Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Friday, December 2, 2011

Ownership in Windows 2003, Part I

There is a Group Policy option that can hide the security tab that would hide it for all files on the computer. Look under user configuration/administrative templates/Windows components/Windows explorer - hide security tab. Set that to disabled in local Group Policy [gpedit.msc] or whatever Group Policy that is applying to the user that you are logging on as. You can use the Resultant Set of Policy mmc snapin on that server to see what Group Policies and what settings are being applied to that computer and user. Also the security tab will not appear if the user does not have read permissions to the Rshx32.dll file in the %systemroot%\system32 folder.
You can also view and manage security permissions with command line utilities such as cacls and xcacls.vbs and my favorite is fileacl. Both xcacls.vbs and fileacl can also change ownership of folders or files.
--Steve  --- fileacl  --- xcacls.vbs

I have tried using xcacls, but I am getting an access denied message
there as well when I attempt to change the permissions.
use of cacls for changing ownership and permissions for users profile folder
A program titled NTFSFIX has solved my problems. See below for the link:

System Requirements
  • Windows 2000, XP or 2003 Server
  • .NET Framework version 1.1 (Download from Microsoft or Windows Update)
  • A user account that has full control permissions on the work areas, or has ownership of the folders.
OverviewThis tool is used to fix the permissions on user work areas. Specify your custom permissions and select the root folder where your user work areas are stored. A user account with the same name as the folder is given full control permissions by default.
Product Tour
  • Select Mode (Add or Replace)
NTFSFix - Welcome
  • Add custom permissions to the work area (Default permissions shown below)
NTFSFix - Wiz1
  • Select the root folder. (UNC or local path supported) You can also exlude folders here.
NTFSFix - Wiz2
  • Confirm the selection & start the permissions change.
NTFSFix - Wiz2
In the above screenprint two folders were not configured properly. This is because no users exist in the domain with the same name as the folder.

You can use subinacl.exe or fileacl.exe to replace the current owner.
The syntax for fileacl.exe is much easier than for subinacl.exe. FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64
 Denied message. I omitted the /c option so
"Replace owner on subcontainers and objects"
Got it to work (mostly, haha)
Had to run "fileacl.exe \\server\share /o Administrators /s Administrators /SUB /FILES" twice (for whatever reason the
files don't take the first time around). In theory after that "fileacl.exe //server/share /replace /inherit" should
have worked, but it causes fileacl to fault on large trees.
So SetACL/xcacls/whatever works to reset inheritance after that.
Set Up and Use Xcacls.vbs
To set up and to use Xcacls.vbs, follow these steps:
  1. Obtain the latest version of Xcacls.vbs from the following Microsoft Web site:
  2. Double-click Xcacls_Installer.exe. When you are prompted for a location to place the extracted files, specify a folder that is in your computer's search-path setting, such as C:\Windows.
  3. Change the default scripting engine from Wscript to Cscript. (The Xcacls.vbs script works best in Cscript.) To do this, type the following at a command prompt, and then press ENTER:
    cscript.exe /h:cscript
    Note Changing the default scripting engine to Cscript only affects how scripts write to the screen. Wscript writes each line individually to an OK dialog box. Cscript writes each line to the command window. If you do not want to change the default scripting engine, you must run the script by using the following command
    cscript.exe xcacls.vbs
    whereas if you change the default to Cscript, you can run the script with the following command:
  4. To see the Xcacls.vbs command syntax, type the following at a command prompt:
    xcacls.vbs /?

Syntax for the Xcacls.vbs Command

No comments: