Re: Replacing groupname on share permissions

From: Al Dunbar [MS-MVP] (alan-no-drub-spam_at_hotmail.com)
Date: 07/24/04 

Date: Sat, 24 Jul 2004 17:16:10 -0600

"Randy Snyder" <aggie07@austin.rr.com> wrote in message
news:sFBMc.25830$pR5.19229@fe2.texas.rr.com...
> I am needing to change the share level permission where GroupA replaces
> GroupB. Has anyone done this? Can you point me in the right location. I
> have looked at Win32_Share for WMI and it doesn't have this functionality.

IMHO, the replacement of group with another in an ACL is not an elemental
operation. What you need to do is to create a new ACL to give groupA the
required access, and then revoke the access of GroupB. I suppose you could
create your own function to simulate this, i.e.:

    function permreplace(object, oldgroup, newgroup)
        for each acl on object that oldgroup has
            create a similar acl for newgroup
            revoke the acl for oldgroup
        next
    end function

I think, though, that this would imply a poorly thought out permissions
management strategy. Better to have a single group given access to the
share, and populate that group with whatever other groups need access.
Changing permissions is generally something that should be done when the
resource is created, and as infrequently as possible thereafter.

/Al

Relevant Pages

  • Re: Conflicting AD groups
    ... So if a Windows User1 is a member of GroupA and GroupB and SQL Server creates a login for both GroupA and GroupB, the User1 will be able to connect and will have the permissions of both. ...
    (microsoft.public.sqlserver.security)
  • Re: Everyone take ownership
    ... I change its permissions so only GROUPA and ... > in GROUPA or GROUPB can claim Ownership of the folder. ... Looks like the permission is inherited from the parent folder. ...
    (microsoft.public.win2000.security)
  • Re: Replacing groupname on share permissions
    ... What you need to do is to create a new ACL to give groupA the ... and then revoke the access of GroupB. ... > Changing permissions is generally something that should be done when the ... from a large number of shares and replace ...
    (microsoft.public.scripting.wsh)
  • Re: Win2k - Account Operator not working properly
    ... You very likely have other ACL issues other than what was mentioned and I can point them out here for you for free or you can pay someone $200-500 an hour to come check it out. ... In order for that to result in inheritence protection it means the schema had to be modified. ... set the account in the GUI to inherit from its parents. ... Used the delegation wizard, on the top level OU, to assign the desired permissions. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Migrationn from Exch 5.5 on NT to Exch 2003 on 2003
    ... Jason Tan wrote: ... Security translation is a function of ADMT 2.0 that updates access control lists when migrating objects across domains. ... subinacl is recommended to reset the permissions in this scenario. ... you may use subinacl to replace the ACL. ...
    (microsoft.public.windows.server.migration)