Advice for setting access permissions

Hi,
I've changed my account to 'standard' and created a new admin account after reading here about security etc. Now I notice that other 'standard' users on the machine have read/write access to all my docs but I don't have access to theirs. I want to set permissions so that I have read/write access from my standard account and my admin account (as a safety measure) but that other standard users don't have access other than to my public folder.
Any suggestions?
Thanks
Dual G5 2.5Ghz, Powerbook G4 1.33Ghz, iPod 40GB   Mac OS X (10.4.7)  

> I haven't been working on the machine much since, but
> needed to quickly do something (in a rush, and not
> paying attention) and moved everything back again. I
> now find I don't have permission to modify some of my
> own folders. I ran those Terminal commands you
> suggested and they now come up with a bunch of
> objections, saying they can't complete the command.
It sounds like you have files/folders that are still owned by User A inside User B's home folder.
You can restore all contents of a home folder to its respective owner by logging in as an administrator, and entering these commands into Terminal:
sudo chown -R jim /Users/jim
sudo chown -R bob /Users/bob
etc.
> To cut through all this, would it be sensible for me
> to copy all my documents and apps to the external
> hard drive, delete the originals, create an entirely
> new user account both on my G5 and my Powerbook (I
> frequently share files between them, mounting them on
> each other's desktops, syncing, etc) with identical
> names, then copy the docs and apps over to the new
> users on each machine. Starting from scratch, as it
> were? Would this work?
Putting documents onto an external drive is a good way to share them between user accounts. Right-click the drive, open the Get Info panel, and check the Ignore Ownership box. Then all user accounts can modify anything on the drive.
The problem with keeping shared documents on the boot volume is that by default, newly created files are read-only for everybody except their creator. If User A creates a document and wants User B to be able to edit it, User A must change the permissions manually.
Under Tiger, it's possible to use ACLs (Access Control Lists) to set up a shared folder in which all documents will be read-write for all users that you specify. This can be accomplished by:
1) Logging in as an administrator
2) Create a new folder in /Users/Shared, call it something like /Users/Shared/sharefolder
3) Open Terminal
4) enter sudo fsaclctl -p / -e
5) paste all of this into Terminal at once, replacing USERNAME with the short user name of one of the users to be given access:
sudo chmod +a "USERNAME allow delete,chown,list,search,add_file,\
add_subdirectory,delete_child,file_inherit,directory_inherit" \
/Users/Shared/sharefolder
6) Repeat step 5, replacing USERNAME with another user's short user name
7) COPY (NOT move) any existing files you want to share to /Users/Shared/sharefolder
8) Delete the original files
Now both users can edit anything in the sharefolder, and anything added to it in the future. Note that for the permissions settings to stick, files must either be newly created inside of it, or copied to it. Previously existing files that are moved to that location will retain their original permissions and not inherit the new ones.
eMac   Mac OS X (10.4.7)  
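
The closing caveat of the reply above (moved files keep their original permissions, copied or newly created ones inherit) can be checked from Terminal. This is an added example, not part of the original reply: a shell function that reads `ls -le` output and lists the entries that carry no inherited allow entry for a given user. The function name and the embedded listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: find items in the shared folder that did not pick up the
# inherited ACL entry (for instance because they were moved, not copied).
# On the Mac:  ls -le /Users/Shared/sharefolder | missing_inherited_ace bob

# missing_inherited_ace USER   (hypothetical helper name)
# stdin: output of `ls -le`; stdout: names lacking an inherited allow ACE.
missing_inherited_ace() {
    awk -v want="user:$1" '
        function report() { if (name != "" && !ok) print name }

        # ACE line, e.g. " 0: user:bob inherited allow read,write"
        $1 ~ /^[0-9]+:$/ {
            if ($2 == want && $3 == "inherited" && $4 == "allow") ok = 1
            next
        }

        # Entry line: type character plus mode bits, "+" marks an ACL
        NF >= 9 && $1 ~ /^[-dl][-rwxsStT]+[+@]?$/ {
            report()
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            ok = 0
        }

        END { report() }
    '
}

# Constructed sample of `ls -le` output for the shared folder.
# notes.txt was moved in (no ACL at all); "old report.doc" only lists jim.
sample_listing() {
    cat <<'EOF'
total 24
-rw-r--r--+ 1 jim  staff  120 Aug  1 10:02 budget.txt
 0: user:jim inherited allow read,write,execute,delete,chown
 1: user:bob inherited allow read,write,execute,delete,chown
-rw-r--r--  1 jim  staff   88 Jul 30 09:15 notes.txt
-rw-r--r--+ 1 jim  staff  512 Jul 28 17:40 old report.doc
 0: user:jim inherited allow read,write,execute,delete,chown
drwxr-xr-x+ 2 bob  staff   68 Aug  1 10:05 drafts
 0: user:jim inherited allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit
 1: user:bob inherited allow list,add_file,search,delete,add_subdirectory,delete_child,chown,file_inherit,directory_inherit
EOF
}

# Report, per user, which entries would still be governed by the plain
# owner/group/everyone bits instead of the shared-folder ACL.
for u in jim bob; do
    echo "No inherited entry for $u:"
    sample_listing | missing_inherited_ace "$u" | sed 's/^/  /'
done
```

Anything the function lists should be copied into the folder again and the original deleted, as in steps 7 and 8.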

Similar Messages

  • API for setting Access points with PEAP programmatically

    Dear Godly developers,
    Would like to find out if there is any APIs for setting Access points with PEAP programmatically?
    Regards
    hAoZ

    Thanks for your response. We don't have the Wireless LAN Controller installed and have only configured directly through the AP's, which don't seem to have any configuration changes regarding Aironet IE's. Is there a config change that needs to be made just on the AP's? Or is the Wireless LAN Controller software necessary to make this change?
    Thanks again.

  • Need insight for setting up permissions for sharing an external hd via OS X 10.6?

    Hello intelligent lifeforms,
    My supervisor and friend passed away a little over a year ago, and I am now trying to fill his shoes as the networking guru and could use some assistance.  I'm trying to share an external hard drive that is connected to my Mac Pro OS X 10.6 workstation with a Mac Pro OS X 10.4 workstation user.  I've tried setting up a Sharing Only account in my System Preferences-Accounts for the 10.4 user, and under System Preferences-Sharing I turned File Sharing: On, added the Shared Folder, added the User and set privileges as "Read Only."  My intentions are for the 10.4 user to only be able to copy files from the external hard drive so as to protect the archived files being stored there from being tampered with.  However, there is a User group listed as "Everyone" that I can't remove and believe it is taking precedence over the 10.4 account that I setup.  I do not know where this Everyone group originated from but believe it to be some kind of default group and a major obstacle.
    When the 10.4 user copies a folder from the external hd to his workstation and later copies it to a volume on our Xserve OS X 10.2 the folder shows that I do not have privileges to do anything to the folder (there is a red circle with a minus sign in it on the folder icon).  Eventually, I am to backup these files to the external hd where lies my dilemma.
    The volume on the Xserve being copied to is setup under Workgroup Manager-Sharing-Share Points-General:  "Share this item and its contents" IS checked, Owner: admin-Read & Write, Group: staff-Read & Write (where said user has been added to the staff group), Everyone: none (I do not think the Everyone group listed on the server has anything to do with the Everyone group on my machine?), Enable disk quotas on this volume is NOT checked.
    My tests show that the permissions are being carried over from the external hd Everyone group (Read Only) because even when the 10.4 user's permissions are set to Read & Write in System Preferences-Sharing-File Sharing-Users the folder still shows to be Read Only when it's copied.  I've even tried setting his Desktop privileges to Read & Write hoping that when he copies the folder the permissions would be overwritten.  Unfortunately, the only way to give me privileges is for the 10.4 user to change them manually through Get Info from his workstation.  This is counterproductive to the workflow I'm trying to establish.  I've tried wrapping my brain around the flowchart of coordinating permissions/privileges between the different machines but to no success.
    Also, a note to add is I've observed a User: Firebird Database that is listed under System Preferences-Sharing on both of our workstations.  It cannot be removed either and I do not know where it is originating from.
    Is there anyone out there that has any insight to this situation?
    Perplexed,
    carl_prepress

    "Everyone" is not a Group.
    Every file has underlying Access settings for System, Owner, Group, and World.
    Access settings for Everyone mean everyone-else that is not explicitly mentioned in the other settings. It is the same as the Unix "World".
    If you set the Privileges for a file to Everyone=Read, then any user with any credentials can read it.
    The User Categories Owner, Group, and Everyone
    You can assign standard POSIX access permissions separately to three categories of users:
    Owner—A user who creates a new item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (allow a group or everyone to use the item). The administrator can also transfer ownership of the shared item to another user.
    Note: When you copy an item to a drop box on an Apple file server, ownership of the item doesn’t change, but only the owner of the drop box or root has access to its contents.
    Group—You can put users who need the same access to files and folders into group accounts. Only one group can be assigned access permissions to a shared item. For more information on creating groups, see the user management guide.
    Everyone—Everyone is any user who can log in to the file server: registered users and guests.
    Hierarchy of Permissions
    If a user is included in more than one category of users, each of which has different permissions, these rules apply:
    • Group permissions override Everyone permissions.
    • Owner permissions override Group permissions.
    For example, when a user is both the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.

  • Advice for setting up a mail server.

    Over the past few months I have been slowly merging away from websites that don't regard my privacy.
    I've changed search engines to duck duck go,  deleted my facebook, and now I would like to get away from gmail too!
    The only problem being I know nothing about hosting my own email.  I have an arch box that is on 24/7 running a diaspora pod.
    What email server would work best with this (If any)?
    Last edited by Si1v3r (2011-08-01 23:40:30)

    This was by far the best tutorial I found for setting up my own personal mail server:
    http://workaround.org/ispmail/squeeze
    I couldn't recommend it enough. There are a few quirks in places with the version differences but some reading around will sort you out.
    It's written in a very Archlinux style and explains the concept fantastically.
    Last edited by jack.mitchell (2011-08-12 21:23:40)

  • Advice for setting up new iPad mini, for our 13 yr old, needed.

    We are buying an iPad mini for our daughter's 13th birthday present, and naturally, are full of fear & hesitations for all the obvious security reasons. But, she has ADHD & some learning disabilities, and we know that the iPad Mini with app's could help her overcome several academic & organizational challenges when she enters highschool next year.
    She, and we, have some questions though, about the WISEST (ie: most responsible) way to set it up for her use.
    Should we set up the iPad mini as completely free from our family mac desktop (which still runs OS X 10.6.8, not Lion)?
    Should she get her own Apple ID? This would allow her own Cloud storage, & foster future responsibility, but then would she still be able to access app's stored on our family computer & other iPads.?
    Should we start her own iTunes account? So that she can buy her own tunes & app's. But once again, could she manually sync already purchased stuff from our family computer?
    Backing up: should she back up her iPad mini with iCloud (her own apple ID) or with iTunes?
    If we did set her up with her own Apple ID (that we would know the password to), could we still set parental controls - which she actually wants(!)?
    She would like limits on the time she can spend on the internet, AND time limits on playing with certain games - as she fears getting "addicted" to the games.
    How would we set time limits on app use?
    Thanks very much for your suggestions and advice. If you have any other practical parenting / iPad experience, I welcome your suggestions. We'd rather not learn the hard way..

    There would be no issue syncing it with your computer and putting content on it. It can back itself up to iCloud, but another backup of the content on a computer is always a good idea.
    If you already have an Apple ID with purchased apps, it would be fine to let her use it. You can use a shared Apple ID (for iTunes, iBooks, App Store), and have a separate iCloud account (To sync critical info and back-up).
    The parental controls in iOS are independent from an Apple ID, you can set-up the restrictions when you get the iPad and adjust them to what you are most comfortable with.
    Parental Controls: http://support.apple.com/kb/HT4213

  • DAW - advice for setting up my new DAW?

    Hi,
    I intend to get my own DAW/general purpose computer in the next few months and was hoping to run my plan by y'all for advice. I intend to use it half for music recording, and also as a normal computer.
    I plan to have a high end graphics card (dual dvi) for games etc, will run a 23" widescreen lcd (pref apple on pc) or bigger maybe upgrading to dual monitors later. I am running a HD tv card which needs some good headroom when recording. I only play far cry and need for speed when it comes to games etc so won't have a million games installed.
    I have a about 50 gig of music mp3's and wmas and general stuff, so need lots of storage space. I have about 10gig of AA session files and that will grow so im thinking 30-40 gig min.
    For recording/mixing, i have usually 10 trax minimum with lots of real time, sometimes locked fx, i do a lot of processing/wave editing and can have up to 10minute tracks up to 24 etc so i need some juice to power it all. running xp pro sp2.
    Can someone explain raid vs ide, im told i can raid 2 similar drives, but how much better is it, and are there draw backs? can i raid 2 x 15000rpm drives together(2 x 20 or 2 x 40 gig) as my dedicated AA session files space or is that just overkill, i plan to have maybe 2 x 250 gig 7200 or 10 000 drives raided as a dedicated digital vcr for HD tv recording, a small system drive 20-40gig just for installed stuff, another 80-250 gig for normal storage. Any ideas for best way to configure this stuff? minimum im thinking is sep small sys drive, sep AA drive/raided or not, sep bigass drive for TV recording, and sep general storage drive so thats minimum 4 or more.
    Wireless keyboard (ultra flat touch keys like on bank atm's sort super silent DO THESE EXIST YET IF SO PLEASE TELL ME WHERE AND WHAT CALLED?)
    and wireless optical mouse with extra side buttons and fully functional
    Can y'all fill me in on scsi, im told the 14k rpm drives need a scsi
    controller or something? tell me about this stuff please
    Also, 64bit cpus? what the hell does that mean
    I'm thinking the fastest intel cpu wht is it 3 gig these days with cache, or does anyone know how much dual cpu will cost (and what needs to go with it) motherboard with 800fsb and 8x agp that can take like 1-2 gig of ram (what sort is fastest?), 8 x agp graphics card that is very high end for 1080i output for high definition tv, and games.
    Obviously dvd+rw/cd+rw drive.
    Need advise on DAW case, ultra sound and heat proof as i might sleep in the same room and im sick of noisy computers, and i might need a big load of space with all the hdd's depending on what i get, will have a usb2. pci card no doubt and tv card etc
    Wondering bout the new audigy 2 zn platinum pro thing Is this any good compared to the normal audigy 2? it says with firewire i can have 7 stereo inputs, is that really true at once, do i need extra external hardware like a mixer to do that, and does AA support that at all?
    I have a decent pair of phones i will use for a while until i get studio monitors so don't worry about them for now, thats later.
    I hope to spend only about 3-6 grand Australian pref no more, so any suggestions of other things to add or not to bother with etc, revisions?

    Billy Corgan wrote:
    > I intend to get my own DAW/general purpose computer
    > in the next few months and was hoping to run my plan
    > by y'all for advice.
    Don't clutter a daw with too much GP stuff, office software
    installations and antivirus software should generally not be installed
    on a daw, and a gp computer can generally not be without either.
    Generally, mind you, generally is generally a lot less general with the
    more capable hardware, but a lean daw is a happy daw. Fortunately a
    p2-300 with 192 megs of ram and a modern harddisk is still a lot of GP
    officing computer, and such machines are not costly on the second hand
    market.
    > I intend to use it half for music recording, and also as
    > a normal computer.
    There may be valid reasons for doing that, if so then you could be well
    off having multiple OS installations on it, one for GP use and one for
    Audio use and making it a multibooter. It is however my experience that a
    multibooter always ends up being booted in the wrong OS ..... O;-)
    > I plan to have a high end graphics card (dual dvi) for games etc,
    A dual head card is strongly recommended. Matrox has nice cards that do
    not need to have a fan on them and that do not require the utmost
    hardware speed. You do not WANT to have the ultra fastest graphics card
    on a daw because you need to avoid that the graphics cards bus bandwidth
    requirements obstruct other, more vital chores. Less fast cards that do
    not require a fan allows for a more quiet system.
    > will run a 23" widescreen lcd (pref apple on pc) or bigger
    > maybe upgrading to dual monitors later.
    It may be that you can get dual smaller lcd's for the same budget as one
    23", and it may be of more use, everybody is on some kind of a budget,
    and you also need to have money over for audio hardware. Good mics and
    good mic pre's do more for the quality of your sound than a larger
    screen.
    > I am running a HD tv card which needs some good headroom when
    > recording.
    Hmmm ...... select the recording options wisely, you come across as
    chasing specs rather than as being aware of just what specs you actually
    need.
    > I only play far cry and need for speed when it comes to games etc
    > so won't have a million games installed.
    One never knows what the future holds, but it should be possible to
    avoid having too many games installed at any one time.
    > I have a about 50 gig of music mp3's and wmas and general stuff,
    > so need lots of storage space. I have about 10gig of AA session
    > files and that will grow so im thinking 30-40 gig min.
    It is too costly pr. gigabyte to buy anything smaller than 120 GB, and
    the 120 GB drives of today are all comfortably fast. You should at least
    have two physical drives for Audition so as to be able to avoid
    simultaneous reads and writes on the same drive, three physical drives
    are imo preferable.
    > For recording/mixing, i have usually 10 trax minimum with lots
    > of real time, sometimes locked fx, i do a lot of processing/wave
    > editing and can have up to 10minute tracks up to 24 etc so i need
    > some juice to power it all. running xp pro sp2.
    I think that your setup is one that would benefit of having three
    physical drives to prevent having temp files on the drive that contains
    the "static" audio files.
    > can someone explain raid vs ide, im told i can raid
    > 2 similar drives, but how much better is it,
    Depends, it is not faster than a single drive where it is fastest, but
    raid 0 (simple stripe set) is less likely to show performance reduction
    due to file fragmentation. A stripe set still counts as "one physical
    drive", and if you want to have only two drives in it you are better off
    not having them striped.
    > and are there draw backs?
    You can not remove just one harddisk and move it to another machine. If
    one harddisk fails, then all is lost, at least if you run a simple
    stripe set. The probability math is tolerable with only two disks in a
    stripe set, but it takes less of an error to lose all. All things
    considered you need to have a problem to solve by striping prior to
    doing it, and distributing multitrack files over several physical drives
    is also a way to increase playback performance if there is a problem to
    solve.
    > can i raid 2 x 15000 rpm drives together(2 x 20 or 2 x 40 gig)
    > as my dedicated AA session files space or is that just overkill,
    That would be a silly set up, three 5400 or 7200 rpm 120 GB drives is a
    possibly less costly way to get same or better performance, assuming
    wise deployment. You will always end up having some copying of files
    from one physical drive to another, and consequently it is very wise to
    have identical drives so that the faster need not wait for the slower.
    > I plan to have maybe 2 x 250 gig 7200 or 10 000 drives raided
    > as a dedicated digital vcr for HD tv recording,
    I wouldn't raid them, but tv recording is a very fast way of making
    large drives appear small and I don't really know what the bandwidth
    requirement is for recording hdtv.
    > a small system drive 20-40gig just for installed stuff,
    No, you will be wasting a valuable drive bay on a drive that will be a
    bottleneck, three drives is a good idea, but preferably identical or at
    least similar. Put that old drive in a USB 2.0 box and use it for
    project backup instead.
    > another 80-250 gig for normal storage.
    Yes, you may need storage space when you want to do TV recording, so 750
    GB unformatted is not unreasonable.
    > Any ideas for best way to configure this stuff? minimum I'm
    > thinking is sep small sys drive, sep AA drive/raided or not,
    > sep bigass drive for TV recording, and sep general storage
    > drive so thats minimum 4 or more.
    Three 200 GB drives will probably be the optimally cost efficient setup.
    > wireless keyboard (ultra flat touch keys like on bank atm's
    > sort super silent DO THESE EXIST YET IF SO PLEASE TELL ME
    > WHERE AND WHAT CALLED?)
    A wireless keyboard is called too slow and too sloppy ...
    > and wireless optical mouse with extra side buttons
    But a wireless mouse can be an ergonomic advantage, agreed.
    > can y'all fill me in on scsi,
    Too costly.
    > im told the 14k rpm drives need a scsi
    > controller or something?
    Yes, and thus it gets to be about a very different and very costly mobo.
    You do not want a disk controller on the PCI bus on a DAW.
    > also, 64bit cpus? what the hell does that mean
    Currently nothing of relevance considering the current software. What it
    means is that the memory allocation space can be 64 terabytes rather
    than 4 GB, and that is rapidly getting to be of importance for database
    servers and terminal servers.
    > im thinking the fastest intel cpu wht is it 3 gig these
    > days with cache, or does anyone know how much dual cpu
    > will cost (and what needs to go with it)
    It is unknown to me whether Audition actually will benefit from multiple
    CPU's, generally the required CPU versions (XEON) and mobo's are too
    costly to make sense.
    > motherboard with 800fsb
    Asus P5P800 is modestly priced. I think your specs are extreme and that
    your quests are of the "it would be nice to be able to" type. Life is
    not about using as much money on chasing specs as possible, but rather
    about getting good results. To do that, you also need to have resources
    to get some reasonable audio equipment. Leave all the video concerns out
    of it, I have understood them to be about leisure, and live with
    recording the number of pixels that is possible with a good DAW.
    I suggest this also because it may be problematic to try to make a
    multitrack audio recording simultaneously on the machine that records the
    video in case "both combined" is the productivity quest. Just one reason
    for not thinking that hdtv is very important on the machine is that it
    is not very likely that you actually record hdtv with a camera.
    > wondering bout the new audigy 2 zn platinum pro thing
    In the audio context that is relevant here something Midiman is "more
    like it" - example product, not the only possible choice. See also
    http://www.pcavtech.com, Arny Krügers very interesting web site and a
    good place to start learning more about sound cards. A budget card that
    it appears will meet your demands is the Midiman 1010LT or similar model
    from other manufacturer.
    Kind regards
    Peter Larsen
    * My site is at: http://www.muyiovatki.dk *

  • Setting access permissions on a shared drive

    I am in a classroom setting with 12 Mac Pro's, running 10.5.8. I have added a second internal drive, and would like to create separate folders for each student's data. We are on a network, and the students log on to the domain on these Mac's.
    I am trying to figure out a way to give "Suzy" access to "Suzy's Folder" and "Billy" access to "Billy's Folder", but keep them from accessing each others folders. I also need for the teacher "Frank" to have access to "Suzy's Folder" and "Billy's Folder" for grading purposes, as well as the local and domain administrator.
    Is there a way to do this?

    First make a new group, called "teachers" or something similar. Put Frank and the admin group in this new group.
    Then set up Suzy's folder like this:
    Owner: Suzy - can read and write
    Group: teachers - can read only (or can read and write if you wish)
    Others: no access
    Set up the other students' folders the same way.
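
The hierarchy rule quoted in the OS X 10.6 thread above (owner overrides group, group overrides everyone) applied to this classroom layout, as an added example that is not part of either reply. It assumes the settings listed translate to mode 750 on Suzy's folder (a folder needs the search bit to be opened); `class_bits` and the group names passed for each user are illustrative.

```sh
#!/bin/sh
# Added example: which permission class applies to a user on a POSIX item.
# Exactly one class is used: owner, else group, else everyone. The bits of
# the other classes are never consulted, even if they would grant more.
# Administrator (root) access and ACLs are outside this model.

# class_bits MODE OWNER GROUP USER [GROUPS_OF_USER...]   (hypothetical helper)
# MODE is three octal digits, e.g. 750. Prints the rwx triplet for USER.
class_bits() {
    mode=$1; owner=$2; group=$3; user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        pos=1                       # owner class
    else
        pos=3                       # everyone, unless a group matches
        for g in "$@"; do
            if [ "$g" = "$group" ]; then
                pos=2               # group class
            fi
        done
    fi
    digit=$(printf '%s' "$mode" | cut -c"$pos")
    case $digit in
        0) printf '%s\n' '---' ;;
        1) printf '%s\n' '--x' ;;
        2) printf '%s\n' '-w-' ;;
        3) printf '%s\n' '-wx' ;;
        4) printf '%s\n' 'r--' ;;
        5) printf '%s\n' 'r-x' ;;
        6) printf '%s\n' 'rw-' ;;
        7) printf '%s\n' 'rwx' ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
}

# Constructed scenario: Suzy's folder, owner suzy, group teachers, mode 750.
echo "Suzy's folder (750, suzy:teachers)"
for who in "suzy students" "frank staff teachers" "billy students"; do
    set -- $who                     # first word is the user, rest are groups
    printf '  %-6s %s\n' "$1" "$(class_bits 750 suzy teachers "$@")"
done

# Edge cases from the hierarchy rule:
# an owner who is also in the group is held to the owner bits (mode 570),
echo "owner in group, 570:   $(class_bits 570 suzy teachers suzy teachers)"
# and a group member is held to the group bits even when everyone has more.
echo "group member, 707:     $(class_bits 707 suzy teachers frank teachers)"
```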

  • Design advice for setting users default time

    I have an application that in a number of different places requires that records when being updated or created are shown to default to the user's current date. Depending on the location of the user, this could be a different day than where the server is.
    All of the relevant fields in the database tables are using a datatype of "TIMESTAMP WITH TIMEZONE". When a users account is initially created, the timezone that the user is in is saved. When the user logs on, an "alter session set time_zone" command runs on the database to change the time zone of the current session.
    When a user updates or creates a record and one of the field(s) requires to display the current date of the user, I call a ViewObject which runs a query to "select current_timestamp from dual" to return the current date from the database and populate the field with this.
    I've realised that I'm creating a considerable overhead as this view object may be queried dozens of times during a users session and was thinking of running it once when the user logs on and storing the "USER_DATE" as a session variable - then I can simply refer to this each time, instead of many round-trips off to the database. Obviously there is a risk if the user logs on just before midnight and stays on until after that the date will be incorrect but this is extremely unlikely as the application is only used during normal business hours up to 9pm as an exception.
    Am I heading down the right track here or doing something daft (and missing something far more simple that I should be doing !)
    Cheers,
    Brent

    Hi Frank,
    Thanks for that - after 8 years of working with Oracle Forms and afterwards the same again with ADF, I still find it hard sometimes when using ADF to understand the best approach to a particular problem - there are so many different ways of doing things/where to put the code/how to call it etc... ! Things seemed so much simpler back in the Forms days !
    Chandra - thanks for the information but this doesn't suit my requirements - I originally went down that path thinking/expecting it to be the holy grail but ran into all sorts of problems as it means that the dates are always being converted into users timezone regardless of whether or not they are creating the transaction or viewing an earlier one. I need the correct "date" to be stored in the database when a user creates/updates a record (for example in California) and this needs to be preserved for other users in different timezones. For example, when a management user in London views that record, the date has got to remain the date that the user entered, and not what the date was in London at the time (eg user entered 14th Feb (23:00) - when London user views it, it must still say 14th Feb even though it was the 15th in London at the time). Global settings like you are using in the adf-config file made this difficult. This is why I went back to stripping all timezone settings back out of the ADF application and relied on database session timezones instead - and when displaying a default date to the user, use the timestamp from the database to ensure the users "date" is displayed.
    Cheers,
    Brent

  • Access Permissions for instances of a subform

    Is there any way to set access permissions for an instance of a subform rather than the subform as a whole? Especially for a template that has a certain number of instances saved, where only instances which have been previously saved should be access="nonInteractive" but new instances should be editable.

    Like PeeJay says, a custom window controller seems the way to go. Try creating a subclass of NSWindowController, with header something like this:
    #import <Cocoa/Cocoa.h>
    @interface MyWindowController : NSWindowController
    {
        // Outlet connected in Interface Builder to the window's text field
        IBOutlet NSTextField *infoField;
    }
    -(void)setInfoText:(NSString *)str;
    @end
    The implementation of the setInfoText would be something like:
    -(void)setInfoText:(NSString *)str{
        [infoField setStringValue:str];
    }
    Create a nib file with your window in interface builder. Drop the header file for your custom window controller into the interface builder window. Set the custom class of the nib's File's Owner to MyWindowController. You can then hook up the window and infoField outlets from File's Owner to your window.
    In the body of your code where you open a new info window, add something like:
    MyWindowController *windowController=[[MyWindowController alloc] initWithWindowNibName:@"nameOfWindowNibFile"];
    [windowController setInfoText:@"Whatever"];
    [windowController showWindow:self];
    If you are going to have an undetermined amount of these custom window, it might be a good idea to store the window controller instances in a mutable array, rather than retaining instance variables for each one.
    Jim

  • Most efficient/quickest way to set NTFS permissions in PowerShell

    Hello all,
    Trying to figure out what the most efficient/quickest way to set NTFS permissions via PowerShell is. I am currently using ICACLS but it is taking FOREVER as I can't figure out how to make inheritance work with this command.
    This has prompted me to begin looking at other options for setting NTFS permissions in PowerShell, and I wondered what everyone here likes to use for this task in PowerShell?

    Ah ok. Unfortunately, my ICACLS is taking FOREVER. Here is the code I'm using:
    ICACLS "C:\users\[user]\Desktop\test" /grant:r ("[user]" + ':r') /T /C /Q
    However:
    1.  I can't figure out how to make the inheritance parameter work with ICACLS
    2. If I do make the inheritance parameter work with ICACLS, I still need a way to add the permission to child objects that aren't inheriting.
    Any tips on how to improve performance of ICACLS?
    1. icacls folder /grant GROUPNAME:(OI)(CI)(F)  (I will post corrected code later, this works in CMD but not PowerShell 'cause of braces)
    2.  get-childitem -recurse -force |?{$_.psiscontainer} |%{icacls ....}  (or u can list only folders where inheritance is disabled and apply icacls just on them)
    I think jrv and Mekac answered the first question about inheritance flags. I would just add that you probably don't want to use the /T switch with icacls.exe because that appears to set an explicit entry on all child items (that's probably why it's taking so long).
    For your second question, I'd suggest using the Get-Acl cmdlet. It throws terminating errors, so I usually wrap it in a try/catch block. Something like this might work if you just wanted the paths to files/folders that aren't inheriting permissions:
    dir $Path -Recurse | ForEach-Object {
        try {
            # Emit the path of every item whose DACL does not inherit from its parent
            Get-Acl $_.FullName | where { $_.AreAccessRulesProtected } | ForEach-Object { Convert-Path $_.Path }
        }
        catch {
            Write-Error ("Get-Acl error: {0}" -f $_.Exception.Message)
            return
        }
    }
    If you're looking for speed/performance, you don't want to just use the PowerShell Access Control (PAC) module that Mike linked to above by itself. It's implemented entirely in PowerShell, so it's incredibly slow right now (unless you use it along with Get-Acl / see below for an example). I'm slowly working on creating a compiled version that is much faster, and I think I'm pretty close to having something that I can put in the gallery.
    Since I wasn't sure which command would give you the best results, I used Measure-Command to test a few different ones. Each of the following four commands should do the exact same thing. Here are my results (note that I just ran the commands a few times and averaged the results on a test system; this wasn't very rigorous testing):
    # Make sure that this folder and user/group exist:
    $Path = "D:\TestFolder"
    $Principal = "TestUser"
    # Native PowerShell/.NET -- Took about 15 ms
    $Acl = Get-Acl $Path
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        "Read", # [System.Security.AccessControl.FileSystemRights]
        "ContainerInherit, ObjectInherit", # [System.Security.AccessControl.InheritanceFlags]
        "None", # [System.Security.AccessControl.PropagationFlags]
        "Allow" # [System.Security.AccessControl.AccessControlType]
    )))
    (Get-Item $Path).SetAccessControl($Acl)
    # PAC Module 3.0 w/ PowerShell/.NET commands -- Took about 35 ms
    $Acl = Get-Acl $Path | Add-AccessControlEntry -Principal $Principal -FolderRights Read -PassThru
    (Get-Item $Path).SetAccessControl($Acl)
    # icacls.exe -- Took about 40ms
    icacls.exe $Path /grant "${Principal}:(OI)(CI)(R)"
    # PAC Module 3.0 w/o Get-Acl -- Took about 350 ms
    Add-AccessControlEntry -Path $Path -Principal $Principal -FolderRights Read -Force
    Unless I messed something up, it looks like the native PowerShell/.NET commands are faster than icacls.exe, at least for modifying a single folder's DACL.
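
    The two steps discussed in this thread, combined into one script as an added example (not code from any of the posts): grant one inheritable ACE on the root instead of using /T, then add an explicit ACE only on children whose inheritance is disabled. $Path and $Principal are the same placeholders as in the timing snippet above; the New-ReadRule helper is hypothetical, and an elevated session is assumed because Set-Acl writes the whole descriptor back.

    ```powershell
    # Added example. $Path and $Principal are placeholders; both must exist.
    $Path      = "D:\TestFolder"
    $Principal = "TestUser"

    # Hypothetical helper: builds an Allow/Read rule for a folder or a file.
    function New-ReadRule {
        param([string]$Identity, [bool]$IsContainer)
        # Inheritance flags are only valid on containers. Adding a rule that
        # carries them to a file's ACL fails, so files get "None".
        $inherit = if ($IsContainer) { "ContainerInherit, ObjectInherit" } else { "None" }
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, "Read", $inherit, "None", "Allow")
    }

    # Step 1: a single inheritable ACE on the root. Children that still inherit
    # pick it up without an explicit entry being written on each of them.
    $rootAcl = Get-Acl -LiteralPath $Path
    $rootAcl.AddAccessRule((New-ReadRule -Identity $Principal -IsContainer $true))
    Set-Acl -LiteralPath $Path -AclObject $rootAcl

    # Step 2: only items with inheritance disabled need their own ACE.
    $changed = @()
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
            if ($acl.AreAccessRulesProtected) {
                $rule = New-ReadRule -Identity $Principal -IsContainer $item.PSIsContainer
                $acl.AddAccessRule($rule)
                Set-Acl -LiteralPath $item.FullName -AclObject $acl
                $changed += $item.FullName
            }
        }
        catch {
            # Get-Acl and Set-Acl throw terminating errors; log and keep going.
            Write-Error ("ACL error on {0}: {1}" -f $item.FullName, $_.Exception.Message)
        }
    }

    # Paths that received an explicit ACE, for review or change logging.
    $changed
    ```

    Keeping the list in $changed gives a record of every object whose DACL was modified directly, which is the set to re-check if the grant later has to be revoked.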

  • Access permissions on HDD connected to Airport

    I have a new Airport Extreme wirelessly connected to my network. I have two HDD connected to the Airport, one for Time Machine, the other for my iTunes library. No problem with the HDD used for Time Machine, but on the other HDD the access permissions keep resetting to 'Everyone' being given no access. When I go in and change the permissions, close the information box and open it up again it has reverted back to no access. If I reboot the laptop it will normally fix this, be fine for a bit and then happen again.
    Any ideas why the access permissions keep changing and what I can do to stop it happening?

    Unfortunately, Apple did not leave much room for setting user permissions for AirPort Disks. As you know, you can choose from one of three methods, but regardless of which method you choose, you cannot set permissions individually for folders/files on a drive, nor set them differently on either a different partition on the same drive or across multiple drives attached to a USB hub.
    What you are experiencing is possibly a shortcoming with the AirPort's file sharing feature. Even with the "With Accounts" option, there is inconsistency between partition vs. accounts. With multiple partitions, formatted with HFS+, you do not have any control on where the user permissions account folder ends up. Also, the location of this folder seems to change arbitrarily so that even something as simple as restarting the base station will change which partition has this folder and subsequent permissions ... with the other drive getting the "Everyone" permissions ... like you are experiencing.

  • Code for restoring default permissions to etc/hosts?

    Could someone help me with the proper code for setting the permissions on etc/hosts to their proper default setting?

    sudo chmod 644 /etc/hosts
    sudo chown root:wheel /etc/hosts
    Those are the settings on my iMac.
    If you use an editor such as
    sudo nano /etc/hosts
    you will most likely not have these problems.
    If you are a more experienced Unix user, then vim or emacs are good choices as well, but both of those editors have steep learning curves.
    Message was edited by: BobHarris

  • Access denied for folder when permissions set with WMI

    Hi,
    When I add/modify access rights based on the Win32_ACE class, there seems to be a difference in the result, compared to setting it with the GUI in Windows.
    The situation is as follows:
    I want to set Modify access on a remote folder, but also want to avoid deletion of the folder itself. This can easily be done by setting "deny delete on this folder only" in addition to "allow modify to this folder, files and subfolders".
    So far no issue.
    Now I notice that, although the GUI shows exactly the same result in advanced settings of the security property, the folder set with WMI script gives a deny when opening it with the user account. The same folder, set with the same security and result in the advanced tab, but set in the GUI, works fine.
    Note: The reason that I use WMI is because the remote system is a standalone machine, not sharing the same domain or trust.
    I compared the ACEFlags, AceType and AccessMask for both the GUI set and script set permissions, and they are exactly the same.
    GUI => AccessMask:1179817 AceType:0 iAceFlags:3
    Script => AccessMask:1179817 AceType:0 iAceFlags:3
    What a strange world we live in... :-)
    Any idea?

    What Operating System Interface are you referring to?  What program?
    You are being obtuse. What is it that you are trying to compare? The settings in WMI cannot be directly compared to anything in the Security Wizard.
    ¯\_(ツ)_/¯
    Just the properties of the folder in Windows on the security tab. The result is the same for both the permissions set with the interface as well as the one set with the WMI script. The two references you see are just taken with WMI:
    Set by Windows interface => AccessMask:1179817 AceType:0 iAceFlags:3 
    Set by WMI script => AccessMask:1179817 AceType:0 iAceFlags:3
    These are the values "AceFlags", "AceType" and "AccessMask" from management class WIN32_ACE:
    http://msdn.microsoft.com/en-us/library/aa394063(v=vs.85).aspx
    I just want to show that the actual ACE object returns the same values for both methods, but the effect appears to be that the script-set permissions are denied. And I am looking for the reason why.
    Can you provide the script that you're using to create the ACE(s) and add them? If I'm understanding what you're trying to do, there should be two ACEs created: one to allow the modify access and one to deny the folder deletion. The ACE you're showing is just an allow ACE (AceType 0).
    That is correct there are (or should be) two ACEs. I cannot get hold on my source right now (will be later today), but my code is based on this source:
    http://www.minasi.com/forum/topic.asp?TOPIC_ID=7501
    What I basically do is get the DACL properties and loop through them to check whether the user that I want to update exists. If it does, I check that the current AceType is of the same type (allow or deny) that I am updating/adding. If that type is a match, I replace the ACE object with the new Flag, Type and Mask using a Win32_ACE object. If the type doesn't match, then I add both the current ACE and the new ACE at the same time. I noticed that if I don't do it at the same time, only the last remains. If the user doesn't match, I check that the AceFlags is not equal to 16 (inherit) and then add the original ACE object to the ACE array. At the end I add the new ACE if the user was not found at all (new). The array of individual ACE objects is added to a list of management objects and then again linked to the DACL value.

  • Read-only access permissions for new files/folders?

    System:
    Clean Install on new intel Xserve
    10.4.8 Server w/ Open Directory
    Windows clients can read/write completely fine...
    Clients connecting using AFP (whether Standard or Kerberos authentication) can access files, but when new files/folders are created on the server, they register as full permissions for the user who created them, but not for the rest of the group.
    The share(s) in question are set using POSIX from WGM: Full access for owner/group/everyone (changed it to this thinking it would help, but it does not). Of course, no one can make changes to newly created/deposited files/folders, which is just plain silly.
    I can chmod the permissions recursively from a script (which fixes the problem, of course) on a regular basis so that it's not (as much of) an issue, but there is still a 5-minute lag for the script to kick in, since we don't want to bombard the server with chmod requests every minute....which is unnecessary in the first place!
    I have plenty of other setups which are identical but have no such issue...
    Any reason why POSIX permissions on the share are being ignored from every user account?
    Thanks,
    k

    "That's default posix behaviour no matter what access permissions you set on the sharepoint."
    I'm afraid this is dead wrong. What matters most is how you set permissions on the share, not if you've chosen to inherit vs. using POSIX. POSIX is still used in inherit functions, though you can use ACLs to override them. In this case, ACLs are not being used on those shares (though we tried it).
    After all, why would Apple (let alone anyone else) even offer the ability to change POSIX permissions on a share if it didn't have any effect? That would be somewhat contradictory in nature.
    Like I said before, I have several other installations which are identically set up that have no such issues.
    As for Windows, it is also not set to inherit permissions; we're setting those explicitly. And they work fine.
    Any other ideas?
    Thanks,
    k

  • Setting up access points for public access

    Okay, here's the situation. I have a PowerMac G4/1.25GHz dual processor running Server X 10.3.9 with four Mac clients (a small law office). Up until recently, everyone had also been running (client) 10.3.9, but I started upgrading some of them to 10.4 (currently 10.4.5). When I did this, they started running into problems with Word sometimes giving a "network or file permission error" when attempting to save documents to the server. After weeks of posting questions to Word support and trying everything in the book that I could think of, I found Apple recently posted what appears to be the answer to this (article 302979, "Microsoft Office applications fail to save to a server volume"). The problem? I have all four users logging into the same account on the server, and when one of them logs out, it zaps everything in a Microsoft-created temp folder on the server, including temp files created by open documents created by other clients. Sheesh.
    I had everyone set to use the same account because they have no need of document security -- everyone should be able to get into everyone else's files on the server, period. So, because of this snafu, I've created separate accounts for each of the users. My problem now is that, if user "X" creates a file or folder on the server, user "Y" cannot modify it because it is created as read-only. Strangely, if someone modifies an existing file, it doesn't change the user rights at all -- not sure why.
    I'll admit to being a bit of a novice with Server X but am familiar with parent/child folder permissions -- I think I've got everything set right, but I must obviously be missing something. Here's what I've got setup, and what I've tried. If anyone can point out how I've got this setup improperly, I really need to get this fixed... thanks.
    I have a single sharepoint ("workfiles"). I used the "public" folder as an example, and set the owner to "root" and the group to "staff". Further, I set the owner, group and everyone privileges to "read & write". I've also tried setting the group to "admin". All the individual user accounts I've set are also set up as admin users. I've tried setting each user's primary group as "staff (20)" or "admin (80)". I've copied all these privileges to all enclosed items, which does reset everything to public access, but as soon as someone creates a new folder or file, that folder/file becomes private to that user (it shows up with the creator's username as "owner" (r&w), group as "admin" (read-only), and others as "read-only" as well).
    PS: If upgrading the server to Server X 10.4 would help, I'm sure I can arrange that.

    In our law firm, the server (10.4.4), we have set access to read/write access so staff can open client files/folders, edit them and close, etc. That seems to be working okay. Before the tech worked on permissions, if someone created a letter another staff member could open it, but it was read-only.
    The problem we are having is that if a file that is clicked on stationery pad and we want to edit it, it will not allow us to. For example, if we need to edit our letterhead that normally comes up as an untitled document, if I unclick the stationery pad box, it unclicks, but it still comes up as an untitled document. I even tried to unclick a stationery pad on a document that I created before the server upgrade and it wouldn't let me.
    If I create a brand new document and put it on stationery pad, it comes up untitled as it should. If another user on another desktop wants to make changes, they unclick the stationery pad box, but when they open it, it comes up untitled and in checking get info, the stationery pad is selected.
    The tech set it up as follows:
    Share Points and All tabs:
    General tab: box to share this item and its contents is clicked
    Access tab: owner, group and everyone have read/write privileges
    If select dial at bottom to propagate permissions, all boxes are checked, except for access control list, which is shaded.
    I cannot drag/add anything to the control list and the pencil and the minus sign is shaded
    Protocol tab: Both boxes, share item using AFP and Allow AFP guest users are clicked. But for better security in reading the article, this should be unchecked.
    Also under the protocol tab: the inherit permission from parent radio dial is clicked, not the use standard POSIX behavior.
    What are we missing?
    Thanks, Cheryl
