File System Permissions Question

Hello and pardon the cross-post but I am not really sure where the best
place is to ask about this... I am a programmer not an admin but I am
being asked to write a little routine that has admin implications.

The routine will create a complex directory tree (to support new
consulting projects) on a mapped drive located on a Windows File Server
(not sure exactly which OS as yet). Once created, the routine then needs
to control access at various levels in the directory tree to various
groups of users.

At first glance, it appears that there are at least 2 general approaches
I can take to accomplish the access control portion of the process:

(a) Use CACLS or XCACLS (or some similar API, unknown to me at this
time, but which I assume exists) to set the NTFS file system permissions.

(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.

Perhaps both are really just two different interfaces the same thing, it
is not clear to me. If they are indeed different, is there some best
practice which relates to a case like this? Any pointers to API's,
Powershell cmdlets, or scriptable objects for this sort of thing is
appreciated.

Thanks

I have never done anything that complex myself but there is another utility
called fileacl that you may also look into for your project. I have not
tried the latest versions but it is much more powerful than CACLS or XCACLS.
It is availalbe free at the link below.

http://www.gbordier.com/gbtools/fileacl.asp

Steve

"David White" wrote in message
om...
Hello and pardon the cross-post but I am not really sure where the best
place is to ask about this... I am a programmer not an admin but I am
being asked to write a little routine that has admin implications.

The routine will create a complex directory tree (to support new
consulting projects) on a mapped drive located on a Windows File Server
(not sure exactly which OS as yet). Once created, the routine then needs
to control access at various levels in the directory tree to various
groups of users.

At first glance, it appears that there are at least 2 general approaches I
can take to accomplish the access control portion of the process:

(a) Use CACLS or XCACLS (or some similar API, unknown to me at this time,
but which I assume exists) to set the NTFS file system permissions.

(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.

Perhaps both are really just two different interfaces the same thing, it
is not clear to me. If they are indeed different, is there some best
practice which relates to a case like this? Any pointers to API's,
Powershell cmdlets, or scriptable objects for this sort of thing is
appreciated.

Thanks

David,

David White schrieb:
(a) Use CACLS or XCACLS (or some similar API, unknown to me at this
time, but which I assume exists) to set the NTFS file system permissions.

(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.

From my limited programming knowledge, I'd probably go with option (a)
- having a local GPO configured programmatically is afaik pretty painful
compared to the effort you'd have to put into one of the pre-definded
tools in (a).

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Thanks Steve. Interesting indeed!

Old Rookie wrote:
I have never done anything that complex myself but there is another utility
called fileacl that you may also look into for your project. I have not
tried the latest versions but it is much more powerful than CACLS or XCACLS.
It is availalbe free at the link below.

http://www.gbordier.com/gbtools/fileacl.asp

Steve

"David White" wrote in message
om...
Hello and pardon the cross-post but I am not really sure where the best
place is to ask about this... I am a programmer not an admin but I am
being asked to write a little routine that has admin implications.

The routine will create a complex directory tree (to support new
consulting projects) on a mapped drive located on a Windows File Server
(not sure exactly which OS as yet). Once created, the routine then needs
to control access at various levels in the directory tree to various
groups of users.

At first glance, it appears that there are at least 2 general approaches I
can take to accomplish the access control portion of the process:

(a) Use CACLS or XCACLS (or some similar API, unknown to me at this time,
but which I assume exists) to set the NTFS file system permissions.

(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.

Perhaps both are really just two different interfaces the same thing, it
is not clear to me. If they are indeed different, is there some best
practice which relates to a case like this? Any pointers to API's,
Powershell cmdlets, or scriptable objects for this sort of thing is
appreciated.

Thanks

Thanks. As someone not well versed in Group Policies, I am in complete
agreement. But I do want to conform to best practices, if any exist.

Florian Frommherz [MVP] wrote:
David,

David White schrieb:
(a) Use CACLS or XCACLS (or some similar API, unknown to me at this
time, but which I assume exists) to set the NTFS file system permissions.

(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.

From my limited programming knowledge, I'd probably go with option (a)
- having a local GPO configured programmatically is afaik pretty painful
compared to the effort you'd have to put into one of the pre-definded
tools in (a).

Cheers,
Florian

Hi,

You may want to check out my thread here (beware word wrap).

http://groups.google.com/group/micro...04736623c71a84

It has a lot of information about shortcomings of the various Tools and
APIs and differences between Microsoft o/s and local vs remote. You
won't find this info in the official docs. There's a new twist with
Windows 7 too.

Creating a folder structure programmatically is not that difficult once
you understand all the issues above. I don't think GP will help you. The
APIs you choose will really depend on the rest of your app. Beware the
clowns who try to work with FileSystem permissions over SMB.

David White wrote:
Hello and pardon the cross-post but I am not really sure where the best
place is to ask about this... I am a programmer not an admin but I am
being asked to write a little routine that has admin implications.

The routine will create a complex directory tree (to support new
consulting projects) on a mapped drive located on a Windows File Server
(not sure exactly which OS as yet). Once created, the routine then needs
to control access at various levels in the directory tree to various
groups of users.

At first glance, it appears that there are at least 2 general approaches
I can take to accomplish the access control portion of the process:

(a) Use CACLS or XCACLS (or some similar API, unknown to me at this
time, but which I assume exists) to set the NTFS file system permissions.

(b) Use the Group Policy Editor (or some similar API, unknown to me at
this time, but which I assume exists) to accomplish the same - or
similar - results.

Perhaps both are really just two different interfaces the same thing, it
is not clear to me. If they are indeed different, is there some best
practice which relates to a case like this? Any pointers to API's,
Powershell cmdlets, or scriptable objects for this sort of thing is
appreciated.

Thanks


--
Gerry Hickman (London UK)