Sometimes I don't like you, System.Security.AccessControl.AccessRule.FileSystemAccessRule

I'm writing my own little module to help remove SID histories, mainly on file servers, but I'm thinking about throwing in SharePoint and local groups too. Many people forget to change the ACLs after using SID history, which means they are stuck with the SID history entries in those ACLs.

So what does that have to do with FileSystemAccessRule? In my first incarnation I was modifying the SDDL manually. This worked, but I felt that PowerShell must be able to do this better.

So I gave it some thought. Then I tried to re-implement it using Get-ACL, which returns a System.Security.AccessControl.FileSystemSecurity. Perfect, but there are some issues.

I have a perfect example here:

This went without a hitch.

So let's see how .NET interprets the only ACE in the ACL above:

Well, that didn't really look like what I wanted. We gave it SDGXGWGR and got -536805376.
SDGXGWGR should have given us: Delete, Generic Execute, Generic Write, Generic Read. The FileSystemRights enum has no names for the generic rights bits, so .NET falls back to printing the raw (signed) access mask.

Okay, but perhaps it is just a display glitch. Let's try to create an ACE using the data in the $ACL variable.

So now let's create a grant rule with the same permissions for the Builtin Administrators group.

So for now I will continue to parse my SDDL as strings in my Remove SID History module.
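As an added example (my code, not from the post above): this decodes the raw mask that FileSystemRights shows when an ACE carries generic rights, and builds a FileSystemAccessRule from the translated rights. The function and variable names are my own; the FILE_GENERIC_* values are the mappings from winnt.h that NTFS applies to generic rights.

```powershell
# FileSystemRights has no member names for GR/GW/GX/GA (the top four bits of the
# mask), and because it is a signed Int32 enum the 0x80000000 bit makes .NET print
# SDGXGWGR as -536805376 (0xE0010000). Names below are mine.

$GenericBits = [ordered]@{
    GenericRead    = [uint32]0x80000000   # GR
    GenericWrite   = [uint32]0x40000000   # GW
    GenericExecute = [uint32]0x20000000   # GX
    GenericAll     = [uint32]0x10000000   # GA
}

# What NTFS maps each generic right to once the ACE is applied to a file or folder (winnt.h)
$GenericToFileRights = @{
    GenericRead    = [System.Security.AccessControl.FileSystemRights]0x120089   # FILE_GENERIC_READ
    GenericWrite   = [System.Security.AccessControl.FileSystemRights]0x120116   # FILE_GENERIC_WRITE
    GenericExecute = [System.Security.AccessControl.FileSystemRights]0x1200A0   # FILE_GENERIC_EXECUTE
    GenericAll     = [System.Security.AccessControl.FileSystemRights]0x1F01FF   # FILE_ALL_ACCESS
}

function ConvertFrom-AccessMask {
    param([Parameter(Mandatory)][int64]$Mask)   # accepts the negative value .NET prints

    $u = [uint32]($Mask -band 0xFFFFFFFF)       # -536805376 -> 0xE0010000
    $generic  = @()
    $specific = [System.Security.AccessControl.FileSystemRights]0

    foreach ($name in $GenericBits.Keys) {
        if (($u -band $GenericBits[$name]) -ne 0) {
            $generic  += $name
            $specific  = $specific -bor $GenericToFileRights[$name]
        }
    }
    # Everything below the generic bits is an ordinary FileSystemRights value (0x10000 = Delete)
    $specific = $specific -bor [System.Security.AccessControl.FileSystemRights]($u -band 0x0FFFFFFF)

    [pscustomobject]@{
        Mask            = '0x{0:X8}' -f $u
        GenericRights   = $generic -join ', '
        EffectiveRights = $specific
    }
}

# The ACE from the post: Delete plus generic execute, write and read
$decoded = ConvertFrom-AccessMask -Mask -536805376
$decoded

# A rule for Builtin Administrators using the translated, file-specific rights, which is
# the form the FileSystemAccessRule constructor expects
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', $decoded.EffectiveRights,
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$rule.FileSystemRights
```

The translation is the same one the kernel does when it maps generic rights against the file object type, so the rule built this way grants what the SDDL string meant, just spelled out in specific rights.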

Cleaning out NetBIOS Hostnames from your DFSs

So you have been using DFS for a while and are happy. But you still get some complaints. Smaller companies usually hear that employees have problems accessing the DFS from home on their own computers. In larger companies it is usually not allowed to use private computers anyway, but there we have the problem of partner or acquired companies having problems with the DFS. So what is up?

The common problem is that you are still using hostnames instead of FQDNs. So why does that matter? It works great on my workstation. Most commonly, clients automatically try the DNS suffix of the domain the computer is joined to. This works great for the employees' computers but not for others. So what is happening? Suppose we have a company called Contoso with a domain called contoso.local (I know it's bad to have a .local domain name). You request the DFS called \\contoso.local\dfs; you then contact the domain controllers in the contoso.local domain and get back which file servers are working as the root servers. If the response only contains NetBIOS names, the clients will try to attach the domain suffix from DNS (unless configured differently using GPOs).

So I was at a customer doing a brief DFS analysis. These are the scripts I ran to check the domain-based DFS, along with some screenshots from a non-production environment:

[Screenshot: DFS-Domain-Target-Netbios]

[Screenshot: DFS-Domain-Root-Netbios]

Scripts:
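The post's own scripts are behind the link below; as an added example that is not the author's, here is how the same check can be done with the DFSN PowerShell module (Windows Server 2012 or RSAT, which I assume is available). It lists every root and folder target whose server part has no dot, i.e. a bare NetBIOS name that off-domain clients can only resolve by guessing a DNS suffix. The namespace path and function name are placeholders of mine.

```powershell
# List DFS root and folder targets that refer to the server by NetBIOS name only.
# Assumes the DFSN module cmdlets Get-DfsnRootTarget, Get-DfsnFolder and Get-DfsnFolderTarget.
function Find-DfsNetbiosTargets {
    param([Parameter(Mandatory)][string]$NamespacePath)   # e.g. \\contoso.local\dfs

    # \\server\share -> server
    function Get-TargetHost([string]$UncPath) {
        ($UncPath -replace '^\\\\', '') -split '\\' | Select-Object -First 1
    }

    $results = @()
    foreach ($t in Get-DfsnRootTarget -Path $NamespacePath) {
        $results += [pscustomobject]@{
            Kind   = 'Root'
            Path   = $t.Path
            Target = $t.TargetPath
            Host   = Get-TargetHost $t.TargetPath
        }
    }
    foreach ($f in Get-DfsnFolder -Path "$NamespacePath\*") {
        foreach ($t in Get-DfsnFolderTarget -Path $f.Path) {
            $results += [pscustomobject]@{
                Kind   = 'Folder'
                Path   = $f.Path
                Target = $t.TargetPath
                Host   = Get-TargetHost $t.TargetPath
            }
        }
    }
    # No dot in the host part means a NetBIOS name: the referral leaves suffix
    # resolution to the client, which is exactly what breaks for non-domain machines
    $results | Where-Object { $_.Host -notmatch '\.' }
}

Find-DfsNetbiosTargets -NamespacePath '\\contoso.local\dfs' | Format-Table -AutoSize
```

An empty result means every referral already carries an FQDN; anything listed is a target to re-add with its full name.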

[Read more…]

Upgrading DFS 2000 to DFS 2008 mode

So you have just been asked to enable ABE on the DFS. But you can't enable it because your namespace is in 2000 mode. So how do we upgrade it? The boring answer is that you don't; Microsoft doesn't have an upgrade. But it is quite simple anyway.

Backup your current DFS-Namespace

First let's make sure that we have a copy of your current namespace, so we don't have to rebuild it by hand. This is a simple XML file containing the entire configuration, both root servers and all links. Just replace \\<domain.fqdn>\<Namespace> with your DFS namespace information; the file name doesn't really matter. When it is complete, just look into the file and see what you got.

Remove the old namespace

This part is usually quite simple: just start with one DFS namespace server and remove them one after another. If you get stuck because a server is no longer alive, don't worry, just remove it by force. Once you delete the last namespace server, the namespace is no more.

Setting up the new environment

Well, this is a good time to think about doing it right. For instance, were you using FQDNs for your namespace servers? I say enable FQDN and let's go.

Now just create a new namespace with the same name as before. Since we are talking about a namespace, which is a bunch of NTFS junction points, I see no point in moving the DFS share from the default of %Systemroot%\DFSRoots\NamespaceName. Just remember that everyone should have Read Only access only.

Then add the other namespace servers one after another.

Restore the namespace

So where are my hundreds of links? I can't remember them all. Well, importing is as easy as the export we did earlier. You didn't skip that step, right?

Now for the boring part. You should really test it to make sure it works. Remember that domain-based DFS is carried in AD, with all the replication delays that can incur.
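The whole export / remove / recreate / import sequence above, as one added script. It is my example, not the post's own commands, and it assumes dfsutil.exe and the DFSN module are installed, that you run it as a domain admin on a namespace server, that each server already shares %Systemroot%\DFSRoots\dfs read-only as "dfs", and the placeholder names shown; the dfsutil argument order is my reading of its help text.

```powershell
# Take a domain namespace from 2000 mode (v1) to 2008 mode (v2). Names are placeholders.
$Namespace = '\\contoso.local\dfs'
$Servers   = 'fs1.contoso.local', 'fs2.contoso.local'
$Backup    = 'C:\dfs-backup.xml'

# 1. Backup: one XML file holds the root servers and every link
dfsutil root export $Namespace $Backup
if (-not (Test-Path -LiteralPath $Backup)) { throw 'export failed, not touching the namespace' }
Get-Content -LiteralPath $Backup -TotalCount 5     # eyeball it before going on

# 2. Remove the old namespace one root server at a time; removing the last one
#    removes the namespace itself. A server that no longer exists has to be
#    force-removed in the DFS Management console, as the post says.
foreach ($s in $Servers) {
    Remove-DfsnRootTarget -Path $Namespace -TargetPath "\\$s\dfs" -Confirm:$false
}

# 3. Recreate it in 2008 mode, and this time hand out FQDN referrals
foreach ($s in $Servers) { Set-DfsnServerConfiguration -ComputerName $s -UseFqdn $true }
New-DfsnRoot -Path $Namespace -TargetPath "\\$($Servers[0])\dfs" -Type DomainV2 | Out-Null
foreach ($s in ($Servers | Select-Object -Skip 1)) {
    New-DfsnRootTarget -Path $Namespace -TargetPath "\\$s\dfs" | Out-Null
}

# 4. Restore the links; 'set' makes the namespace match the file exactly
dfsutil root import set $Backup $Namespace

# 5. Test: confirm the mode and count the links, then give AD replication time
#    before believing what any client reports
Get-DfsnRoot -Path $Namespace | Select-Object Path, Type, State
(Get-DfsnFolder -Path "$Namespace\*" | Measure-Object).Count
```

The export check in step 1 is the one thing not to skip: once the last root target is gone, the XML file is the only copy of the links.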


This entry has been on my waiting list for a long time, but since it was a good match for my solution to a question on TechNet Social, I completed it.

Useful WMI(C) commands

Sometimes you need to run WMI queries on older Windows machines or in Windows Preinstallation Environment (WinPE). With PowerShell it's really easy: Get-WMIObject -Class win32_WhatYouWant. But when you are stuck without PowerShell, let's use the old WMIC command instead. WMIC has been available since Windows 2003. [Read more…]

Incorrectly ordered NTFS ACEs?

I got a question today about a strange permissions problem one of their users was having. Even stranger, when they checked the permissions on the folder they got the following:

The permissions on Sub_Directory are incorrectly ordered, which may cause some entries to be ineffective.

Well, what is this? Microsoft has a few articles about things like this.

But since this was a user's home directory, we decided just to reset all the permissions on the user's folder. [Read more…]
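As an added example (my code, not the post's), here is a script that checks a folder for the condition behind that Explorer warning. Canonical order is explicit Deny, then explicit Allow, then inherited entries; an entry that sorts lower than one already seen is what makes later entries "ineffective". The ranking is simplified (it does not distinguish inheritance depth among inherited entries), so the authoritative verdict comes from the AreAccessRulesCanonical property that Windows itself exposes. Path and function name are placeholders of mine.

```powershell
# Report whether a folder's DACL is in canonical order and flag the entries that break it.
function Test-DaclOrder {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Enumerate as SIDs so orphaned entries (old SID history, deleted accounts) do not abort the call
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $highest = -1
    $entries = foreach ($r in $rules) {
        $deny = $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        # rank: 0 explicit Deny, 1 explicit Allow, 2 inherited Deny, 3 inherited Allow
        $rank = (2 * [int]$r.IsInherited) + [int](-not $deny)
        $out  = $rank -lt $highest          # a lower rank after a higher one is out of order
        if ($rank -gt $highest) { $highest = $rank }
        [pscustomobject]@{
            Identity   = $r.IdentityReference.Value
            Type       = $r.AccessControlType
            Inherited  = $r.IsInherited
            Rights     = $r.FileSystemRights
            OutOfOrder = $out
        }
    }
    [pscustomobject]@{
        Path      = $Path
        Canonical = $acl.AreAccessRulesCanonical   # the check Windows performs
        Entries   = $entries
    }
}

$report = Test-DaclOrder -Path 'D:\Home\alice\Sub_Directory'   # placeholder path
$report.Entries | Format-Table -AutoSize
if (-not $report.Canonical) {
    Write-Warning "$($report.Path): DACL is not in canonical order"
    # The fix the post went with, rebuilding the tree's ACLs from the parent's inheritable entries:
    # icacls $report.Path /reset /T /C
}
```

Running it over a whole home folder root with Get-ChildItem -Directory turns a one-off support question into a quick audit of which folders need the reset.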

Setting up alternative names for a computer

So a friend of mine had a problem with not being able to access a Windows server using a CNAME they had created for the computer.

So what is wrong with this picture? Well, using a CNAME is as bad as using an IP: AD does not know about this name. There are many more things that you need to fix.

There are a few solutions, some simpler than others.

Using netdom

Reboot the computer to make it all work.

OptionalNames for Server service [SMB]

By altering OptionalNames (you might need to create it) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, you can make the Server service accept other names for the machine. Remember that the type of OptionalNames needs to be Multi-String Value.

SPNs (Service Principal Name)

You can also manually edit the SPNs for a server to allow Kerberos authentication to IIS and other services.
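The three layers above in one added script (mine, not the post's commands): the computer account via netdom, the Server service via OptionalNames, and the SPNs via setspn. It assumes netdom.exe and setspn.exe (RSAT AD DS tools), an elevated prompt on the server itself, and the placeholder names shown; the reboot the post mentions is still needed afterwards.

```powershell
# Register 'files' / files.contoso.local as an alternate name for the local server. Placeholders.
$Computer  = $env:COMPUTERNAME
$Alias     = 'files'
$AliasFqdn = 'files.contoso.local'

# 1. netdom: adds the alternate name to the computer account, so AD, DNS registration
#    and the HOST SPNs know about it (a bare CNAME in DNS gives you none of that)
netdom computername $Computer /add:$AliasFqdn

# 2. Server service: OptionalNames (Multi-String) lets SMB answer to the alias
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$existing = (Get-ItemProperty -Path $key -Name OptionalNames -ErrorAction SilentlyContinue).OptionalNames
$names    = @(@($existing) + $Alias | Where-Object { $_ } | Select-Object -Unique)
New-ItemProperty -Path $key -Name OptionalNames -PropertyType MultiString -Value $names -Force | Out-Null

# 3. SPNs for services that check the name themselves, e.g. IIS; -S refuses duplicates
setspn -S "HTTP/$AliasFqdn" $Computer
setspn -S "HTTP/$Alias" $Computer

# Verify before rebooting
netdom computername $Computer /enumerate
setspn -L $Computer
(Get-ItemProperty -Path $key -Name OptionalNames).OptionalNames
```

The verification step matters: a duplicate SPN elsewhere in the forest silently breaks Kerberos for both machines, and setspn -S is what catches it before the reboot.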

Playing with NTFS permissions

If you need to see what the different parts mean, look at my earlier post about icacls rights.

What is needed for:

Allowing users to create folders but not see all of them when Access Based Enumeration is enabled. Good for home folders.

Removing all rights for the Authenticated Users SID on, and on everything below, all files and folders underneath.

Granting the creator full control of new folders.
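An added example of applying those three requirements to a home folder root with icacls. This is my script, not the post's commands; the root path is a placeholder, the rights abbreviations are the ones in the icacls tables below, and it must run elevated.

```powershell
# Home folder root: users may list it and create their own folder, but see only folders
# they have rights to (with ABE on), and whoever creates a folder owns it. Placeholders.
$Root  = 'D:\Home'
$Users = 'NT AUTHORITY\Authenticated Users'

# Stop the root from inheriting the drive's ACL so only the entries below apply,
# then put SYSTEM and Administrators back
icacls $Root /inheritance:r
icacls $Root /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# 1. "This folder only" (no OI/CI): list the root, traverse, read attributes/EAs/permissions,
#    and create folders (AD = append data / add subdirectory). Nothing inherits into the
#    users' own folders, so ABE hides the ones a user has no rights to.
icacls $Root /grant:r "${Users}:(RD,AD,X,RA,REA,RC,S)"

# 2. Strip any leftover Authenticated Users entries from everything that already exists below
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    icacls $_.FullName /remove:g $Users /T /C
}

# 3. CREATOR OWNER, inherit-only: the creator of a new folder gets full control of it and
#    everything under it, while CREATOR OWNER itself never holds rights on the root
icacls $Root /grant:r 'CREATOR OWNER:(OI)(CI)(IO)F'

icacls $Root   # show the result
```

Step 2 uses /C so one folder with an unresolvable SID does not stop the run; check the icacls summary line afterwards for the count of failed files.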

Icacls rights

These are the simple rights:

Short form   Long name                  Explorer checkboxes
N            No access                  None
F            Full access                Full Control
M            Modify access              Modify / Read & Execute / List folder contents / Read
RX           Read and execute access    Read & Execute / List folder contents / Read
R            Read-only access           Read
W            Write-only access          Write
D            Delete access              Hidden under Special permissions

These are the specific rights:

Short form   Long name                         Explorer checkboxes
DE           Delete                            Delete
RC           Read control                      Read permissions
WDAC         Write DAC                         Change permissions
WO           Write owner                       Take ownership
S            Synchronize                       ?
AS           Access system security            ?
MA           Maximum allowed                   ?
GR           Generic read                      List folder / Read data / List folder / Read data / Read extended attributes / Read permissions
GW           Generic write                     Create files / Write data / Create folders / Append data / Write attributes / Write extended attributes / Read permissions
GE           Generic execute                   Traverse folder / Execute file / Read permissions
GA           Generic all                       All checked (Full control)
RD           Read data / List directory        List folder / Read data
WD           Write data / Add file             Create files / Write data
AD           Append data / Add subdirectory    Create folders / Append data
REA          Read extended attributes          Read extended attributes
WEA          Write extended attributes         Write extended attributes
X            Execute / Traverse                Traverse folder / Execute file
DC           Delete child                      Delete subfolders and files
RA           Read attributes                   Read attributes
WA           Write attributes                  Write attributes

Inheritance:

Short form   Long name
OI           Object inherit
CI           Container inherit
IO           Inherit only
NP           Don't propagate inherit
I            Permission inherited from parent container

So when you set simple rights in Explorer it will select both OI and CI, which means all files and folders as well as the current folder.
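As an added example (my code, not the post's), a small parser that turns icacls output lines into the long names from the tables above, so a dumped ACL can be read without the lookup. The sample lines are constructed; the first one carries the path in front of the identity, as icacls prints it.

```powershell
# Decode icacls lines such as  CONTOSO\alice:(OI)(CI)(F)  into long names. Names are mine.
$SimpleRights = @{
    N = 'No access'; F = 'Full access'; M = 'Modify access'; RX = 'Read and execute access'
    R = 'Read-only access'; W = 'Write-only access'; D = 'Delete access'
}
$SpecificRights = @{
    DE = 'Delete'; RC = 'Read control'; WDAC = 'Write DAC'; WO = 'Write owner'
    S = 'Synchronize'; AS = 'Access system security'; MA = 'Maximum allowed'
    GR = 'Generic read'; GW = 'Generic write'; GE = 'Generic execute'; GA = 'Generic all'
    RD = 'Read data / List directory'; WD = 'Write data / Add file'
    AD = 'Append data / Add subdirectory'; REA = 'Read extended attributes'
    WEA = 'Write extended attributes'; X = 'Execute / Traverse'; DC = 'Delete child'
    RA = 'Read attributes'; WA = 'Write attributes'
}
$InheritanceFlags = @{
    OI = 'Object inherit'; CI = 'Container inherit'; IO = 'Inherit only'
    NP = "Don't propagate inherit"; I = 'Inherited from parent'
}

function ConvertFrom-IcaclsLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # icacls prints the path before the first ACE; drop a leading drive path
        $text = ($Line -replace '^[A-Za-z]:\\\S*\s+', '').Trim()
        # identity, a colon, then one or more (...) groups
        if ($text -notmatch '^(?<id>.+?):(?<groups>(\([^)]*\))+)$') { return }
        $identity = $Matches.id
        $groups   = [regex]::Matches($Matches.groups, '\(([^)]*)\)') |
                    ForEach-Object { $_.Groups[1].Value }

        $type = 'Allow'; $inherit = @(); $rights = @()
        foreach ($g in $groups) {
            if ($g -eq 'DENY') { $type = 'Deny' }
            elseif ($InheritanceFlags.ContainsKey($g)) { $inherit += $InheritanceFlags[$g] }
            else {
                # a rights group is one simple right (F, M, RX...) or a comma list of specific ones
                foreach ($token in ($g -split ',')) {
                    $name = if ($SimpleRights.ContainsKey($token)) { $SimpleRights[$token] }
                            elseif ($SpecificRights.ContainsKey($token)) { $SpecificRights[$token] }
                            else { "Unknown($token)" }
                    $rights += $name
                }
            }
        }
        [pscustomobject]@{
            Identity    = $identity
            Type        = $type
            Inheritance = $inherit -join ', '
            Rights      = $rights -join ', '
        }
    }
}

# Constructed sample of what  icacls D:\Home\alice  might print
$sample = @(
    'D:\Home\alice CONTOSO\alice:(OI)(CI)(F)'
    '              CREATOR OWNER:(I)(OI)(CI)(IO)(F)'
    '              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)'
    '              CONTOSO\bob:(DENY)(RD,AD,X)'
    '              BUILTIN\Users:(I)(RX)'
)
$sample | ConvertFrom-IcaclsLine | Format-Table -AutoSize
```

Piping real output in works the same way: icacls D:\Home\alice | ConvertFrom-IcaclsLine. Lines that are not ACEs (the "Successfully processed" summary) simply produce nothing.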


Using %USERNAME% in a DFS link path

So I was reading a question on TechNet Social about using environment variables in DFS paths. In this case he wanted to use the %username% variable. I have also thought about how nice that could be, a little magic, and all users could have the same URN for their home directory. Just think how nice \\domain.local\dfs\MyHome feels. Well, on with the blog: you can't. It doesn't work. [Read more…]

Moving a fileshare on the same server

So I saw a question on TechNet Social and decided to answer it. So how do I move a share from one drive to another on the same computer?

First we need to have the data in the new location. I prefer to use robocopy with at least /E /COPYALL.

To make sure nobody changes the data during the final copy, I suggest stopping the Server service. So now the data is migrated; what about the share? Since we know that shares can be migrated between servers by dumping the registry, just changing the path is simple.
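The procedure above as one added script (my example, not the post's commands): two robocopy passes, the Server service stopped for the second one, and the Path= line of the share definition rewritten in the registry. Share name and paths are placeholders, it assumes an elevated prompt, and Get-SmbShare at the end needs Windows Server 2012 or later.

```powershell
# Move share 'Data' from D:\Data to E:\Data on the same server. Placeholders.
$ShareName = 'Data'
$OldPath   = 'D:\Data'
$NewPath   = 'E:\Data'
$SharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

function Copy-Tree([string]$From, [string]$To) {
    # /E all subfolders incl. empty ones, /COPYALL data + attributes + timestamps + ACLs + owner + auditing
    robocopy $From $To /E /COPYALL /R:1 /W:1 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed, exit code $LASTEXITCODE" }   # 0..7 mean success
}

# 1. Bulk copy while users still work, then a quiet final pass with SMB stopped
Copy-Tree $OldPath $NewPath
Stop-Service -Name LanmanServer -Force     # -Force also stops the dependent services
Copy-Tree $OldPath $NewPath

# 2. The share definition is a Multi-String of key=value lines (Path=, ShareName=,
#    Permissions=, ...); replace only the Path= line so the share ACL is untouched
$definition = (Get-ItemProperty -Path $SharesKey -Name $ShareName).$ShareName
if (-not $definition) { Start-Service -Name LanmanServer; throw "share $ShareName not found in registry" }
$updated = @($definition | ForEach-Object { if ($_ -like 'Path=*') { "Path=$NewPath" } else { $_ } })
Set-ItemProperty -Path $SharesKey -Name $ShareName -Value ([string[]]$updated) -Type MultiString

# 3. Bring SMB back and check what the Server service now publishes
Start-Service -Name LanmanServer
Get-SmbShare -Name $ShareName | Select-Object Name, Path
```

The robocopy exit code check is the part people skip: codes 0 to 7 are success variants, 8 and above mean something was not copied, and you want to know that before the old drive goes away.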

[Read more…]