Create a domain account with full access to all files and folders?

Posted by strsury on October 24, 2006, 11:03 am
Hi all,

We are starting a document retention project. As part of this project,
we need to index all data on all file servers. The indexing program
runs under a domain account.

How do I create the account in such a way that it has full access to
every file and folder in the domain? (I've explained the security
implications to mgmt)

I tried it as both a "domain administrator" and "backup operator" but
neither account was able to access everything. Is there another way to
go about it?

Thanks in advance for any tips.

Cheers!


Posted by MPerrault on October 24, 2006, 1:00 pm
You need to take over ownership as domain admin and push out allow
inheritable permissions to all subfolders. Security Explorer does a
great job of this.

http://www.scriptlogic.com/products/securityexplorer/

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@scriptlogic.com
www.scriptlogic.com


On Oct 24, 8:03 am, strs...@gmail.com wrote:
> Hi all,
>
> We are starting a document retention project. As part of this project,
> we need to index all data on all file servers. The indexing program
> runs under a domain account.
>
> How do I create the account in such a way that it has full access to
> every file and folder in the domain? (I've explained the security
> implications to mgmt)
>
> I tried it as both a "domain administrator" and "backup operator" but
> neither account was able to access everything. Is there another way to
> go about it?
>
> Thanks in advance for any tips.
>
> Cheers!


Posted by Roger Abell [MVP] on October 25, 2006, 1:16 am
You would likely be wary about doing massive changes
to the existing permissions of stored content. There is no
magic account, as the NTFS permissions are always obeyed,
except when access is done via the backup/restore APIs.
If the current permissions do not reliably provide a grant of
permissions to such as Administrators, then there is no group
you could use to allow an account to "become magic".
If your content is not too huge, you could try use of NTbackup
to copy content to an area where, when restored, it is restored
without restoring permissions. You would have the same
structures, but differently rooted, and if these new restore
roots granted to the magic group, then this could be indexed
by an account in the group.
Otherwise, you would need to alter permissions on the originals.

> Hi all,
>
> We are starting a document retention project. As part of this project,
> we need to index all data on all file servers. The indexing program
> runs under a domain account.
>
> How do I create the account in such a way that it has full access to
> every file and folder in the domain? (I've explained the security
> implications to mgmt)
>
> I tried it as both a "domain administrator" and "backup operator" but
> neither account was able to access everything. Is there another way to
> go about it?
>
> Thanks in advance for any tips.
>
> Cheers!
>
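
Added example (not part of the original thread and not any poster's code): a PowerShell audit of the situation Roger Abell describes, listing folders whose ACL gives a chosen group no applicable Allow entry for read, which is where an account in that group is refused. `$Root`, `$Group` and the function name `Test-GroupCanRead` are assumptions for illustration; the check looks only at ACEs naming that one group, not at the account's other memberships.

```powershell
# Added example: report folders where $Group has no effective read grant.
# $Root and $Group are assumptions; set them for your environment.
param(
    [string]$Root  = 'D:\Shares',               # hypothetical share root
    [string]$Group = 'BUILTIN\Administrators'   # group the indexing account is in
)

$readMask    = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-GroupCanRead {
    param([string]$Path, [string]$Group)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The ACL itself cannot be read: the caller has no access at all here.
        return [pscustomobject]@{ Path = $Path; Status = 'AclUnreadable'; Owner = $null }
    }
    # Keep ACEs that name the group and apply to this folder (not inherit-only).
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        ($_.PropagationFlags -band $inheritOnly) -eq 0
    })
    # Accumulate rights, since a grant may be spread over several ACEs.
    $allow = 0; $deny = 0
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    $status = if ($deny -band $readMask) { 'Denied' }
              elseif (($allow -band $readMask) -eq $readMask) { 'Granted' }
              else { 'NoGrant' }
    [pscustomobject]@{ Path = $Path; Status = $status; Owner = $acl.Owner }
}

# Walk the tree; folders that cannot be listed are collected in $walkErrors.
$results = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force `
               -ErrorAction SilentlyContinue -ErrorVariable walkErrors |
           ForEach-Object { Test-GroupCanRead -Path $_.FullName -Group $Group }

# Folders the group cannot rely on reading, with the current owner.
$results | Where-Object Status -ne 'Granted' |
    Sort-Object Status, Path | Format-Table -AutoSize

# Folders whose contents could not be enumerated at all.
$walkErrors | ForEach-Object { $_.TargetObject }
```

The output shows how much of the tree would need ownership or permission changes before deciding between altering the originals and indexing a restored copy.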



Posted by strsury on November 20, 2006, 3:25 am
Thank you both for your timely reply! Apologies for not thanking you
sooner; we went with the
"backup-to-a-place-with-full-perms-and-index-from-there" route.

Thanks again!


Roger Abell [MVP] wrote:
> You would likely be wary about doing massive changes
> to the existing permissions of stored content. There is no
> magic account, as the NTFS permissions are always obeyed,
> except when access is done via the backup/restore APIs.
> If the current permissions do not reliably provide a grant of
> permissions to such as Administrators, then there is no group
> you could use to allow an account to "become magic".
> If your content is not too huge, you could try use of NTbackup
> to copy content to an area where, when restored, it is restored
> without restoring permissions. You would have the same
> structures, but differently rooted, and if these new restore
> roots granted to the magic group, then this could be indexed
> by an account in the group.
> Otherwise, you would need to alter permissions on the originals.
>
> > Hi all,
> >
> > We are starting a document retention project. As part of this project,
> > we need to index all data on all file servers. The indexing program
> > runs under a domain account.
> >
> > How do I create the account in such a way that it has full access to
> > every file and folder in the domain? (I've explained the security
> > implications to mgmt)
> >
> > I tried it as both a "domain administrator" and "backup operator" but
> > neither account was able to access everything. Is there another way to
> > go about it?
> >
> > Thanks in advance for any tips.
> >
> > Cheers!
> >


Posted by Roger Abell [MVP] on November 22, 2006, 11:45 pm
Blast from the past! You're welcome.
--
ra

> Thank you both for your timely reply! Apologies for not thanking you
> sooner; we went with the
> "backup-to-a-place-with-full-perms-and-index-from-there" route.
>
> Thanks again!
>
>
> Roger Abell [MVP] wrote:
>> You would likely be wary about doing massive changes
>> to the existing permissions of stored content. There is no
>> magic account, as the NTFS permissions are always obeyed,
>> except when access is done via the backup/restore APIs.
>> If the current permissions do not reliably provide a grant of
>> permissions to such as Administrators, then there is no group
>> you could use to allow an account to "become magic".
>> If your content is not too huge, you could try use of NTbackup
>> to copy content to an area where, when restored, it is restored
>> without restoring permissions. You would have the same
>> structures, but differently rooted, and if these new restore
>> roots granted to the magic group, then this could be indexed
>> by an account in the group.
>> Otherwise, you would need to alter permissions on the originals.
>>
>> > Hi all,
>> >
>> > We are starting a document retention project. As part of this project,
>> > we need to index all data on all file servers. The indexing program
>> > runs under a domain account.
>> >
>> > How do I create the account in such a way that it has full access to
>> > every file and folder in the domain? (I've explained the security
>> > implications to mgmt)
>> >
>> > I tried it as both a "domain administrator" and "backup operator" but
>> > neither account was able to access everything. Is there another way to
>> > go about it?
>> >
>> > Thanks in advance for any tips.
>> >
>> > Cheers!
>> >
>


