Re: Admin access to roaming profiles (existing folders)

microsoft.public.windows.server.security
Posted by Lanwench [MVP - Exchange] on November 19, 2007, 11:20 am
> I'm trying to figure out how to give administrators access to roaming
> profile folders stored on a server. I've set "Add the administrators
> security group to roaming user profiles" in a group policy object
> which takes care of any future profiles, but now I'm stuck with approx
> 5000 existing folder to which administrators do not have access.

Been there :)
>
> I believe the process to give admin access is:
>
> 1. Take ownership as admin (recursively).
> 2. Grant full control to administrators.
> 3. Give ownership back to the original user (recursively).
>
> However, doing this manually is a huge pain and considering we have
> about 5000 folders to go through, I would prefer an automated
> solution. Any suggestions would be appreciated.
>
> Cheers,
> Rickard

XCACLS is your friend.

This may make it easier:

http://www.sh-soft.com/front_content.php?idcat=19

I love me a command line, but sometimes a GUI is helpful.



Posted by Lanwench [MVP - Exchange] on November 20, 2007, 9:28 am
> I've been playing with xacls.vbs a bit and I'm making progress. There
> are still some problems though. I created a new account and logged in
> in order to get a "template" of the permissions that are to be
> assigned to all the old folders. Here's the output from xacls.vbs:
>
> Allowed OURDOMAIN\test07ra Full Control This Folder Only
> Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
> Allowed BUILTIN\Administrators Full Control This Folder Only
> Allowed OURDOMAIN\test07ra Special (Unknown) Subfolders and Files
> Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and Files
> Allowed BUILTIN\Administrators Special (Unknown) Subfolders and Files
>
> Here's the output for the same folder using fileacl's /ADVANCED
> switch:
>
> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:RrRaRepWwAWaWePXDDcO/U/U
> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO/U/U
> V:\Shared\Profile\test07ra;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO/U/U
> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:U/F/F
> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:U/F/F
> V:\Shared\Profile\test07ra;BUILTIN\Administrators:U/F/F
>
> In other words, when the profile folder is created upon first login,
> the above permissions are assigned to the folder. What does "Special
> (Unknown)" mean?
>
> What I'm desperately looking for is instructions on how to duplicate
> these exact permissions onto other folders. With test07ra replaced
> with the respective usernames of course. I've tried fileacl's /BATCH
> switch, but it doesn't work as expected. This is what fileacl
> spits out for the test07ra folder when using the /BATCH switch:
>
> V:\Shared\Profile>fileacl.exe test07ra /BATCH /SUBS
> FILEACL V:\Shared\Profile\test07ra /INHERIT /REPLACE /SUB
> FILEACL V:\Shared\Profile\test07ra /S "CAMPUSHBG\test07ra":F/U/U /S "NT AUTHORITY\SYSTEM":F/U/U /S "BUILTIN\Administrators":F/U/U /S "CAMPUSHBG\test07ra":U/F/F /S "NT AUTHORITY\SYSTEM":U/F/F /S "BUILTIN\Administrators":U/F/F /REPLACE /PROTECT
>
> However, if I run these two commands on another folder, I end up with:
>
> V:\Shared\Profile>fileacl.exe test2 /ADVANCED
> V:\Shared\Profile\test2;BUILTIN\Administrators:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
> V:\Shared\Profile\test2;NT AUTHORITY\SYSTEM:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
> V:\Shared\Profile\test2;CAMPUSHBG\test2:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
>
> which is not the same as the folder from which I "copied" the
> permissions.
>
> I'm lost!

Note - I'm not a scripting guru either. And as much as I love command lines,
this particular sort of thing makes me nervous. Last time I did this, I used
the GUI in the link I originally posted for you - and *added* the group
Administrators, without changing anything else. Sorry I can't help further;
you might post in m.p.windows.server.scripting if you want to do this
without the little gui helper.
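The three-step procedure from the first post (take ownership, grant Administrators full control, hand ownership back to the user), automated over every profile folder as an added example; this is not code from the thread or from any of the tools it names, and it uses takeown.exe and icacls.exe rather than xcacls or fileacl. It assumes each top-level folder under V:\Shared\Profile is named after the user's account in OURDOMAIN, that it runs from an elevated prompt as a member of Administrators on the file server, and, following Lanwench's approach, it only adds Administrators instead of replacing the existing ACL.

```powershell
# Added example (not from the thread). Assumes: each top-level folder under
# $ProfileRoot is named after the user's account in $Domain, the script runs
# from an elevated prompt as a member of Administrators on the file server,
# and takeown.exe / icacls.exe are available. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProfileRoot = 'V:\Shared\Profile',   # path from the thread
    [string]$Domain      = 'OURDOMAIN'            # domain name from the thread
)

function Resolve-Account([string]$Account) {
    # Translate DOMAIN\name to a SID; returns $null if the account does not
    # exist, so a stale or mistyped folder name is never handed to /setowner.
    try {
        return (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch { return $null }
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $folder = $_.FullName
    $user   = "$Domain\$($_.Name)"

    if (-not (Resolve-Account $user)) {
        Write-Warning "Skipping $folder : cannot resolve $user"
        return
    }
    if (-not $PSCmdlet.ShouldProcess($folder, "add Administrators, restore owner $user")) {
        return
    }

    # Step 1: take ownership of the whole tree for the Administrators group (/A),
    # answering Y (/D Y) where the current ACL denies even listing a folder.
    & takeown.exe /F $folder /A /R /D Y | Out-Null

    # Step 2: add one inheritable Full Control ACE for Administrators
    # ((OI)(CI) = files and subfolders inherit it); /T recurses, /C continues
    # past per-file errors. Existing ACEs are left untouched.
    & icacls.exe $folder /grant 'BUILTIN\Administrators:(OI)(CI)F' /T /C | Out-Null

    # Step 3: give the tree back to the user; otherwise the roaming profile
    # will not load at the next logon.
    & icacls.exe $folder /setowner $user /T /C | Out-Null

    # Verify: the profile root must be owned by the user again.
    $owner = (Get-Acl -LiteralPath $folder).Owner
    if ($owner -ne $user) { Write-Warning "$folder is owned by $owner, expected $user" }
}
```

Test it against a copy of a handful of profile folders before pointing it at all 5000, and keep the -WhatIf output as a record of which folders it intends to touch.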



Posted by Al Dunbar on November 20, 2007, 11:39 pm

> On 19 Nov, 17:20, "Lanwench [MVP - Exchange]"
>> XCACLS is your friend.
>
> I'm sure it is. I'm no scripting wiz though. I figured this was a
> common problem and that maybe there was an existing solution.
>
> I had a look at xcacls.vbs and I understand how to use it. I am
> however uncertain how to reset the ownership once I've taken ownership
> and given administrators full control. You know, I have to make the
> original user owner again in order for him/her to be able to login.
>
> While we're on the subject, what's the difference between cacls,
> xcacls.exe and xcacls.vbs?

CACLS.exe is the version that comes with Windows. The earlier versions (i.e.
in the earlier versions of Windows) were such that XCACLS.exe started
showing up in various resource kits. I'm not sure what versions of this
might exist, but until XP/2k3, XCACLS.exe was generally the way to go. I use
CACLS.exe from XP and from 2k3 with no problems. Note that some of the older
versions might cause problems when working with the newer version of NTFS
(i.e. the one with dynamic inheritance).

XCACLS.vbs - I think this was devised with NTFS versions in mind, but I
don't know what functional differences there might be with CACLS.exe.

/Al

>> This may make it easier:
>>
>> http://www.sh-soft.com/front_content.php?idcat=19
>>
>> I love me a command line, but sometimes a GUI is helpful.
>
> Looks cool. It appears to only support a small subset of XCACLS.vbs
> though. Look at this:
> http://www.sh-soft.com/upload/50-Tools/xcacls/mainform_sections_1.png
>
> Pegasus: I did search for an existing topic on the subject, but I
> wasn't able to find anything. Also, the topic you referred to didn't
> exactly contain the solution.
>
> Cheers,
> Rickard
