Advanced permission for files and folders
Hi,
Just wanted to raise a quick query on setting a unique NTFS Security permission.
My requirement
A shared folder with the below listed access for users
A group of users should be able to create, read, rename files and folders inside a shared folder.
The group of users should not have the right to delete any folder or file from the shared folder.
This is what I have tried.
Gave modify permission to the Security group.
On Advanced permissions, denied delete subfolders and file & delete permission.
The effective permission for a user who is member of the security group over a file inside the shared folder is as shown.
https://onedrive.live.com/redir?resid=835A81FDD1D9D9FC!109&authkey=!AGQFP11QTFaLHQM&v=3&ithint=photo%2cpng
But while trying to rename or modify the file, getting the below error message.
https://onedrive.live.com/redir?resid=835A81FDD1D9D9FC%21110
Any help to achieve my requirement would be really appreciated.
Thanks,
JD
Hi JD,
Removing delete permission from the user or group brings a limitation that the user will not be able to rename the folder. This is because of the reason that the "rename" operation is also included within the "Delete" permission.
Thus if you want to prevent user from deleting the shared file, it's also not allowed to rename.
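The overlap described in the reply can be checked against the NTFS access masks. The following PowerShell is an added example, not part of the original thread: it is a simplified model of the access check for one group whose ACEs are inherited unchanged by every item in the share, and the function names are hypothetical.

```powershell
using namespace System.Security.AccessControl

# Added example: a simplified model of the access check, not a replacement for
# the Effective Access tab. Assumption: one group, same ACEs on parent and item.

function Get-GrantedRights {
    param(
        [Parameter(Mandatory)][FileSystemRights]$Allow,
        [Parameter(Mandatory)][FileSystemRights]$Deny
    )
    # Deny ACEs are evaluated before allow ACEs in a canonical DACL,
    # so a denied bit is never granted.
    [FileSystemRights]([int]$Allow -band (-bnot [int]$Deny))
}

function Test-ShareOperations {
    param(
        [Parameter(Mandatory)][FileSystemRights]$OnItem,    # granted on the file or subfolder
        [Parameter(Mandatory)][FileSystemRights]$OnParent   # granted on its containing folder
    )
    # Rename and delete both have to open the item with the DELETE access right.
    # That open succeeds when DELETE is granted on the item, or when the parent
    # grants "Delete subfolders and files".
    $deleteAccess = $OnItem.HasFlag([FileSystemRights]::Delete) -or
                    $OnParent.HasFlag([FileSystemRights]::DeleteSubdirectoriesAndFiles)
    [pscustomobject]@{
        CreateFile   = $OnParent.HasFlag([FileSystemRights]::CreateFiles)
        CreateFolder = $OnParent.HasFlag([FileSystemRights]::CreateDirectories)
        Read         = $OnItem.HasFlag([FileSystemRights]::Read)
        Rename       = $deleteAccess
        Delete       = $deleteAccess
    }
}

$modify = [FileSystemRights]::Modify
$denied = [FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'

# Modify is a composite right and already contains Delete.
'Modify includes Delete: {0}' -f $modify.HasFlag([FileSystemRights]::Delete)

# Configuration from the question: Allow Modify, Deny both delete rights.
$granted = Get-GrantedRights -Allow $modify -Deny $denied
'Allow Modify + Deny Delete/Delete subfolders and files:'
Test-ShareOperations -OnItem $granted -OnParent $granted | Format-List

# Modify on its own, for comparison.
'Allow Modify only:'
Test-ShareOperations -OnItem $modify -OnParent $modify | Format-List
```

Rename and Delete are computed from the same value in the model because both depend on the same access right, which is why no combination of allow and deny entries separates them.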
Similar Messages
-
To extract the users permission on files and folders in sharepoint 2010 using client object model
Hello,
This is sample code to get item level permission: (Just written in notepad so it is not tested)
// using System.Collections.Generic;
// using Microsoft.SharePoint.Client;
// ctx (ClientContext) and ItemId (int) are expected to be defined by the caller.
public void ItemLevelPermission()
{
    // Use the Id of the file or folder.
    ListItem curItem = ctx.Web.Lists.GetByTitle("LibraryName").GetItemById(ItemId);
    // ListItem derives from SecurableObject, which exposes RoleAssignments.
    SecurableObject curObj = curItem;
    IEnumerable<RoleAssignment> roles = ctx.LoadQuery(
        curObj.RoleAssignments.Include(
            roleAsg => roleAsg.Member,
            roleAsg => roleAsg.RoleDefinitionBindings.Include(
                roleDef => roleDef.Name, // for each role definition, include roleDef's Name
                roleDef => roleDef.Description)));
    ctx.ExecuteQuery();
}
Hope it could help
Hemendra:Yesterday is just a memory,Tomorrow we may never see
-
Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services
To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields. When following that kind of link for folders, I either get:
<d:ListItemAllFields
m:null="true"
/>
or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
to a list!).
If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
/_api/Web/Lists/GetByTitle('Development')
If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
gives me:
<d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
So, in summary:
1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
path I should use to get the data I described above.
Upon further research, I'll answer my own question for the benefit of some other potential future newbie. The answer to question number 1 above is "Not exactly.". The server relative URLs I was using corresponded to lists (which are
returned as a collection through /_api/web/lists). I was treating them mentally like regular folders. That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists. That was the other problem with thinking of these lists as regular folders. So, ListItemAllFields works on
all files and folders in a list. However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above. For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessible via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments. -
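The approach in the follow-up post (pick the non-hidden document libraries out of /_api/web/lists, then address each one's RoleAssignments by GUID or Title) can be sketched as below. This is an added example, not code from the thread: the JSON is a constructed sample in the odata=verbose shape, the host name is a placeholder, the function name is hypothetical, and BaseTemplate 101 is the document library template.

```powershell
# Added example. Constructed sample of a /_api/web/lists response
# (Accept: application/json;odata=verbose); only the first Id comes from the post.
$sampleJson = @'
{"d":{"results":[
  {"Id":"cd242eeb-aafa-4efa-aecc-9bbdf8e3d459","Title":"Development","Hidden":false,"BaseTemplate":101},
  {"Id":"00000000-0000-0000-0000-000000000001","Title":"Team Tasks","Hidden":false,"BaseTemplate":107},
  {"Id":"00000000-0000-0000-0000-000000000002","Title":"Internal Cache","Hidden":true,"BaseTemplate":101}
]}}
'@

function Get-LibraryRoleAssignmentUrl {
    param(
        [Parameter(Mandatory)]$ListsResponse,   # parsed /_api/web/lists response
        [Parameter(Mandatory)][string]$WebUrl   # e.g. https://host/sites/cmisdev
    )
    # Expanding Member and RoleDefinitionBindings returns who holds which role
    # in a single request per library.
    $expand = '?$expand=Member,RoleDefinitionBindings'
    $ListsResponse.d.results |
        Where-Object { -not $_.Hidden -and $_.BaseTemplate -eq 101 } |
        ForEach-Object {
            # A single quote inside a Title is doubled in the OData string literal.
            $title = $_.Title.Replace("'", "''")
            [pscustomobject]@{
                Title   = $_.Title
                ByGuid  = ("{0}/_api/Web/Lists(guid'{1}')/RoleAssignments" -f $WebUrl, $_.Id) + $expand
                ByTitle = ("{0}/_api/Web/Lists/GetByTitle('{1}')/RoleAssignments" -f $WebUrl, $title) + $expand
            }
        }
}

# Offline run against the constructed sample; the host is a placeholder.
$web   = 'https://sharepoint.example/sites/cmisdev'
$lists = $sampleJson | ConvertFrom-Json
Get-LibraryRoleAssignmentUrl -ListsResponse $lists -WebUrl $web | Format-List

# Against a live server the same function takes the real response, for example:
#   $hdr   = @{ Accept = 'application/json;odata=verbose' }
#   $lists = Invoke-RestMethod -Uri "$web/_api/web/lists" -Headers $hdr -UseDefaultCredentials
# Files and folders inside a library keep using .../ListItemAllFields/RoleAssignments.
```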
How to set default permissions for files and folders
We have mac and windows computers on a network where we use Mac OSX Server 10.4 to share files. When files are created on windows computer, no problem, all users can read/write these files. However on our 2 macs (1 10.3 and 1 10.4), other users are blocked from using the files, only the owner has "read/write", group and others are "read only". As far as I can tell, file sharing is turned on ok in Workgroup Manager for the folders we share files from. How can we establish sharing for all users on our network?
Niel's suggestion is good. You might also try posting your question in the Tiger Server forums. I'm sure Tiger Server has several ways of dealing with this.
-
"Application can't be found" error for files and folders
This has become mind boggling for me.
Starting last week, files I've created (namely in either Adobe Photoshop CS5 or Illustrator CS5) have started giving me "Application can't be found" errors when trying to open them. They show up when I use spotlight to search for the file, but they don't show up in Finder and can't be found when trying to browse for them via the apps used to create them.
Now I can't open a particular folder either (same symptoms and errors as above), which should have nothing to do with any applications.
Have rebooted numerous times and am up to date on all firmware. I know these files exist and did work at one point because I uploaded them to be printed last week with no issues. But sometime between now and then (and I haven't touched them since) they decided to stop working. Please help!
I am annoyed by, I think, the same problem. I would like to drag Pages files directly to the finder in the dock, but now with Mavericks I can not do this. It is bothersome to have to click on the finder to open it up when I did not have to do that with the old operating system. I hope someone can help us both out.
I also hope that in the next update Apple addresses the concerns many are having with the newest version of Pages. Until something is changed, I am sticking with old Pages because I find it to be a much better program to use. -
How do I set up my iPad for outlook files and folders
I want to see and use, on my iPad, the same files and folders I have in outlook on my PC. Also I want any changes I make on the PC or the iPad to sync with each other.
PC is running Windows 7,
Outlook version 2007, not the exchange version although I think I can get that by re-installing outlook and choosing that option.(I don't understand what exchange is but don't bother to explain it unless the solution requires using it)
I currently use Gmail for my email accounts server. They are set up as POP accounts with Outlook using a .PST data file. However, IMAP is available for Gmail. My brief past experience with IMAP and .OST data files was kind of a disaster so it isn't my 1st choice for this.
As I understand it using Outlook 365 with Microsoft's cloud and mobile app would solve my problem but I don't like clouds, 365 or IMAP (I may have to concede on some of those). If there is a way to do it through the Gmail accounts without any other cloud that would be ideal since they already have all my email and I won't be spreading my personal info to other companies.
I do have a Drop Box account but I currently only use it for some well vetted specific files that I share with specific individuals.
I do not have any computer or network drive that is always on and might serve as a private cloud. That could be changed but then I'm relying there being no ISP or power interruptions which, of course do occasionally happen.
Obviously I'm being rather picky here knowing that I'll probably have to live with some things less than ideal.
I will consider 3rd party apps if they seem to be part of the solution.
Thank you in advance for any person/s that want to help me on this.
hsvt
Thanks. I can change the forwarding settings in Gmail to be either POP or IMAP. That is quite simple. I just looked at those settings on the Gmail server and, to my surprise, both are enabled. In order for outlook client on my computer to receive IMAP emails I have to change the email account settings in my current outlook from POP to IMAP. I don't need to be using the Exchange version of Outlook to receive IMAP. I guess I'll do a little research tomorrow on Exchange so I can figure out what, if anything, it might do for me.
I glanced at the link you sent me and it looks like it might be very helpful - another project for tomorrow.
BTW: I hit "This Solved my Question" by accident. I meant only to "like' your response so you would get some benefit from the help you've given me so far. I hope I haven't discouraged others from taking a shot at helping me. I suspect there is more than one way to approach this and, as you know, my problem isn't really solved until I have what I need all set up and running smoothly. -
Problem statement
When I mount a Windows NFS service file share using UUUA and set the Owner and Group, and set the SetGID bit on the parent folder in a hierarchy. New Files and folders inside and underneath the parent folder do not inherit the Owner and Group permissions
of the parent.
I am given to understand from this Microsoft KnowledgeBase article (http://support.microsoft.com/kb/951716/en-gb) the problem is due to the Windows implementation of NFS Services not supporting the Solaris SystemV or BSD grpid "Semantics"
However the article says the same functionality can be achieved by using ACE Inheritance in conjunction with changing the Registry setting for "KeepInheritance" to enable Inheritance propagation of the Permissions by the Windows NFS Services.
1. The Precise location of the "KeepInheritance" DWORD key appears to have "moved" in Windows Server 2012 from a Services path to a Software path, is this documented somewhere? And after enabling it, (or creating it in the previous
location) the feature seems non-functional. Is there a method to file a Bug with Microsoft for this Feature?
2. All of the references on demonstrating how to set an ACE to achieve the same result "currently" either lead to broken links on Microsoft technical websites, or are not explicit they are vague or circumreferential. There are no plain Examples.
Can an Example be provided?
3. Is UUUA compatible with the method of setting ACE to achieve this result, or must the Linux client mount be "Mapped" using an Authentication source. And could that be with the new Flat File passwd and group files in c:\windows\system32\drivers\etc
and is there an Example available.
Scenario:
Windows Server 2012 Standard
File Server (Role)
+- Server for NFS (Role) << -- installed
General --
Folder path: F:\Shares\raid-6-array
Remote path: fs4:/raid-6-array
Protocol: NFS
Authentication --
No server authentication
+- No server authentication (AUTH_SYS)
++- Enable unmapped user access
+++- Allow unmapped user access by UID/GID
Share Permissions --
Name: linux_nfs_client.host.edu
Permissions: Read/Write
Root Access: Allowed
Encoding: ANSI
NTFS Permissions --
Type: Allow
Principal: BUILTIN\Administrators
Access: Full Control
Applies to: This folder only
Type: Allow
Principal: NT AUTHORITY\SYSTEM
Access: Full Control
Applies to: This folder only
-- John Willis, Facebook: John-Willis, Skype: john.willis7416
I'm making some "major" progress on this problem.
1. Apparently the "semantics" issue to honor SGID or grpid in NFS on the server side or the client side has been debated for some time. It also existed as of 2009 between Solaris nfs server and Linux nfs clients. The Linux community defaulted to declaring
it a "Server" side issue to avoid "Race" conditions between simultaneous access users and the local file system daemons. The client would have to "check" for the SGID and reformulate its CREATE request to specify the Secondary group it would have to "notice"
by which time it could have changed on the server. SUN declined to fix it.. even though there were reports it did not behave the same between nfs3 vs nfs4 daemons.. which might be because nfs4 servers have local ACL or ACE entries to process.. and a new local/nfs
"inheritance" scheme to worry about honoring.. that could place it in conflict with remote access.. and push the responsibility "outwards" to the nfs client.. introducing a race condition, necessitating "locking" semantics.
This article covers that discovery and no resolution - http://thr3ads.net/zfs-discuss/2009/10/569334-CR6894234-improved-sgid-directory-compatibility-with-non-Solaris-NFS-clients
2. A much Older Microsoft Knowledge Based article had explicit examples of using Windows ACEs and Inheritance to "mitigate" the issue.. basically the nfs client "cannot" update an ACE to make it "Inheritable" [-but-] a Windows side Admin or Windows User
[-can-] update or promote an existing ACE to "Inheritable"
Here are the pertinent statements -
"In Windows Services for UNIX 2.3, you can use the KeepInheritance registry value to set inheritable ACEs and to make sure that these ACEs apply to newly created files and folders on NFS shares."
"Note About the Permissions That Are Set by NFS Clients
The KeepInheritance option only applies ACEs that have inheritance enabled. Any permissions that are set by an NFS client will
only apply to that file or folder, so the resulting ACEs created by an NFS client will
not have inheritance set."
"So
If you want a folder's permissions to be inherited to new subfolders and files, you must set its permissions from the Windows NFS server because the permissions that are set by NFS clients only apply to the folder itself."
http://support.microsoft.com/default.aspx?scid=kb;en-us;321049
3. I have set up a Windows 2008r2 NFS server and mounted it with a Redhat Enterprise Linux 5 release 10 x86_64 server [Oct 31, 2013] and so far this does appear to be the case.
4. In order to mount and then switch user to a non-root user to create subdirectories and files, I had to mount the NFS share (after enabling Anonymous AUTH_SYS mapping) this is not a good thing, but it was because I have been using UUUA - Unmapped Unix
User Access Mapping, which makes no attempt to "map" a Unix UID/GID set by the NFS client to a Windows User account.
To verify the Inheritance of additional ACEs on new subdirectories and files created by a non-root Unix user, on the Windows NFS server I used the right click properties, security tab context menu, then Advanced to list all the ACEs and looked at the far
Column reflecting if it applied to [This folder only, or This folder and Subdirectories, or This folder and subdirectories and files]
5. All new Subdirectories and files created by the non-root user had a [Non-Inheritance] ACE created for them.
6. I turned a [Non-Inheritance] ACE into an [Inheritance] ACE by selecting it then clicking [Edit] and using the Drop down to select [This folder, subdirs and files] then I went back to the NFS client and created more subdirs and files. Then back to the
Windows NFS server and checked the new subdirs and folders and they did Inherit the Windows NFS server ACE! - However the UID/GID of the subdirs and folders remained unchanged, they did not reflect the new "Effective" ownership or group membership.
7. I "believe" because I was using UUUA and working "behind" the UID/GID presentation layer for the NFS client, it did not update that presentation layer. It might do that "if" I were using a Mapping mechanism and mapped UID/GID to Windows User SIDs and
Group SIDs. Windows 2008r2 no longer has a "simple" Mapping server, it does not accept flat text files and requires a Schema extension to Active Directory just to MAP a windows account to a UID/GID.. a lot of overhead. Windows Server 2012 accepts flat text
files like /etc/passwd and /etc/group to perform this function and is next on my list of things to see if that will update the UID/GID based on the Windows ACE entries. Since the Local ACE take precedence "over" Inherited ACEs there could be a problem. The
Inheritance appears to be intended [only] to retain Administrative rights over user created subdirs and files by adding an additional ACE at the time of creation.
8. I did verify from the NFS client side in Linux that "Even though" the UID/GID seem to reflect the local non-root user should not have the ability to traverse or create new files, the "phantom" NFS Server ACEs are in place and do permit the function..
reconciling the "view" with "reality" appears problematic, unless the User Mapping will update "effective" rights and ownership in the "view"
-- John Willis, Facebook: John-Willis, Skype: john.willis7416 -
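Question 2 in the problem statement asks for a plain example, and step 6 of the follow-up makes the change through the Security tab. The PowerShell below does the same thing from the Windows side, where the quoted KB text says inheritable ACEs have to be set. It is an added example, not taken from the thread or from the KB articles: the function names are hypothetical, the scratch folder is constructed, and it does not touch the KeepInheritance registry value.

```powershell
using namespace System.Security.AccessControl

# Added example. Lists each ACE with the scope shown in the "Applies to" column.
function Get-AceScope {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $targets = @()
        if (-not $ace.PropagationFlags.HasFlag([PropagationFlags]::InheritOnly)) { $targets += 'this folder' }
        if ($ace.InheritanceFlags.HasFlag([InheritanceFlags]::ContainerInherit)) { $targets += 'subfolders' }
        if ($ace.InheritanceFlags.HasFlag([InheritanceFlags]::ObjectInherit))    { $targets += 'files' }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = $targets -join ', '
        }
    }
}

# Replaces a principal's explicit "this folder only" ACEs with inheritable copies
# (this folder, subfolders and files), keeping rights and allow/deny type.
function Set-AceInheritable {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal
    )
    $acl = Get-Acl -LiteralPath $Path
    $folderOnly = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Principal -and
        $_.InheritanceFlags -eq [InheritanceFlags]::None
    })
    foreach ($ace in $folderOnly) {
        $inheritable = [FileSystemAccessRule]::new(
            $ace.IdentityReference, $ace.FileSystemRights,
            [InheritanceFlags]'ContainerInherit, ObjectInherit',
            [PropagationFlags]::None, $ace.AccessControlType)
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($inheritable)
    }
    if ($folderOnly.Count -gt 0 -and $PSCmdlet.ShouldProcess($Path, "Make ACEs for $Principal inheritable")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Constructed demo on a scratch folder; on the server this would be the share root.
$root      = Join-Path $env:TEMP 'nfs-inherit-demo'
$principal = 'BUILTIN\Administrators'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Start from the state in the scenario: Full Control, "This folder only".
$acl = Get-Acl -LiteralPath $root
$acl.SetAccessRule([FileSystemAccessRule]::new(
    $principal, [FileSystemRights]::FullControl,
    [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow))
Set-Acl -LiteralPath $root -AclObject $acl

Set-AceInheritable -Path $root -Principal $principal

# A folder created afterwards shows the ACE with Inherited = True.
$child = Join-Path $root 'created-after'
New-Item -ItemType Directory -Path $child -Force | Out-Null
Get-AceScope -Path $root  | Where-Object Identity -eq $principal | Format-List
Get-AceScope -Path $child | Where-Object Identity -eq $principal | Format-List
```

Running `Set-AceInheritable` with `-WhatIf` first reports which folder would be changed without writing the ACL.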
I found a script that adds rights to files and folders.
We need to grant administrators rights to a set of folders for a specific project.
ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write
$StartingDir = "C:\Users"
$Principal = "Administrators"
$Permission = "F"
# Ask for confirmation before touching anything
$Verify = Read-Host ("`nYou are about to change permissions on all files starting at " +
    $StartingDir.ToUpper() + "`nfor security principal " + $Principal.ToUpper() +
    " with new right of " + $Permission.ToUpper() + ".`nDo you want to continue? [Y,N]")
if ($Verify -eq "Y") {
    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        Write-Host -foregroundcolor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName
        #ADD new permission with CACLS
        CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL
        #display new permissions
        Write-Host -foregroundcolor Green "New Permissions"
        CACLS $file.FullName
    }
}
When the project is over, we need to undo the changes and remove administrators permissions from the same group of folders.
How do we change the script to remove administrators group members instead of adding?
I'm not sure I understand how to use that example script to undo the changes in the script I posted..
Is there a way to just change a few lines in the first script so that it removes instead of adding the administrators group?
This line appears to be the line that adds permissions:
#ADD new permission with CACLS
CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL
What would be the syntax to remove the permissions
$Principal="Administrators"
$Permission="F"
from files and folders in $StartingDir= "C:\Users"
and everything below it? -
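For the undo asked about above: CACLS has a revoke switch (`CACLS <path> /E /R <principal>`), but `/P` in the posted script replaces whatever rights the principal already had, so revoking afterwards does not return the tree to its earlier state. The PowerShell below records each DACL before the grant and writes it back afterwards. It is an added example, not from the thread: the function names are hypothetical and the scratch folder and snapshot file are constructed.

```powershell
using namespace System.Security.AccessControl

# Added example. Saves the DACL (in SDDL form) of a folder and everything below it.
function Export-AclSnapshot {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$SnapshotPath
    )
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    $items | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        [pscustomobject]@{
            Path = $_.FullName
            Sddl = $acl.GetSecurityDescriptorSddlForm([AccessControlSections]::Access)
        }
    } | Export-Csv -LiteralPath $SnapshotPath -NoTypeInformation -Encoding UTF8
}

# Writes the saved DACLs back. Only the Access section is restored, so owner
# and auditing entries are left as they are.
function Restore-AclSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SnapshotPath)
    foreach ($row in Import-Csv -LiteralPath $SnapshotPath) {
        if (-not (Test-Path -LiteralPath $row.Path)) {
            Write-Warning "Skipped, no longer exists: $($row.Path)"
            continue
        }
        $acl = Get-Acl -LiteralPath $row.Path
        $acl.SetSecurityDescriptorSddlForm($row.Sddl, [AccessControlSections]::Access)
        if ($PSCmdlet.ShouldProcess($row.Path, 'Restore saved DACL')) {
            Set-Acl -LiteralPath $row.Path -AclObject $acl
        }
    }
}

# Constructed demo on a scratch folder; use the project folders in real use.
$root     = Join-Path $env:TEMP 'acl-undo-demo'
$snapshot = Join-Path $env:TEMP 'acl-undo-demo.csv'
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $root 'sub\file.txt') -Value 'demo'

# 1. Before the project: record the current DACLs.
Export-AclSnapshot -Root $root -SnapshotPath $snapshot

# 2. During the project: the temporary grant (same effect as the posted script).
$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule([FileSystemAccessRule]::new(
    'BUILTIN\Administrators', [FileSystemRights]::FullControl,
    [InheritanceFlags]'ContainerInherit, ObjectInherit',
    [PropagationFlags]::None, [AccessControlType]::Allow))
Set-Acl -LiteralPath $root -AclObject $acl

# 3. After the project: put the recorded DACLs back and list what is explicit now.
Restore-AclSnapshot -SnapshotPath $snapshot
(Get-Acl -LiteralPath $root).Access | Where-Object { -not $_.IsInherited }
```

Items created after the snapshot was taken are not in the CSV and keep whatever they inherited; `Restore-AclSnapshot -WhatIf` lists the paths that would be rewritten.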
My new LaCie external hard drive is 'seen' by my iMac and I can go into the Finder and open files and folders. I am using the hard drive for Time Machine back up. However Time Machine says it can't find the drive.
The same thing happened recently between Final Cut Express and my other LaCie external hard drive used as the Scratch disk. It fixed itself.
I've run out of ideas. Help would be very much appreciated. Thanks.
Have you done some searches on FCPx and time machine? Is there a known issue with using a TM drive with FCPx? dunno but ...wait...I'll take 60 sec for you cause I'm just that kind of guy.... google...." fcpx time machine problem" First page link
http://www.premiumbeat.com/blog/fcpx-bug-best-practices-for-using-external-hard-drives-and-final-cut-pro-x/
You cannot have time machine backups on your hard drive if you intend to use it in FCPX.
booya! -
My desktop files and folders no longer appear on the screen. I think this is a result of an iPhoto updating. It appears (from getting info) that now Desktop is being treated like a normal file for which an application to open it must be supplied. Can anything be done? Incila
You are not going to be able to run your old system from the backup on this old computer as the hardware is incompatible.
You need to get a new computer or a refurbished one. -
Can't change permission on Time Capsule files and folders
I am using my Time Capsule as a storage device that everyone on my network can access, and I also have a fairly small (~5000 songs) iTunes Library as well. This was all working fine, until I decided to try to get a second computer, beside my MacBook Pro (8,1) to connect to the iTunes Library. Suddenly strange things started happening, like the network dropping at seemingly completely random times, certain people being kicked of the network, etc. So then I thought "well maybe its because of the iTunes Library." So I did a 'Get Info' to the Library folder, named iTunes Library, and it showed this:
This didn't seem too strange, except for the (unknown) name. I then learned (http://pondini.org/TM/E10.html) that this may actually be causing the problem, so I hit the minus button while hovering over it, only to see this:
Now, as far as I can tell, this shouldn't be happening. So I tried it on many different computers (10.8.4, 10.6.8, 10.7.5, among others), and they all said this. Then, back on 10.8.4, I decided to try to add my name, even though it said that everyone can read and write, and it said this:
Now I knew this was strange, since it has never, ever happened to me since OS 7. What was also strange, instead of showing the usual selection window, it asked me to type in my username, like so:
This happened on every computer, and in every directory and every file (or at least the couple dozen I tried, including ones outside the Library folder that I had already changed permissions on before normally), so I knew something was definitely up. So of course, I turned to my friend, the Terminal. I tried doing sudo chmod 555, 755, 775, 777, and a+x, and none of them worked, again, on multiple different files and folders. Also, since I have connected the second computer to the Library, it seems as though the file iTunes Library.itl is no longer executable, because it looks like this:
Also, no one but me can connect to it anymore, even though they can all see it. Any help would be greatly appreciated.
EDIT: Sorry for the low-res images, Apple seems to have done something to them
Verify volume failed with error Could not unmount disk (-10000)
That could happen if there is another process that is presently accessing the volume. I don't think it related to the volume having data corruption. The fact that is it a "server" may be relevant.
In the time that you have had this problem, has it been shut down and restarted?
You can also try restarting it with the Shift key held down. That should do a Safe Mode startup, if an Xserve acts like a regular Mac.
http://support.apple.com/kb/HT1564
http://support.apple.com/kb/HT1455
The Safe Boot will do some maintenance and tests during startup, and start up with only essential processes running. Try accessing that folder now. If you can access it, you should probably save it off on another volume, such as an external drive, so that you have a current backup.
Try running Repair Disk Permissions and Verify Disk again in Disk Utility. Repair Disk Permissions will probably give you a lot of messages; they are usually just "informational" so don't be concerned. However, if Verify Disk reports an error, that is a serious problem that needs to be addressed.
Edit: If the volume being tested is NOT the startup disk, then Repair Disk Permissions will be disabled. It only applies when there is a system installed on that volume. -
This article contains the only thing that worked for me. I also had to sign out of iCloud and uninstall it. Then I had to delete all files and folders from all of those applications that were under Program Files, Program Files x86, Program Data and Users. My iPhone 4 will now sync with iTunes both in its USB-connected mini dock and over Wi-Fi. It's unfortunate (negligent programming on the part of Apple?) that the upgrade to iTunes 11 did not remove all of those files as part of the upgrade process.
I am having the same issue....Same address for years - same as USPS - I tried 5 times (3 macs and 2 iPhones) and now i have 5 CHARGES for 1.00 each on my credit card. I took the credit card info off so they don't charge me anymore. How can they charge me yet still not allow me to download free updates and say I have an invalid address? I'm sure I will spend weeks or months trying to get a credit out of these incompetent idiots.
-
Solved - How to take ownership and change permissions for blocked files and folders in Powershell
Hello,
I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from
file permissions and do not have ownership of the files, folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.)
I was not able to find any information about someone successfully using native PS to resolve the issue. As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
Question: How do you use only Powershell take ownership and reset permissions for files or folders you do not have permissions or ownership of?
Problem:
Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
PS C:\> Get-Acl -path F:\testpath\locked
Get-Acl : Attempted to perform an unauthorized operation.
+ get-acl <<<< -path F:\testpath\locked
+ CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
If you create a new ACL and attempt to apply it using Set-Acl, you get:
PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
Set-Acl : Attempted to perform an unauthorized operation.
At line:1 char:8
+ Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
+ CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
How do you replace owner on all subcontainers and objects in Powershell with resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
Tony
Hello,
Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
Example: Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
#Script to Reset MyDocuments Folder permissions
$domainName = ([ADSI]'').name
Import-Module "PSCX" -ErrorAction Stop
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
#Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
$Directorypath = "F:\Userpath" #locked user folders exist under here
$LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
Foreach ($Locked in $LockedDirs) {
Write-Host "Resetting Permissions for "$Locked.Fullname
#######Take Ownership of the root directory
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
$Locked.SetAccessControl($blankdirAcl)
###################### Setup & apply correct folder permissions to the root user folder
#Using recommendation from Ned Pyle's Ask Directory Services blog:
#Automatic creation of user folders for home, roaming profile and redirected folders.
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
$DirACL = New-Object System.Security.AccessControl.DirectorySecurity
#Administrators: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
#System: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
#Creator Owner: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
#Useraccount: Full Control (ideally I would error check the existence of the user account in AD)
#$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
#Remove Inheritance from the root user folder
$DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
#Set permissions on User Directory
Set-Acl -aclObject $DirACL -path $Locked.Fullname
Write-Host "commencer" -NoNewLine
##############Restore admin access & then restore file/folder inheritance on all subitems
#create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
#$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
$subFileACL = New-Object System.Security.AccessControl.FileSecurity
$subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
$subFileACL.SetOwner($NewOwner)
$subDirACL.SetOwner($NewOwner)
######## Enable inheritance ($False) and not copy of parent ACLs ($False)
$subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
$subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
#####loop through subitems
$subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
foreach ($subitem in $subdirs) {
#take ownership to ensure ability to change permissions
#Then set desired ACL
if ($subitem.Attributes -match "Directory") {
# New, blank Directory ACL with only Owner set
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
#Use SetAccessControl to reset Owner; Set-Acl will not work.
$subitem.SetAccessControl($blankdirAcl)
#At this point, Administrators have the ability to change the directory permissions
Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
} Else {
# New, blank File ACL with only Owner set
$blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
$blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
#Use SetAccessControl to reset Owner; Set-Acl will not work.
$subitem.SetAccessControl($blankfileAcl)
#At this point, Administrators have the ability to change the file permissions
Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
}
Write-Host "." -NoNewline
}
Write-Host "fin."
}
Write-Host "Script Complete."
I hope you find this useful.
Thank you,
Tony
Final Thought: There are great non-PS tools like Set-Acl and takeown which are external to PS & can also do the job wonderfully. It may be much simpler to call those tools than recreate the wheel in pure code. Feel free to use whatever best suits your time, scope & cost.
-
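A read-only check of the end state the script above aims for (root user folder with inheritance blocked and only the four listed principals, sub-items that inherit only, owner set to the user account), as an added example that is not part of Tony's post. `Find-AclDrift`, the `CONTOSO` domain value and the assumption that each folder name equals the account name are hypothetical.

```powershell
# Added example: audits ACLs without changing them. Find-AclDrift is a hypothetical name.
function Find-AclDrift {
    param(
        [Parameter(Mandatory)] [string] $UserFolder,    # root folder of one user
        [Parameter(Mandatory)] [string] $ExpectedOwner  # DOMAIN\account expected to own sub-items
    )
    $report = { param($p, $i) [pscustomobject]@{ Path = $p; Issue = $i } }

    # Root folder: inheritance must be blocked and only the expected principals present.
    $rootAcl = Get-Acl -LiteralPath $UserFolder
    if (-not $rootAcl.AreAccessRulesProtected) {
        & $report $UserFolder 'Root still inherits from its parent'
    }
    $expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER', $ExpectedOwner
    foreach ($ace in $rootAcl.Access) {
        if ($expected -notcontains $ace.IdentityReference.Value) {
            & $report $UserFolder "Unexpected principal on root: $($ace.IdentityReference)"
        }
    }

    # Sub-items: inheritance enabled, no explicit ACEs, owner is the user account.
    Get-ChildItem -LiteralPath $UserFolder -Force -Recurse | ForEach-Object {
        $item = $_
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            & $report $item.FullName "ACL unreadable: $($_.Exception.Message)"
            return   # skip to the next item
        }
        if ($acl.AreAccessRulesProtected) {
            & $report $item.FullName 'Inheritance blocked'
        }
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            & $report $item.FullName "Explicit ACE: $($ace.AccessControlType) $($ace.IdentityReference) $($ace.FileSystemRights)"
        }
        if ($acl.Owner -ne $ExpectedOwner) {
            & $report $item.FullName "Owner is $($acl.Owner)"
        }
    }
}

# Usage over the same layout as the script: one folder per user under F:\Userpath.
$domainName = 'CONTOSO'   # constructed placeholder value
if (Test-Path -LiteralPath 'F:\Userpath') {
    Get-ChildItem -LiteralPath 'F:\Userpath' -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        Find-AclDrift -UserFolder $_.FullName -ExpectedOwner "$domainName\$($_.Name)"
    } | Format-Table -AutoSize -Wrap
}
```

An empty result means every item matches the intended state; any Deny ACE left directly on a file or folder appears as an "Explicit ACE: Deny ..." row.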
AppleScript : modify labels for multiple selection of files and folders in Finder ?
As an experienced programmer in Pascal, Excel VBA, ... I am trying to find my way in AppleScript (first steps).
I am trying to build a small script that will run on a keyboard shortcut, and that will toggle the label of selected files and folders (multiple selection ?) in Finder between "purple" and "no label".
Based on a recorded action, I was trying something along the lines of
tell application "Finder"
Activate
repeat with oneItem in selection
set label index of oneItem to 3
end repeat
end tell
I am not clear on how to make the script understand that in a multiple selection I want to apply the requested command to each item. In addition, when testing it on one single item, it appears that I can't set the label index property of "selection" ...
Can someone please advise what the correct way is of (a) setting the property of a selected item in the Finder and (b) looping through a multiple selection ?
Thanks in advance.
Philip
P.S. Running Mac OSX 10.8.2 on MacBook Air, MacBook Pro and MacMini
Thanks a lot, Softwater. In fact, I have been playing around with that and found that the "get" statement in your script suggestion is not even necessary. The script I saved as a Finder Service is now :
tell application "Finder"
repeat with oneItem in selection as list
if label index of oneItem = 0 then
set label index of oneItem to 5
else
set label index of oneItem to 0
end if
end repeat
end tell
By assigning a shortcut key to this one, I can now toggle labels.
Additional trick I did is to restrict the applicability of the script to only movie-files (I am using this to change the labels of movies / TV shows on my computer which I still want to see versus the ones that I don't want to see anymore). I noticed during testing that the script would also color folders and drives selected in other finder windows than the one I was working in, so now it only works on movie files which is more what I want.
Great tool, the AppleScript Editor and the Automator. Only a little bit of a pity that finding out about object structure and properties is not very straightforward in the AppleScript Editor (compared to e.g. the VBA in MS Excel, which has an almost perfect help system and built-in reference). I am not a Microsoft fan in general, but when it comes to MS Excel VBA, I have not seen any built-in help system yet that approaches its usefulness ...
I guess I will be "seeing" you again on this forum ... I am getting the taste of scripting again :-D
-
The specified file or folder name is too long,the url path for all files and folders
The specified file or folder name is too long,the url path for all files and folders must be 260 character or less
Can we increase this limit?
MCTS,ITIL
Hi,
As I understand, you want to increase the length of URL path in SharePoint 2010.
Per my knowledge, this limit cannot be increased. SharePoint limits URL length because all relative URL links are stored in the clear forms on the SharePoint content DB and often these links are used as primary keys to link one table with another. Fields which are used to store these links (for instance tp_DirName from the AllUserData table) allow storing only 256 characters.
There are several ways that you can resolve or mitigate URL length problems in the SharePoint Server 2010 environment. The following list provides suggestions:
1. Upgrade all the end-user browsers to Internet Explorer 8, which has a longer URL length limit.
2. Use shorter names for sites, folders, and documents and control the depth of the site and folder structures to reduce the lengths of URLs.
3. If possible or allowed, use ASCII names for sites, folders, and documents. This will avoid situations where the URL will be lengthened by being encoded.
4. To reduce the risk that the SharePoint Server 2010 end-users will encounter problems because of URL length limitations, we recommend that you apply the following effective limits in the deployment:
256 Unicode (UTF-16) Code units - the effective file path length limitation, including a domain/server name
128 Unicode (UTF-16) Code units - the path component length limitation
More reference:
http://technet.microsoft.com/en-us/library/ff919564(v=office.14).aspx
http://sharepointknowledgebase.blogspot.in/2013/04/url-path-length-restrictions-in.html#.VKJN53BJA
Best regards,
Sara Fan