Px4-300r - using NTFS permissions

Similar Messages

• Unable to set NTFS permissions on share using PowerShell. The user shows up with no rights checked off.

  I am having a little problem here with setting NTFS permissions via PowerShell. 
  Basically I am able to make a new directory on the share, and assign a user NTFS permissions however it just assigns the select user without any permissions set.
  $username = "test.user"
  $directory = "\\testlab-sv01\Share\newfolder"
  New-Item -Path $directory -ItemType Directory
  $colRights = [System.Security.AccessControl.FileSystemRights]"FullControl"
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
  $objType =[System.Security.AccessControl.AccessControlType]::Allow
  $objUser = New-Object System.Security.Principal.NTAccount("$username")
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
  $objACL = Get-ACL $directory
  $objACL.AddAccessRule($objACE)
  Set-ACL $directory $objACL
  A side question, why isn't this native in Powershell? Is it for security reasons? I expected there to be a cmdlet for it. 
  Thanks. 
  Kyle

  When you say there are no permissions, do mean that the ACL Editor is showing 'Special permissions' and none of the other boxes are checked?
  Try changing the inheritance and propagation flags to this:
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags] "ContainerInherit, ObjectInherit"
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
  That sets the ACE to apply to the folder (InheritOnly propagation flag isn't set) , subfolders (ContainerInherit inheritance flag is set), and files (ObjectInherit inheritance flag is set), which is necessary for the ACE to not be considered 'special' in
  the ACL Editor.
  Awesome. Thanks. That did work. 
  And yes I did mean that it was showing special permissions with nothing checked. 
  Kyle

• Can't rename a single file to autorun.inf even all ntfs permissions are correct

  I have this odd problem:
  Logged in as Domin Administrator I couldn't  rename or open for editing an existing file "autorun.inf" even though all the ntfs permissions were correct. Every other files in the same directory (mainly .swf, .docx, .js and .htm files)
  are both editable and can be renamed.
  When I deleted the file "autorun.inf" from the folder and tried to create a new one with the same name, OS (Windows Server 2008 R2) notifies me that I "need permission to perform this action". Furthermore OS notifies me that "You
  require special permission from Administrators to make changes to this file". Neither can I copy a file named "autorun.inf" from another location to this folder. This is in spite of being logged in as Domain Admin.
  In short: I can't create a file called autorun.inf in a folder!
  Could  there be some kind of extra locking concerning files named autorun.inf i.e. some protective mechanism in this particular folder's permissions or SRV2008R2 itself that I've missed. All the other folders allow me to create whatever files i like
  into them.
  I would very much appreciate if anybody can help me with this.

  Yes, by default that will block any access to autorun.ini files. We use the same, so the issue sounded familiar, and of that I asked specificly to that :)
  Best Regards,
  Jesper Vindum, Denmark
  Systems Administrator
  Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

