| Author | Messages | |
bonnie.pohlschneider@xxxx.yyy
 | | 02/17/2006 3:41 AM |
| We create a home folder for each of our users in ADUC by adding the server path to the Profile Tab. When we set up the home folder, ADUC by default grants the user "Full Control" to this folder, which we would like to stop. We would prefer that they have the ability to read-write, but not to modify the permissions. Two questions here:
1) How do we stop ADUC from automatically granting full access to the end user on their home folder?
2) We have about 2000 home folders that have already been created with the incorrect permissions already set up. Is there a script or utility that can be used to remove the "Full Access" check box from the individual user accounts on the folders? (Just for a bit of background, only the domain admins and the user have access to each home folder.)
Any guidance would be much appreciated.
Bonnie Pohlschneider | | | |
| dharris
Posts:0
 | | 02/17/2006 7:16 AM |
| I'd like to have one that adds the perms back in the
right order: the attached one is supposed to reorder them, but doesn't.
The fix is simple but tedious -- open the security tab for each folder, and
Explorer will reorder them correctly. I modified this from one I found;
anyone have a better one?
Derek
```vbscript
' Walk every folder under strFolder, grant the domain user of the same name
' Full Control ("F") and remove any ACE for Everyone. Uses the ADsSecurity COM
' object from the ADSI Resource Kit (ADsSecurity.dll must be registered).
On Error Resume Next
Dom = "Domain\"        ' Enter your domain here
strFolder = "e:\users" ' Root for user dirs
Set objFSO = CreateObject("Scripting.FileSystemObject")
strFolder = objFSO.GetAbsolutePathName(strFolder)
Set objFolder = objFSO.GetFolder(strFolder)
Set colSubFolders = objFolder.SubFolders
For Each objSubFolder In colSubFolders
    SubFolderName = objSubFolder.Name ' assumed to equal the user's account name
    FullPath = strFolder & "\" & SubFolderName
    WScript.Echo FullPath
    ' Rights letters understood by addace: F = Full, C = Change, R = Read
    Action = "ADD(" & Dom & SubFolderName & ":F)+DEL(EVERYONE:R)"
    EditACL FullPath, Action
Next

Function EditACL(filenm, permspart)
    ' Edit permissions on a single file or folder
    If objFSO.FileExists(filenm) Then ' make sure the file exists or wscript will crash
        ChangeACLS filenm, permspart, "EDIT", "FILE"
    ElseIf objFSO.FolderExists(filenm) Then ' if it's not a file, is it a folder?
        ChangeACLS filenm, permspart, "EDIT", "FOLDER"
    End If
End Function

Function ReplaceACL(filenm, permspart)
    ' Replace the ACL on a single file or folder
    If objFSO.FileExists(filenm) Then
        ChangeACLS filenm, permspart, "REPLACE", "FILE"
    ElseIf objFSO.FolderExists(filenm) Then
        ChangeACLS filenm, permspart, "REPLACE", "FOLDER"
    End If
End Function

Function RecursiveEdit(rootfolder, permspart)
    ' Edit ACLs on rootfolder and all its subfolders and files
    Set rfldr = objFSO.GetFolder(rootfolder)
    ChangeACLS rfldr.Path, permspart, "EDIT", "FOLDER" ' edit rootfolder first
    For Each file In rfldr.Files ' edit all files in the root folder
        ChangeACLS rfldr.Path & "\" & file.Name, permspart, "EDIT", "FILE"
    Next
    For Each sfldr In rfldr.SubFolders
        RecursiveEdit sfldr.Path, permspart ' recurse through subfolders
    Next
    Set rfldr = Nothing
End Function

Function RecursiveReplace(rootfolder, permspart)
    ' Replace ACLs on rootfolder and all its subfolders and files
    Set rfldr = objFSO.GetFolder(rootfolder)
    ChangeACLS rfldr.Path, permspart, "REPLACE", "FOLDER"
    For Each file In rfldr.Files
        ChangeACLS rfldr.Path & "\" & file.Name, permspart, "REPLACE", "FILE"
    Next
    For Each sfldr In rfldr.SubFolders
        RecursiveReplace sfldr.Path, permspart
    Next
    Set rfldr = Nothing
End Function

Function ChangeACLS(filePath, perms, redit, ffolder)
    ' Edit the ACL of the specified file or folder.
    ' perms is a "+"-separated list of ADD(trustee:right) / DEL(trustee:right)
    ' actions; redit is "EDIT" or "REPLACE"; ffolder is "FILE" or "FOLDER".
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0
    Const ADS_ACETYPE_ACCESS_DENIED = 1
    Const ADS_ACEFLAG_INHERIT_ACE = 2 ' CONTAINER_INHERIT_ACE: this folder and subfolders
    Const ADS_ACEFLAG_SUB_NEW = 9     ' OBJECT_INHERIT_ACE Or INHERIT_ONLY_ACE: files only
    Set sec = WScript.CreateObject("ADsSecurity")
    Set sd = sec.GetSecurityDescriptor("FILE://" & filePath)
    Set dacl = sd.DiscretionaryAcl
    ' if flagged REPLACE then remove all existing ACEs from the DACL first
    If UCase(redit) = "REPLACE" Then
        For Each existingAce In dacl
            dacl.RemoveAce existingAce
        Next
    End If
    ' break up perms into individual actions
    cmdArray = Split(perms, "+")
    For x = 0 To UBound(cmdArray)
        tmpVar1 = cmdArray(x)
        If UCase(Left(tmpVar1, 3)) = "DEL" Then
            ACLAction = "DEL"
        Else
            ACLAction = "ADD"
        End If
        ' strip "ADD(" / "DEL(" and the closing ")" to leave trustee:right
        tmpcmdVar = Left(tmpVar1, Len(tmpVar1) - 1)
        tmpcmdVar = Right(tmpcmdVar, Len(tmpcmdVar) - 4)
        cmdparts = Split(tmpcmdVar, ":")
        nameVar = cmdparts(0)
        rightVar = cmdparts(1)
        ' compare bare account names: strip the domain prefix from the trustee
        ' we are about to add as well, otherwise "Domain\user" never matches "user"
        bareName = nameVar
        If InStr(bareName, "\") Then bareName = Right(bareName, Len(bareName) - InStr(bareName, "\"))
        ' if flagged EDIT, delete the ACEs belonging to the trustee we are about to add
        If UCase(redit) = "EDIT" Then
            For Each existingAce In dacl
                trusteeVar = existingAce.Trustee
                If InStr(trusteeVar, "\") Then
                    trunameVar = Right(trusteeVar, Len(trusteeVar) - InStr(trusteeVar, "\"))
                Else
                    trunameVar = trusteeVar
                End If
                If UCase(trunameVar) = UCase(bareName) Then
                    dacl.RemoveAce existingAce
                End If
            Next
        End If
        ' a DEL action only removes; the following clause skips AddAce for it
        If ACLAction = "ADD" Then
            If UCase(ffolder) = "FOLDER" Then
                ' folders need 2 ACEs per trustee: one for subfolders, one inherit-only for files
                addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_SUB_NEW
                addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE
            Else
                addace dacl, nameVar, rightVar, ADS_ACETYPE_ACCESS_ALLOWED, 0
            End If
        End If
    Next
    For Each ace In dacl
        ' an ACE whose trustee reads "NT AUTHORITY\..." does not get re-added to the
        ' DACL, so drop the authority prefix before writing the descriptor back
        If InStr(UCase(ace.Trustee), "NT AUTHORITY\") Then
            ace.Trustee = Right(ace.Trustee, Len(ace.Trustee) - InStr(ace.Trustee, "\"))
        End If
    Next
    ' final sets and cleanup
    sd.DiscretionaryAcl = dacl
    sec.SetSecurityDescriptor sd
    Set sd = Nothing
    Set dacl = Nothing
    Set sec = Nothing
End Function

Function addace(dacl, trustee, maskVar, aceType, aceFlags)
    ' add an ACE to the specified DACL
    Const RIGHT_READ = &H80000000        ' GENERIC_READ
    Const RIGHT_EXECUTE = &H20000000     ' GENERIC_EXECUTE
    Const RIGHT_WRITE = &H40000000       ' GENERIC_WRITE
    Const RIGHT_DELETE = &H10000         ' DELETE
    Const RIGHT_FULL = &H10000000        ' GENERIC_ALL
    Const RIGHT_CHANGE_PERMS = &H40000   ' WRITE_DAC (not used by the cases below)
    Const RIGHT_TAKE_OWNERSHIP = &H80000 ' WRITE_OWNER (not used by the cases below)
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee = trustee
    Select Case UCase(maskVar)
        ' specified rights so far only include F, C and R; could be expanded though
        Case "F"
            ace.AccessMask = RIGHT_FULL
        Case "C"
            ace.AccessMask = RIGHT_READ Or RIGHT_WRITE Or RIGHT_EXECUTE Or RIGHT_DELETE
        Case "R"
            ace.AccessMask = RIGHT_READ Or RIGHT_EXECUTE
    End Select
    ace.AceType = aceType
    ace.AceFlags = aceFlags
    dacl.AddAce ace
    Set ace = Nothing
End Function
```
| | | |
| bdesmond
Posts:416
 | | 02/21/2006 3:06 AM |
| There's a group policy that controls the home folder creation to a certain extent, but not in ADUC. I wouldn't be using ADUC to make them - use some sort of tool. As for fixing the existing ones, something like cacls and a simple VBScript will do the trick.
Thanks, Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
| | | |
| CrawfordS
Posts:51
 | | 02/21/2006 5:38 AM |
| I'm a pretty big fan of FileACL as well.
http://www.gbordier.com/gbtools/fileacl.htm. The syntax is MUCH easier
to deal with IMHO, but SetACL is definitely more flexible, allowing you
to set perms on a wide range of objects: files and directories, registry
keys, printers, services, network shares.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
| | | |
| lists1
Posts:4
 | | 02/21/2006 7:39 AM |
| 1) You cannot do that; however, you can control a bit through group policy (IIRC Admin access to Home folders), and you may be able to experiment with the permissions of the folder above, and modify the parent share not to have full control, then ADUC is not able to modify permissions. However, I doubt that you are able to accomplish what you want. You'll probably have to create the users or at least the home folders with a different mechanism, or run 2) regularly.
2) You can do that with subinacl; download it from Microsoft and do not use the version which is in the resource kit. The new download works pretty well, and subinacl is very good in changing ACEs.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile
| | | |
| dasadasanudas@xxxx.yyy
 | | 02/21/2006 11:01 AM |
| Personally I wouldn't use cacls/xcacls or the VBScript-based xcacls.vbs. cacls/xcacls are probably not granular enough for your purposes. Assuming you want to give just Modify, then cacls/xcacls are fine. But if you want to give full control except for the modify perms/take ownership bit, then you need to use a more granular tool. xcacls.vbs can do the job but is very slow. Even if you hack it to modify perms on a list of folders/subfolders I don't think you'll find it that fast. Ad hoc jobs are OK, but for modifying 2000 folders it's not my tool of choice.
Setacl is the way to go (setacl.sourceforge.net). The syntax is a little hard to grasp initially, but there are plenty of examples on the site. Once you figure it out, you can use a for loop and, coupled with setacl, I think you'll get this done quicker.
M@
| | | |
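As an added example that is not code from the thread or from any of the tools named in it, the "for loop coupled with a tool" M@ describes, written as a PowerShell script (PowerShell post-dates this 2006 thread): it audits every home folder under E:\users (the root used in dharris's script), flags an explicit Full Control ACE for the folder's user and any DACL whose ACEs are out of canonical order (the mis-ordering dharris mentions, which Explorer silently repairs), and with -Fix rebuilds the DACL with the narrower right M@ asks for. It assumes each folder name equals the user's account name and that DOMAIN is replaced by your NetBIOS domain name.

```powershell
# Added example, not code from the thread: audit (and with -Fix repair) the DACL of
# every home folder under $HomeRoot. Assumes folder name = user's account name.
param(
    [string]$HomeRoot = 'E:\users',   # root taken from dharris's script
    [string]$Domain   = 'DOMAIN',     # placeholder: your NetBIOS domain name
    [switch]$Fix
)
$Rights = [System.Security.AccessControl.FileSystemRights]
# M@'s target right: full control minus Change Permissions and Take Ownership.
# ($Rights::Modify is the narrower alternative; it also drops DeleteSubdirectoriesAndFiles.)
$Wanted  = [System.Security.AccessControl.FileSystemRights](
    ($Rights::FullControl) -bxor ($Rights::ChangePermissions) -bxor ($Rights::TakeOwnership))
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None

foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $acl  = Get-Acl -LiteralPath $dir.FullName
    $user = "$Domain\$($dir.Name)"
    # explicit Allow ACE for this user whose mask contains all the Full Control bits
    $isUserFull = {
        param($a)
        -not $a.IsInherited -and $a.AccessControlType -eq 'Allow' -and
        $a.IdentityReference.Value -ieq $user -and
        (([int]($a.FileSystemRights)) -band ([int]($Rights::FullControl))) -eq [int]($Rights::FullControl)
    }
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $findings = @()
    if ($explicit | Where-Object { & $isUserFull $_ }) { $findings += 'user has Full Control' }
    # False for the mis-ordered DACLs dharris describes; .NET refuses to edit such a
    # DACL in place (AddAccessRule throws), which is why the fix rebuilds it below.
    if (-not $acl.AreAccessRulesCanonical) { $findings += 'DACL not canonical' }
    if (-not $findings) { continue }
    '{0}: {1}' -f $dir.FullName, ($findings -join '; ')
    if (-not $Fix) { continue }

    # Rebuild the explicit ACEs through AddAccessRule, which stores them in canonical
    # order, swapping the user's Full Control ACE for the narrower mask. Inherited
    # ACEs are not copied: they flow back from the parent when protection is off.
    $new = New-Object System.Security.AccessControl.DirectorySecurity
    $new.SetAccessRuleProtection($acl.AreAccessRulesProtected, $true)
    foreach ($ace in $explicit) {
        if (& $isUserFull $ace) {
            $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $user, $Wanted, $Inherit, $Prop, 'Allow'
        }
        $new.AddAccessRule($ace)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $new
}
```

Run it once without -Fix to get the list of folders that would change, then with -Fix from an elevated session on the file server.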
| listmail
Posts:497
 | | 02/21/2006 12:26 PM |
| To my knowledge you cannot control what ACLs are placed on the folder.
I would recommend what I usually recommend though: create users through a provisioning script or tool, don't do it through ADUC. If you are at 2000 users you are easily into the realm where the ADUC is not the greatest, most efficient way to do your management.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |