goaliepride, posted March 1, 2011 (edited)

Hi All. I am looking for a solution where I can map a drive for students and staff. I want staff to be able to put files in for students to use (easy part). I also want students to be able to put files into the directory/directories (maybe one per teacher), but only see their own files. In this way we can avoid them changing other students' work, cheating by reading other students' work, etc. Is there a good way to do this without using "home directories" a la Active Directory? The computers are XP Pro, and the file servers are 2008R2.

Edited March 1, 2011 by goaliepride: forgot to include XP/2008 reference.
sukh, posted March 1, 2011

Hi

You can set the permissions on the folder so that the Creator Owner has full control and use a group for all students to have only Read access.

Regards
Sukh
elsiegee40, posted March 1, 2011

Stuff for staff to give the students, assuming every student is allowed to see it, is easy in its own folder.

To be honest, the rest of what you are describing is email... I don't think it can be sensibly achieved on a shared drive without setting up a duplicate Home Drive structure or by giving staff access to actual pupil home drives. In my school, a primary, the latter is what happens, but in secondary schools this is often discouraged because the exam boards take a dim view and because students don't want staff routinely accessing their home drives as a privacy issue.
Jamo, posted March 1, 2011

You can use a 'drop folder' style where the users only have write access not read? We have a student shared drive where staff can read/write and students can drop their work off in a folder which the teacher can then pick up.
sukh, posted March 1, 2011

Hi

What if you create a shared folder for, say, a Maths teacher and call it Mr X. Then share this folder (change permission) and also set the permissions on the folder as Creator Owner Full control and create another group for the students with READ only access?

Regards
Sukh
goaliepride (author), posted March 1, 2011

Thanks everyone. I've created a main folder which everyone connects to.

Main Folder: staff, change permissions. Students (apply to: this folder only): traverse folder / execute file, list folder / read data, read attributes, read extended attributes, read permissions.

Subfolders created for each teacher: students (apply to: this folder and subfolders), same as above + create files / write data.

I'm going to try to write some PowerShell or something to script this too, but we'll see on that. The method is sound, though.
goaliepride (author), posted March 2, 2011

I've created a PowerShell script to do this for me. The teachers.txt has a list of teacher last names (the folders I want to create). The DontDelete folder has the correct permissions set on it, which I copy to the others. I found a few ways of doing PowerShell where it can set permissions I specify, but they kept seeming to overwrite each other rather than add (so replace, rather than edit) and it was bugging me so I went the easy but imperfect route. Enjoy!

    #Read a text file to know what folders to create
    $names = Get-Content "\\**Path hidden for privacy**\teachers.txt"
    #Count the names for future loop usage
    $nametotal = $names.length
    #The root folder for what we're going to create
    $root = "\\**Path hidden for privacy**\StudentTurnIn\"
    #Grab the ACL for the folder we'd like to mimic the permissions of
    $templateacl = get-acl "\\**Path hidden for privacy**\StudentTurnIn\DontDelete"

    #For loop to create folders that don't exist and assign permission
    For($loopcount=0; $loopcount -ne $nametotal; $loopcount+=1)
    {
        #Find the name of the next teacher folder
        $currentteach = $names[$loopcount]
        #Add the root path to the teacher to create
        $folderinquestion = join-path $root $currentteach
        #Test if the path already exists
        $pathexists = test-path $folderinquestion
        #Create the folder if it doesn't exist
        if ($pathexists -eq $False){New-Item $folderinquestion -type directory}
        #Set the new ACL (copied from the template folder)
        Set-Acl -Path $folderinquestion -AclObject $templateacl
    }
goaliepride (author), posted March 2, 2011

Here's another version. I changed it so that it created folders for periods within the main folders. My teacher list also evolved to go "Last name (next line) first initial (next line) Last name (next line) first initial" and so forth. Our domain's naming convention is firstinitiallastname, so by getting this I copy the ACL from my template folders, apply it to their folders, and then add them as full control to their folder. In this way I can prevent other teachers from accessing their stuff, or more likely, prevent some rogue student from logging on as his teacher and wiping everything every teacher has. Neat huh?

    #Read a text file to know what folders to create
    $names = Get-Content "\\bogusfs02\bogus-Students\StudentTurnIn\DontDelete\teachers.txt"
    #Count the names for future loop usage
    $nametotal = $names.length
    #The root folder for what we're going to create
    $root = "\\bogusfs02\bogus-Students\StudentTurnIn"
    #Grab the ACL for the folder we'd like to mimic the permissions of
    $templateacl = get-acl "\\bogusfs02\bogus-Students\StudentTurnIn\DontDelete"

    #For loop to create folders that don't exist and assign permission
    For($loopcount=0; $loopcount -ne $nametotal; $loopcount+=1)
    {
        #Find the name of the next teacher folder
        $currentteach = $names[$loopcount]
        #Add the root path to the teacher to create
        $folderinquestion = join-path $root $currentteach
        #Test if the path already exists
        $pathexists = test-path $folderinquestion
        #Create the folder if it doesn't exist
        if ($pathexists -eq $False){New-Item $folderinquestion -type directory}
        #Set the new ACL (copied from the template folder)
        Set-Acl -Path $folderinquestion -AclObject $templateacl

        #Create an array with the number of periods at the school, including zero
        $PeriodArray = 0..7
        #Count the length of the period array
        $periodarraytotal = $periodarray.length

        #Get the name of the teacher, and the username
        #(the list alternates last name / first initial, so step to the next line)
        $lastname = $names[$loopcount]
        $loopcount=$loopcount+1
        $firstinitial = $names[$loopcount]
        $username = "$firstinitial$lastname"

        #Grab the current ACL, add the user as full control, set them to the ACL
        $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $propagation = [system.security.accesscontrol.PropagationFlags]"None"
        $acl = get-acl $folderinquestion
        $permission = "LOSAL\$username","FullControl", $inherit, $propagation, "Allow"
        $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule ($permission)
        $acl.SetAccessRule($accessRule)
        $acl | Set-Acl $folderinquestion

        #For loop to add the Period folders. Permissions are taken from inheritance
        For($perloopcount=0; $perloopcount -ne $periodarraytotal; $perloopcount+=1)
        {
            $currentperiod = $periodarray[$perloopcount]
            $periodfolder = "$folderinquestion\Period $currentperiod"
            $pathexists = test-path $periodfolder
            if ($pathexists -eq $False){New-Item $periodfolder -type directory}
        }
    }
Gibbo, posted March 3, 2011

We have two mapped drives - DISTRIB and DROP. DISTRIB has full access for staff, read-only for pupils. DROP is a folder where pupils can save their work. It's done with CREATOR OWNER permissions:

domain admins - everything
staff - read/write/modify
Pupil Group - write
CREATOR/OWNER - read, modify (and write if you have to have it to get modify enabled)
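A drop-folder ACL of the kind described in the posts above, built rule by rule instead of copied from a template folder (an added example, not code from any poster in this thread). The group names EXAMPLE\Students and EXAMPLE\Staff, the account and folder path in the usage lines, and all three function names are placeholders. It uses AddAccessRule, which merges a new entry into the ACL, where SetAccessRule replaces the entries the same identity already holds.

```powershell
# Added example. EXAMPLE\* names, the path and the function names are placeholders.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisOnly  = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp    = [System.Security.AccessControl.PropagationFlags]::None
$ChildOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Build one Allow entry; $Rights is a comma-separated list of FileSystemRights names.
function New-Ace($Identity, $Rights, $InheritFlags, $PropFlags) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
        $InheritFlags, $PropFlags, 'Allow')
}

function New-DropFolderAcl {
    param([string]$StudentGroup, [string]$StaffGroup)
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # Protect the ACL: stop inheriting from the parent and drop inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $Inherit $NoProp))
    $acl.AddAccessRule((New-Ace $StaffGroup 'Modify' $Inherit $NoProp))
    # Students: enter the folder and create files in it, on this folder only.
    # Nothing is inherited by the files, so the group gets no read access to them.
    $studentRights = 'Traverse, ListDirectory, ReadAttributes, ' +
                     'ReadExtendedAttributes, ReadPermissions, CreateFiles'
    $acl.AddAccessRule((New-Ace $StudentGroup $studentRights $ThisOnly $NoProp))
    # CREATOR OWNER is inherit-only: on each new file it becomes an entry
    # for the student who created that file.
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'Modify' $Inherit $ChildOnly))
    $acl
}

# Add one teacher to a folder that already has an ACL, keeping the existing entries.
function Add-TeacherAccess {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-Ace $Account 'FullControl' $Inherit $NoProp))
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (placeholder values):
# $acl = New-DropFolderAcl -StudentGroup 'EXAMPLE\Students' -StaffGroup 'EXAMPLE\Staff'
# Set-Acl -Path 'D:\StudentTurnIn\ExampleTeacher' -AclObject $acl
# Add-TeacherAccess -Path 'D:\StudentTurnIn\ExampleTeacher' -Account 'EXAMPLE\eteacher'
```

Students keep ListDirectory on the folder here, so file names remain visible to the whole group unless access-based enumeration is enabled on the share; the file contents are readable only by the creating student, staff and administrators.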
bondbill2k2, posted March 3, 2011

We have a few mapped drives:

Central resources - students have read permission only, staff have creator permission. This is used for stuff like spreadsheets or files they want pupils to have for a lesson.

Pupil resources - This is located off the server on a NSbox and has the same permissions as central resources. Used to store stuff like pictures and videos (larger files), split into department folders.

Staff resources - Resources for staff only with creator permissions for staff members, also on NSbox and mainly used for large files again like videos and photos.

Staff docs - On server with same permission as staff resources, contains more general things like bulletins for staff, manuals and instructions for stuff, extra curric days, staff meeting minutes etc...
Heebeejeebee, posted March 3, 2011

Access based enumeration.

What he said!! Works brilliantly.

HBJB