• Unexpected NTFS permissions behavior

  I am administering a home server running Windows 2008 R2 (accessed by several Windows 8.1 clients) and have run into an NTFS permissions issue I do not understand.
  On this server there is a S drive that contains all the online storage for our network.
  The structure of the S drive looks like this:
  Files
    Public
      VariousPublicFolders
    Private
      Person1
        Person1sStuff
      Person2
        Person1sStuff
  Temp
  Before any security modifications were made, the root of the S drive had the following permissions:
  SYSTEM : Full Control
  Administrators : Full Control
  Users : Read and Execute
  Also, all the above folders on this drive are owned by the Administrators group.
  Then I started changing permissions in order to satisfy my security requirements.
  For example, I disinherited permissions on Temp and allowed "Everyone" Full Control there.
  That works fine.
  What doesn't work fine is the permissions I am trying to set on the personal folders under the Private tree.
  I want to make sure no one else (other than administrators) has access to anyone's personal data  (the data in the Person1, Person2, etc folders).
  So I disinherted permissions on each of those folders and then explicity set the following:
  SYSTEM : Full Control
  Administrators : Full Control
  PersonX : Full Control
  This, I thought should work beautifully.
  I thought it should give each person full control of what happens in their personal folder, and also allow administrators and the system to get in there.
  But it is giving people in the Administrators group problems.
  I have a user called Custodian which is part of the Administrators group, and I use this user to do administrative tasks.
  As Custodian, when I try to access someone's personal folder in Explorer I am greeted with a message that says "You don't currently have permission to access this folder."
  Whaaaaat?
  I am offered "Click continue to permanently get access to this folder."
  If I say YES then Custodian is explicitly added to the folder ACL, and I can proceed to access the files there.
  But I don't want this.
  Custodian is already an Administrator, and Administrators already have full control of the folder.  Why should I even be prompted, and even worse, have my user unnecessarily added to the ACL?
  This is bad bad bad.
  I think what is going on is that UAC is coming into play.  I read somewhere that Administrators normally do not use their administrative token until they hit something that requires it, then UAC kicks in and asks to elevate them.  This would be
  fine if it happened.  I guess I wouldn't mind having to click OK to enter a folder that requires admin access.  But this is not what is happening.  I am just blanket denied until I explicitly add the Custodian account to the ACL.
  Can someone explain why an admin user is denied access to a folder having full control given to admins?  What is going on here?
  Can someone suggest a way to rig permissions so that my admin user doesn't have to be added explicity?
  I just want to be able to browse and alter the entire drive with ANY administrative user without being bothered to alter permissions.  I don't even mind being prompted for elevation, although honestly I'd prefer not to have that happen either.

  Thank you, Milos, for taking the time to look at this.
  RE: Making the post shorter, I'm not sure I could.  It's not an easy problem to state, and I tried to do so in as few words as possible, any less and I would be leaving out critical info.
  Here are your questions, answered.
  (2) Yes, I am using a workgroup.
  (3) An example calcs output
  S:\Files\Private\Scott DATABANK\Scott:(OI)(CI)F
                         BUILTIN\Administrators:(OI)(CI)F
                         NT AUTHORITY\SYSTEM:(OI)(CI)F
  (4) The share permissions are full, yes, but this is immaterial.  I suffer the problem accessing the files locally/directly on the server.  I probably shouldn't have mentioned anything about the share.  It's just that the problem came to light
  while I WAS accessing the files through the share, but then I tried locally and still had the problem.
  I am unsure of what you mean in (5) (6) (7).  Could you elaborate?

• NTFS permissions - Only access to folders created by the user himself

  Hi,
  I once came by an TechNet article explaining how to set up the NTFS permission on a shared folder, so the users would have rights to create a subfolder, and then only have access to this folder, and none of the co-existing folders on the same level, created
  by similiar users.
  So in details, I have shared a folder called backup$, where the users needs access to create their own subfolder (will be done automatically by a script). And in case they would need to browse their way to the full path, I need to make sure, they won't be
  able to access folders created by other users.
  Any help is much appreciated.
  Martin Bengtsson | www.imab.dk

  Hi,
  I am not clear what are the rights you will set through the script for each sub-folder. You can verify, your settings using
  Effective Permission tool.
  You can more about Effective Permissions from the below URLs.
  http://technet.microsoft.com/en-us/library/cc772184.aspx
  http://technet.microsoft.com/en-us/magazine/2006.01.howitworksntfs.aspx
  <hr/>
  <br/>
  Regards,<br/>
  Jack<br/>
  <a href=http://www.jijitechnologies.com>JiJi Technologies</a>
  I'm sorry if my question is not clear. I'm looking for the correct NTFS permissions to set on the shared folder. No permissions are being set in the script.
  Martin Bengtsson | www.imab.dk

• Defining NTFS Permissions for High Volume Security

  The default NTFS file permissions for the boot volume in Windows 8.1 appear to give Modify access to "Authenticated Users".   That is really permissive.   I have a lot of folders I do not want anyone not authenticated as Administrator
  to touch.   Of course I could change every folder manually and test for side effects, but I am hoping someone has already tested this and has published a document.   I am looking for a detailed description of how to secure the volume so that ordinary
  users cannot modify attributes, filenames, or data for most files on the volume.
  Will

