| Plugged In Online Gaming, and Technology |
| | #1 (permalink) |
| Mod-O-Rator Join Date: Mar 2006 Location: Finleyville, PA | Calling network managers

I've been tasked with changing the user permissions on the network like so

Code:
%Projects ->
    %Folder1 ->
        @Files ->
    %Folder2 ->
        @Folder3 ->
            @Files ->

@ = Able to read, edit contents, and delete contents
% = Not able to delete folder or subfolders

Or, I can set it so they can't be moved, deleted or worked on, but you can see them. This is setting these via the basic "Users" groups on our domain. IR Confused

The basic problem is this. We've lost project folders before (folders 1 & 2 above) because they get dragged and moved... or someone just accidentally deletes them without knowing. Moving is fine, I can move them back, but we only keep projects for so long (a few years on the server, and further in archives), so when they get deleted, and, like today, don't find out until 4 months later, then I run into trying to recover this stuff. Keeping more backups off site is what we do, but I have to wait for my boss to go home this evening to get them, and use up both of our time trying to recover them. Add to it that he doesn't want to keep records going back too far ("just a couple months is fine...") and I'm stuck trying to prevent the issue in the first place.

Any help? Should I be trying to do this all from a command line since I have a lot of folders to change attributes to?
__________________ Bryan "Azzy" Spiegel Riverside Renegade Paintball / C.C. S.V.S. Plankowner - LPPC#6 "It is my right to be uncommon—if I can. I seek opportunity—not security. I do not wish to be a kept citizen, humbled and dulled by having the state look after me. I want to take the calculated risk; to dream and to build, to fail and to succeed. I refuse to barter incentive for a dole. I prefer the challenges of life to the guaranteed existence; the thrill of fulfillment to the stale calm of utopia. I will not trade freedom for beneficence nor my dignity for a handout. I will never cower before any master nor bend to any threat. It is my heritage to stand erect, proud and unafraid; to think and act for myself, enjoy the benefit of my creations and to face the world boldly and say, “This I have done.” - Dean Alfange |
| | |
| | #2 (permalink) |
| MCB Member | I know your pain. Have you looked into enabling the "Shadow Copies" feature on your server? It will take a snapshot of your folders and files at whatever interval you specify, and allow you to restore a deleted file or even an older version of a file that was overwritten by accident. |
| | |
| | #3 (permalink) |
| Supernatural Anaesthetist | We use a program called "Security Explorer" for managing permissions on our file servers. It corrects for a lot of the glaring flaws in Windows' native file share administration (like permissions not propagating properly). However, as to the logic of what you actually want to do, IR confuzed as well. Basically, you want to prevent people from making "drag & drop" mistakes, which, unfortunately, isn't going to happen as long as they have the ability to drag & drop. Your best bet would be to "compartmentalize" your shares to minimize the number of hands in the pot and thereby minimize the likelihood of such errors. "Least Privilege" is what it's commonly called. Only give people the minimum amount of access that they need to do their jobs. In your scenario, this would very likely mean creating a separate folder for each "project", a separate user group for that "project" and only putting those users involved in the project into that group. When the "project" is done and ready to be archived, simply remove that group's permission to it, burn the files to a CD (or DVD) for off-site storage (probably a good idea to make one copy for local storage and one for off-site), and then either move the folder to an "Archive" location on the server or delete it (AFTER verifying the quality of the backups!). Yes, some people will be offended that you've taken things away from them. These will most likely be the people who have no valid purpose for having access to these things and also those who are most likely to "accidentally" delete or move them. |
| | |
| | #4 (permalink) |
| MCB Member Join Date: Mar 2006 | Start at the top and work your way down. First square away admin rights. Set admin to full control of the Projects folder (Are there multiple projects folders? If so, start above it). Open up advanced settings and highlight the admin line. Make sure in "Applies to" it says "This folder, subfolders, and files". Add the users group and give it read permission and apply to "This folder only". Add the users group again and give it full permission to "All subfolders and files", then click the checkbox at the bottom, "Replace permission entries on all child entries shown here that apply to child objects." Now go through all the folders and remove the entries that are not inherited. This should leave you with only admin being able to touch the projects folder and users able to do what they want with the stuff below that. Use inheritance as much as possible so you don't drive yourself crazy. That should at least give yourself a starting point. Do a backup before you do this, and it would be wise to play in an Azzy directory and some fake user IDs until you sort out your exact methodology. -MR |
| | |
| | #5 (permalink) |
| .:|Purification Admin|:. | x2 to Darkstar's commentary. So much easier with *nix and ADS..
__________________ Advertise on MCB That's two-ing thirteen while she's eleven-ing your five........ PPS4LIFE "If a man neglects to enforce his rights, he cannot complain if, after a while, the law follows his example." |
| | |
| | #6 (permalink) |
| Mod-O-Rator Join Date: Mar 2006 Location: Finleyville, PA | I thought I tried what Darkstar said... but it didn't seem to take when I played around on a user station. I'll give it a try again tomorrow. Now when I do that, can I make a folder set that can be copied? We have a master folder on the network that gets copied and renamed when a new project comes through, but it is set up on a different network share. Or will I have to reset the permissions each time? Chad - Some of that split-up won't work with my boss... I may manage the network, but, well, you guys know the rest |
| | |
| | #7 (permalink) |
| Supernatural Anaesthetist | I hear ya. I was always getting calls from the really high-ups demanding that I give so-and-so "full permission to everything". Management types really need to either learn & understand the ramifications of such demands or trust the judgement of their IT staff and let them do the jobs they're being paid to do. I'm preaching to the choir, I know... |
| | |
| | #8 (permalink) |
| Mod-O-Rator Join Date: Mar 2006 Location: Finleyville, PA | My boss told me one day to turn off all the systems' anti-virus because there was a chance that it could scan during normal work hours, and slow a computer down. I told him "No, I won't do that, it goes against what my job is." He was pissed at the time, but later said it was the right decision, I just needed to be less blunt with my words |
| | |
| | #10 (permalink) |
| Mod & Underwear Model | You've already gotten all the good advice above. a) Off the top of my head, it sounds like your inheritance is slightly off somewhere. b) Chad mentioned Security Explorer. We've used it on large domain migration projects and it's a life saver. It's from "Script Logic". Licensing is per-server, sounds like you're in a relatively small shop, so it should be a very reasonable purchase. You give it a group/user, point it at a share or volume, it tells you EXACTLY which user can do what. I don't remember exactly what it cost, but I do recall getting several licenses over the phone on a credit card... couldn't have been that much. c) FOR CREATING NEW PROJECTS GOING FORWARD: Once you get your permissions squared away, I'd suggest using a simple batch script to create a standard set of new folders, and xcacls to set the permissions. (Pass in the project name as a variable and you can replicate the structure and permissions in a millisecond)
__________________ Strive for that moment when you're only a slice of pizza and a hooker away from paradise. |
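
The scripted project-folder creation suggested in post #10, sketched as an added example (not code from the thread or from any poster). It uses PowerShell's built-in `Get-Acl`/`Set-Acl` in place of the `xcacls` tool the post names, and applies the `%`/`@` layout from post #1. The function names, the sample path and the default group are assumptions, as is a parent folder that grants users no delete rights over its children.

```powershell
# Added example, not from the thread. Paths, names and the group are placeholders.
function New-Ace($Who, $Rights, $Inherit, $Propagate) {
    # New-Object converts these strings to the matching .NET enum values.
    $ctorArgs = $Who, $Rights, $Inherit, $Propagate, 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

function New-ProjectFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,    # parent "Projects" folder
        [Parameter(Mandatory)] [string] $Name,    # new project name
        [string]   $Group      = 'BUILTIN\Users', # assumption: use your own group
        [string[]] $SubFolders = @()              # standard subfolders, if any
    )
    $path = Join-Path $Root $Name
    if (Test-Path -LiteralPath $path) { throw "Already exists: $path" }
    New-Item -ItemType Directory -Path $path -ErrorAction Stop | Out-Null

    $acl = Get-Acl -LiteralPath $path
    # Stop inheriting from $Root and drop the inherited entries, so a broad
    # grant on the parent cannot give users Delete on the project folder itself.
    $acl.SetAccessRuleProtection($true, $false)

    $all = 'ContainerInherit, ObjectInherit'
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $all 'None'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' $all 'None'))
    # "%": on the project folder itself users can list, read and add items,
    # but hold no Delete right, so they cannot delete, rename or move it.
    $acl.AddAccessRule((New-Ace $Group 'ReadAndExecute, CreateFiles, CreateDirectories' 'None' 'None'))
    # "@": everything below the project folder inherits Modify (read, edit, delete).
    $acl.AddAccessRule((New-Ace $Group 'Modify' $all 'InheritOnly'))
    Set-Acl -LiteralPath $path -AclObject $acl

    # Subfolders are created after the ACL is set, so they inherit it.
    foreach ($s in $SubFolders) {
        New-Item -ItemType Directory -Path (Join-Path $path $s) | Out-Null
    }
    # Return the resulting entries so the caller can check what was applied.
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# Constructed sample call; run it against a scratch directory first:
# New-ProjectFolder -Root 'D:\PermTest\Projects' -Name 'Job-0001' -SubFolders 'Drawings', 'Admin'
```

Users can still delete or empty everything inside a project folder, so Shadow Copies or backups remain the recovery path for its contents.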
| | |