|
|
| Next: Are you suffering from psoriasis? |
| Author |
Message |
David White
External
Since: Oct 27, 2009
Posts: 3
|
 Posted: Tue Oct 27, 2009 12:50 pm Post subject: File System Permissions Question
Archived from groups: microsoft>public>windowsxp>security_admin, others (more info?) |
|
|
Hello and pardon the cross-post but I am not really sure where the best
place is to ask about this... I am a programmer not an admin but I am
being asked to write a little routine that has admin implications.
The routine will create a complex directory tree (to support new
consulting projects) on a mapped drive located on a Windows File Server
(not sure exactly which OS as yet). Once created, the routine then needs
to control access at various levels in the directory tree to various
groups of users.
At first glance, it appears that there are at least 2 general approaches
I can take to accomplish the access control portion of the process:
(a) Use CACLS or XCACLS (or some similar API, unknown to me at this
time, but which I assume exists) to set the NTFS file system permissions.
(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.
Perhaps both are really just two different interfaces the same thing, it
is not clear to me. If they are indeed different, is there some best
practice which relates to a case like this? Any pointers to API's,
Powershell cmdlets, or scriptable objects for this sort of thing is
appreciated.
Thanks |
|
| Back to top |
|
 |
Old Rookie
External
Since: Aug 20, 2009
Posts: 6
|
Posted: Tue Oct 27, 2009 4:44 pm Post subject: Re: File System Permissions Question [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?) |
|
|
I have never done anything that complex myself but there is another utility
called fileacl that you may also look into for your project. I have not
tried the latest versions but it is much more powerful than CACLS or XCACLS.
It is availalbe free at the link below.
http://www.gbordier.com/gbtools/fileacl.asp
Steve
"David White" <whitedavidp.TakeThisOut@fastmail.us> wrote in message
news:BI6dnc3JVJp003rXnZ2dnUVZ_tSdnZ2d@whidbeytel.com...
> Hello and pardon the cross-post but I am not really sure where the best
> place is to ask about this... I am a programmer not an admin but I am
> being asked to write a little routine that has admin implications.
>
> The routine will create a complex directory tree (to support new
> consulting projects) on a mapped drive located on a Windows File Server
> (not sure exactly which OS as yet). Once created, the routine then needs
> to control access at various levels in the directory tree to various
> groups of users.
>
> At first glance, it appears that there are at least 2 general approaches I
> can take to accomplish the access control portion of the process:
>
> (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time,
> but which I assume exists) to set the NTFS file system permissions.
>
> (b) Use the Group Policy Editor (or some similar API, unknown to me at
> this time, but which I assume exists) to accomplish the same - or
> similar - results.
>
> Perhaps both are really just two different interfaces the same thing, it
> is not clear to me. If they are indeed different, is there some best
> practice which relates to a case like this? Any pointers to API's,
> Powershell cmdlets, or scriptable objects for this sort of thing is
> appreciated.
>
> Thanks |
|
| Back to top |
|
|
David White
External
Since: Oct 27, 2009
Posts: 3
|
Posted: Tue Oct 27, 2009 4:44 pm Post subject: Re: File System Permissions Question [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?) |
|
|
Thanks Steve. Interesting indeed!
Old Rookie wrote:
> I have never done anything that complex myself but there is another utility
> called fileacl that you may also look into for your project. I have not
> tried the latest versions but it is much more powerful than CACLS or XCACLS.
> It is availalbe free at the link below.
>
> http://www.gbordier.com/gbtools/fileacl.asp
>
> Steve
>
> "David White" <whitedavidp.DeleteThis@fastmail.us> wrote in message
> news:BI6dnc3JVJp003rXnZ2dnUVZ_tSdnZ2d@whidbeytel.com...
>> Hello and pardon the cross-post but I am not really sure where the best
>> place is to ask about this... I am a programmer not an admin but I am
>> being asked to write a little routine that has admin implications.
>>
>> The routine will create a complex directory tree (to support new
>> consulting projects) on a mapped drive located on a Windows File Server
>> (not sure exactly which OS as yet). Once created, the routine then needs
>> to control access at various levels in the directory tree to various
>> groups of users.
>>
>> At first glance, it appears that there are at least 2 general approaches I
>> can take to accomplish the access control portion of the process:
>>
>> (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time,
>> but which I assume exists) to set the NTFS file system permissions.