  Ronald, thanks for your reply.  Now we are talking the right topic.    
  1) How did you modify the root permissions?  One way to do that might be to remove Modify and Create authority for the "Authenticated Users" entity and replace that with just Read & Execute.
  2) I understand that Microsoft tightened things to prevent normal users from having modify access inside subfolders.   This works fine for well behaved applications that use things like the "Program Files" subfolder.   Unfortunately, many
  applications are badly behaved and put themselves directly under the root of the boot volume.  AMD for example puts its video drivers in c:\amd by default.     Since that folder inherits from the root, and the root gives permissive access to
  users to create and modify files, now many sensitive DLLs in this install folder could be easily modified by any user.
  One of the worst viruses I ever had was a denial of service virus that acted simply by hiding every single file on your file system.   We had locked down NTFS permissions but had forgotten to lock down file attributes.   It took forever to recover
  from that.   
  So, bottom line, I like to run as tight a file security as possible, and I like to stay logged in as a normal user and greatly restrict what normal users can change.    
  Microsoft definitely tightened things up in Windows 8 and that's great.
  Will

• Most efficient/quickest way to set NTFS permissions in PowerShell

  Hello all,
  Trying to figure out what the most efficient/quickest way to set NTFS permissions via PowerShell is. I am currently using ICACLS but it is taking FOREVER as I can't figure out how to make inheritance work with this command.
  This has prompted me to begin looking at other options for setting NTFS permissions in PowerShell, and I wondered what everyone here likes to use for this task in PowerShell?

  Ah ok. Unfortunately, my ICACLS is taking FOREVER. Here is the code I'm using:
  ICACLS "C:\users\[user]\Desktop\test" /grant:r ("[user]" + ':r') /T /C /Q
  However:
  1.  I can't figure out how to make the inheritance parameter work with ICACLS
  2. If I do make the inheritance parameter work with ICACLS, I still need a way to add the permission to child objects that aren't inheriting.
  Any tips on how to improve performance of ICACLS?
  1. icacls folder /grant GROUPNAME:(OI)(CI)(F)  (i will post corrected code later, this works in CMD but not powershell couse of bracers)
  2.  get-childitem -recurse -force |?{$_.psiscontainer} |%{icacls ....}  (or u can list only folders where inheritance is disabled and apply icacls just on them)
  I think jrv and Mekac answered the first question about inheritance flags. I would just add that you probably don't want to use the /T switch with icacls.exe because that appears to set an explicit entry on all child items (that's probably why it's taking
  so long).
  For your second question, I'd suggest using the Get-Acl cmdlet. It throws terminating errors, so I usually wrap it in a try/catch block. Something like this might work if you just wanted the paths to files/folders that aren't inheriting permissions:
  dir $Path -Recurse | ForEach-Object {
  try {
  Get-Acl $_.FullName | where { $_.AreAccessRulesProtected } | ForEach-Object { Convert-Path $_.Path }
  catch {
  Write-Error ("Get-Acl error: {0}" -f $_.Exception.Message)
  return
  If you're looking for speed/performance, you don't want to just use the PowerShell Access Control (PAC) module that Mike linked to above by itself. It's implemented entirely in PowerShell, so it's incredibly slow right now (unless you use it along with Get-Acl
  / see below for an example). I'm slowly working on creating a compiled version that is much faster, and I think I'm pretty close to having something that I can put in the gallery.
  Since I wasn't sure which command would give you the best results, I used Measure-Command to test a few different ones. Each of the following four commands should do the exact same thing. Here are my results (note that I just ran the commands a few times
  and averaged the results on a test system; this wasn't very rigorous testing):
  # Make sure that this folder and user/group exist:
  $Path = "D:\TestFolder"
  $Principal = "TestUser"
  # Native PowerShell/.NET -- Took about 15 ms
  $Acl = Get-Acl $Path
  $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
  $Principal,
  "Read", # [System.Security.AccessControl.FileSystemRights]
  "ContainerInherit, ObjectInherit", # [System.Security.AccessControl.InheritanceFlags]
  "None", # [System.Security.AccessControl.PropagationFlags]
  "Allow" # [System.Security.AccessControl.AccessControlType]
  (Get-Item $Path).SetAccessControl($Acl)
  # PAC Module 3.0 w/ PowerShell/.NET commands -- Took about 35 ms
  $Acl = Get-Acl $Path | Add-AccessControlEntry -Principal $Principal -FolderRights Read -PassThru
  (Get-Item $Path).SetAccessControl($Acl)
  # icacls.exe -- Took about 40ms
  icacls.exe $Path /grant "${Principal}:(OI)(CI)(R)"
  # PAC Module 3.0 w/o Get-Acl -- Took about 350 ms
  Add-AccessControlEntry -Path $Path -Principal $Principal -FolderRights Read -Force
  Unless I messed something up, it looks like the native PowerShell/.NET commands are faster than icacls.exe, at least for modifying a single folder's DACL.

