Admin access to roaming profiles (existing folders)

[Guest Rickard]

I'm trying to figure out how to give administrators access to roaming

profile folders stored on a server. I've set "Add the administrators

security group to roaming user profiles" in a group policy object

which takes care of any future profiles, but now I'm stuck with approx

5000 existing folder to which administrators do not have access.

 

I believe the process to give admin access is:

 

1. Take ownership as admin (recursively).

2. Grant full control to administrators.

3. Give ownership back to the original user (recursively).

 

However, doing this manually is a huge pain and considering we have

about 5000 folders to go through, I would prefer an automated

solution. Any suggestions would be appreciated.

 

Cheers,

Rickard

[Guest Lanwench [MVP - Exchange]]

Re: Admin access to roaming profiles (existing folders)

 

Rickard <rickard.andersson@gmail.com> wrote:

> I'm trying to figure out how to give administrators access to roaming

> profile folders stored on a server. I've set "Add the administrators

> security group to roaming user profiles" in a group policy object

> which takes care of any future profiles, but now I'm stuck with approx

> 5000 existing folder to which administrators do not have access.

 

Been there :)

>

> I believe the process to give admin access is:

>

> 1. Take ownership as admin (recursively).

> 2. Grant full control to administrators.

> 3. Give ownership back to the original user (recursively).

>

> However, doing this manually is a huge pain and considering we have

> about 5000 folders to go through, I would prefer an automated

> solution. Any suggestions would be appreciated.

>

> Cheers,

> Rickard

 

XCACLS is your friend.

 

This may make it easier:

 

http://www.sh-soft.com/front_content.php?idcat=19

 

I love me a command line, but sometimes a GUI is helpful.

[Guest Pegasus \(MVP\)]

Re: Admin access to roaming profiles (existing folders)

 

 

"Rickard" <rickard.andersson@gmail.com> wrote in message

news:9b3c4044-1370-4211-963c-fd27a21eceb9@f3g2000hsg.googlegroups.com...

> I'm trying to figure out how to give administrators access to roaming

> profile folders stored on a server. I've set "Add the administrators

> security group to roaming user profiles" in a group policy object

> which takes care of any future profiles, but now I'm stuck with approx

> 5000 existing folder to which administrators do not have access.

>

> I believe the process to give admin access is:

>

> 1. Take ownership as admin (recursively).

> 2. Grant full control to administrators.

> 3. Give ownership back to the original user (recursively).

>

> However, doing this manually is a huge pain and considering we have

> about 5000 folders to go through, I would prefer an automated

> solution. Any suggestions would be appreciated.

>

> Cheers,

> Rickard

 

Have a look at the almost identical thread headed

"Admin access denied to view roaming profiles", posted

here less than two days ago. It always pays to look at

existing threads before starting a new one.

[Guest Rickard]

Re: Admin access to roaming profiles (existing folders)

 

On 19 Nov, 17:20, "Lanwench [MVP - Exchange]"

<lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:

> XCACLS is your friend.

 

I'm sure it is. I'm no scripting wiz though. I figured this was a

common problem and that maybe there was an existing solution.

 

I had a look at xcacls.vbs and I understand how to use it. I am

however uncertain how to reset the ownership once I've taken ownership

and given administrators full control. You know, I have to make the

original user owner again in order for him/her to be able to login.

 

While we're on the subject, what's the difference between cacls,

xcacls.exe and xcacls.vbs?

> This may make it easier:

>

> http://www.sh-soft.com/front_content.php?idcat=19

>

> I love me a command line, but sometimes a GUI is helpful.

 

Looks cool. It appears to only support a small subset of XCACLS.vbs

though. Look at this: http://www.sh-soft.com/upload/50-Tools/xcacls/mainform_sections_1.png

 

Pegasus: I did search for an existing topic on the subject, but I

wasn't able to find anything. Also, the topic you referred to didn't

exactly contain the solution.

 

Cheers,

Rickard

[Guest Rickard]

Re: Admin access to roaming profiles (existing folders)

 

I've been playing with xacls.vbs a bit and I'm making progress. There

are still some problems though. I created a new account and logged in

in order to get a "template" of the permissions that are to be

assigned to all the old folders. Here's the output from xacls.vbs:

 

Allowed OURDOMAIN\test07ra Full Control This Folder

Only

Allowed NT AUTHORITY\SYSTEM Full Control This Folder

Only

Allowed BUILTIN\Administrators Full Control This Folder

Only

Allowed OURDOMAIN\test07ra Special (Unknown) Subfolders and

Files

Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and

Files

Allowed BUILTIN\Administrators Special (Unknown) Subfolders and

Files

 

Here's the output for the same folder using fileacl's /ADVANCED

switch:

 

V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:RrRaRepWwAWaWePXDDcO/U/U

V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO/U/

U

V:\Shared\Profile\test07ra;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO/

U/U

V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:U/F/F

V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:U/F/F

V:\Shared\Profile\test07ra;BUILTIN\Administrators:U/F/F

 

In other words, when the profile folder is created upon first login,

the above permissions are assigned to the folder. What does "Special

(Unknown)" mean?

