Redirected Folders

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I just took over a network that uses redirected documents. They were not set
up originally to allow administrators to access these documents. How can I
fix this? Will the steps in KB article 288991 mess up the permissions for
current users?
 
I just took over a network that uses redirected documents. They were not set
up originally to allow administrators to access these documents. How can I
fix this? Will the steps in KB article 288991 mess up the permissions for
current users?
Click to expand...


The steps in that KB will not mess up user permissions.
If will set things up properly for new users.

To fix administrator access for the current users, you need to grant Administrators Full Control on all folders and subfolders,
and force User Ownership and Full Control.

The best way to do that is via a script that runs in the System context:
See tip 3215 » How do I schedule a job to run under the SYSTEM context?
in the 'Tips & Tricks' at http://www.jsifaq.com

NOTE: tip 8530 » Corrected version of SubInAcl.


In the script, enumerate sub-folders from parent folder and use CACLS.
If the parent folder is C:\Users, then:

@echo off
setlocal
pushd c:\users
for /f "Tokens=*" %%a in ('dir /b /a c:\users') do (
echo y| cacls "c:\users\%%a" /T /E /C /g Administrators:F
echo y| cacls "c:\users\%%a" /T /E /C /g "%USERDOMAIN%\%%a":F
subinacl /subdirectories "c:\users\%%a" /setowner="%USERDOMAIN%\%%a"
subinacl /subdirectories "c:\users\%%a\*.*" /setowner="%USERDOMAIN%\%%a"
)
popd
endlocal
 
lforbes said:
Hi,

That is indeed a problem. I always create users folders via AD and
that automatically puts Admins as Full Control.

The issue is ownership. To modify the folders permission you must take
ownership of them and all the files. This is an issue if you are using
quotas.

The KB article is if you are starting from scratch. If you remove
access to the users you will be in trouble.

Are you running Windows 2000 or 2003? This is done far easier with
2003 because it gives you the ability to "give ownership back".

Cheers,

Lara
Click to expand...


I am using Windows 2000 SBS. I am not using quotas right now. Part of the
reason for allowing admins access to the folders is to see if we need to
being using them.

Ron
 
I am using Windows 2000 SBS. I am not using quotas right now. Part of
the reason for allowing admins access to the folders is to see if we
need to being using them.
Click to expand...

Actually the nice thing about Quotas is it lets you see what you don’t
have access to. You can enable it and set the limit really high so it
doesn’t affect the users. Then go into Quota manager and view
"containers" and sort via OU. You can see the size/amount of files
your users have ownership of. If you want to "View" the actual
files, click click on the user in Quota Manager and click "Delete"
(from quota manager not files). It will pop up a box listing all the
users files. If you click "close" it will say "you cannot delete a
user from quotas that has files on the drive". I use it all the time
to view the files.

The nice thing about 2003 quotas is they let you view the folders as
well.

Unfortunately with 2000 you cannot "give ownership" back (once you
take it in order to have admin access) without a third party utility.
My friend said this about this cool utility he uses.
For those of you who don’t run 2003, and need to change
ownership of a folder to a specific user, check out this utility:
http://wwwthep.physik.uni-mainz.de/~frink/nt.html
It’s very similar to the unix command of the same name.
It’s a command line utility to change the owner of files and
folders. (It’s distributed under GNU Public Licencing, in other
words: Free.)
It’s really nice if you’ve got 1200 user folders whose
owner settings have been scrambled... All you need is to have a list
of all the user name, and excel! (for "Vertical-Editing" of batch
files) Takes 5 minutes!
Click to expand...

Cheers,

Lara
 
Back
Top