• Renaming folder resets NTFS permissions

  Hi
  I have installed a new file server, running Server 2012 R2. I have created a shared folder and set the NTFS permissions. I then renamed the folder and noticed that the NTFS permissions had ben removed and reset.
  I have never seen this behavior before, and I find it a bit worrying???
  Lasse
  /Lasse

  Hi Amy
  The steps I initially did:
  1. Create folder in the root of D:
  2. Disabled inheritance
  3. Added the necessary permissions (The user I use is a domain admin, and is also added)
  4. Shared the folder to Everyone with full control
  5. Right click on the shared folder and selected rename and gave the folder a different name
  6. Vupti dupti, the permissions has changed to the following:
  SYSTEM
  MY USERNAME
  Administrators (LocalServer\Administrators)
  I have just done the same thing on a different server, and it's the exact same behavior, both servers running Server 2012 R2.
  I have also tested it on a Server 2008 R2, and it gives me the same warning as you and if I press continue the folder is renamed and the permissions has NOT been changed.
  So it seems to be a Server 2012 R2 "issue".
  /Lasse

• [Lenovo px4-300r] Not loading Admin Webpage

  Hi everyone,
  Until today i was using my Lenovo px4-300r without any problem. Static IP added, shared folders running OK and everything perfectly running.
  Today we finally add an owned SSL certifcate on Security Section, to avoid the annoying SSL problem. My surprise is that when we restarted the NAS we cann't reach to the admin web.
  I can access perfectly to the shared folders but cann't access to the admin web. Anyone knows who is it possible? Any solution?

  Please, please, PLEASE tell me that the cert you supplied is NOT a wildcard certificate. The automation that rebuilds the Apache config at every boot will build an incorrect config that will prevent Apache from loading when a wildcard certificate is used.
  Prior to upgrading to 4.x, I'd been using a wildcard, which worked fine. I upgraded and had the same symptoms. Luckily, I'd also permanently enabled support mode, so I could SSH into the system to see if I could fix it. AFTER ZERO USEFUL SUPPORT FROM THIS FORUM, I was able to figure out what was going on and ultimately fix it by deleting the wilcard cert from the system.
  You probably don't have SSH access to do anything with it, so you're probably looking at a factory reset/reflash to get back up.

• Coldfusion ignoring NTFS permissions

  I have seen a few older posts that have presented this same issue, but there was no resolution in the thread.  I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.
  CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages.  Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents.  Tested with an html page and html page is blocked properly.  It is my understanding that IIS passes the control to cf, cf diplays the cfm page. 
  Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings.  I saw in one thread dscussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server.  I have set the .cfmHandler to "file" , and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.
  I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...
  Thanks!
  Tanya

  Tanya,
  This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+.  Since IIS hands off processing to .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions.  I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders.  So programatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not.  Some use the <cflogin> features of ColdFusion; others roll their own.
  I could be completely off about this, though.  Do you use Application.cfc in your apps, or Application.cfm?  That may have a bearing as well.
  -Carl V.