>>
>> (b) Use the Group Policy Editor (or some similar API, unknown to me at
>> this time, but which I assume exists) to accomplish the same - or
>> similar - results.
>>
>> Perhaps both are really just two different interfaces the same thing, it
>> is not clear to me. If they are indeed different, is there some best
>> practice which relates to a case like this? Any pointers to API's,
>> Powershell cmdlets, or scriptable objects for this sort of thing is
>> appreciated.
>>
>> Thanks
>
> |
|
| Back to top |
|
|
Florian Frommherz [MVP]
External
Since: Oct 27, 2009
Posts: 1
|
Posted: Tue Oct 27, 2009 7:10 pm Post subject: Re: File System Permissions Question [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?) |
|
|
David,
David White schrieb:
> (a) Use CACLS or XCACLS (or some similar API, unknown to me at this
> time, but which I assume exists) to set the NTFS file system permissions.
>
> (b) Use the Group Policy Editor (or some similar API, unknown to me at
> this time, but which I assume exists) to accomplish the same - or
> similar - results.
From my limited programming knowledge, I'd probably go with option (a)
- having a local GPO configured programmatically is afaik pretty painful
compared to the effort you'd have to put into one of the pre-definded
tools in (a).
Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste |
|
| Back to top |
|
|
David White
External
Since: Oct 27, 2009
Posts: 3
|
Posted: Tue Oct 27, 2009 7:10 pm Post subject: Re: File System Permissions Question [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?) |
|
|
Thanks. As someone not well versed in Group Policies, I am in complete
agreement. But I do want to conform to best practices, if any exist.
Florian Frommherz [MVP] wrote:
> David,
>
> David White schrieb:
>> (a) Use CACLS or XCACLS (or some similar API, unknown to me at this
>> time, but which I assume exists) to set the NTFS file system permissions.
>>
>> (b) Use the Group Policy Editor (or some similar API, unknown to me at
>> this time, but which I assume exists) to accomplish the same - or
>> similar - results.
>
> From my limited programming knowledge, I'd probably go with option (a)
> - having a local GPO configured programmatically is afaik pretty painful
> compared to the effort you'd have to put into one of the pre-definded
> tools in (a).
>
> Cheers,
> Florian |
|
| Back to top |
|
|
Gerry Hickman
External
Since: Nov 02, 2009
Posts: 1
|
Posted: Mon Nov 02, 2009 7:10 pm Post subject: Re: File System Permissions Question [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?) |
|
|
Hi,
You may want to check out my thread here (beware word wrap).
http://groups.google.com/group/microsoft.public.platformsdk.security/b...se_thre
It has a lot of information about shortcomings of the various Tools and
APIs and differences between Microsoft o/s and local vs remote. You
won't find this info in the official docs. There's a new twist with
Windows 7 too.
Creating a folder structure programmatically is not that difficult once
you understand all the issues above. I don't think GP will help you. The
APIs you choose will really depend on the rest of your app. Beware the
clowns who try to work with FileSystem permissions over SMB.
David White wrote:
> Hello and pardon the cross-post but I am not really sure where the best
> place is to ask about this... I am a programmer not an admin but I am
> being asked to write a little routine that has admin implications.
>
> The routine will create a complex directory tree (to support new
> consulting projects) on a mapped drive located on a Windows File Server
> (not sure exactly which OS as yet). Once created, the routine then needs
> to control access at various levels in the directory tree to various
> groups of users.
>
> At first glance, it appears that there are at least 2 general approaches
> I can take to accomplish the access control portion of the process:
>
> (a) Use CACLS or XCACLS (or some similar API, unknown to me at this
> time, but which I assume exists) to set the NTFS file system permissions.
>
> (b) Use the Group Policy Editor (or some similar API, unknown to me at
> this time, but which I assume exists) to accomplish the same - or
> similar - results.
>
> Perhaps both are really just two different interfaces the same thing, it
> is not clear to me. If they are indeed different, is there some best
> practice which relates to a case like this? Any pointers to API's,
> Powershell cmdlets, or scriptable objects for this sort of thing is
> appreciated.
>
> Thanks
--
Gerry Hickman (London UK) |
|
| Back to top |
|
|
|
|
|
You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum
|
| |
|
|
Microsoft Windows XP