I’m migrating our userhome location to a new VM. My first mistake was not setting security correctly on the share folder that the users’ folders will live in. I used a script from here:

To fix ownership issues (which it doesn’t look like it did; there’s an error ‘Set-Acl : Cannot set the ACL because the method that it needs to invoke, SetSecurityDescriptor, does not exist.’). Unfortunately, at some point, it wiped out the domain admins’ access to the folders. All the folders have the local administrators as having full access, but are missing domain admins, and even though domain admins are part of the local admin group on this server, that’s not enough.

I added Domain Admins with full access to the root folder, but now it’s showing these errors:

It’s not a huge deal that domain admins have access to these folders, but each user has this error pop up 3 times, and if you hit enter by mistake, you have to start over again.

Is there an easier way?

Take ownership or have the owner add domain admins?

Right but the issue is if there is a sub folder that does not inherit permissions.

We usually blow away all permissions for all sub folders as well and then re-set the permissions, which is easy because of RBAC, right? :¬P

Ideally, both. The script I found doesn’t seem to work correctly. I’m more concerned about the missing domain admin rights, though.

Why are you concerned? If you need access you can take ownership.

There is no need to have access to all folders at all times, but if you need to, you can take ownership. ¯\_(ツ)_/¯

Sorry, I should have been more clear. The folder’s owner should be the username that is attached to the folder. So ‘abetts’ should be the owner of her folder. We’re redirecting our users’ My Documents, among other things. They don’t redirect correctly if they don’t own the folder.

So really, I need to set their folders so they own them, and put Domain Admins as full access on all of them as well. Except, when I propagate the Domain Admins access, I get that error about 1500 times.

I am missing something.

Why are users involved in this at all?

Set DA to take control/be owner of the userhome root and all subdirs. Done without user knowledge on the server.

Set the user to have control of their userhome directory. Done without user knowledge on the server.

well lol that makes more sense.

Have you looked into icacls?

I probably answered this with the previous comment.

Sorry, I’m not the clearest explainer sometimes.

I hadn’t looked into icacls. I don’t do much with CLI in Windows, sadly. I really should get more into it.

something like so

get-childitem "C:\parentfolder" |
foreach{
    #icacls.exe d:\test /setowner domain\username /T /C
    icacls.exe $_.name /setowner domain\$_.name /T /C
}

Especially PowerShell :¬ )

How many users do you have? Do you have the old server up still?

There are about 350 folders in here. The old server is still up, so, if necessary, I can blow this away and start over.

Try adding Administrators with the cacls command:

cacls I:\FolderName /T /E /G Administrators:F

If Admins don’t have rights at all for some reason, you might need to use PSEXEC with CACLS to run CACLS as the System account.

psexec -s -i cacls I:\FolderName /T /E /G Administrators:F

SetACL might help you too: SetACL Command Line-Version (SetACL.exe) - Syntax and Description

CACLS ??

http://www.itprotoday.com/security/icacls-new-and-improved-cacls

https://ss64.com/nt/icacls.html

Download RichCopy, a GUI-based product… Free Utility: RichCopy, an Advanced Alternative to RoboCopy | Microsoft Learn

Read this to help understand it a little… but it rather easy to use… Deployment Solution - Symantec Enterprise

I’ve used RichCopy in the past. It’s good; however, it has a nasty habit of stripping file permissions unless you run it off of the source server. Since I’m pulling the files off our old mini-SAN, I used CLI robocopy with the /copyall switch. It worked fine. It’s just that our mini-SAN had a habit of changing NTFS file permissions. When I contacted EMC, they said this behavior was by design.

Tried running that script. Got this error:

“No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 0 files”

Can you post sanitized what exactly you run?
Did you replace the ‘placeholders’ with actual data?
Do the folder names match the usernames (samaccountname)?

By and large, the foldernames match the usernames. There are a few exceptions, but I can manually clean those up.

Here’s what I ran:

get-childitem "F:\Userhome\" |
foreach{
    #icacls.exe d:\test /setowner mcc.local\username /T /C
    icacls.exe $_.name /setowner mcc.local\$_.name /T /C
} 

Okay, try like so:

get-childitem "F:\Userhome" |
foreach{
    icacls.exe $_.fullname /setowner "mcc\$($_.name)" /T /C
} 
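Putting the two-step procedure from earlier in the thread (Domain Admins take ownership and full control of the root and everything below it, then each user gets control of their own folder) together with the working icacls loop above, here is an added example script. It is not code from the original posts. It assumes the share root is F:\Userhome, the domain NetBIOS name is mcc, and each folder name equals the user's sAMAccountName (the thread says this is true for most folders but not all), and it must be run elevated on the file server. The extra piece a practitioner wants is the account lookup before each icacls call: a folder whose name does not resolve to an account is reported instead of producing the "No mapping between account names and security IDs" error mid-run.

```powershell
# Added example (not from the thread): re-stamp Domain Admins on every user
# home folder and hand ownership of each folder back to the matching user.
# Assumptions: root F:\Userhome, domain NetBIOS name mcc, folder name equals
# the user's sAMAccountName. Run in an elevated PowerShell on the server.

$Root   = 'F:\Userhome'
$Domain = 'mcc'
$Admins = "$Domain\Domain Admins"

# Resolve an account name to a SID before calling icacls. If the name does
# not map, icacls would fail with "No mapping between account names and
# security IDs was done", so the caller skips and reports the folder instead.
function Resolve-AccountSid {
    param([string]$Account)
    try {
        return ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

# Step 1: Domain Admins becomes owner of the root and the whole tree, then
# gets Full Control that inherits to sub-folders (CI) and files (OI).
# /T walks the tree; /C continues past per-item errors instead of stopping
# (the GUI's repeated error pop-ups are what /C lets you skip here).
icacls $Root /setowner $Admins /T /C
icacls $Root /grant "${Admins}:(OI)(CI)F" /T /C

# Step 2: each user becomes owner of, and gets Full Control over, the folder
# named after them. Folder names that do not resolve to an account are
# collected so the exceptions can be fixed by hand afterwards.
$unmatched = @()
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $user = "$Domain\$($_.Name)"
    if (-not (Resolve-AccountSid $user)) {
        $unmatched += $_.Name
        return   # inside ForEach-Object this skips to the next folder
    }
    # FullName is the absolute path; Name alone only works from inside $Root.
    icacls $_.FullName /setowner $user /T /C
    icacls $_.FullName /grant "${user}:(OI)(CI)F" /T /C
}

if ($unmatched) {
    Write-Warning ("Folders with no matching account: " + ($unmatched -join ', '))
}
```

Two details are worth noting. The grant strings use `${Admins}` and `${user}` because `"$Admins:(OI)..."` would make PowerShell read `Admins:` as a drive-qualified variable name. And because the first step sets Domain Admins as owner of every folder before the second step hands the user folders back, a user folder that fails the lookup is left owned by Domain Admins rather than by whatever the copy left behind, which is the safer state while the exceptions are sorted out.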

Boom! It’s running now. Looks like it’s working how I’d want it to.

Out of curiosity, what’s the difference?