• Px4-300r stuck at "Preparing..."

  I just applied update 4.1.102.29716 to two px4-300r units.  One unit is about a year older than the other.  THe odler unit boots up to simply "Preparing..." on the on-board LCD screen, and the web UI shows only the restart.html page:
  Software Update In Progress
  The device is configuring storage...
  with a progress bar that never moves.
  Entering any other known valid URL of the web UI simply redirects back to restart.html.
  I have used the reset button at least three times, each time there is no change in behavior other than initiating a reboot.
  Anyone have any tips on getting this thing back on its feet?  The iSCSI volumes were still accessible before I reset it and its IP address changed.  I may use a DHCP reservation just to see if I can get the iSCSI to reconnect and keep running backups until I get it sorted.
  Thanks.
  EDIT:  The DHCP reservation works to get the device back to its original IP, and the iSCSI volumes are online and accessible.  My servers are able to connect to their backup volumes OK.
  At this point all control and configuration features are not functional.  Hope somebody can help me figure this out.  Based on what Ive read on a few other threads here, it sounds like this update corrupted a LOT of these PX units.  I think Lenovo owes the "out of warranty" users some serious help on this one.  My entire company is equipped with x-series servers, Thinkpads, and Thinkstations.  Time for Lenovo to get it together and fix this ASAP.

  Hello technicrat
  The personal cloud issues that have been happening recently have nothing to do with the issue on this thread.  Thank you though. 
  LenovoEMC Contact Information is region specific. Please select the correct link then access the Contact Us at the top right:
  US and Canada: https://lenovo-na-en.custhelp.com/
  Latin America and Mexico: https://lenovo-la-es.custhelp.com/
  EU: https://lenovo-eu-en.custhelp.com/
  India/Asia Pacific: https://lenovo-ap-en.custhelp.com/
  http://support.lenovoemc.com/

• Search and Replace NTFS permissions by SID

  About to pick up a file server out of an SBS domain and drop it into a new domain.
  When I drop the server into the new domain it will break all the permissions and they will just be SIDs
  Are there any tools or scripts (paid or not) that let me do something like a SID based search and replace within NTFS permissions? 
  Cheers
  Andrew
  This topic first appeared in the Spiceworks Community

  Try this:
  Turn on Show Invisibles in the View menu.
  Select (highlight) the double para breaks.
  Use Command-E  (Find using selected text).
  Open the Find dialogue box (Command-F) and select Find & Replace.The selected para breaks will be in the Find text entry box, but will not be visible!
  Click in the Replace text entry box.
  Select (highlight) a single para break.
  Go to the Edit menu / Find and select 'Use selection for replace' (it will not show in the Replace entry box).
  In the Find & Replace dialogue box, click on the Forward or Back arrows to highlight the selected items (e.g. double para break) where you wish to start replacing in the document.
  Use the Replace All / Replace & Find / Replace buttons as per usual.
  Not a nice solution, but I hope it gets you going until Apple restores the previous functionality!

• Making NTFS permissions read/write without ability to create/delete folders

  Out at one of our job sites we have a server running Windows Server 2012 R2 that's got a file share accessible to our onsite people. Our project managers have devised a very strict folder structure for this file share, and for auditing purposes they want
  to stick as close to this structure as possible.
  Therefore, although people onsite must have read/write access to create, modify and delete files, they do not want them to be able to create or delete folders. They want them to use the existing folders and not tuck stuff away into folders that no one knows
  exists except the person who created them.
  The closest way I've found to do this is to deselect the advanced permissions 'Create folders / append data' and 'Delete subfolders and files.' This has a few side effects however, the most noticeable being that due to not being able to append data to files,
  certain files (such as CAD drawings) can't be edited by anyone except the person who created them.
  Is there a way using just NTFS permissions to accomplish what the project managers want? And if not, are there any useful third-party utilities that will help us do this?
  Thanks in advance for any assistance.

