There turned out to be at least several possibilities:
- Export shares, including permissions from registry, and restore on new servers.
- Use net share, but it is only good for creating shares, it can not list or modify share permissions.
- RMTSHARE.EXE from WinNT ressource kit can do all we need.
- Use a VBS script to list and create shares, Win32_LogicalShareSecuritySetting and Win32_ACE.
I went down the VBS script path, and it worked out fine, created a bunch of command oneliners I could use on the new servers or on the new clusters, eg:
cluster . res "share" /priv security="domain\group",grant,F:security
cluster . res "share" /priv security="domain\user",grant,R:security
net share="d:\path\to\share" /GRANT:"domain\user1",READ /GRANT:"domain\user2",FULL
The net share command creates the share, but on the cluster share was created with a wrapper script was made from a Microsoft example, only changing ShareSubDirs=0. Then the above cluster command works fine.
The problem with the script method was that if there was no ACL for a share, my script did not list the share. And i didnt make the script query remote servers, so i used a little psexec workaround in the scripts:
copy listshares.vbs \\server\d$\
psexec \\server -e cmd /C "cscript d:\listshares.vbs"
psexec \\server -e cmd /C del d:\listshares.vbs
Anyway, in the future I recommend using RMTSHARE.EXE which works fine on 2000/2003/xp, can query shares remote, modify permissions, create and all I need. Some examples:
List shares: RMTSHARE \\server
List permissions of a share: RMTSHARE \\server\share /users
Add a user to a share remote: RMTSHARE \\server\share /grant "domain\user":F
Revoke a user permissions: RMTSHARE \\server\share /grant "domain\user"
By the way, note that "net share" command is different on Windows 2003 and on XP. There are permissions options on the Windows 2003 version:
The syntax of this command is:
NET SHARE
sharename
sharename=drive:path [/GRANT:user,[READ CHANGE FULL]]
[/USERS:number /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual Documents Programs None ]
sharename [/USERS:number /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual Documents Programs None]
{sharename devicename drive:path} /DELETE
There is no permission option on the XP version:
net share /?
The syntax of this command is:
NET SHARE sharename
sharename=drive:path [/USERS:number /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual Automatic No ]
sharename [/USERS:number /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual Automatic No ]
{sharename devicename drive:path} /DELETE
For NTFS file permissions setting, remove and modify, I use XCACLS.VBS, which can do all we need. It also works on the clusters. Some examples:
Listing access, if you want subdirs add /s /t:
cscript c:\bin\XCACLS.vbs d:\dat\ /server server
Give access, with /e so other users are left as they were:
cscript c:\bin\XCACLS.vbs d:\dat\ /e /g "domain\user":F /server server
Revoke (/r) example, remote: !!! WARNING !!! remember the /e or every permission will be gone:
cscript c:\bin\XCACLS.vbs d:\dat\ /e /r "domain\user" /server server
My only problem with XCACLS.VBS so far, is that it it truncates output of the users, so its hard to wrap into a script for recreation. Eg, it shows only "Domain\Some_domain_gruo" below and not the full groupname:
"Allowed Domain\Some_domain_gruo Modify..."
Ideas for solving this are very welcome :-)
2 comments:
WHAT IS THE DIFFRENCE FAT32 & NTFS ?
report ntfs permissions
Post a Comment