#130379 - 2004-11-30 10:21 PM Take Ownership using XCACLS
Anonymous
Unregistered


I moved user home directories from one drive to another on a Windows 2000 file server. Administrator is now the owner.

I'd like to set the Ownership of each directory to its respective user.

Need to do:

1. Extract the subdirectory listing from F:\Home.
2. Match a username to each subdirectory (if it exists).
3. Change the ownership.

Shell 'cmd.exe /c @scriptdir\xcacls $BaseHomeDir\$username /g $domain\$username $username:o'

Does anyone have a script that they are already using (and willing to share)? This seems to be a common problem when moving home directories with Microsoft Windows.

tjcarst

Top
#130380 - 2004-11-30 11:18 PM Re: Take Ownership using XCACLS
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
I have written a SetOwner program that I will post to my site this evening sometime.
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#130381 - 2004-11-30 11:56 PM Re: Take Ownership using XCACLS
tjcarst Offline
Hey THIS is FUN

Registered: 2003-09-08
Posts: 243
Loc: USA
Thanks, Howard.

I need to step through what is happening and make some sense of each step in order to troubleshoot. I will stop scratching my head and wait to see if SetOwner will work for my environment.

This makes no sense to me that MS would not allow for the change of ownership when moving directories. If the system was a clean install and users immediately created files it would work. And if you wanted to add space by backing up the data, installing add'l space, and restoring, this is always going to be a problem for administrators. So frustrating.

Quote:


$domain='domainname'
$basehomefolder='f:\home'
$computer='servername'
if not $computer $computer = "." endif

;GET FOLDERS (immediate subfolders of the base home folder, via WMI)
$colfolders=GetObject('winmgmts:{impersonationLevel=impersonate}!\\' + $computer + '\root\cimv2').ExecQuery("ASSOCIATORS OF {Win32_Directory.Name='" + $basehomefolder + "'} WHERE AssocClass = Win32_Subdirectory ResultRole = PartComponent")

;GET USERS
$objOU = GetObject("LDAP://ou=Users,dc=domain,dc=local")
$objOU.Filter = Array("user")

;MATCH USERS & FOLDERS
for each $objFolder in $colfolders
  $homefolder = $objFolder.Name
  ? "Home Folder " + $homefolder
  ? @serror ?
  for each $objUser in $objOU
    $aduser = $objUser.sAMAccountName
    ;a folder matches when its path is the base folder plus the logon name
    if $homefolder = ($basehomefolder + '\' + $aduser)
      ? 'AD User ' + $aduser
      ;xcacls permission "o" grants the Take Ownership right to $aduser
      Shell 'cmd.exe /c @scriptdir\xcacls $homefolder /g $domain\$aduser:o'
    endif
  next
next





Top
#130382 - 2004-12-01 12:04 AM Re: Take Ownership using XCACLS
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA
Please take a look at the following post and see if it helps any.

http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Number=57147

Also XCOPY supports keeping all that information.

/O Copies file ownership and ACL information


However, if you've already moved the files, then none of this is going to help much. XCacls can take ownership but don't think it can SET ownership to another account even though the OS supports it.

I know you can assign ownership as the program Security Explorer from Small Wonders (Now owned by ScriptLogic) is able to do it.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_SEconceptsUnOwn.asp


Edited by NTDOC (2004-12-01 12:31 AM)

Top
#130383 - 2004-12-01 12:39 AM Re: Take Ownership using XCACLS
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA
I knew it was out there. Just had to find the link.

Please take a look at the following links which hopefully will provide the details you require to accomplish this task.


SubInACL update
Set the owner to any user/group
http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Board=UBB14&Number=121194


SetACL is a set of routines for managing Windows permissions (ACLs) from the command line
Set the owner to any user/group
http://setacl.sourceforge.net/


Quote:

Overview
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain. For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information for the user's files. This gives the user access to the same files from the new domain.

SubInACL enables administrators to do the following:
Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
Change the owner of an object.
Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.

This update addresses the following issues:
Fixed bug where subinacl.exe failed to process command line arguments
Fixed bug where subinacl.exe failed to function correctly with cluster file shares




Edited by NTDOC (2004-12-01 12:43 AM)

Top
#130384 - 2004-12-01 03:26 AM Re: Take Ownership using XCACLS
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Isn't there some issue with XCACLS turning on inheritance? Might not be an issue with home folders but still. I believe CACLS (at least the newer, bug free one) does not have the same problem with inheritance.

When I moved all my users' home folders from NetWare to DFS, I used SubInACL. Since the UserID was the same as the folder name, it didn't take rocket science to knock off a quick script.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#130385 - 2004-12-01 03:30 AM Re: Take Ownership using XCACLS
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
SetOwner.exe is now on my web site.

http://home.comcast.net/~habullock/Perlutilities.htm
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#130386 - 2004-12-01 04:38 AM Re: Take Ownership using XCACLS
eyecantw8 Offline
Fresh Scripter

Registered: 2004-01-30
Posts: 8
Loc: Australia, Victoria
Hmm, why not use the MS Resource Kit 'robocopy' with the /SEC switch? But I s'pose that'll only take current ownership across, not set new ownership? How have you got on anyway?
Top
#130387 - 2004-12-01 04:34 PM Re: Take Ownership using XCACLS
tjcarst Offline
Hey THIS is FUN

Registered: 2003-09-08
Posts: 243
Loc: USA
Thanks, everyone. I will review submitted links and try SetOwner.

tjcarst

Top
#130388 - 2004-12-01 04:44 PM Re: Take Ownership using XCACLS
tjcarst Offline
Hey THIS is FUN

Registered: 2003-09-08
Posts: 243
Loc: USA
SetOwner works for my purpose. I have 790 home folders to change, I'd better get busy.

Thanks!

Top
#130389 - 2004-12-01 05:13 PM Re: Take Ownership using XCACLS
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
a little looping program should make short work of those...
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#130390 - 2004-12-01 05:44 PM Re: Take Ownership using XCACLS
tjcarst Offline
Hey THIS is FUN

Registered: 2003-09-08
Posts: 243
Loc: USA
Unfortunately, it would take me longer to figure out the looping program than to type each manually. I am cleaning up the user folders for employees who are no longer here while I am at it. If I could get it to log errors for the folders that could not find a matching username, it would be worth the time. I am not a programmer and it takes me forever to get a script that works. Finding SetOwner was a godsend. Thanks!

tjcarst

Top
#130391 - 2004-12-01 06:03 PM Re: Take Ownership using XCACLS
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
What is your perception of the performance of SetOwner?
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#130392 - 2004-12-01 06:17 PM Re: Take Ownership using XCACLS
tjcarst Offline
Hey THIS is FUN

Registered: 2003-09-08
Posts: 243
Loc: USA
Fairly quick. I set ownership of a 2gb (4,351 files) home directory in 2 minutes. I could time it for you if you wish. It is running on a quad processor file server. It would be nice if it returned an error indicating no such username found instead of the current error for EACH file. It fills up the screen. If it could check for the existence of a matching username first before trying to take ownership, it would be prettier and quicker. Directory existence checking too, for those of us with fat fingers. But, this is still a great utility for me. I've been bothered for over a year with Administrator owning files on the server when we migrated from Novell. I ran out of disk space yesterday and needed to move the files to a new disk on the server. Had I remembered and used xcopy, I would have been safe. But, had I had this utility a year ago, I would have been a much happier network admin. I am happy I found it now.

Edited by tjcarst (2004-12-01 06:23 PM)

Top
#130393 - 2004-12-01 06:33 PM Re: Take Ownership using XCACLS
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Working on those common sense enhancements for you...stay tuned.

I had upgraded my Perl and modules used for this program. It does not seem to function properly once compiled.... Still working on it...


Edited by Howard Bullock (2004-12-01 07:15 PM)
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#130394 - 2004-12-01 07:47 PM Re: Take Ownership using XCACLS
tjcarst Offline
Hey THIS is FUN

Registered: 2003-09-08
Posts: 243
Loc: USA
It will be nice to use as a method of determining when an employee no longer has an AD account. I am just getting to the letter L (372 done) and I have found over 60 home folders with no matching user account. I will run the SetOwner on the home folders monthly to find out what home folders need to be removed. Thanks, Howard!
Top
#130395 - 2004-12-01 11:05 PM Re: Take Ownership using XCACLS
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
There should be much better ways to tell when an employee is no longer there and clean up the user directories.

A suggestion would be to use EnumObject.exe to output the accounts with properties. Run it once a month, compare the outputs, and remove the directories that are not shown in the new report.
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#130396 - 2004-12-02 12:16 AM Re: Take Ownership using XCACLS
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA
LES: Yes, XCACLS did have an issue but not when you did a complete replacement of permissions, only when you edited them. However Tj appears to have already moved the files so the only real option here is SubInACL, SetACL, or Howard's SetOwner which apparently is the method Tj chose.

eyecantw8: Yes, one "could" have used Robocopy (GREAT UTILITY) to move or copy the files, but looks like Tj has already moved them and now just wants to reset the Owner attribute. One could also use new versions of XCOPY which support maintaining the owner attribute.

Appears there are now at least 3 good FREE methods of restoring or setting the file ownership.

Microsoft's utility SubInACL
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

SourceForge utility SetACL
http://setacl.sourceforge.net/

Howard Bullock's Perl solution SetOwner
http://home.comcast.net/~habullock/Perlutilities.htm
http://home.comcast.net/~habullock/Library/setowner.exe

Top
#130397 - 2004-12-02 08:34 PM Re: Take Ownership using XCACLS
tjcarst Offline
Hey THIS is FUN

Registered: 2003-09-08
Posts: 243
Loc: USA
Thanks, everyone. The information is appreciated.

Howard - yes there should be a better way. The problem I have is that ITS is notified to disable accounts for employees that leave, but to retain their home directory and mailbox until someone can review them. Often this is forgotten and the home directory is never deleted. So enumerating the accounts probably won't help me. The account is gone, but the home directory remains. I thought that by having a script run that looked at each home directory and found a matching user would be helpful IF the script generated a log for the directories without a matching account.

tjcarst

Top
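A looping script of the kind asked for in the posts above (check for a matching username before changing anything, check that the directory exists, report folders with no account), as an added example that is not code from any poster and not part of SetOwner. It uses `icacls /setowner` instead of the tools named in the thread; the function name, parameters, status strings and sample path and domain are assumptions, and it needs an elevated session on a Windows version that ships icacls.

```powershell
# Added example, not from the thread. Paths and the domain name are placeholders.
function Set-HomeFolderOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BaseHomeDir,   # e.g. F:\Home
        [Parameter(Mandatory)][string]$Domain         # NetBIOS domain name
    )

    # Directory existence check up front.
    if (-not (Test-Path -LiteralPath $BaseHomeDir -PathType Container)) {
        throw "Base home directory not found: $BaseHomeDir"
    }

    foreach ($dir in Get-ChildItem -LiteralPath $BaseHomeDir -Directory) {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $dir.Name)
        $status  = 'Skipped'

        try {
            # Resolve the name to a SID once per folder, before touching any file.
            $null = $account.Translate([System.Security.Principal.SecurityIdentifier])

            if ($PSCmdlet.ShouldProcess($dir.FullName, "set owner to $($account.Value)")) {
                # /T recurses, /C continues past per-file errors, /Q hides success lines.
                & icacls.exe $dir.FullName /setowner $account.Value /T /C /Q | Out-Null
                $status = if ($LASTEXITCODE -eq 0) { 'OwnerSet' } else { "IcaclsFailed($LASTEXITCODE)" }
            }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No account with this name: candidate for review, nothing is changed.
            $status = 'NoMatchingAccount'
        }

        [pscustomobject]@{ Folder = $dir.FullName; Account = $account.Value; Status = $status }
    }
}

# Usage (dry run, then keep only the folders that need attention):
#   Set-HomeFolderOwner -BaseHomeDir 'F:\Home' -Domain 'DOMAINNAME' -WhatIf |
#       Where-Object Status -eq 'NoMatchingAccount' |
#       Export-Csv .\orphaned-home-folders.csv -NoTypeInformation
```

A disabled account still resolves to a SID, so only folders whose account has been deleted are reported as `NoMatchingAccount`.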
#130398 - 2004-12-02 08:55 PM Re: Take Ownership using XCACLS
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA
We name the user's home folder the same as their logon name. Then when a user leaves we place their entire home folder in an OBSOLETE folder with the date it was moved. That way it can easily be reviewed for deletion.

Example:

OBSOLETE
JMSMITH_10-15-2004
BLWARNE_09-12-2004

Then if you need disk space or if you're ready to remove you can easily see by the date which ones need attention first.

There are ways or methods to automate this, but our management has opted not to automate. They prefer to review all data before deletion regardless.

Top