#130379 - 2004-11-30 10:21 PM
Take Ownership using XCACLS
|
Anonymous
Anonymous
Unregistered
|
I moved user home directories from one drive to another on a Windows 2000 file server. Administrator is now the owner.
I'd like to set the Ownership of each directory to its respective user.
Need to do:
1. Extract the subdirectory listing from F:\Home.
2. Match a username to each subdirectory (if exist).
3. Change the ownership.
Shell 'cmd.exe /c @scriptdir\xcacls $BaseHomeDir\$username /g $domain\$username $username:o'
Does anyone have a script that they are already using (and willing to share)? This seems to be a common problem when moving home directories with Microsoft Windows.
tjcarst
|
#130380 - 2004-11-30 11:18 PM
Re: Take Ownership using XCACLS
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
I have written a SetOwner program that I will post to my site this evening sometime.
|
#130381 - 2004-11-30 11:56 PM
Re: Take Ownership using XCACLS
|
tjcarst
Hey THIS is FUN
Registered: 2003-09-08
Posts: 243
Loc: USA
|
Thanks, Howard.
I need to step through what is happening and make some sense of each step in order to troubleshoot. I will stop scratching my head and wait to see if SetOwner will work for my environment.
This makes no sense to me that MS would not allow for the change of ownership when moving directories. If the system was a clean install and users immediately created files it would work. And if you wanted to add space by backing up the data, installing add'l space, and restoring, this is always going to be a problem for administrators. So frustrating.
Quote:
$domain='domainname'
$basehomefolder='f:\home'
$computer='servername'
if not $computer $computer = "." endif
;GET FOLDERS (the directory path in the WMI query must be quoted)
$colSubfolders=GetObject('winmgmts:{impersonationLevel=impersonate}!\\' + $computer + '\root\cimv2').ExecQuery("ASSOCIATORS OF {Win32_Directory.Name='" + $basehomefolder + "'} WHERE AssocClass = Win32_Subdirectory ResultRole = PartComponent")
;GET USERS
$objOU = GetObject("LDAP://ou=Users,dc=domain,dc=local")
$objOU.Filter = "user", ""
;MATCH USERS & FOLDERS
for each $objFolder in $colSubfolders
  $homefolder = $objFolder.Name
  ? "Home Folder " + $homefolder
  ;the folder name is the last component of the full path
  $foldername = SubStr($homefolder, InStrRev($homefolder, '\') + 1)
  for each $objUser in $objOU
    ;compare on the logon name, not on the user object itself
    $aduser = $objUser.sAMAccountName
    if $aduser = $foldername
      ? 'AD User ' + $aduser
      ;grant the matching user the take-ownership (O) right on the folder
      Shell 'cmd.exe /c @scriptdir\xcacls $homefolder /g $domain\$aduser:o'
      ? @serror ?
    endif
  next
next
|
#130383 - 2004-12-01 12:39 AM
Re: Take Ownership using XCACLS
|
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
|
I knew it was out there. Just had to find the link.
Please take a look at the following links which hopefully will provide the details you require to accomplish this task.
SubInACL update
Set the owner to any user/group
http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Board=UBB14&Number=121194
SetACL is a set of routines for managing Windows permissions (ACLs) from the command line
Set the owner to any user/group
http://setacl.sourceforge.net/
Quote:
Overview
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain. For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information for the user's files. This gives the user access to the same files from the new domain.
SubInACL enables administrators to do the following:
Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
Change the owner of an object.
Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.
This update addresses the following issues:
Fixed bug where subinacl.exe failed to process command line arguments
Fixed bug where subinacl.exe failed to function correctly with cluster file shares
Edited by NTDOC (2004-12-01 12:43 AM)
|
#130385 - 2004-12-01 03:30 AM
Re: Take Ownership using XCACLS
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
|
#130386 - 2004-12-01 04:38 AM
Re: Take Ownership using XCACLS
|
eyecantw8
Fresh Scripter
Registered: 2004-01-30
Posts: 8
Loc: Australia, Victoria
|
Hmm, why not use the MS Resource Kit 'robocopy' with the /SEC switch? But I suppose that'll only take current ownership across, not set new ownership. How have you got on anyway?
|
#130387 - 2004-12-01 04:34 PM
Re: Take Ownership using XCACLS
|
tjcarst
Hey THIS is FUN
Registered: 2003-09-08
Posts: 243
Loc: USA
|
Thanks, everyone. I will review submitted links and try SetOwner.
tjcarst
|
#130388 - 2004-12-01 04:44 PM
Re: Take Ownership using XCACLS
|
tjcarst
Hey THIS is FUN
Registered: 2003-09-08
Posts: 243
Loc: USA
|
SetOwner works for my purpose. I have 790 home folders to change, I'd better get busy.
Thanks!
|
#130389 - 2004-12-01 05:13 PM
Re: Take Ownership using XCACLS
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
A little looping program should make short work of those...
|
#130390 - 2004-12-01 05:44 PM
Re: Take Ownership using XCACLS
|
tjcarst
Hey THIS is FUN
Registered: 2003-09-08
Posts: 243
Loc: USA
|
Unfortunately, it would take me longer to figure out the looping program than to type each manually. I am cleaning up the user folders for employees who are no longer here while I am at it. If I could get it to log errors for the folders that could not find a matching username, it would be worth the time. I am not a programmer and it takes me forever to get a script that works. Finding SetOwner was a godsend. Thanks!
tjcarst
|
#130391 - 2004-12-01 06:03 PM
Re: Take Ownership using XCACLS
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
What is your perception of the performance of SetOwner?
|
#130392 - 2004-12-01 06:17 PM
Re: Take Ownership using XCACLS
|
tjcarst
Hey THIS is FUN
Registered: 2003-09-08
Posts: 243
Loc: USA
|
Fairly quick. I set ownership of a 2 GB (4,351 files) home directory in 2 minutes. I could time it for you if you wish. It is running on a quad processor file server. It would be nice if it returned an error indicating no such username found instead of the current error for EACH file. It fills up the screen. If it could check for the existence of a matching username first before trying to take ownership, it would be prettier and quicker. Directory existence checking too, for those of us with fat fingers. But, this is still a great utility for me. I've been bothered for over a year with Administrator owning files on the server when we migrated from Novell. I ran out of disk space yesterday and needed to move the files to a new disk on the server. Had I remembered and used xcopy, I would have been safe. But, had I had this utility a year ago, I would have been a much happier network admin. I am happy I found it now.
Edited by tjcarst (2004-12-01 06:23 PM)
|
#130393 - 2004-12-01 06:33 PM
Re: Take Ownership using XCACLS
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Working on those common sense enhancements for you...stay tuned.
I had upgraded my Perl and modules used for this program. It does not seem to function properly once compiled.... Still working on it...
Edited by Howard Bullock (2004-12-01 07:15 PM)
|
#130394 - 2004-12-01 07:47 PM
Re: Take Ownership using XCACLS
|
tjcarst
Hey THIS is FUN
Registered: 2003-09-08
Posts: 243
Loc: USA
|
It will be nice to use as a method of determining when an employee no longer has an AD account. I am just getting to the letter L (372 done) and I have found over 60 home folders with no matching user account. I will run the SetOwner on the home folders monthly to find out what home folders need to be removed. Thanks, Howard!
|
#130395 - 2004-12-01 11:05 PM
Re: Take Ownership using XCACLS
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
There should be much better ways to tell when an employee is no longer there and clean up the user directories.
A suggestion would be to use EnumObject.exe to output the accounts with properties. Run it once a month, compare the outputs, and remove the directories that are not shown in the new report.
|
#130397 - 2004-12-02 08:34 PM
Re: Take Ownership using XCACLS
|
tjcarst
Hey THIS is FUN
Registered: 2003-09-08
Posts: 243
Loc: USA
|
Thanks, everyone. The information is appreciated.
Howard - yes there should be a better way. The problem I have is that ITS is notified to disable accounts for employees that leave, but to retain their home directory and mailbox until someone can review them. Often this is forgotten and the home directory is never deleted. So enumerating the accounts probably won't help me. The account is gone, but the home directory remains. I thought that by having a script run that looked at each home directory and found a matching user would be helpful IF the script generated a log for the directories without a matching account.
tjcarst
|
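The check asked for in the posts above (confirm that a matching account exists before touching a folder, and log each home directory that has none) can be sketched as follows. This is an added example, not part of the original thread and not the SetOwner program; the parameter defaults (`F:\Home`, `DOMAINNAME`, the log file name) are assumed values, and it assumes each folder is named after the user's logon name.

```powershell
# Added example. HomeRoot, Domain and LogPath are assumed values.
param(
    [string]$HomeRoot = 'F:\Home',
    [string]$Domain   = 'DOMAINNAME',
    [string]$LogPath  = '.\home-folder-audit.log',
    [switch]$Apply    # without -Apply nothing is changed, only reported
)

$sidType = [System.Security.Principal.SecurityIdentifier]

function Resolve-AccountSid {
    param([string]$Domain, [string]$Name)
    # Translate() throws IdentityNotMappedException when the account does not exist.
    try {
        (New-Object System.Security.Principal.NTAccount($Domain, $Name)).Translate($sidType)
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $sid = Resolve-AccountSid -Domain $Domain -Name $dir.Name
    if ($null -eq $sid) {
        # One log line per folder instead of one error per file.
        Add-Content -LiteralPath $LogPath -Value (
            "{0:s}`tNO MATCHING ACCOUNT`t{1}" -f (Get-Date), $dir.FullName)
        continue
    }

    # The folder itself plus everything below it, hidden and system items included.
    $items = @($dir) + @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force)
    $changed = 0
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Compare SIDs, not names, so differences in name format do not matter.
        if ($acl.GetOwner($sidType).Value -eq $sid.Value) { continue }
        if ($Apply) {
            $acl.SetOwner($sid)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
        $changed++
    }
    $verb = if ($Apply) { 'OWNER SET' } else { 'WOULD SET OWNER' }
    Add-Content -LiteralPath $LogPath -Value (
        "{0:s}`t{1} ({2} items)`t{3}" -f (Get-Date), $verb, $changed, $dir.FullName)
}
```

Assigning ownership to an account other than the caller requires the restore-files privilege (SeRestorePrivilege), so the `-Apply` run has to be made from an elevated session by an account that holds it.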