**DONOTDELETE**
(Lurker)
2004-11-30 10:21 PM
Take Ownership using XCACLS

I moved user home directories from one drive to another on a Windows 2000 file server. Administrator is now the owner.

I'd like to set the Ownership of each directory to its respective user.

Need to do:

1. Extract the subdirectory listing from F:\Home.
2. Match a username to each subdirectory (if one exists).
3. Change the ownership.

Shell 'cmd.exe /c @scriptdir\xcacls $BaseHomeDir\$username /g $domain\$username $username:o'

Does anyone have a script that they are already using (and willing to share)? This seems to be a common problem when moving home directories with Microsoft Windows.

tjcarst


Howard Bullock
(KiX Supporter)
2004-11-30 11:18 PM
Re: Take Ownership using XCACLS

I have written a SetOwner program that I will post to my site this evening sometime.

tjcarst
(Hey THIS is FUN)
2004-11-30 11:56 PM
Re: Take Ownership using XCACLS

Thanks, Howard.

I need to step through what is happening and make some sense of each step in order to troubleshoot. I will stop scratching my head and wait to see if SetOwner will work for my environment.

This makes no sense to me that MS would not allow for the change of ownership when moving directories. If the system was a clean install and users immediately created files it would work. And if you wanted to add space by backing up the data, installing add'l space, and restoring, this is always going to be a problem for administrators. So frustrating.

Quote:


$domain = 'domainname'
$basehomefolder = 'f:\home'
$computer = 'servername'
If Not $computer $computer = '.' EndIf

;GET FOLDERS
; The directory path must be quoted inside the braces, with a space before WHERE
$wmi = GetObject('winmgmts:{impersonationLevel=impersonate}!\\' + $computer + '\root\cimv2')
$colSubfolders = $wmi.ExecQuery("ASSOCIATORS OF {Win32_Directory.Name='" + $basehomefolder + "'} WHERE AssocClass = Win32_Subdirectory ResultRole = PartComponent")

;GET USERS
$objOU = GetObject('LDAP://ou=Users,dc=domain,dc=local')

;MATCH USERS & FOLDERS
For Each $objFolder In $colSubfolders
   $homefolder = $objFolder.Name
   ; Compare on the last path component only, e.g. f:\home\jsmith -> jsmith
   $parts = Split($homefolder, '\')
   $foldername = $parts[UBound($parts)]
   ? 'Home Folder ' + $homefolder
   For Each $objUser In $objOU
      ; Skip anything in the OU that is not a user object
      If $objUser.Class = 'user'
         $aduser = $objUser.sAMAccountName
         If $aduser = $foldername
            ? 'AD User ' + $aduser
            ; Without /e, xcacls /g replaces the existing ACL rather than editing it
            Shell 'cmd.exe /c @scriptdir\xcacls $homefolder /g $domain\$aduser:o'
            ? @serror
         EndIf
      EndIf
   Next
Next






NTDOCAdministrator
(KiX Master)
2004-12-01 12:04 AM
Re: Take Ownership using XCACLS

Please take a look at the following post and see if it helps any.

http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Number=57147

Also XCOPY supports keeping all that information.

/O Copies file ownership and ACL information


However, if you've already moved the files, then none of this is going to help much. XCacls can take ownership but don't think it can SET ownership to another account even though the OS supports it.

I know you can assign ownership as the program Security Explorer from Small Wonders (Now owned by ScriptLogic) is able to do it.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_SEconceptsUnOwn.asp


NTDOCAdministrator
(KiX Master)
2004-12-01 12:39 AM
Re: Take Ownership using XCACLS

I knew it was out there. Just had to find the link.

Please take a look at the following links which hopefully will provide the details you require to accomplish this task.


SubInACL update
Set the owner to any user/group
http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Board=UBB14&Number=121194


SetACL is a set of routines for managing Windows permissions (ACLs) from the command line
Set the owner to any user/group
http://setacl.sourceforge.net/


Quote:

Overview
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain. For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information for the user's files. This gives the user access to the same files from the new domain.

SubInACL enables administrators to do the following:
Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
Change the owner of an object.
Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.

This update addresses the following issues:
Fixed bug where subinacl.exe failed to process command line arguments
Fixed bug where subinacl.exe failed to function correctly with cluster file shares




Les
(KiX Master)
2004-12-01 03:26 AM
Re: Take Ownership using XCACLS

Isn't there some issue with XCACLS turning on inheritance? Might not be an issue with home folders but still. I believe CACLS (at least the newer, bug free one) does not have the same problem with inheritance.

When I moved all my users' home folders from NetWare to DFS, I used SubInACL. Since the UserID was the same as the folder name, it didn't take rocket science to knock off a quick script.


Howard Bullock
(KiX Supporter)
2004-12-01 03:30 AM
Re: Take Ownership using XCACLS

SetOwner.exe is now on my web site.

http://home.comcast.net/~habullock/Perlutilities.htm


eyecantw8
(Fresh Scripter)
2004-12-01 04:38 AM
Re: Take Ownership using XCACLS

hmm, why not use ms resource kit 'robocopy' with the /SEC switch, but i spose that'll only take current ownership across not set new ownership? how have you got on anyway?

tjcarst
(Hey THIS is FUN)
2004-12-01 04:34 PM
Re: Take Ownership using XCACLS

Thanks, everyone. I will review submitted links and try SetOwner.

tjcarst


tjcarst
(Hey THIS is FUN)
2004-12-01 04:44 PM
Re: Take Ownership using XCACLS

SetOwner works for my purpose. I have 790 home folders to change, I'd better get busy.

Thanks!


Howard Bullock
(KiX Supporter)
2004-12-01 05:13 PM
Re: Take Ownership using XCACLS

a little looping program should make short work of those...

tjcarst
(Hey THIS is FUN)
2004-12-01 05:44 PM
Re: Take Ownership using XCACLS

Unfortunately, it would take me longer to figure out the looping program than to type each manually. I am cleaning up the user folders for employees who are no longer here while I am at it. If I could get it to log errors for the folders that could not find a matching username, it would be worth the time. I am not a programmer and it takes me forever to get a script that works. Finding SetOwner was a godsend. Thanks!

tjcarst


Howard Bullock
(KiX Supporter)
2004-12-01 06:03 PM
Re: Take Ownership using XCACLS

What is your perception of the performance of SetOwner?

tjcarst
(Hey THIS is FUN)
2004-12-01 06:17 PM
Re: Take Ownership using XCACLS

Fairly quick. I set ownership of a 2gb (4,351 files) home directory in 2 minutes. I could time it for you if you wish. It is running on a quad processor file server. It would be nice if it returned an error indicating no such username found instead of the current error for EACH file. It fills up the screen. If it could check for the existence of a matching username first before trying to take ownership, it would be prettier and quicker. Directory existence checking too, for those of us with fat fingers. But, this is still a great utility for me. I've been bothered for over a year with Administrator owning files on the server when we migrated from Novell. I ran out of disk space yesterday and needed to move the files to a new disk on the server. Had I remembered and used xcopy, I would have been safe. But, had I had this utility a year ago, I would have been a much happier network admin. I am happy I found it now.

Howard Bullock
(KiX Supporter)
2004-12-01 06:33 PM
Re: Take Ownership using XCACLS

Working on those common sense enhancements for you...stay tuned.

I had upgraded my Perl and modules used for this program. It does not seem to function properly once compiled.... Still working on it...


tjcarst
(Hey THIS is FUN)
2004-12-01 07:47 PM
Re: Take Ownership using XCACLS

It will be nice to use as a method of determining when an employee no longer has an AD account. I am just getting to the letter L (372 done) and I have found over 60 home folders with no matching user account. I will run the SetOwner on the home folders monthly to find out what home folders need to be removed. Thanks, Howard!

Howard Bullock
(KiX Supporter)
2004-12-01 11:05 PM
Re: Take Ownership using XCACLS

There should be much better ways to tell when an employee is no longer there and clean up the user directories.

A suggestion would be to use EnumObject.exe to output the accounts with properties. Run it once a month, compare the outputs, and remove the directories that are not shown in the new report.


NTDOCAdministrator
(KiX Master)
2004-12-02 12:16 AM
Re: Take Ownership using XCACLS

LES: Yes, XCACLS did have an issue but not when you did a complete replacement of permissions, only when you edited them. However Tj appears to have already moved the files so the only real option here is SubInACL, SetACL, or Howard's SetOwner which apparently is the method Tj chose.

eyecantw8: Yes, one "could" have used RoboCopy (GREAT UTILITY) to move or copy the files, but looks like Tj has already moved them and now just wants to reset the Owner attribute. One could also use new versions of XCOPY which support maintaining the owner attribute.

Appears there are now at least 3 good FREE methods of restoring or setting the file ownership.

Microsoft's utility SubInACL
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

SourceForge utility SetACL
http://setacl.sourceforge.net/

Howard Bullock's Perl solution SetOwner
http://home.comcast.net/~habullock/Perlutilities.htm
http://home.comcast.net/~habullock/Library/setowner.exe


tjcarst
(Hey THIS is FUN)
2004-12-02 08:34 PM
Re: Take Ownership using XCACLS

Thanks, everyone. The information is appreciated.

Howard - yes there should be a better way. The problem I have is that ITS is notified to disable accounts for employees that leave, but to retain their home directory and mailbox until someone can review them. Often this is forgotten and the home directory is never deleted. So enumerating the accounts probably won't help me. The account is gone, but the home directory remains. I thought that by having a script run that looked at each home directory and found a matching user would be helpful IF the script generated a log for the directories without a matching account.

tjcarst
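
The audit described in the post above, as an added example (not code from this thread and not part of SetOwner): it walks the home root, checks each folder name against AD, logs folders with no account or a disabled account for review, and only reports owner changes unless `-Apply` is given. It assumes PowerShell with the ActiveDirectory module, folder names equal to logon names, and `icacls /setowner`, a tool the thread does not mention; `F:\Home`, `EXAMPLE` and the log path are placeholders.

```powershell
# Added example: audit home folders against AD, log the orphans, optionally fix owners.
# Assumptions: folder name equals the logon name; ActiveDirectory module is installed;
# F:\Home, EXAMPLE and the log path are placeholders.
Import-Module ActiveDirectory

function Get-HomeFolderStatus {
    param([Parameter(Mandatory)] [string] $HomeRoot)

    foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
        # -Filter returns nothing for an unknown name instead of throwing per folder
        $name = $dir.Name.Replace("'", "''")
        $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
        if (-not $user) { $status = 'NoAccount' }
        elseif (-not $user.Enabled) { $status = 'Disabled' }
        else { $status = 'Active' }

        [pscustomobject]@{
            Folder  = $dir.FullName
            Account = $dir.Name
            Status  = $status
            Owner   = (Get-Acl -LiteralPath $dir.FullName).Owner
        }
    }
}

function Set-HomeFolderOwner {
    param(
        [Parameter(Mandatory)] [string] $HomeRoot,
        [Parameter(Mandatory)] [string] $Domain,   # NetBIOS domain name
        [Parameter(Mandatory)] [string] $LogPath,
        [switch] $Apply                            # without -Apply nothing is changed
    )
    $report = @(Get-HomeFolderStatus -HomeRoot $HomeRoot)

    # Folders with no account or a disabled account are logged for review, not touched
    $report | Where-Object { $_.Status -ne 'Active' } |
        Export-Csv -Path $LogPath -NoTypeInformation

    foreach ($row in $report | Where-Object { $_.Status -eq 'Active' }) {
        $target = "$Domain\$($row.Account)"
        if ($row.Owner -eq $target) { continue }   # top-level owner already correct
        if (-not $Apply) { "Would set owner of $($row.Folder) to $target"; continue }

        # /T recurses, /C continues past errors, /Q suppresses per-file success lines
        icacls $row.Folder /setowner $target /T /C /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $($row.Folder)" }
    }
}

# Dry run: writes the review log and prints the changes it would make
Set-HomeFolderOwner -HomeRoot 'F:\Home' -Domain 'EXAMPLE' -LogPath 'C:\Temp\home-folders-to-review.csv'
```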


NTDOCAdministrator
(KiX Master)
2004-12-02 08:55 PM
Re: Take Ownership using XCACLS

We name the user's home folder the same as their logon name. Then when a user leaves we place their entire home folder in an OBSOLETE folder with the date it was moved. That way it can easily be reviewed for deletion.

Example:

OBSOLETE
JMSMITH_10-15-2004
BLWARNE_09-12-2004

Then if you need disk space or if you're ready to remove you can easily see by the date which ones need attention first.

There are ways or methods to automate this, but our management has opted not to automate. They prefer to review all data before deletion regardless.


tjcarst
(Hey THIS is FUN)
2004-12-02 09:45 PM
Re: Take Ownership using XCACLS

Thanks, NTDOC. Actually, I do this myself, but am not normally the one who works with setting up or disabling the accounts. Getting others to follow this example is the trick. I'll work on it, though.

tjcarst


NTDOCAdministrator
(KiX Master)
2004-12-02 10:55 PM
Re: Take Ownership using XCACLS

A slightly better method would be to use the date format like most of the World outside the US uses.

OBSOLETE
    04-09-12_BLWARNE
    04-10-15_JMSMITH


Howard Bullock
(KiX Supporter)
2004-12-03 12:48 AM
Re: Take Ownership using XCACLS

If you routinely use EnumObject.exe or another method to dump the accounts, you could easily compare last month's dump with the current one and know right away what accounts are no longer in the domain. The dump from last month would contain the home directory property data for the account. You would simply determine the accounts in the old dump that are not in the new dump and process the home directories.

**DONOTDELETE**
(Lurker)
2004-12-03 03:57 AM
Re: Take Ownership using XCACLS

Thanks, everyone.

I also use AutoShare Manager to share all users' home directories in a subfolder called Users and assign the user and Administrator full control. I wish ScriptLogic would add the ability to Take Ownership for the user assigned..... Wishful thinking.


tjcarst
(Hey THIS is FUN)
2004-12-03 04:01 AM
Re: Take Ownership using XCACLS

Oops. Forgot to sign on for that last post.

Howard - I know it is a simple task, but somehow I never have enough time for routine maintenance. Something new always needs added or something old always needs fixed. It nearly drives me crazy to think of all the things behind the scenes that need done that no one sees but me. I will give EnumObject a whirl and try to add it to my monthly To Do list. Thanks for the suggestion.

tjcarst


Howard Bullock
(KiX Supporter)
2004-12-03 05:33 AM
Re: Take Ownership using XCACLS

It is only one potential method to get to your desired end result. The basics will have to maintain a list of accounts in a data file, then periodically add new and report ones that are no longer there. If you need to have a click and go solution, I may be able to find some time to code something up.
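
The snapshot comparison suggested in this thread, as an added example (not code from the thread and not EnumObject.exe itself): last month's account list still holds the home directory of an account that has since been removed, so the leftover folder can be reported. It assumes PowerShell with the ActiveDirectory module and a CSV snapshot format defined here; the file names are placeholders.

```powershell
# Added example: find accounts that vanished between two monthly snapshots.
# Assumptions: snapshots are CSV files with SamAccountName and HomeDirectory columns,
# written by Export-AccountSnapshot below; file names are placeholders.
Import-Module ActiveDirectory

function Export-AccountSnapshot {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ADUser -Filter * -Properties HomeDirectory |
        Select-Object SamAccountName, HomeDirectory, Enabled |
        Export-Csv -Path $Path -NoTypeInformation
}

function Get-RemovedAccountFolder {
    param(
        [Parameter(Mandatory)] [string] $PreviousCsv,
        [Parameter(Mandatory)] [string] $CurrentCsv
    )
    # Index the current snapshot by logon name (hashtable keys are case-insensitive)
    $current = @{}
    foreach ($acct in Import-Csv -Path $CurrentCsv) { $current[$acct.SamAccountName] = $true }

    foreach ($old in Import-Csv -Path $PreviousCsv) {
        if ($current.ContainsKey($old.SamAccountName)) { continue }
        # The account is gone from AD, but last month's row still has its home path
        $onDisk = $false
        if ($old.HomeDirectory) { $onDisk = Test-Path -LiteralPath $old.HomeDirectory }
        [pscustomobject]@{
            Account       = $old.SamAccountName
            HomeDirectory = $old.HomeDirectory
            StillOnDisk   = $onDisk
        }
    }
}

# Monthly run: take a new snapshot, then report folders left behind by removed accounts
Export-AccountSnapshot -Path 'C:\Audit\accounts-2004-12.csv'
Get-RemovedAccountFolder -PreviousCsv 'C:\Audit\accounts-2004-11.csv' -CurrentCsv 'C:\Audit\accounts-2004-12.csv' |
    Where-Object StillOnDisk | Format-Table -AutoSize
```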



Howard Bullock
(KiX Supporter)
2004-12-03 06:00 AM
Re: Take Ownership using XCACLS

SetOwner.exe has been updated to provide input parameter checking and will exit with the proper error code if the parameters are invalid. I will try to get the size reduced some by finding a different methodology to validate the user account.

This version is 1.0.2.0.


tjcarst
(Hey THIS is FUN)
2004-12-03 10:04 PM
Re: Take Ownership using XCACLS

Thanks, Howard. SetOwner works great! It sure was getting a workout for a few hours there!

I would appreciate a simpler point and click solution, but don't spend a lot of time on it unless you see it to be useful for many lan admins. I've taken enough of your time.

tjcarst


NTDOCAdministrator
(KiX Master)
2004-12-03 11:11 PM
Re: Take Ownership using XCACLS

Quote:

point and click solution




Sorry, this is a KiXtart Scripting board. If you want point and click then you'll need to run on over to http://www.scriptlogic.com for some of their point and click solution software.

Or you could go over to http://www.kixforms.com and get some of the CODE-POINT & CLICK software.


LudvigX
(Just in Town)
2009-05-26 02:14 PM
Re: Take Ownership using XCACLS

Did you ever get this to work ??

 Originally Posted By: tjcarst
Thanks, Howard.

I need to step through what is happening and make some sense of each step in order to troubleshoot. I will stop scratching my head and wait to see if SetOwner will work for my environment.

This makes no sense to me that MS would not allow for the change of ownership when moving directories. If the system was a clean install and users immediately created files it would work. And if you wanted to add space by backing up the data, installing add'l space, and restoring, this is always going to be a problem for administrators. So frustrating.

 Quote:

$domain = 'domainname'
$basehomefolder = 'f:\home'
$computer = 'servername'
If Not $computer $computer = '.' EndIf

;GET FOLDERS
; The directory path must be quoted inside the braces, with a space before WHERE
$wmi = GetObject('winmgmts:{impersonationLevel=impersonate}!\\' + $computer + '\root\cimv2')
$colSubfolders = $wmi.ExecQuery("ASSOCIATORS OF {Win32_Directory.Name='" + $basehomefolder + "'} WHERE AssocClass = Win32_Subdirectory ResultRole = PartComponent")

;GET USERS
$objOU = GetObject('LDAP://ou=Users,dc=domain,dc=local')

;MATCH USERS & FOLDERS
For Each $objFolder In $colSubfolders
   $homefolder = $objFolder.Name
   ; Compare on the last path component only, e.g. f:\home\jsmith -> jsmith
   $parts = Split($homefolder, '\')
   $foldername = $parts[UBound($parts)]
   ? 'Home Folder ' + $homefolder
   For Each $objUser In $objOU
      ; Skip anything in the OU that is not a user object
      If $objUser.Class = 'user'
         $aduser = $objUser.sAMAccountName
         If $aduser = $foldername
            ? 'AD User ' + $aduser
            ; Without /e, xcacls /g replaces the existing ACL rather than editing it
            Shell 'cmd.exe /c @scriptdir\xcacls $homefolder /g $domain\$aduser:o'
            ? @serror
         EndIf
      EndIf
   Next
Next



tjcarst
(Hey THIS is FUN)
2015-05-29 10:08 PM
Re: Take Ownership using XCACLS

I just noticed I did not ever answer. It's been so long I don't remember if it worked.

I am currently migrating a 2003 file server to a netapp array and find myself faced with the same problem. Ironic I stumble upon my own post again. :-|