 

What I'm desperately looking for is instructions on how to duplicate

these exact permissions onto other folders. With test07ra replaced

with the the respective usernames of course. I've tried fileacl's /

BATCH switch, but it doesn't work as expected. This is what fileacl

spits out for the test07ra folder when using the /BATCH switch:

 

V:\Shared\Profile>fileacl.exe test07ra /BATCH /SUBS

FILEACL V:\Shared\Profile\test07ra /INHERIT /REPLACE /SUB

FILEACL V:\Shared\Profile\test07ra /S "CAMPUSHBG\test07ra":F/U/U /S

"NT AUTHORITY\SYSTEM":F/U/U /S "BUILTIN\Administrators":F/U/U /S

"CAMPUSHBG\test07ra":U/F/F /S "NT AUTHORITY\SYSTEM":U/F/F /S "BUILTIN

\Administrators":U/F/F /REPLACE /PROTECT

 

However, if I run these two commands on another folder, I end up with:

 

V:\Shared\Profile>fileacl.exe test2 /ADVANCED

V:\Shared\Profile\test2;BUILTIN\Administrators:U/RrRaRepWwAWaWePXDDcO/

RrRaRepWwAWaWePXDDcO

V:\Shared\Profile\test2;NT AUTHORITY\SYSTEM:U/RrRaRepWwAWaWePXDDcO/

RrRaRepWwAWaWePXDDcO

V:\Shared\Profile\test2;CAMPUSHBG\test2:U/RrRaRepWwAWaWePXDDcO/

RrRaRepWwAWaWePXDDcO

 

which is not the same as the folder from which I "copied" the

permissions.

 

I'm lost!

[Guest Lanwench [MVP - Exchange]]

Re: Admin access to roaming profiles (existing folders)

 

Rickard <rickard.andersson@gmail.com> wrote:

> I've been playing with xacls.vbs a bit and I'm making progress. There

> are still some problems though. I created a new account and logged in

> in order to get a "template" of the permissions that are to be

> assigned to all the old folders. Here's the output from xacls.vbs:

>

> Allowed OURDOMAIN\test07ra Full Control This Folder

> Only

> Allowed NT AUTHORITY\SYSTEM Full Control This Folder

> Only

> Allowed BUILTIN\Administrators Full Control This Folder

> Only

> Allowed OURDOMAIN\test07ra Special (Unknown) Subfolders and

> Files

> Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and

> Files

> Allowed BUILTIN\Administrators Special (Unknown) Subfolders and

> Files

>

> Here's the output for the same folder using fileacl's /ADVANCED

> switch:

>

> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:RrRaRepWwAWaWePXDDcO/U/U

> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO/U/

> U

> V:\Shared\Profile\test07ra;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO/

> U/U

> V:\Shared\Profile\test07ra;OURDOMAIN\test07ra:U/F/F

> V:\Shared\Profile\test07ra;NT AUTHORITY\SYSTEM:U/F/F

> V:\Shared\Profile\test07ra;BUILTIN\Administrators:U/F/F

>

> In other words, when the profile folder is created upon first login,

> the above permissions are assigned to the folder. What does "Special

> (Unknown)" mean?

>

> What I'm desperately looking for is instructions on how to duplicate

> these exact permissions onto other folders. With test07ra replaced

> with the the respective usernames of course. I've tried fileacl's /

> BATCH switch, but it doesn't work as expected. This is what fileacl

> spits out for the test07ra folder when using the /BATCH switch:

>

> V:\Shared\Profile>fileacl.exe test07ra /BATCH /SUBS

> FILEACL V:\Shared\Profile\test07ra /INHERIT /REPLACE /SUB

> FILEACL V:\Shared\Profile\test07ra /S "CAMPUSHBG\test07ra":F/U/U /S

> "NT AUTHORITY\SYSTEM":F/U/U /S "BUILTIN\Administrators":F/U/U /S

> "CAMPUSHBG\test07ra":U/F/F /S "NT AUTHORITY\SYSTEM":U/F/F /S "BUILTIN

> \Administrators":U/F/F /REPLACE /PROTECT

>

> However, if I run these two commands on another folder, I end up with:

>

> V:\Shared\Profile>fileacl.exe test2 /ADVANCED

> V:\Shared\Profile\test2;BUILTIN\Administrators:U/RrRaRepWwAWaWePXDDcO/

> RrRaRepWwAWaWePXDDcO

> V:\Shared\Profile\test2;NT AUTHORITY\SYSTEM:U/RrRaRepWwAWaWePXDDcO/

> RrRaRepWwAWaWePXDDcO

> V:\Shared\Profile\test2;CAMPUSHBG\test2:U/RrRaRepWwAWaWePXDDcO/

> RrRaRepWwAWaWePXDDcO

>

> which is not the same as the folder from which I "copied" the

> permissions.

