If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
File System Permissions Question
Hello and pardon the cross-post but I am not really sure where the best
place is to ask about this... I am a programmer not an admin but I am being asked to write a little routine that has admin implications. The routine will create a complex directory tree (to support new consulting projects) on a mapped drive located on a Windows File Server (not sure exactly which OS as yet). Once created, the routine then needs to control access at various levels in the directory tree to various groups of users. At first glance, it appears that there are at least 2 general approaches I can take to accomplish the access control portion of the process: (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time, but which I assume exists) to set the NTFS file system permissions. (b) Use the Group Policy Editor (or some similar API, unknown to me at this time, but which I assume exists) to accomplish the same - or similar - results. Perhaps both are really just two different interfaces the same thing, it is not clear to me. If they are indeed different, is there some best practice which relates to a case like this? Any pointers to API's, Powershell cmdlets, or scriptable objects for this sort of thing is appreciated. Thanks |
Ads |
#2
|
|||
|
|||
File System Permissions Question
I have never done anything that complex myself but there is another utility
called fileacl that you may also look into for your project. I have not tried the latest versions but it is much more powerful than CACLS or XCACLS. It is availalbe free at the link below. http://www.gbordier.com/gbtools/fileacl.asp Steve "David White" wrote in message om... Hello and pardon the cross-post but I am not really sure where the best place is to ask about this... I am a programmer not an admin but I am being asked to write a little routine that has admin implications. The routine will create a complex directory tree (to support new consulting projects) on a mapped drive located on a Windows File Server (not sure exactly which OS as yet). Once created, the routine then needs to control access at various levels in the directory tree to various groups of users. At first glance, it appears that there are at least 2 general approaches I can take to accomplish the access control portion of the process: (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time, but which I assume exists) to set the NTFS file system permissions. (b) Use the Group Policy Editor (or some similar API, unknown to me at this time, but which I assume exists) to accomplish the same - or similar - results. Perhaps both are really just two different interfaces the same thing, it is not clear to me. If they are indeed different, is there some best practice which relates to a case like this? Any pointers to API's, Powershell cmdlets, or scriptable objects for this sort of thing is appreciated. Thanks |
#3
|
|||
|
|||
File System Permissions Question
David,
David White schrieb: (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time, but which I assume exists) to set the NTFS file system permissions. (b) Use the Group Policy Editor (or some similar API, unknown to me at this time, but which I assume exists) to accomplish the same - or similar - results. From my limited programming knowledge, I'd probably go with option (a) - having a local GPO configured programmatically is afaik pretty painful compared to the effort you'd have to put into one of the pre-definded tools in (a). Cheers, Florian -- Microsoft MVP - Group Policy eMail: prename [at] frickelsoft [dot] net. blog: http://www.frickelsoft.net/blog. Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste |
#4
|
|||
|
|||
File System Permissions Question
Thanks Steve. Interesting indeed!
Old Rookie wrote: I have never done anything that complex myself but there is another utility called fileacl that you may also look into for your project. I have not tried the latest versions but it is much more powerful than CACLS or XCACLS. It is availalbe free at the link below. http://www.gbordier.com/gbtools/fileacl.asp Steve "David White" wrote in message om... Hello and pardon the cross-post but I am not really sure where the best place is to ask about this... I am a programmer not an admin but I am being asked to write a little routine that has admin implications. The routine will create a complex directory tree (to support new consulting projects) on a mapped drive located on a Windows File Server (not sure exactly which OS as yet). Once created, the routine then needs to control access at various levels in the directory tree to various groups of users. At first glance, it appears that there are at least 2 general approaches I can take to accomplish the access control portion of the process: (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time, but which I assume exists) to set the NTFS file system permissions. (b) Use the Group Policy Editor (or some similar API, unknown to me at this time, but which I assume exists) to accomplish the same - or similar - results. Perhaps both are really just two different interfaces the same thing, it is not clear to me. If they are indeed different, is there some best practice which relates to a case like this? Any pointers to API's, Powershell cmdlets, or scriptable objects for this sort of thing is appreciated. Thanks |
#5
|
|||
|
|||
File System Permissions Question
Thanks. As someone not well versed in Group Policies, I am in complete
agreement. But I do want to conform to best practices, if any exist. Florian Frommherz [MVP] wrote: David, David White schrieb: (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time, but which I assume exists) to set the NTFS file system permissions. (b) Use the Group Policy Editor (or some similar API, unknown to me at this time, but which I assume exists) to accomplish the same - or similar - results. From my limited programming knowledge, I'd probably go with option (a) - having a local GPO configured programmatically is afaik pretty painful compared to the effort you'd have to put into one of the pre-definded tools in (a). Cheers, Florian |
#6
|
|||
|
|||
File System Permissions Question
Hi,
You may want to check out my thread here (beware word wrap). http://groups.google.com/group/micro...04736623c71a84 It has a lot of information about shortcomings of the various Tools and APIs and differences between Microsoft o/s and local vs remote. You won't find this info in the official docs. There's a new twist with Windows 7 too. Creating a folder structure programmatically is not that difficult once you understand all the issues above. I don't think GP will help you. The APIs you choose will really depend on the rest of your app. Beware the clowns who try to work with FileSystem permissions over SMB. David White wrote: Hello and pardon the cross-post but I am not really sure where the best place is to ask about this... I am a programmer not an admin but I am being asked to write a little routine that has admin implications. The routine will create a complex directory tree (to support new consulting projects) on a mapped drive located on a Windows File Server (not sure exactly which OS as yet). Once created, the routine then needs to control access at various levels in the directory tree to various groups of users. At first glance, it appears that there are at least 2 general approaches I can take to accomplish the access control portion of the process: (a) Use CACLS or XCACLS (or some similar API, unknown to me at this time, but which I assume exists) to set the NTFS file system permissions. (b) Use the Group Policy Editor (or some similar API, unknown to me at this time, but which I assume exists) to accomplish the same - or similar - results. Perhaps both are really just two different interfaces the same thing, it is not clear to me. If they are indeed different, is there some best practice which relates to a case like this? Any pointers to API's, Powershell cmdlets, or scriptable objects for this sort of thing is appreciated. Thanks -- Gerry Hickman (London UK) |
Thread Tools | |
Display Modes | |
|
|