Substituting a set of AD groups in NTFS permissions for another across multiple folders

Okay, here's a good one.
On a file server at one of our branch offices we have a set of folders that have permissions set for a particular set of groups in AD. For the purposes of this question the name of that office is "Sparta."
We are setting up another branch office that is going to have that same set of folders. We'll call that office "Athens." It has its own set of AD groups. So for example, if Sparta has a group called 'Sparta Admin,' then Athens has an analogous group called 'Athens Admin.' The only difference in the name of the group is that it has the name of the branch office attached to it.
The permissions get rather complex, with multiple sets applied to the same group to get the desired effect. Whenever a new branch office goes up (which is often), they get a server with this same set of folders, with the same set of permissions applied to groups that contain the branch office name as a prefix.
I hope that makes sense so far.
So my question is, since it takes quite a while to go through each permission one by one and change the name of the group, for example from 'Sparta Admin' to 'Athens Admin,' can anyone help me come up with a script or something similar I can run that would simply ask for the name of the branch office and automatically change the names accordingly, or even create the needed groups with the Branch Office's name if they don't already exist?
Thanks in advance for any help, and please let me know if this is incredibly confusing and I need to be more clear.

Hi Stephen,
Based on your description, I am not sure that we can achieve what we want, but for script, in order to get better help, it's recommended that we ask advice in the following scripting forum.
The Official Scripting Guys Forum
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
Best regards,
Frank Shen
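
One way to script the substitution asked about above, as an added example that is not part of the original thread. The function name and its parameters are hypothetical, and it assumes an elevated session, groups named "<Office> <Role>" that already exist in AD, and explicit permissions set on folders only (files are not walked).

```powershell
# Added example: Convert-OfficeAce and its parameters are hypothetical names.
function Convert-OfficeAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,       # root of the copied folder tree
        [Parameter(Mandatory)] [string] $OldOffice,  # e.g. Sparta
        [Parameter(Mandatory)] [string] $NewOffice,  # e.g. Athens
        [switch] $KeepOld                            # leave the old office's ACEs in place
    )

    # The root folder itself plus every subfolder beneath it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -Directory)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName }
        catch {
            Write-Warning "Get-Acl failed on $($item.FullName): $($_.Exception.Message)"
            continue
        }

        $changed = $false
        # Rewrite explicit ACEs only; inherited ones follow from the parent folder.
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            # Identities look like DOMAIN\Sparta Admin; anything else is skipped.
            $domain, $name = $ace.IdentityReference.Value -split '\\', 2
            if (-not $name -or $name -notlike "$OldOffice *") { continue }

            $newName = $NewOffice + $name.Substring($OldOffice.Length)
            try {
                $newId = New-Object System.Security.Principal.NTAccount($domain, $newName)
                # Translate() throws if the new office's group does not exist yet.
                [void]$newId.Translate([System.Security.Principal.SecurityIdentifier])
                # Same rights, inheritance and allow/deny type as the old ACE.
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
            }
            catch {
                Write-Warning "Skipped '$domain\$newName' on $($item.FullName): $($_.Exception.Message)"
                continue
            }

            $acl.AddAccessRule($rule)
            if (-not $KeepOld) { [void]$acl.RemoveAccessRuleSpecific($ace) }
            $changed = $true
        }

        if ($changed -and $PSCmdlet.ShouldProcess($item.FullName,
                "Replace '$OldOffice' groups with '$NewOffice' groups")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Preview first, then apply:
# Convert-OfficeAce -Path 'D:\Shares' -OldOffice Sparta -NewOffice Athens -WhatIf
```

Because the parameters are mandatory, calling the function with none of them prompts for the folder and the two office names. Review the `-WhatIf` output and the skipped-group warnings before running it for real, since a missing group leaves that folder's old entry untouched.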

Similar Messages

  • How do I set up calendar events that will be for another time zone? My events shift once I travel

    How do I set up calendar events that will be for another time zone? My events shift once I travel. The same is true when I am traveling and in another time zone, how do I best set up my events so they are in the correct time slot upon my return?

    Basically, if your client does not have a Mac then don't use iWeb to create the site. iWeb is Mac only and if a client wishes to make alterations, then they need the domain file.
    If your client needs to update on a weekly basis, then why not consider using one of the online website creation packages where you can log in from any Mac or PC. This would be simpler and there are lots out there - Microsoft Office Live or Google or something like http://www.wix.com where you can create a site and use a domain name with it.
    Look at the alternatives before using iWeb.

  • HT204150 Can't set up a group contact that works for iCloud

    I'm so frustrated with trying to set up a group contact. I need to use more than one email address per contact, and it says that I have an error (of course not identified) in one of the addresses. I can't find any details on specifically how to add addresses to the contacts, and have spent an hour trying to figure out what should be a very simple process. I've tried using a comma, a semi colon, no punctuation, and nothing seems to work.
    Also, why can I not see a BCC field option anywhere in my email? These were all obvious functions on my PC. I feel like I'm wasting so much time on such a simple task!

    When i set this thing up, it created a whole bunch of "genre" smart playlists that I can't get rid of. Including things like "90's Music"
    Those are the default playlists created by iTunes.
    If you don't want them, delete them.
    that immediately go to the top of the list.
    Playlists are sorted in alpha/numeric order.
    If I disable these, then I can't get the playlist I set up for my podcasts!
    Don't disable Playlists in Prefs.
    Just delete the playlists you don't want.

  • Defining NTFS Permissions for High Volume Security

    The default NTFS file permissions for the boot volume in Windows 8.1 appear to give Modify access to "Authenticated Users". That is really permissive. I have a lot of folders I do not want anyone not authenticated as Administrator to touch. Of course I could change every folder manually and test for side effects, but I am hoping someone has already tested this and has published a document. I am looking for a detailed description of how to secure the volume so that ordinary users cannot modify attributes, filenames, or data for most files on the volume.
    Will

    Ronald, thanks for your reply. Now we are talking the right topic.
    1) How did you modify the root permissions? One way to do that might be to remove Modify and Create authority for the "Authenticated Users" entity and replace that with just Read & Execute.
    2) I understand that Microsoft tightened things to prevent normal users from having modify access inside subfolders. This works fine for well behaved applications that use things like the "Program Files" subfolder. Unfortunately, many applications are badly behaved and put themselves directly under the root of the boot volume. AMD for example puts its video drivers in c:\amd by default. Since that folder inherits from the root, and the root gives permissive access to users to create and modify files, now many sensitive DLLs in this install folder could be easily modified by any user.
    One of the worst viruses I ever had was a denial of service virus that acted simply by hiding every single file on your file system. We had locked down NTFS permissions but had forgotten to lock down file attributes. It took forever to recover from that.
    So, bottom line, I like to run as tight a file security as possible, and I like to stay logged in as a normal user and greatly restrict what normal users can change.
    Microsoft definitely tightened things up in Windows 8 and that's great.
    Will

  • NTFS Permissions for a scanner to only create files?

    I'm having some trouble correctly configuring NTFS permissions. My file structure is as such:
    \Scanner\%username%\
    We want anyone to be able to walk up to the scanner, scan a document and drop it in a particular users folder. What we don't want is users being able to view files via the scanner interface.
    My permissions are configured as such:
    Root Folder \scanner\
    Allow
    This Folder & Subfolders
    Traverse, List folder, Read Attributes, Read Extended, Read Permissions
    Allow
    Subfolders & files only
    Create Files / write data
    What am I missing here?
    This topic first appeared in the Spiceworks Community

    By Guest Blogger Brad Mathis, Senior Consultant, InformationSecurity It is mid-2015. By now, we have all seen incoming emails claiming we have been bequeathed a huge sum of money from a Nigerian Prince, or we have won a foreign lottery we never entered. Most employees have seen these scam emails long enough to know they are not real. However, What about the seemingly benign email coming in from a recognizable sender? What if this legitimate looking email has an attached PDF or Word document? What if it contains a seemingly real link to a web site? How many of your employees would open the attachment or click on the link? How many employees will assume it is safe since it made it unscathed through all of your layers of security, including email and web content filters? Do your users understand the ramifications of...

  • Is it possible to set up a Playlist of suggested tracks for another person to buy?

    I am interested in sharing a list of songs with my students as suggested songs to purchase.  I typically have to go to each album and send a link to that album.  Is it possible to put a list together and somehow suggest that as a group of songs at one time?  I am think something like a public Playlist where they could go to one page and have all the suggestions there?  (an Amazon WishList type thing)

    Certainly you can setup an expert session. Please go through the link below to setup a session with Adobe experts.
    https://helpx.adobe.com/creative-cloud/team/creative-cloud-teams.html#
    Hope this helps.
    Thanks,
    Ashish

  • Best workaround for querying across multiple Data Sets?!

    Hi folks
    Today I was migrating my older OEID 3.0 applications to 3.1, and I noticed some of my older version views are not working anymore in new version.
    We used to have multiple Bulk Add/Replace (without specifying Collection Keys) and we could use any attributes from any of these, in a certain View for example.
    My views were like SELECT SUM("an attribute/metric from Bulk Add_1") / SUM("an attribute/metric from Bulk Add_2")
    Now that you have to specify a FROM clause in your views, and it has to be from a certain Data Set, what's the best way to achieve the goal of the line above?
    Bests,

    Patrick
    What I meant by Cross Join is Cartesian Product in the situation that you have many-to-many relations between 2 Data Sets.
    Let's say I have two different data sets, coming from 2 totally different sources, one from Sales Dept and the other one from Purchase Dept:

    Sales Table:
    Part Number   Sales QTY   Sales Date   Part Type   Manufacturer   Country
    0001          70          10/5/2012    TYPE1       Manuf1         US
    0001          120         10/6/2012    TYPE1       Manuf1         US
    0001          350         10/7/2012    TYPE1       Manuf1         US
    0002          100         10/8/2012    TYPE2       Manuf2         US
    0002          80          10/9/2012    TYPE2       Manuf2         CA
    0003          2500        10/10/2012   TYPE3       Manuf3         CA
    0004          180         10/11/2012   TYPE4       Manuf4         US

    Purchase Table:
    Part Number   Purchase QTY   Purchase Date   Part Type   Manufacturer   Country
    0001          50             10/5/2012       TYPE1       Manuf1         US
    0001          60             10/6/2012       TYPE1       Manuf1         US
    0001          100            10/7/2012       TYPE1       Manuf1         US
    0001          200            10/8/2012       TYPE1       Manuf1         US
    0002          1100           10/9/2012       TYPE2       Manuf2         US
    0003          20             10/10/2012      TYPE3       Manuf3         US

    What is the preferred approach to ingest this data?

  • Coldfusion ignoring NTFS permissions

    I have seen a few older posts that have presented this same issue, but there was no resolution in the thread.  I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.
    CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages. Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents. Tested with an html page and html page is blocked properly. It is my understanding that IIS passes the control to cf, cf displays the cfm page.
    Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings. I saw in one thread discussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server. I have set the .cfmHandler to "file", and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.
    I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...
    Thanks!
    Tanya

    Tanya,
    This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+. Since IIS hands off processing of .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions. I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders. So programmatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not. Some use the <cflogin> features of ColdFusion; others roll their own.
    I could be completely off about this, though. Do you use Application.cfc in your apps, or Application.cfm? That may have a bearing as well.
    -Carl V.

  • Default Group Ownership and Permissions

    All new files created by a standard user (User1) have group assigned as "staff" and group permissions set to "Read only." How do I change the default group and ownership permissions for newly created files?
    Said another way: I want new files created by User1 to have group = "Accounting Group" and group permissions = "Read & Write".

    You can accomplish what you want to do by using ACLs. First go to System Preferences -> Users & Groups, and make a new group called "accountinggroup". Add the users you want to the group.
    You will then need to make a folder in which to store all the files to be shared with this group. Put it in some easily accessible place like in /Users/Shared.
    Then log in to an admin account and open Terminal. Paste in all of this and then press return:
    sudo chmod -R +a "accountinggroup allow delete,chown,list,search,add_file,\
    add_subdirectory,delete_child,file_inherit,directory_inherit" \
    Then drag the folder into the Terminal window and press return again.
    From then on, any file that is newly created in or copied to any location within that folder hierarchy will have read and write privileges for all users in accountinggroup.
    You sir are a genius.
    I have been trying to utilise a user's iMac as a "central file storage" for a small business client (all new Lion machines). I was having so many issues with Lion's POSIX permissions and also Lion's new Versions feature.
    Every time users saved files to the shared folder they would inherit permissions from the computer that created the file. Thus if another user logged on and opened the file it would be 'Locked' and have to be duplicated, or the users would have to manually edit permissions using 'Get Info'.
    I have applied the ACL via Terminal and now it works like a dream! All files that are put into the shared folder have a group with 'custom' permissions and anyone can use and modify the files, provided they have login credentials.
    The only trap I would warn people of is: do not use typical group names like "Staff", "workgroup" etc. I found that using those was problematic. I opted for employees.
    Thanks again Király

  • How to set NTFS and share permissions for Users share for home directories in Server 2012

    I have a new Server 2012 server, and I want to set up a Users share that will contain subfolders of each user's username and contain their home directory. But what do I set the share and NTFS permissions as on the root level, let's call the folder Users? Is the following older article the correct permissions I need?
    https://support.microsoft.com/kb/274443

    Hi RJO22,
    You can choose to configure Folder Redirection. Folder Redirection enables you to redirect the location of specific folders within user profiles to a new location, such as a shared network location. Folder redirection is used in the process of administering user profiles and roaming user profiles. You can configure Folder Redirection using the Group Policy Management Console to redirect specific user profile folders, as well as edit Folder Redirection policy settings.
    The related KB:
    Folder Redirection Overview
    http://technet.microsoft.com/en-us/library/cc732275.aspx
    Specify the Location of Folders in a User Profile
    http://technet.microsoft.com/en-us/library/cc771969.aspx
    I’m glad to be of help to you!

  • Most efficient/quickest way to set NTFS permissions in PowerShell

    Hello all,
    Trying to figure out what the most efficient/quickest way to set NTFS permissions via PowerShell is. I am currently using ICACLS but it is taking FOREVER as I can't figure out how to make inheritance work with this command.
    This has prompted me to begin looking at other options for setting NTFS permissions in PowerShell, and I wondered what everyone here likes to use for this task in PowerShell?

    Ah ok. Unfortunately, my ICACLS is taking FOREVER. Here is the code I'm using:
    ICACLS "C:\users\[user]\Desktop\test" /grant:r ("[user]" + ':r') /T /C /Q
    However:
    1.  I can't figure out how to make the inheritance parameter work with ICACLS
    2. If I do make the inheritance parameter work with ICACLS, I still need a way to add the permission to child objects that aren't inheriting.
    Any tips on how to improve performance of ICACLS?
    1. icacls folder /grant GROUPNAME:(OI)(CI)(F)  (I will post corrected code later; this works in CMD but not PowerShell because of the braces)
    2. get-childitem -recurse -force |?{$_.psiscontainer} |%{icacls ....}  (or you can list only folders where inheritance is disabled and apply icacls just on them)
    I think jrv and Mekac answered the first question about inheritance flags. I would just add that you probably don't want to use the /T switch with icacls.exe because that appears to set an explicit entry on all child items (that's probably why it's taking so long).
    For your second question, I'd suggest using the Get-Acl cmdlet. It throws terminating errors, so I usually wrap it in a try/catch block. Something like this might work if you just wanted the paths to files/folders that aren't inheriting permissions:
    dir $Path -Recurse | ForEach-Object {
        try {
            # Emit the path of every item whose DACL has inheritance disabled
            Get-Acl $_.FullName | where { $_.AreAccessRulesProtected } | ForEach-Object { Convert-Path $_.Path }
        }
        catch {
            Write-Error ("Get-Acl error: {0}" -f $_.Exception.Message)
            return
        }
    }
    If you're looking for speed/performance, you don't want to just use the PowerShell Access Control (PAC) module that Mike linked to above by itself. It's implemented entirely in PowerShell, so it's incredibly slow right now (unless you use it along with Get-Acl / see below for an example). I'm slowly working on creating a compiled version that is much faster, and I think I'm pretty close to having something that I can put in the gallery.
    Since I wasn't sure which command would give you the best results, I used Measure-Command to test a few different ones. Each of the following four commands should do the exact same thing. Here are my results (note that I just ran the commands a few times and averaged the results on a test system; this wasn't very rigorous testing):
    # Make sure that this folder and user/group exist:
    $Path = "D:\TestFolder"
    $Principal = "TestUser"

    # Native PowerShell/.NET -- Took about 15 ms
    $Acl = Get-Acl $Path
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        "Read", # [System.Security.AccessControl.FileSystemRights]
        "ContainerInherit, ObjectInherit", # [System.Security.AccessControl.InheritanceFlags]
        "None", # [System.Security.AccessControl.PropagationFlags]
        "Allow" # [System.Security.AccessControl.AccessControlType]
    )))
    (Get-Item $Path).SetAccessControl($Acl)

    # PAC Module 3.0 w/ PowerShell/.NET commands -- Took about 35 ms
    $Acl = Get-Acl $Path | Add-AccessControlEntry -Principal $Principal -FolderRights Read -PassThru
    (Get-Item $Path).SetAccessControl($Acl)

    # icacls.exe -- Took about 40ms
    icacls.exe $Path /grant "${Principal}:(OI)(CI)(R)"

    # PAC Module 3.0 w/o Get-Acl -- Took about 350 ms
    Add-AccessControlEntry -Path $Path -Principal $Principal -FolderRights Read -Force
    Unless I messed something up, it looks like the native PowerShell/.NET commands are faster than icacls.exe, at least for modifying a single folder's DACL.

  • Setting up Contacts "groups" or "distribution lists" on Treo Pro??

    Is there any way to set up a "group" or "distribution list" on Treo Pro w/ Windows Mobile so that I can send a text message to a group rather than have to put in each phone number individually???
    Post relates to: Treo Pro T850U (Unlocked)

    Hello!
    Windows Mobile devices do not have this function, at least not straightforwardly out of the box; it will require the use of a 3rd-party SMS application. PalmOS smartphones have an upping here with the templates folder, but in your case you could try making SMS drafts and use those as a "group template."
    Post relates to: Treo 650 (Unlocked GSM)

  • I have set up all my contacts in my iPhone 4. How do I set up a group as I often send out the same email to 42 contacts?

    I have set up all my email contacts in my iPhone 4. Am I able to set up a group as I often send an email to 42 contacts?

    You will need to create that group contact on the server side, I don't think you can do it on the iPhone itself.

  • Please Help, After Kernel panic restart failed- apple swirl (6 hrs), SafeMode-failed, SUMode-success. Could not unmount disk to erase. Repair permissions-multiple fail errors: unable to set permissions on... unable to set owner and group...

    Please Help, I deleted an account that was the same name as the administrator but was not the administrator. Also a samsung galaxy s phone was charging through the usb port.
    I closed out a program and got a message that the temp file could not be stored/saved.
    Then a Kernel panic message occurred and restart was necessary.
    The restart resulted in the screen with the apple logo and a continuous swirl for 6+hrs,
    Attempted Safe Mode start up, unsuccessful,
    Single User Mode-success.
    Ran $ fsck_hfs -rfd /dev/disk0s2 Ran several times repairs made with one which remained. something about a node.
    No change in start up attempts
    Started with install CD matching current OS 10.6
    Ran Disk Utility Repair Permissions resulting in multiple errors:
    One line/error
    Warning: SUID file /////Ardagent has been modified and will not be repaired
    144 lines/errors of this type of series of lines
    Group permissions differ on...should be drwxr-xr-x, they are -rw-r--r-- .
    permissions differ on...should be drwxr-xr-x, they are -rw-r--r-- .
    unable to set owner and group...error 22: Invalid Argument
    unable to set permissions on...error 22: Invalid Argument
    Ran Repair Disk, result:
    Error: Could not unmount disk (in red)
    Ran Verify Disk, result:
    The volume HD appears to be ok (in green)
    Next I attempted to erase the disk to start from scratch since I have data backed up on Time Machine.
    Error message box
    Volume Erase failed
    Volume Erase failed with error:
    Could not unmount disk
    I am looking to solve without buying DiskWarrior unless only resort.

    So it looks like I solved it for now; I will update later. What I did was, after starting from the install CD for the 10.6 system, I ran from Terminal:
    diskutil disablejournaling /dev/disk0s2
    diskutil disableownership /dev/disk0s2
    diskutil repairPermissions /dev/disk0s2
    Then I closed Terminal and then went to Disk Utility and chose to repair disk, with results that all was fine. Then ran repair permissions and got similar results from the terminal function. Next I erased the disk and then chose to restore from Time Machine and it is now restoring! Yea!

  • How do I set up a group e-mail?

    How do I set up a group e-mail on the iPad?

    The native mail app does not do groups. In the app store there are a handful of apps that do. Mail shot as an example.