>

> I'm lost!

 

Note - I'm not a scripting guru either. And as much as I love command lines,

this particular sort of thing makes me nervous. Last time I did this, I used

the GUI in the link I originally posted for you - and *added* the group

Administrators, without changing anything else. Sorry I can't help further;

you might post in m.p.windows.server.scripting if you want to do this

without the little gui helper.

[Guest Al Dunbar]

Re: Admin access to roaming profiles (existing folders)

 

 

"Rickard" <rickard.andersson@gmail.com> wrote in message

news:ee85d50d-d768-4211-bb48-c822fb90317c@n20g2000hsh.googlegroups.com...

> On 19 Nov, 17:20, "Lanwench [MVP - Exchange]"

> <lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:

>> XCACLS is your friend.

>

> I'm sure it is. I'm no scripting wiz though. I figured this was a

> common problem and that maybe there was an existing solution.

>

> I had a look at xcacls.vbs and I understand how to use it. I am

> however uncertain how to reset the ownership once I've taken ownership

> and given administrators full control. You know, I have to make the

> original user owner again in order for him/her to be able to login.

>

> While we're on the subject, what's the difference between cacls,

> xcacls.exe and xcacls.vbs?

 

CACLS.exe is the version that comes with windows. The earlier versions (i.e.

in the earlier versions of windows) were such that XCACLS.exe started

showing up in various resource kits. I'm not sure what versions of this

might exist, but until xp/2k3, XCACLS.exe was generally the way to go. I use

CACLS.exe from XP and from 2k3 with no problems. Note that some of the older

versions might cause problems when working with the newer version of NTFS

(i.e. the one with dynamic inheritance.

 

XCACLS.vbs - I think this was devised with NTFS versions in mind, but I

don't know what functional differences there might be with CACLS.exe.

 

/Al

>> This may make it easier:

>>

>> http://www.sh-soft.com/front_content.php?idcat=19

>>

>> I love me a command line, but sometimes a GUI is helpful.

>

> Looks cool. It appears to only support a small subset of XCACLS.vbs

> though. Look at this:

> http://www.sh-soft.com/upload/50-Tools/xcacls/mainform_sections_1.png

>

> Pegasus: I did search for an existing topic on the subject, but I

> wasn't able to find anything. Also, the topic you referred to didn't

> exactly contain the solution.

>

> Cheers,

> Rickard

[Guest Rickard]

Re: Admin access to roaming profiles (existing folders)

 

On 20 Nov, 15:28, "Lanwench [MVP - Exchange]"

<lanwe...@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:

> Note - I'm not a scripting guru either. And as much as I love command lines,

> this particular sort of thing makes me nervous. Last time I did this, I used

> the GUI in the link I originally posted for you - and *added* the group

> Administrators, without changing anything else. Sorry I can't help further;

> you might post in m.p.windows.server.scripting if you want to do this

> without the little gui helper.

 

After a few hours of trial and error, this is what I came up with:

 

@echo off

for /F "tokens=*" %%* in ('dir /ad /b *') do call :Sub %%*

goto :eof

 

:Sub

echo Processing %* ...

subinacl.exe /file %* /objectcopysecurity=templateuser >> fix.log

subinacl.exe /file %* /replace=templateuser=%* >> fix.log

fileacl.exe %* /INHERIT /REPLACE /NOROOT /SUB /FILES >> fix.log

fileacl.exe %* /O %* /NOROOT /SUB /FILES >> fix.log

 

It iterates through all directories and for each directory does the

following:

 

1. Copies the permissions from the folder templateuser to the current

directory (this also changes the owner).

2. Replaces the permissions for "templateuser" that were copied in

step 1 with the username that matches the current directory.

3. Removes all non-standard permissions from subdirectories and files

in the current directory and sets the inherit flag (inherit from

parent).

4. Sets the owner back to the current user.

 

At first I was attempting to set the permissions manually as opposed

to copying them from a folder with the correct permissions, but I was

unable to replicate the permissions perfectly. subinacl.exe with the /

objectcopysecurity and /replace switches really came to the rescue.

 

I just ran it overnight. I'm going to browse through fix.log to see if

there were any problems, but looking at a sample of maybe 10 folders,

it appears to have worked beautifully! Thanks for the help.

 

Cheers,

Rickard