  Hi,
  I'm not much familiar with AutoCAD- what's the exact behavior which is stopped by the restricted folder permission?
  For example, if AutoCAD will create a folder in editing, we will not have a solution as users needed to create folders so that AutoCAD could run properly. 
  And if AutoCAD works like Office files, that create a temp file for editing, this will be the solution:
  1. Give Domain Admins - Full Control - This folder, subfolders and files.
  This is to allow all admin could access and edit all data.
  2. Give SpecificUsers group (a group contain all normal users) - Full Control without "Change permissions" and "Take Ownership" -
  Files Only.
  This is to give that group most permissions to create, edit and delete files but not Folders.
  3. Give SpecificUsers group another permission:
  Traverse folder
  List FOlder
  Read Attributes
  Read extended attributes
  Create files - this is important. Without this permission you will not able to save Office files. 
  Read permissions.
  Give above permissions to "This Folder, subfolders and files".
  This is to allow users to access all subfolders. 
  If you have any feedback on our support, please send to [email protected]

• Px4-300r: how to get HDD SMART data

  Hi all!
  I have px4-300r (firmware version 4.0.4.14600)
  Please advise, how i can get a SMART info for my hard disk drives?
  Regards,
  Genn
  Solved!
  Go to Solution.

  There is an option to get a "dump" file from the device which contains SMART data. It may be difficult to read but you can try this method by following the instructions below:
  1.  For NAS device running firmware 2.6.23 and below:
        a.  Log in to the NAS user interface with an administrator account
        b.  Change the URL to https://<devicename or IP address>/support.html.
        c.  From here you can click on "Support Files".
        d.  Then click the "Dump" button at the bottom of the page.
  Or
      For a NAS device running firmware 3.1.10 or higher:
         a. Log in to the NAS user interface with an administrator account.
         b. For firmware 3.1.10 to 3.2.6, Change the URL to https://<devicename or IP address>/diagnostics.html.
             For firmware 3.3.4 and up, Change the URL to https://<devicename or IP address>/manage/diagnostics.html.
        c.  From here you can click on "Support Files".
        d.  Then click the "Create a dump file" link.
  2.  Allow the log file dump to complete. A new file name will appear in the list.
  3.  Click on the file to download it to your computer.
  4.  Send the dump report file using one of the following methods:
        a.  If the file is small, 10MB or less, and your email system can handle the size and file type,
             you can attach the log file as an attachment to your email reply and send it to me.
        b.  If the file is 25MB or less, you can attach (upload) it directly to this incident ($incidents.ref_no)
             by logging into your Iomega 'My Support' web page at https://iomega-na-en.custhelp.com/
             and opening the incident.
  5. If the log file dump report is greater than 25MB please reply and I will provide you with instructions to FTP the log file report to our FTP service.
  You can always call in to technical support if you need assistance reading the dump file. Please let me know if you have any questions.
  Have questions and need answers?
  Search the database for answers to FAQ's, software/driver downloads, tutorials, news, features and more!
  LenovoEMC Support & Downloads
  LenovoEMC North America Support Contact Page

• PX4-300R not start

  Hello we have a PX4-300r that is not booting, the screen keeps showing the Iomega logo and the 4 blue leds keep turning on. Does anyone know if it´s possible to take off the HD´s and put them in another storage for example in a px4-300D or does it have to be in the same model they where in before.
  All our servers are in that appliance using xenserver
  Thanks in advance

  Hi rreyes,
  You can put the disks in another device, but putting the disks in another storage unit will result in the device asking to erase the previous data from the disks. Have you contacted technical support to create an incident with them?
  Have questions and need answers?
  Search the database for answers to FAQ's, software/driver downloads, tutorials, news, features and more!
  LenovoEMC Support & Downloads
  LenovoEMC North America Support Contact Page