Guest Rickard Posted November 19, 2007

I'm trying to figure out how to give administrators access to roaming profile folders stored on a server. I've set "Add the administrators security group to roaming user profiles" in a group policy object which takes care of any future profiles, but now I'm stuck with approx 5000 existing folders to which administrators do not have access.

I believe the process to give admin access is:

1. Take ownership as admin (recursively).
2. Grant full control to administrators.
3. Give ownership back to the original user (recursively).

However, doing this manually is a huge pain and considering we have about 5000 folders to go through, I would prefer an automated solution. Any suggestions would be appreciated.

Cheers,
Rickard
Guest Lanwench [MVP - Exchange] Posted November 19, 2007

Re: Admin access to roaming profiles (existing folders)

Rickard <rickard.andersson@gmail.com> wrote:
> I'm trying to figure out how to give administrators access to roaming
> profile folders stored on a server. I've set "Add the administrators
> security group to roaming user profiles" in a group policy object
> which takes care of any future profiles, but now I'm stuck with approx
> 5000 existing folders to which administrators do not have access.

Been there :)

> I believe the process to give admin access is:
>
> 1. Take ownership as admin (recursively).
> 2. Grant full control to administrators.
> 3. Give ownership back to the original user (recursively).
>
> However, doing this manually is a huge pain and considering we have
> about 5000 folders to go through, I would prefer an automated
> solution. Any suggestions would be appreciated.
>
> Cheers,
> Rickard

XCACLS is your friend.

This may make it easier:

http://www.sh-soft.com/front_content.php?idcat=19

I love me a command line, but sometimes a GUI is helpful.
Guest Pegasus (MVP) Posted November 19, 2007

Re: Admin access to roaming profiles (existing folders)

"Rickard" <rickard.andersson@gmail.com> wrote in message news:9b3c4044-1370-4211-963c-fd27a21eceb9@f3g2000hsg.googlegroups.com...
> I'm trying to figure out how to give administrators access to roaming
> profile folders stored on a server. I've set "Add the administrators
> security group to roaming user profiles" in a group policy object
> which takes care of any future profiles, but now I'm stuck with approx
> 5000 existing folders to which administrators do not have access.
>
> I believe the process to give admin access is:
>
> 1. Take ownership as admin (recursively).
> 2. Grant full control to administrators.
> 3. Give ownership back to the original user (recursively).
>
> However, doing this manually is a huge pain and considering we have
> about 5000 folders to go through, I would prefer an automated
> solution. Any suggestions would be appreciated.
>
> Cheers,
> Rickard

Have a look at the almost identical thread headed "Admin access denied to view roaming profiles", posted here less than two days ago. It always pays to look at existing threads before starting a new one.
Guest Rickard Posted November 20, 2007

Re: Admin access to roaming profiles (existing folders)

On 19 Nov, 17:20, "Lanwench [MVP - Exchange]" <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> XCACLS is your friend.

I'm sure it is. I'm no scripting wiz though. I figured this was a common problem and that maybe there was an existing solution.

I had a look at xcacls.vbs and I understand how to use it. I am however uncertain how to reset the ownership once I've taken ownership and given administrators full control. You know, I have to make the original user owner again in order for him/her to be able to log in.

While we're on the subject, what's the difference between cacls, xcacls.exe and xcacls.vbs?

> This may make it easier:
>
> http://www.sh-soft.com/front_content.php?idcat=19
>
> I love me a command line, but sometimes a GUI is helpful.

Looks cool. It appears to only support a small subset of XCACLS.vbs though. Look at this:
http://www.sh-soft.com/upload/50-Tools/xcacls/mainform_sections_1.png

Pegasus: I did search for an existing topic on the subject, but I wasn't able to find anything. Also, the topic you referred to didn't exactly contain the solution.

Cheers,
Rickard
Guest Rickard Posted November 20, 2007

Re: Admin access to roaming profiles (existing folders)

I've been playing with xcacls.vbs a bit and I'm making progress. There are still some problems though. I created a new account and logged in in order to get a "template" of the permissions that are to be assigned to all the old folders. Here's the output from xcacls.vbs:

Allowed OURDOMAIN\test07ra        Full Control       This Folder Only
Allowed NT AUTHORITY\SYSTEM       Full Control       This Folder Only
Allowed BUILTIN\Administrators    Full Control       This Folder Only
Allowed OURDOMAIN\test07ra        Special (Unknown)  Subfolders and Files
Allowed NT AUTHORITY\SYSTEM       Special (Unknown)  Subfolders and Files
Allowed BUILTIN\Administrators    Special (Unknown)  Subfolders and Files

Here's the output for the same folder using fileacl's /ADVANCED switch:

V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:RrRaRepWwAWaWePXDDcO/U/U
V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO/U/U
V:\Shared\Profile\test07ra;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO/U/U
V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:U/F/F
V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:U/F/F
V:\Shared\Profile\test07ra;BUILTIN\Administrators:U/F/F

In other words, when the profile folder is created upon first login, the above permissions are assigned to the folder. What does "Special (Unknown)" mean?

What I'm desperately looking for is instructions on how to duplicate these exact permissions onto other folders. With test07ra replaced with the respective usernames of course. I've tried fileacl's /BATCH switch, but it doesn't work as expected. This is what fileacl spits out for the test07ra folder when using the /BATCH switch:

V:\Shared\Profile>fileacl.exe test07ra /BATCH /SUBS
FILEACL V:\Shared\Profile\test07ra /INHERIT /REPLACE /SUB
FILEACL V:\Shared\Profile\test07ra /S "CAMPUSHBG\test07ra":F/U/U /S "NT AUTHORITY\SYSTEM":F/U/U /S "BUILTIN\Administrators":F/U/U /S "CAMPUSHBG\test07ra":U/F/F /S "NT AUTHORITY\SYSTEM":U/F/F /S "BUILTIN\Administrators":U/F/F /REPLACE /PROTECT

However, if I run these two commands on another folder, I end up with:

V:\Shared\Profile>fileacl.exe test2 /ADVANCED
V:\Shared\Profile\test2;BUILTIN\Administrators:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
V:\Shared\Profile\test2;NT AUTHORITY\SYSTEM:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
V:\Shared\Profile\test2;CAMPUSHBG\test2:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO

which is not the same as the folder from which I "copied" the permissions.

I'm lost!
Guest Lanwench [MVP - Exchange] Posted November 20, 2007

Re: Admin access to roaming profiles (existing folders)

Rickard <rickard.andersson@gmail.com> wrote:
> I've been playing with xcacls.vbs a bit and I'm making progress. There
> are still some problems though. I created a new account and logged in
> in order to get a "template" of the permissions that are to be
> assigned to all the old folders. Here's the output from xcacls.vbs:
>
> Allowed OURDOMAIN\test07ra        Full Control       This Folder Only
> Allowed NT AUTHORITY\SYSTEM       Full Control       This Folder Only
> Allowed BUILTIN\Administrators    Full Control       This Folder Only
> Allowed OURDOMAIN\test07ra        Special (Unknown)  Subfolders and Files
> Allowed NT AUTHORITY\SYSTEM       Special (Unknown)  Subfolders and Files
> Allowed BUILTIN\Administrators    Special (Unknown)  Subfolders and Files
>
> Here's the output for the same folder using fileacl's /ADVANCED
> switch:
>
> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:RrRaRepWwAWaWePXDDcO/U/U
> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO/U/U
> V:\Shared\Profile\test07ra;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO/U/U
> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:U/F/F
> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:U/F/F
> V:\Shared\Profile\test07ra;BUILTIN\Administrators:U/F/F
>
> In other words, when the profile folder is created upon first login,
> the above permissions are assigned to the folder. What does "Special
> (Unknown)" mean?
>
> What I'm desperately looking for is instructions on how to duplicate
> these exact permissions onto other folders. With test07ra replaced
> with the respective usernames of course. I've tried fileacl's
> /BATCH switch, but it doesn't work as expected. This is what fileacl
> spits out for the test07ra folder when using the /BATCH switch:
>
> V:\Shared\Profile>fileacl.exe test07ra /BATCH /SUBS
> FILEACL V:\Shared\Profile\test07ra /INHERIT /REPLACE /SUB
> FILEACL V:\Shared\Profile\test07ra /S "CAMPUSHBG\test07ra":F/U/U /S
> "NT AUTHORITY\SYSTEM":F/U/U /S "BUILTIN\Administrators":F/U/U /S
> "CAMPUSHBG\test07ra":U/F/F /S "NT AUTHORITY\SYSTEM":U/F/F /S
> "BUILTIN\Administrators":U/F/F /REPLACE /PROTECT
>
> However, if I run these two commands on another folder, I end up with:
>
> V:\Shared\Profile>fileacl.exe test2 /ADVANCED
> V:\Shared\Profile\test2;BUILTIN\Administrators:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
> V:\Shared\Profile\test2;NT AUTHORITY\SYSTEM:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
> V:\Shared\Profile\test2;CAMPUSHBG\test2:U/RrRaRepWwAWaWePXDDcO/RrRaRepWwAWaWePXDDcO
>
> which is not the same as the folder from which I "copied" the
> permissions.
>
> I'm lost!

Note - I'm not a scripting guru either. And as much as I love command lines, this particular sort of thing makes me nervous. Last time I did this, I used the GUI in the link I originally posted for you - and *added* the group Administrators, without changing anything else. Sorry I can't help further; you might post in m.p.windows.server.scripting if you want to do this without the little GUI helper.
Guest Al Dunbar Posted November 21, 2007

Re: Admin access to roaming profiles (existing folders)

"Rickard" <rickard.andersson@gmail.com> wrote in message news:ee85d50d-d768-4211-bb48-c822fb90317c@n20g2000hsh.googlegroups.com...
> On 19 Nov, 17:20, "Lanwench [MVP - Exchange]"
> <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
>> XCACLS is your friend.
>
> I'm sure it is. I'm no scripting wiz though. I figured this was a
> common problem and that maybe there was an existing solution.
>
> I had a look at xcacls.vbs and I understand how to use it. I am
> however uncertain how to reset the ownership once I've taken ownership
> and given administrators full control. You know, I have to make the
> original user owner again in order for him/her to be able to log in.
>
> While we're on the subject, what's the difference between cacls,
> xcacls.exe and xcacls.vbs?

CACLS.exe is the version that comes with Windows. The earlier versions (i.e. in the earlier versions of Windows) were such that XCACLS.exe started showing up in various resource kits. I'm not sure what versions of this might exist, but until XP/2k3, XCACLS.exe was generally the way to go. I use CACLS.exe from XP and from 2k3 with no problems. Note that some of the older versions might cause problems when working with the newer version of NTFS (i.e. the one with dynamic inheritance).

XCACLS.vbs - I think this was devised with NTFS versions in mind, but I don't know what functional differences there might be with CACLS.exe.

/Al

>> This may make it easier:
>>
>> http://www.sh-soft.com/front_content.php?idcat=19
>>
>> I love me a command line, but sometimes a GUI is helpful.
>
> Looks cool. It appears to only support a small subset of XCACLS.vbs
> though. Look at this:
> http://www.sh-soft.com/upload/50-Tools/xcacls/mainform_sections_1.png
>
> Pegasus: I did search for an existing topic on the subject, but I
> wasn't able to find anything. Also, the topic you referred to didn't
> exactly contain the solution.
>
> Cheers,
> Rickard
Guest Rickard Posted November 21, 2007

Re: Admin access to roaming profiles (existing folders)

On 20 Nov, 15:28, "Lanwench [MVP - Exchange]" <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> Note - I'm not a scripting guru either. And as much as I love command lines,
> this particular sort of thing makes me nervous. Last time I did this, I used
> the GUI in the link I originally posted for you - and *added* the group
> Administrators, without changing anything else. Sorry I can't help further;
> you might post in m.p.windows.server.scripting if you want to do this
> without the little gui helper.

After a few hours of trial and error, this is what I came up with:

    @echo off
    rem Run from the profile root. Every subfolder is named after its user;
    rem "templateuser" is the folder whose ACL and owner are cloned.
    for /F "tokens=*" %%D in ('dir /ad /b *') do call :Sub "%%D"
    goto :eof

    :Sub
    rem %~1 = folder name = username. Skip the template folder itself.
    if /I "%~1"=="templateuser" goto :eof
    echo Processing %~1 ...
    subinacl.exe /file "%~1" /objectcopysecurity=templateuser >> fix.log
    subinacl.exe /file "%~1" /replace=templateuser=%~1 >> fix.log
    fileacl.exe "%~1" /INHERIT /REPLACE /NOROOT /SUB /FILES >> fix.log
    fileacl.exe "%~1" /O %~1 /NOROOT /SUB /FILES >> fix.log
    goto :eof

It iterates through all directories and for each directory does the following:

1. Copies the permissions from the folder templateuser to the current directory (this also changes the owner).
2. Replaces the permissions for "templateuser" that were copied in step 1 with the username that matches the current directory.
3. Removes all non-standard permissions from subdirectories and files in the current directory and sets the inherit flag (inherit from parent).
4. Sets the owner back to the current user.

At first I was attempting to set the permissions manually as opposed to copying them from a folder with the correct permissions, but I was unable to replicate the permissions perfectly. subinacl.exe with the /objectcopysecurity and /replace switches really came to the rescue.

I just ran it overnight. I'm going to browse through fix.log to see if there were any problems, but looking at a sample of maybe 10 folders, it appears to have worked beautifully!

Thanks for the help.

Cheers,
Rickard
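The three-step procedure from the opening post (take ownership as admin, grant Administrators Full Control, hand ownership back to the user), as an added example that is not Rickard's script and does not use subinacl or fileacl: it drives only the in-box takeown.exe and icacls.exe from PowerShell. It assumes the profile root V:\Shared\Profile seen in the thread, that each folder is named after the user's sAMAccountName, and a hypothetical NetBIOS domain name OURDOMAIN; the log file name fix.log and the -DryRun switch are also this example's own. Run it elevated on the file server, with -DryRun first.

```powershell
# Added example: grant BUILTIN\Administrators Full Control on existing roaming
# profile folders and give ownership back to each user, using takeown/icacls.
# Assumptions (hypothetical): $ProfileRoot holds one folder per user, named
# after the sAMAccountName; $Domain is the NetBIOS domain name.
param(
    [string]$ProfileRoot = 'V:\Shared\Profile',
    [string]$Domain      = 'OURDOMAIN',
    [string]$Log         = '.\fix.log',
    [switch]$DryRun
)

# Run one native command, append command line and output to the log,
# and warn (but continue) on a non-zero exit code.
function Invoke-Logged {
    param([string]$Exe, [string[]]$Arguments)
    $line = "$Exe $($Arguments -join ' ')"
    if ($DryRun) {
        Add-Content -Path $Log -Value "[dry-run] $line"
        Write-Host "[dry-run] $line"
        return
    }
    $out = & $Exe @Arguments 2>&1
    Add-Content -Path $Log -Value ($line, $out)
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$Exe exited with $LASTEXITCODE for: $line"
    }
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $folder = $_.FullName
    $user   = "$Domain\$($_.Name)"

    # Only touch folders whose name resolves to a real account; stale
    # folders from deleted users are left for manual review.
    try {
        $null = (New-Object System.Security.Principal.NTAccount($user)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping ${folder}: cannot resolve account $user"
        return
    }

    Write-Host "Processing $folder as $user ..."

    # 1. Take ownership as the Administrators group, recursively (/A /R).
    #    /D Y answers "yes" for subfolders we cannot yet list.
    Invoke-Logged 'takeown.exe' @('/F', $folder, '/A', '/R', '/D', 'Y')

    # 2. Add (not replace) an inheritable Full Control ACE for Administrators
    #    on the whole tree. /T recurses, /C continues past per-file errors.
    Invoke-Logged 'icacls.exe' @($folder, '/grant', 'BUILTIN\Administrators:(OI)(CI)F', '/T', '/C')

    # 3. Hand ownership of the tree back to the user. icacls /setowner needs
    #    the Administrators access granted in step 2 to succeed.
    Invoke-Logged 'icacls.exe' @($folder, '/setowner', $user, '/T', '/C')
}
```

Unlike the subinacl /objectcopysecurity approach in Rickard's script, this only adds one ACE and resets the owner; it does not normalize any other permissions already on the folders, so an inconsistently permissioned tree stays inconsistent apart from the Administrators entry. Review fix.log for non-zero exit codes (/C lets icacls continue past individual files it could not touch) and spot-check a few folders with icacls <folder> before declaring the job done.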