Re: Problem to update ACL using ADsSecurity from VBScript


From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/21/04

    Date: Sun, 21 Nov 2004 08:47:11 -0700
    
    

    IIRC there is a policy setting that accomplishes this very thing,
    i.e. adding Administrators permissions to profiles.
    Within a GPO that has those machines in its scope of application,
    look into the computer settings tree, under admin templates, within
    System\User Profiles

    -- 
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "Wilder" <Wilder@discussions.microsoft.com> wrote in message
    news:7711EDFE-F20A-48B1-A3C0-932E04647A8D@microsoft.com...
    > Hi,
    > I'm trying to do pretty much the same thing with the users roaming profiles
    > directory.  Except not moving anything.  I've got a situation where I need to
    > takeownership (I have that piece using win32_directory takeownership method)
    > and add Administrators to the security (got that w/ xcacls.vbs).  The piece I
    > need is how do I modify the workstation(s) policy to include (Add the
    > Administrators security group to roaming user profiles) so that we don't have
    > to mess with this anymore.
    >
    > Any assistance you can provide about adding a policy to a remote workstation
    > will be greatly appreciated.
    >
    > Thanks,
    >
    > Wilder
    >
    > "Kevin Debono" wrote:
    >
    > > Hi Roger,
    > >
    > > Thanks a lot for your answer.
    > >
    > > As for your solution, the problem is that the script is doing other various
    > > things, like updating the profile of the user, moving the user from one OU to
    > > another, etc.
    > >
    > > After taking ownership of a file/folder I'm copying the current permissions
    > > and also recurring through all the subfolders.  The missing bit is to add
    > > myself to the ACL and I'll have a complete solution.  At the moment I'm
    > > calling a very cool utility from my script called SecureCopy to handle this
    > > problem.  But I'm a hard headed person and want to have a solution that is
    > > independent from any other utility.  Most probably I will have to use an API
    > > call and I think the one that will do the trick is SetEntriesInAcl.
    > >
    > > Best regards,
    > >
    > > Kevin
    > >
    > > "Roger Abell [MVP]" wrote:
    > >
    > > > IMO you are taking the long (and messy) road, plus, as you mentioned
    > > > an Explorer step you still are not fully automated.
    > > >
    > > > To do as you are correctly, you need to take note of the preexisting
    > > > ownership and permissions and then set them back that way after the
    > > > copy over to the other server.  Note that taking ownership and setting
    > > > permissions for you to copy may need to be done recursively down inside
    > > > each home folder.  The user, as owner, may have blocked inheritance.
    > > > If you try the shortcut way to avoid the recurse, then you will wipe out
    > > > permissions differences the user may have placed within.
    > > >
    > > > The quick, easy way to do this is to use NTbackup to grab all the needed
    > > > home directories and then restore them with permissions to the new server
    > > > specifying to preserve permissions.  Using an account with the backup and
    > > > the restore user rights will allow a registered backup/restore application
    > > > to be immune from NTFS hindrances.
    > > >
    > > > -- 
    > > > Roger Abell
    > > > Microsoft MVP (Windows Server System: Security)
    > > > MCDBA,  MCSE W2k3+W2k+Nt4
    > > > "Kevin Debono" <KevinDebono@discussions.microsoft.com> wrote in message
    > > > news:E2D1BAD8-AE26-4985-AD00-807880F29186@microsoft.com...
    > > > > Hi everybody,
    > > > >
    > > > > At the moment I'm working on a VBScript with which I want to copy files
    > > > > and folders from one Server to another.  While doing this I want also to
    > > > > transfer the NTFS permissions.
    > > > >
    > > > > The folders that I'm going to copy are user home directories and even if
    > > > > I'm an administrator I don't have the rights to access some of the folders.
    > > > > To overcome this problem I'm using the CIM_LogicalFile WMI class and its
    > > > > TakeOwnership method.  This works because I use Windows Explorer to verify
    > > > > that I'm the new owner of the folder/file.  My next step is to add myself
    > > > > to the ACL of the file/folder so that I have enough rights to perform the copy
    > > > > operation.  To do this I'm using ADsSecurity.  I'm creating an ACE object
    > > > > and give myself ReadWrite permissions; the problem is that when I update the
    > > > > ACL using the SetSecurityDescriptor nothing happens i.e. the new ACE is not
    > > > > added.
    > > > >
    > > > > It seems that the problem is coming from the fact that I don't have Change
    > > > > permissions (BUT I CAN PERFORM THE SAME OPERATION FROM WINDOWS EXPLORER)
    > > > > on the target file/folder because when I executed the script against a file
    > > > > on which I have Change permissions the ACL is updated successfully.
    > > > >
    > > > > Can anybody out there help?
    > > > >
    > > > > Sorry if a bit long.
    > > > >
    > > > > Best regards,
    > > > >
    > > > > Kevin
    > > > >
    > > >
    > > >
    > > >
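
An added example, not part of the original thread: a PowerShell check, run on a workstation, that reports whether the policy Roger points to is in effect and which folders under the roaming profile share still lack an Administrators Full Control entry. The share path is a placeholder, and the script assumes the policy is stored as the `AddAdminGroupToRUP` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`.

```powershell
# Added example. $ProfileRoot is a hypothetical path; use your own profile share.
param(
    [string]$ProfileRoot = '\\fileserver\profiles$'
)

$adminsSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-RupPolicyState {
    # Value written by "Add the Administrators security group to roaming
    # user profiles" (Computer Configuration, System\User Profiles).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = Get-ItemProperty -Path $key -Name AddAdminGroupToRUP -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'NotConfigured' }
    elseif ($v.AddAdminGroupToRUP -eq 1) { 'Enabled' }
    else { 'Disabled' }
}

function Test-AdminsFullControl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Typical for user-owned profile folders with no Administrators ACE.
        return 'Unreadable'
    }
    # Ask for SIDs, not names, so the check is independent of OS language.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $adminsSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $fullControl) -eq $fullControl) {
            return 'AdminsFullControl'
        }
    }
    'AdminsMissing'
}

'Policy on {0}: {1}' -f $env:COMPUTERNAME, (Get-RupPolicyState)

# List only the profile folders that still need attention.
Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction Stop |
    ForEach-Object {
        [pscustomobject]@{ Folder = $_.Name; State = Test-AdminsFullControl $_.FullName }
    } |
    Where-Object State -ne 'AdminsFullControl' |
    Format-Table -AutoSize
```

The client computer applies this setting when it creates a roaming profile folder, so folders created before the policy took effect keep their old ACL and will still be listed.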
    
