NTFS Permissions on a Remote Domain

  • veei
    New Member
    • Feb 2008
    • 5

    NTFS Permissions on a Remote Domain

    Hi all,

    I am writing a program that will automate our user creation in Active Directory. Problem is, most of the servers are in stand-alone domains (mixed 2K and 2K3 servers). We are moving towards merging them all into the same tree but it will take some time.

    Anyway, I have successfully been able to create the user, set passwords, put them in the group I wish to, and create their home folder on the remote server via LDAP. The machine I am running the app from is not part of the domain(s) I am creating users in.

    You think it wouldn't be this hard but I've searched everywhere for an answer as to how to set a user's newly created Home folder to not inherit NTFS permissions and set Administrators, System, and the user with full control.

    Seeing as the machine the app is running on is not in that domain, I guess it doesn't know what the SIDs are for those users and groups. Is there a way to do this remotely via code? If not, is there a way to have the remote server run a cacls.exe from its own command prompt to do this or something similar?

    I'm using VB but I'll take C# code or anything .net for that matter at this point!! Even a link... anything to put me on the right trail!

    Thanks in advance
  • Plater
    Recognized Expert Expert
    • Apr 2007
    • 7872

    #2
    So you want to setup user accounts for a domain user on a non-domain system, so that in the future when it goes on the domain it will have the correct user privileges?
    I am not sure that can be done.

    What you MIGHT be able to do is make a special user called like myChangeUser and call the user that on every system you install on to.
    Then when the system joins the domain, have a script handy that changes ownership on EVERYTHING "myChangeUser" to the correct domain account?


    • veei
      New Member
      • Feb 2008
      • 5

      #3
      Sorry, I don't think I explained it quite right. The created user and their permissions would be exclusive to that remote domain.

      Example:

      Using a .NET application running on a machine that is a member server of the Test.Local domain, I create the user TomJones in the LV.com domain (NETBIOS domain name = LV) via LDAP. Set the password, add them to the LV\Entertainment group located in the LV.com domain, and create the home folder \\LV1\Home\TomJones on the domain controller for LV.com.

      All I'm trying to do is set the NTFS permissions on \\LV1\Home\TomJones to give LV\Administrators, LV\System, and LV\TomJones Full Control to the directory and all subdirs.

      But, since the computer the program is running on is in the Test.Local domain, it doesn't know the SIDs for any of those three users/groups. That's my problem.


      • Plater
        Recognized Expert Expert
        • Apr 2007
        • 7872

        #4
        Would giving control to the groups "DomainAdmins" or some other slightly-ambiguous group work?
        Or maybe even getting your random remote domain to "talk" to the domain that the admins are coming from?
        (I think there is a way to do that if you can supply valid credentials for an admin actually on the domain, you can like piggyback in)


        • veei
          New Member
          • Feb 2008
          • 5

          #5
          I figured it out. It was a problem with my trusts for the other domains. Though the external domains were in a two-way trust, by default, Win2K SP4 and Win2K3 Servers automatically enable SID filtering when you set up the trust. Turning it off worked.

          To turn it off, install the support tools from the Win2K/2K3 cd and run netdom:

          netdom trust <TRUSTING_DOMAIN> /domain:<TRUSTED_DOMAIN> /FilterSIDs:no

          I can now use XCACLS to remotely give permissions to the users' home folders! YAY!

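An added example, not code from the thread: the three principals in post #3 can be written into the DACL without any name-to-SID lookup on the Test.Local machine, because BUILTIN\Administrators and SYSTEM are well-known SIDs that are identical in every domain, and the user's SID is the objectSid attribute the LDAP bind already has access to. That leaves the trust's SID filtering as it was. The LDAP distinguished name, the service account and the share path are assumptions.

```powershell
# Added example (not from the thread). Assumes the app can bind to LV.com via
# LDAP, as the poster already does, and that the credentials used to reach
# \\LV1\Home may modify ACLs there.
param(
    [string]$HomeFolder = '\\LV1\Home\TomJones',
    [string]$LdapPath   = 'LDAP://LV1/CN=TomJones,CN=Users,DC=LV,DC=com',   # hypothetical DN
    [string]$LdapUser   = 'LV\svc-provision',                               # hypothetical account
    [string]$LdapPass   = '<password placeholder>'
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Read the user's objectSid straight from the LV.com directory. The raw
#    bytes build a SecurityIdentifier; nothing has to be resolved locally.
$entry    = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $LdapUser, $LdapPass)
$sidBytes = [byte[]]$entry.Properties['objectSid'].Value
$userSid  = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

# 2. Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) are well-known SIDs,
#    so they need no domain context at all.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$systemSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)

# 3. Break inheritance, discard the inherited ACEs, and grant Full Control to
#    the folder, its subfolders and files for each of the three principals.
$acl = Get-Acl -Path $HomeFolder
$acl.SetAccessRuleProtection($true, $false)   # isProtected=true, preserveInheritance=false
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($sid in @($adminsSid, $systemSid, $userSid)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit, $prop,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $HomeFolder -AclObject $acl
```

The same classes (SecurityIdentifier, FileSystemAccessRule, DirectorySecurity) are available from VB.NET or C#, so the logic transfers directly into the provisioning application.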