set the correct ownership as well so those quotas are accurate

    Edit: after re-reading your post I see this want quite what you were after but there is subinacl options in there that will help.

  9. #9

    Join Date
    Jun 2005
    Location
    London, UK
    Posts
    115
    Thank Post
    0
    Thanked 3 Times in 3 Posts
    Rep Power
    20

    Re: Giving user access to all home directories

    I would create a group ('User Administrators' or something), assign permissions to that and then add the user to that group. Assigning permissions to individual users is a pain to manage.

    After setting up a group and assigning the permissions to it, you can just add users to the group as necessary without having to fiddle with xcacls every time.

  10. #10
    Oops_my_bad's Avatar
    Join Date
    Jan 2007
    Location
    Man chest hair
    Posts
    1,738
    Thank Post
    438
    Thanked 53 Times in 50 Posts
    Rep Power
    30

    Re: Giving user access to all home directories

    A member of the network support team who doesn't have domain admin rights

    Hmmm....

  11. #11

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,037
    Thank Post
    209
    Thanked 425 Times in 306 Posts
    Rep Power
    144

    Re: Giving user access to all home directories

    In our school all staff have read only access to the students home areas on a read only basis. The base directory is mapped as U:\ drive for all staff. This is controlled by a group called 'Student Access' so we can remove that feature from admin staff who don't require it.

    All ICT teachers have read/write access so they can look at students work and write feedback at the bottom and re-save it, and copy things into areas if required. This is controlled by a groups called 'ICT teachers' which also ties into permissions elsewhere on the network.

    Also all of us have read/write access, controlled by group called ICT Team which is its self a member of the domain admins group.

    All these permissions were origenally set using XCACLS, and I have a script that runs once a week to re-check them, as new folders added by active directory don't get the permissions to start with.

    Mike.

  12. #12

    Join Date
    Jun 2005
    Location
    London, UK
    Posts
    115
    Thank Post
    0
    Thanked 3 Times in 3 Posts
    Rep Power
    20

    Re: Giving user access to all home directories

    Quote Originally Posted by TeddyKGB
    A member of the network support team who doesn't have domain admin rights

    Hmmm....
    Domain admin accounts should not be for day-to-day general use.

SHARE:
+ Post New Thread

Similar Threads

  1. SharePoint Server 2003 Home Directories
    By plock in forum Virtual Learning Platforms
    Replies: 0
    Last Post: 10th December 2007, 09:32 AM
  2. Replies: 2
    Last Post: 6th October 2007, 09:46 AM
  3. Home Directories on Moodle
    By apeo in forum Virtual Learning Platforms
    Replies: 4
    Last Post: 13th June 2007, 11:20 AM
  4. Replies: 2
    Last Post: 27th April 2007, 06:41 AM
  5. Replies: 9
    Last Post: 16th June 2006, 09:28 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •