OVM3 Repository : Take Ownership problem on NFS
Hey,
Could you post the steps to do this on NFS?
I'm in that situation at the moment.
Cheers,
919402 wrote:
Could you post the steps to do this on NFS?
I'm in that situation at the moment.
Just remove the NFS file server completely from your UI (you'll have to unpresent it first), then edit the .ovsrepo file in the root of the NFS exports that contain your repositories. Once you've replaced the old OVS_REPO_MGR_UUID value with the new one (which can be found in Help -> About in the Manager), add the NFS File Server back in the UI and rediscover the exports. The repositories will now be seen as owned by the new Manager UUID.
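The .ovsrepo edit described above, as an added shell example that is not part of the original reply. It assumes .ovsrepo is a plain KEY=value text file with exactly one OVS_REPO_MGR_UUID= line and that the Manager UUID is a hex string; the function name set_repo_owner and every UUID in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: .ovsrepo is KEY=value text
# with exactly one OVS_REPO_MGR_UUID= line. Run it on a host that has the NFS
# export mounted read-write, after the file server was removed from the UI:
#   set_repo_owner /path/to/export/.ovsrepo <new-manager-uuid>

# set_repo_owner FILE NEW_UUID
# Prints the previous manager UUID on stdout; diagnostics go to stderr.
set_repo_owner() {
    repo_file=$1
    new_uuid=$2

    # Accept only a non-empty hex string, so nothing pasted from the About
    # dialog (spaces, dashes, quotes, slashes) reaches the sed expression.
    case $new_uuid in
        ''|*[!0-9A-Fa-f]*)
            echo "refusing non-hex manager UUID: '$new_uuid'" >&2
            return 2 ;;
    esac

    if [ ! -f "$repo_file" ] || [ ! -w "$repo_file" ]; then
        echo "not a writable file: $repo_file" >&2
        return 3
    fi

    # A repository has one owning Manager. Any other count means the file
    # is not what we expect, so stop instead of guessing.
    count=$(grep -c '^OVS_REPO_MGR_UUID=' "$repo_file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 OVS_REPO_MGR_UUID line, found $count" >&2
        return 4
    fi

    old_uuid=$(sed -n 's/^OVS_REPO_MGR_UUID=//p' "$repo_file")
    if [ "$old_uuid" = "$new_uuid" ]; then
        echo "$old_uuid"          # already owned by this Manager, no change
        return 0
    fi

    # Keep the previous state next to the file so the change can be undone.
    cp -p "$repo_file" "$repo_file.bak" || return 5
    tmp=$(mktemp "$repo_file.XXXXXX") || return 5
    if ! sed "s/^OVS_REPO_MGR_UUID=.*/OVS_REPO_MGR_UUID=$new_uuid/" \
            "$repo_file" > "$tmp"; then
        rm -f "$tmp"
        return 5
    fi
    # Copy the contents back instead of renaming the temp file over the
    # original: the file keeps its inode, owner and mode on the export.
    if ! cat "$tmp" > "$repo_file"; then
        rm -f "$tmp"
        return 5
    fi
    rm -f "$tmp"
    echo "$old_uuid"
}

# Demo on a constructed file in a scratch directory (all values are made up).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'OVS_REPO_UUID=0004fb00000300000000000000000001' \
    'OVS_REPO_VERSION=3.0' \
    'OVS_REPO_MGR_UUID=0004fb00000100000000000000000aaa' \
    'OVS_REPO_ALIAS=constructed-demo-repo' > "$demo_dir/.ovsrepo"
echo "previous owner: $(set_repo_owner "$demo_dir/.ovsrepo" 0004fb00000100000000000000000bbb)"
cat "$demo_dir/.ovsrepo"
rm -rf "$demo_dir"
```

The .ovsrepo.bak copy it leaves beside the file holds the old Manager UUID, which is the value to restore if the rediscover step shows the wrong owner.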
Similar Messages
-
Solved - How to take ownership and change permissions for blocked files and folders in Powershell
Hello,
I was trying to take ownership & fix permissions on Home Folder/My Documents structures, I ran into the common problem in PowerShell where Set-Acl & Get-Acl return access denied errors. The error occurs because the Administrators have been removed from
file permissions and do not have ownership of the files, folders/directories. (Assuming all other permissions like SeTakeOwnershipPrivilege have been enabled.)
I was not able to find any information about someone successfully using native PS to resolve the issue. As I was able to solve the issues surrounding Get-Acl & Set-Acl, I wanted to share the result for those still looking for an answer.
Question: How do you use only PowerShell to take ownership and reset permissions for files or folders you do not have permissions or ownership of?
Problem:
Using the default function calls to the object fail for a folder that the administrative account does not have permissions or file ownership. You get the following error for Get-Acl:
PS C:\> Get-Acl -path F:\testpath\locked
Get-Acl : Attempted to perform an unauthorized operation.
+ get-acl <<<< -path F:\testpath\locked
+ CategoryInfo : NotSpecified: (:) [Get-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetAclCommand
If you create a new ACL and attempt to apply it using Set-Acl, you get:
PS C:\> Set-Acl -path F:\testpath\locked -AclObject $DirAcl
Set-Acl : Attempted to perform an unauthorized operation.
At line:1 char:8
+ Set-Acl <<<< -path "F:\testpath\locked" -AclObject $DirAcl
+ CategoryInfo : PermissionDenied: (F:\testpath\locked:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
Use of other functions like .GetAccessControl will result in a similar error: "Attempted to perform an unauthorized operation."
How do you replace owner on all subcontainers and objects in PowerShell without resorting to external applications like takeown, icacls, Windows Explorer GUI, etc.?
Tony
Hello,
Last, here is the script I used to reset permissions on the "My Documents" tree structure that admins did not have access to:
Example: Powershell script to parse a directory of User-owned "My Document" redirection folders and reset permissions.
#Script to Reset MyDocuments Folder permissions
$domainName = ([ADSI]'').name
Import-Module "PSCX" -ErrorAction Stop
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
#Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeSecurityPrivilege", $true) #Optional if you want to manage auditing (SACL) on the objects
Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
$Directorypath = "F:\Userpath" #locked user folders exist under here
$LockedDirs = Get-ChildItem $Directorypath -force #get all of the locked directories.
Foreach ($Locked in $LockedDirs) {
Write-Host "Resetting Permissions for "$Locked.Fullname
#######Take Ownership of the root directory
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
$Locked.SetAccessControl($blankdirAcl)
###################### Setup & apply correct folder permissions to the root user folder
#Using recommendation from Ned Pyle's Ask Directory Services blog:
#Automatic creation of user folders for home, roaming profile and redirected folders.
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$fullrights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$allowrights = [System.Security.AccessControl.AccessControlType]"Allow"
$DirACL = New-Object System.Security.AccessControl.DirectorySecurity
#Administrators: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",$fullrights, $inherit, $propagation, "Allow")))
#System: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",$fullrights, $inherit, $propagation, "Allow")))
#Creator Owner: Full Control
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER",$fullrights, $inherit, $propagation, "Allow")))
#Useraccount: Full Control (ideally I would error check the existance of the user account in AD)
#$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked.name",$fullrights, $inherit, $propagation, "Allow")))
$DirACL.AddAccessRule((new-object System.Security.AccessControl.FileSystemAccessRule("$domainName\$Locked",$fullrights, $inherit, $propagation, "Allow")))
#Remove Inheritance from the root user folder
$DirACL.SetAccessRuleProtection($True, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
#Set permissions on User Directory
Set-Acl -aclObject $DirACL -path $Locked.Fullname
Write-Host "commencer" -NoNewLine
##############Restore admin access & then restore file/folder inheritance on all subitems
#create a template ACL with inheritance re-enabled; this will be stamped on each subitem to re-establish the file structure with inherited ACLs only.
#$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked.name") #ideally I would error check this.
$NewOwner = New-Object System.Security.Principal.NTAccount("$domainName","$Locked") #ideally I would error check this.
$subFileACL = New-Object System.Security.AccessControl.FileSecurity
$subDirACL = New-Object System.Security.AccessControl.DirectorySecurity
$subFileACL.SetOwner($NewOwner)
$subDirACL.SetOwner($NewOwner)
######## Enable inheritance ($False) and not copy of parent ACLs ($False)
$subFileACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
$subDirACL.SetAccessRuleProtection($False, $False) #SetAccessRuleProtection(block inheritance?, copy parent ACLs?)
#####loop through subitems
$subdirs = Get-ChildItem -path $Locked.Fullname -force -recurse #force is necessary to get hidden files/folders
foreach ($subitem in $subdirs) {
#take ownership to insure ability to change permissions
#Then set desired ACL
if ($subitem.Attributes -match "Directory") {
# New, blank Directory ACL with only Owner set
$blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
$blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
#Use SetAccessControl to reset Owner; Set-Acl will not work.
$subitem.SetAccessControl($blankdirAcl)
#At this point, Administrators have the ability to change the directory permissions
Set-Acl -aclObject $subDirACL -path $subitem.Fullname -ErrorAction Stop
} Else {
# New, blank File ACL with only Owner set
$blankfileAcl = New-Object System.Security.AccessControl.FileSecurity
$blankfileAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
#Use SetAccessControl to reset Owner; Set-Acl will not work.
$subitem.SetAccessControl($blankfileAcl)
#At this point, Administrators have the ability to change the file permissions
Set-Acl -aclObject $subFileACL -path $subitem.Fullname -ErrorAction Stop
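} #end of the file/directory branch
Write-Host "." -NoNewline
} #end of the loop over subitems
Write-Host "fin."
} #end of the loop over locked user folders
Write-Host "Script Complete."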
I hope you find this useful.
Thank you,
Tony
Final Thought: There are great non-PS tools like
Set-Acl and takeown which are external to PS & can also do the job wonderfully. It may be much simpler to call those tools than recreate the wheel in pure
code. Feel free to use whatever best suits your time, scope & cost. -
How do I take ownership of a hard drive built in Windows but installed as an additional disk in my new Mac Pro?
I bought a Mac and have various HDDs, some portable, some SATA. I can write to them and don't seem to be able to take ownership of them. Is this to do with the format or a security setting I can't find?
Any help would be great; thanks.
Stephen
Thanks Kaz-K, this was what I assumed it to be. I have started to move the stuff over to a 4GB internal drive; once done and verified, I will reformat the drive and move it back, blooming nuisance.
Cheers.
Stephen -
NFS4: Problem mounting NFS mount onto a Solaris 10 Client
Hi,
I am having problems mounting NFS mount point from a Linux-Server onto a Solaris 10 Client.
In the following
=My server IP ..*.120
=Client IP ..*.100
Commands run on Client:
==================
# mount -o vers=3 -F nfs 172.25.30.120:/scratch/pvfs2 /scratch/pvfs2
nfs mount: 172.25.30.120: : RPC: Rpcbind failure - RPC: Unable to receive
nfs mount: retrying: /scratch/pvfs2
nfs mount: 172.25.30.120: : RPC: Rpcbind failure - RPC: Unable to receive
nfs mount: 172.25.30.120: : RPC: Rpcbind failure - RPC: Unable to receive
# mount -o vers=4 -F nfs 172.25.30.120:/scratch/pvfs2 /scratch/pvfs2
nfs mount: 172.25.30.120:/scratch/pvfs2: No such file or directory
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
1073741824 1 tcp 36084
100024 1 udp 42835 status
100024 1 tcp 36086 status
100133 1 udp 42835
100133 1 tcp 36086
100001 2 udp 42836 rstatd
100001 3 udp 42836 rstatd
100001 4 udp 42836 rstatd
100002 2 tcp 36087 rusersd
100002 3 tcp 36087 rusersd
100002 2 udp 42838 rusersd
100002 3 udp 42838 rusersd
100011 1 udp 42840 rquotad
100021 1 udp 4045 nlockmgr
100021 2 udp 4045 nlockmgr
100021 3 udp 4045 nlockmgr
100021 4 udp 4045 nlockmgr
100021 1 tcp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100021 3 tcp 4045 nlockmgr
100021 4 tcp 4045 nlockmgr
# showmount -e 172.25.30.120 (Server)
showmount: 172.25.30.120: RPC: Rpcbind failure - RPC: Unable to receive
Commands OnServer:
================
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100021 1 tcp 49927 nlockmgr
100021 3 tcp 49927 nlockmgr
100021 4 tcp 49927 nlockmgr
100021 1 udp 32772 nlockmgr
100021 3 udp 32772 nlockmgr
100021 4 udp 32772 nlockmgr
100011 1 udp 796 rquotad
100011 2 udp 796 rquotad
100011 1 tcp 799 rquotad
100011 2 tcp 799 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 809 mountd
100005 1 tcp 812 mountd
100005 2 udp 809 mountd
100005 2 tcp 812 mountd
100005 3 udp 809 mountd
100005 3 tcp 812 mountd
100024 1 udp 854 status
100024 1 tcp 857 status
# showmount -e 172.25.30.120
Export list for 172.25.30.120:
/scratch/nfs 172.25.30.100,172.25.24.0/4
/scratch/pvfs2 172.25.30.100,172.25.24.0/4
Thank you, ~al
I also tried to run Snoop on the client and wireshark on Server and following is what I see:
On Server: Upon issuing mount command on client:
# tshark -i eth1
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
0.000000 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
0.205570 172.25.30.100 -> 172.25.30.120 Portmap V2 GETPORT Call MOUNT(100005) V:3 UDP
0.205586 172.25.30.120 -> 172.25.30.100 ICMP Destination unreachable (Port unreachable)
0.207863 172.25.30.100 -> 172.25.30.120 Portmap V2 GETPORT Call MOUNT(100005) V:3 UDP
0.207869 172.25.30.120 -> 172.25.30.100 ICMP Destination unreachable (Port unreachable)
2.005314 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
4.011005 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
5.206109 Dell_70:ad:29 -> SunMicro_70:ff:17 ARP Who has 172.25.30.100? Tell 172.25.30.120
5.206277 SunMicro_70:ff:17 -> Dell_70:ad:29 ARP 172.25.30.100 is at 00:14:4f:70:ff:17
5.216157 172.25.30.100 -> 172.25.30.120 Portmap V2 GETPORT Call MOUNT(100005) V:3 UDP
5.216170 172.25.30.120 -> 172.25.30.100 ICMP Destination unreachable (Port unreachable)
On Client: Upon issuing mount command on client:
# snoop -d bge1
Using device /dev/bge1 (promiscuous mode)
? -> * ETHER Type=9000 (Loopback), size = 60 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
atlas-pvfs2 -> pvfs2-io-0-3 PORTMAP C GETPORT prog=100005 (MOUNT) vers=3 proto=UDP
pvfs2-io-0-3 -> atlas-pvfs2 ICMP Destination unreachable (UDP port 111 unreachable)
atlas-pvfs2 -> pvfs2-io-0-3 PORTMAP C GETPORT prog=100005 (MOUNT) vers=3 proto=UDP
pvfs2-io-0-3 -> atlas-pvfs2 ICMP Destination unreachable (UDP port 111 unreachable)
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> * ETHER Type=9000 (Loopback), size = 60 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
pvfs2-io-0-3 -> * ARP C Who is 172.25.30.100, atlas-pvfs2 ?
atlas-pvfs2 -> pvfs2-io-0-3 ARP R 172.25.30.100, atlas-pvfs2 is 0:14:4f:70:ff:17
atlas-pvfs2 -> pvfs2-io-0-3 PORTMAP C GETPORT prog=100005 (MOUNT) vers=3 proto=UDP
pvfs2-io-0-3 -> atlas-pvfs2 ICMP Destination unreachable (UDP port 111 unreachable)
Also I see the following on Client:
# rpcinfo -p pvfs2-io-0-3
rpcinfo: can't contact portmapper: RPC: Rpcbind failure - RPC: Failed (unspecified error)
When I try the above rpcinfo command on Client and Server Snoop And wireshark(ethereal) outputs are as follows:
Client # snoop -d bge1
Using device /dev/bge1 (promiscuous mode)
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
atlas-pvfs2 -> pvfs2-io-0-3 TCP D=111 S=872 Syn Seq=2065245538 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
pvfs2-io-0-3 -> atlas-pvfs2 ICMP Destination unreachable (TCP port 111 unreachable)
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=2004 (Unknown), size = 48 bytes
? -> (multicast) ETHER Type=0003 (LLC/802.3), size = 90 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> * ETHER Type=9000 (Loopback), size = 60 bytes
pvfs2-io-0-3 -> * ARP C Who is 172.25.30.100, atlas-pvfs2 ?
atlas-pvfs2 -> pvfs2-io-0-3 ARP R 172.25.30.100, atlas-pvfs2 is 0:14:4f:70:ff:17
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
atlas-pvfs2 -> pvfs2-io-0-3 TCP D=111 S=874 Syn Seq=2068043912 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
pvfs2-io-0-3 -> atlas-pvfs2 ICMP Destination unreachable (TCP port 111 unreachable)
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes
? -> * ETHER Type=9000 (Loopback), size = 60 bytes
Server # tshark -i eth1
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
0.000000 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
0.313739 Cisco_3d:68:10 -> CDP/VTP/DTP/PAgP/UDLD CDP Device ID: MILEVA Port ID: GigabitEthernet1/0/16
2.006422 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
3.483733 172.25.30.100 -> 172.25.30.120 TCP 865 > sunrpc [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
3.483752 172.25.30.120 -> 172.25.30.100 ICMP Destination unreachable (Port unreachable)
4.009741 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
6.014524 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
6.551356 Cisco_3d:68:10 -> Cisco_3d:68:10 LOOP Reply
8.019386 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
8.484344 Dell_70:ad:29 -> SunMicro_70:ff:17 ARP Who has 172.25.30.100? Tell 172.25.30.120
8.484569 SunMicro_70:ff:17 -> Dell_70:ad:29 ARP 172.25.30.100 is at 00:14:4f:70:ff:17
10.024411 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
12.030956 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
12.901333 Cisco_3d:68:10 -> CDP/VTP/DTP/PAgP/UDLD DTP Dynamic Trunking Protocol
12.901421 Cisco_3d:68:10 -> CDP/VTP/DTP/PAgP/UDLD DTP Dynamic Trunking Protocol
^[[A 14.034193 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
15.691119 172.25.30.100 -> 172.25.30.120 TCP 866 > sunrpc [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
15.691138 172.25.30.120 -> 172.25.30.100 ICMP Destination unreachable (Port unreachable)
16.038944 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
16.550760 Cisco_3d:68:10 -> Cisco_3d:68:10 LOOP Reply
18.043886 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
20.050243 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
21.487689 172.25.30.100 -> 172.25.30.120 TCP 867 > sunrpc [SYN] Seq=0 Win=49640 Len=0 MSS=1460 WS=0
21.487700 172.25.30.120 -> 172.25.30.100 ICMP Destination unreachable (Port unreachable)
22.053784 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
24.058680 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
26.063406 Cisco_3d:68:10 -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 32770/00:0a:b8:3d:68:00 Cost = 0 Port = 0x8010
26.558307 Cisco_3d:68:10 -> Cisco_3d:68:10 LOOP Reply
~thank you for any help you can provide!!! -
Hi,
I like iPhoto for its features and ease of use; however, I'm unclear on its privacy policy.
When using iPhoto to buy photo books, is Apple going to take ownership of my photographic material?
Can Apple use my pictures to advertise Apple products or services?
I've asked these questions twice to the apple privacy postmaster, but they only reply with a boiler plate of links to get further support or they simply ignore my email. Should I assume the worse?
I like iPhoto, but I'm not going to use it if I don't know that my privacy is satisfactorily safeguarded.
Thank you for any insight
Gabriele
No and No. You retain all rights.
-
Take Ownership of this item link
Hi
In catalog manager, in item properties, there is a link "Take Ownership of this item" which changes the owner of an object to the current user. However, even though I limit it only to the Presentation Server Administrators group through privileges setup, each user still sees this link and is able to use it. What can I do to prevent users seeing this link, except the setting in privileges?
Thanks a lot.
Catalog Manager is a powerful tool - it should only be made available to report developers / administrators that need to use it. Most users should not have access to the tool - in fact the only access for most people should be through their web browser into Dashboards/Answers etc.
If used in 'offline mode' then you have access to any item in the catalog; 'on-line' access should restrict you to the items that you have permission on.
I suggest that you review the catalog manager section of the Presentation Services Administration guide and particularly note the need to take backups before you make changes as there is no 'undo' available! -
File permission and ownership problem
I am trying to resolve some file permission and ownership problems that are left over from using Migration Assistant to set up my iMac from an older iMac. In a terminal session when I use the ls -l command I'm getting a file/directory owner of 504. Sometimes the group is admin and sometimes the group is also 504. I think this is because the owner of the file on the old computer is not present in the new one but I want to be sure before I just change the owner and group.
The following should give you an indication->
id -un 504
or you could try->
dscl . list /Users UniqueID | grep 504 && echo "User exists" || echo "User does not exist" -
I need to take ownership of an external drive with NTFS file system from my previous laptop?
I have an external drive that was previously associated with my PC laptop that was stolen.
I wish to take ownership of folders.
Can anyone help me with this.
Use a third party tool to allow your computer to use ntfs formatted drives.
Or, just copy the folder/files to your computer then use them. OSx can read ntfs drives so copy will work. After you copy the files to your computer, format the drive for OSx then use the drive with your computer with read/write functionality. -
How do I NOT take ownership of comments made by others?
In shared, online reviews that I initiate (Send for Shared Review), I sometimes unknowingly take ownership of others' comments- this is not desired for me (as initiator, or for any participants making their own comments). Sometimes I take over everyone's comments, other times I don't, even with the Adobe settings are the same (see #1). I DO need to add my own comments during the review, but want to prevent taking ownership of others in the online review.
Should I UNcheck the Review Preference box for: Show "On Behalf Of" text...when user takes ownership of comments"? I've always had it checked (seems to be a default), but I don't always take ownership- perhaps related to the sequence of steps (#2)?
Is there a proper Save/Publish or Publish/Save sequence that governs when you do/don't take ownership? Does saving a draft and publishing later make me (or anyone else) take ownership of comments?
Does it make any difference with 'taking ownership' when I "Send for Shared Review" if I place my name in the "To" versus "cc" list?
Our team has really liked the shared online Adobe reviews and use it a fair amount, but this question has yet to be solved- please help!
Jay del Rosario wrote:
>
> How do I troubleshoot installation/distribution of a LabVIEW .exe
> which processes data using Matlab when it works on some computers but
> not others?
Poke around zone.ni.com and
http://digital.natinst.com/public.nsf/$$Search/ .
Good luck, Mark -
Problems enabling nfs client and server
I just re-build a solaris 11.1x86 on a x4640 SunFire
Have problems enabling nfs
First i typed the following command:
# svcs network/nfs/server
disable
Second I typed the following command:
#svcadm enable network/nfs/server
# svcs network/nfs/server
offline
did this 3 or 4 times without success...
any ideas?
I'm holding production here! Please help!!
Let's rule out the easier stuff first...
Do you have something shared?
I think you need to have something shared before you can enable the nfs server service.
Or, if you share something, the service is started automatically. See below.
Thanks, Cindy
# svcs -a | grep nfs
disabled Feb_26 svc:/network/nfs/client:default
disabled Feb_26 svc:/network/nfs/server:default
disabled Feb_26 svc:/network/nfs/rquota:default
# svcadm enable svc:/network/nfs/server:default
# svcs | grep nfs
disabled 13:51:52 svc:/network/nfs/server:default
# zfs set share.nfs=on rpool/cindy
# share
rpool_cindy /rpool/cindy nfs sec=sys,rw
# svcs | grep nfs
online Feb_26 svc:/network/nfs/fedfs-client:default
online Feb_27 svc:/network/nfs/status:default
online Feb_27 svc:/network/nfs/cbd:default
online Feb_27 svc:/network/nfs/mapid:default
online Feb_27 svc:/network/nfs/nlockmgr:default
online 13:52:35 svc:/network/nfs/rquota:default
online 13:52:35 svc:/network/nfs/server:default -
Take ownership of a registry key, and change permissions
Hello,
I am writing a powershell script to configure a W2008-R2 Server. In one of the steps, I need to take ownership of an existing registry key, and then give full control permissions to the administrators.
I have done this:
$acl = Get-Acl $key
$me = [System.Security.Principal.NTAccount]"$env:userdomain\$env:username"
$acl.SetOwner($me)
$person = [System.Security.Principal.NTAccount]"Administrators"
$access = [System.Security.AccessControl.RegistryRights]"FullControl"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)
$acl.AddAccessRule($rule)
Set-Acl $key $acl
But it fails in "set-acl" command, with the message "Set-Acl : Requested registry access is not allowed."
Any ideas of how to do this? or if it is even possible?
Thank you!
Here is the code to take ownership of a registry key. You first need to set the SeTakeOwnership permission on your process.
The enable-privilege function is taken from a posting by Lee Holmes (http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/), but
I've been meaning to get around to tidy it up a bit for my purposes. Perhaps this thread is the motivation I need to do this. I should also note that the PowerShell Community Extensions has cmdlets to work with tokens already.
I also never tested whether you can do the PowerShell native methods of get-acl set-acl if you set the token. I don't have time to play with that now, but if you want to try it and let us know if it works that would be great. The opensubkey method
I'm using I've documented here for changing permissions when you don't have permissions: http://powertoe.wordpress.com/2010/08/28/controlling-registry-acl-permissions-with-powershell/
function enable-privilege {
param(
## The privilege to adjust. This set is taken from
## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv
{
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid
    {
        public int Count;
        public long Luid;
        public int Attr;
    }
    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
    public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
    {
        bool retVal;
        TokPriv1Luid tp;
        IntPtr hproc = new IntPtr(processHandle);
        IntPtr htok = IntPtr.Zero;
        retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
        tp.Count = 1;
        tp.Luid = 0;
        if(disable)
        {
            tp.Attr = SE_PRIVILEGE_DISABLED;
        }
        else
        {
            tp.Attr = SE_PRIVILEGE_ENABLED;
        }
        retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
        retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return retVal;
    }
}
'@
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
enable-privilege SeTakeOwnershipPrivilege
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\powertoe",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$me = [System.Security.Principal.NTAccount]"t-alien\tome"
$acl.SetOwner($me)
$key.SetAccessControl($acl)
http://twitter.com/toenuff
write-host ((0..56)|%{if (($_+1)%3 -eq 0){[char][int]("116111101110117102102064103109097105108046099111109"[($_-2)..$_] -join "")}}) -separator "" -
AGPM group policy ownership problem
I'm trying to move uncontrolled policies to controlled but I get [GPMC Error] Could not take ownership of the production GPO. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) on all of them. Per the docs, my service account
is a member of the "GPO Creator Owners" group and "Backup Operators" group. I have also given full control of the container the policies are in to the service account. I am able to create new controlled policies and deploy them, I just can't
seem to take control of production GPOs even though it looks like the rights are there.
Anyone have any ideas?
Hi Dave,
you also need to get the service account full control over the existing GPOs:
Full Access to existing GPOs
http://blogs.technet.com/askds/archive/2008/12/16/agpm-least-privilege-scenario.aspx
AGPM ensures that it has proper ownership and permissions to all controlled GPOs. However, GPOs created before implementing AGPM will not provide adequate permissions to the AGPM Service. For this reason, you'll want to give the AGPM Service
Full Control to all GPOs that exist prior to implementing AGPM.
That should fix it.
Gunter -
"Floating ownership" problem on eSATA DS4600
I have a Promise DS4600 unit that is hooked up with eSATA. Previously, I used System Preferences to move some user account home directories to this unit since some of them are just gigantic. It's worked great... until...
...somehow, this volume has acquired the "floating ownership" problem. The floating ownership problem is where the system shows the currently-logged on user as the owner of every file and directory inside the volume even though "ignore ownership on this volume" has been disabled for quite some time.
Does anyone have any idea how this happened or how to fix it? I'm trying to avoid a data move/permissions rework because the amount of data is huge (3 terabytes or so) and it would be difficult. I have a feeling there is a setting stuck, but I cannot find any data on it. I know there is a post about this issue on the SuperDuper! blog, but there is no information on how to fix it. They just talk about how they worked around the issue on their application. -
Temporarily Take Ownership of folders to set permissions
So I am attempting to run a script when a server builds that sets permissions on certain folders. However, the administrator group does not have access to these files. Is there a way to temporarily take ownership of these folders so I can make the permission changes and revert the ownership back after. Any thoughts?
Thanks.
Mekac is right; if you don't have at least 'ReadPermissions' access to the file/folder, you usually can't get the current owner. If you have the SeBackupPrivilege granted, though, you can take a look at it under the right conditions. If you want to do that manually, let me know, otherwise you can try the 4.0 preview version of the PowerShell Access Control module:
$CurrentPath = "c:\FileOrFolderPath"
# ACE to add once ownership has been taken
$AddAceParams = @{
    Principal = "Administrators"
    FolderRights = "FullControl"
}
<#
Method 1 (technically a one-liner)
#>
Get-SecurityDescriptor $CurrentPath -PacSDOption (New-PacCommandOption -BypassAclCheck) | ForEach-Object {
    # Save the current owner so it can be restored afterwards
    $OriginalOwner = $_.Owner
    $_ | Set-Owner -PassThru -Apply | # -Force here would suppress prompt
        Add-AccessControlEntry @AddAceParams -PassThru |
        Set-Owner -Principal $OriginalOwner -Apply # -Force here would suppress prompt
}
<#
Method 2 (Multiple lines)
#>
$OriginalOwner = Get-SecurityDescriptor $CurrentPath -PacSDOption (New-PacCommandOption -BypassAclCheck) | select -ExpandProperty Owner
Set-Owner $CurrentPath #-Force
Add-AccessControlEntry $CurrentPath @AddAceParams -PassThru |
    Set-Owner -Principal $OriginalOwner -Apply #-Force
Both examples should do the exact same thing. The important part is the '-PacSDOption (New-PacCommandOption -BypassAclCheck)', which enables the backup privilege and opens the file/folder in a special way to allow you to look at the security descriptor even
if you don't have permission to. You need to do that to guarantee the ability to save the current owner. If you have any questions about what's going on, please let me know.
It's actually possible to make the permission changes using the SeRestorePrivilege without taking ownership first, but there are a lot of "gotchas". I'm still trying to figure out if I'm going to include that capability in the final version
of the module.
By the way, version 4.0 is currently still a preview build, so some of the syntax will be different before it's finalized. One area where the previous examples will definitely fail later is with the 'New-PacCommandOption' cmdlet (it's been renamed to 'New-PacSdOption' in the latest unreleased build). -
Workfow Process Management - Take Ownership issue
Hi All,
We are on Hyperion planning 11.1.2 and just started using Workflow process mgmt of type "Bottom Up". It happened that one of the planning unit owners went on vacation and when the top level user (budget administrator) takes ownership of these planning units, write access is not getting transferred. All web form cells are grayed out. Budget administrator has write access at all levels (confirmed when looked at other scenario where it is not enabled for PM). Not sure what we are doing wrong. Can you guys throw some light...
Thanks for your help in advance.
Regards,
Praveen
Yes, budget administrator is one of the reviewers.
How to handle this situation. I tried with one of the planners (who is not part of the Process Mgmt and who has write access at all levels) to take ownership from initial owner but it is not allowed to take. Is there any way to take ownership of the planning units and submit data. Please let me know.
Thanks,
Praveen