File ownership pita!

[SpuffMonkey]

Hi - I was using robocopy to move user's folders around onto some new diskspace today (W2003) - when it burped on one user's folders. This kid had contrived to remove permissions from everyone but himself - meaning I (as administrator) couldn't move the files. I managed to take ownership and change the perms back - but only one file at a time - very irritating and time consuming - anyone know of a way to do bulk changes on ownership should this happen again - and even better - prevent them fiddling in the first place (I thought I had - but there you go)

See some of you guys tomorrow

Cheers

[Geoff]

1. Don't give them full control. Just read/write/modify.
2. Set the permissions on the top level folder then go into advanced and set the inheritance up.
3. There's also a button in the advanced controls to overwrite all the permissions on the sub folders/files in one go.

[ChrisH]

I use a similar approach to when I have to apply mass permission changes using xcacls.

You need the windows version of chown and this code:

Code:

rem sets permission on all files according to home directory name

for /D %%i in (*) do (
chown -r %%i "%%i\*.*"
)

Execute this at the same level as the users folders. You must take ownership yourself before hand. I just select all the folders and do it through the GUI.

For file permissions I use:

Code:

for /D %%i in (*) do (
   xcacls %%i /T /E/G yourdomain\domain admins:F /y
   xcacls %%i /T /E /G yourdomain\%%i:C /y
)

This is obviously for a full folder worth of home directories though.

[sahmeepee]

You can also accomplish this with the subinacl resource kit tool from Microsoft

[ajbritton]

You can remove the 'security' tab from explorer via a group policy setting, but you would also need to prevent access to the command line (use of cacls, xcacls or similar).

Any file/folder created by any user becomes 'owned' by that user and when a user 'owns' a file/folder, they can always modify the permissions, regardless of the permissions set on the parent folder.

The only suggestion I have ever seen to prevent this is to modify the permissions on the share that users connect via such that they are limited to 'modify'. I always redirect 'My Documents' to the home directory and XP refused to do this when it realised that the user did not have full access to the folder.

[ChrisH]

You can also accomplish this with the subinacl resource kit tool from Microsoft

I tried this and found it hard to work with Ownership. Thats when I found the Windows version of chown.

[SpuffMonkey]

Execute this at the same level as the users folders. You must take ownership yourself before hand. I just select all the folders and do it through the GUI.

Alas - the GUI wouldn't let me select more than one file at a time - and selecting the folder just changed the folder ownership - but not the files within - real pita - I'll have a play with the scripts suggested tho' - thanks

[DMcCoy]

Execute this at the same level as the users folders. You must take ownership yourself before hand. I just select all the folders and do it through the GUI.

Alas - the GUI wouldn't let me select more than one file at a time - and selecting the folder just changed the folder ownership - but not the files within - real pita - I'll have a play with the scripts suggested tho' - thanks

Properties, Security, Advanced. See attached picture, the tickbox

[ChrisH]

^^^^^ Thats what I meant select all folders then tick that box.
If your going to change their permissions as suggested you will need to do things in this order.
1. Take ownership of all their files and folders.
2. Run the permission batch file.
3. Run the ownership batch file.

[SpuffMonkey]

^^^^^ Thats what I meant select all folders then tick that box.
If your going to change their permissions as suggested you will need to do things in this order.
1. Take ownership of all their files and folders.
2. Run the permission batch file.
3. Run the ownership batch file.

Doh! ops:

[sahmeepee]

You can also accomplish this with the subinacl resource kit tool from Microsoft

I tried this and found it hard to work with Ownership. Thats when I found the Windows version of chown.

True enough. Subinacl is pretty powerful, but not much fun to work with.

[ChrisH]

When I tried it just wasnt doing what I asked very frustrating. CHOWN is far easier to work with and involves less teeth grinding and hair pulling

[DMcCoy]

When I tried it just wasnt doing what I asked very frustrating. CHOWN is far easier to work with and involves less teeth grinding and hair pulling

I forget which command line util it was, but one of the ownership tools that shipped with 2003 original cd completed sucessfully but didn't do anything, there was a kb about it.

Was quite frustrating at the time and forced me to abandon the ms quota system and go for quota server.

[tarquel]

I use xcalcs in my usermaker script - it does need tweaking tho

its a pain at the moment because I've got 98 machines so i precreate the profile so that 98 is happy when logging on.

Still get the "you havent logged on to this machine before. Would you like windows to remember you" type window appearing on 98

but it works and thats all that matters lol

N.