ACK, a DC with file serving open for students? Sorry but as a fellow edu type I vote 'very bad' on that idea.
Leave the old unused ACL on the folders, it won't hurt anything.

> -----Original Message-----
> From: Walker, Clay [mailto:c...@bridgeportisd.net]
> Sent: Tuesday, January 06, 2009 10:45 AM
> To: NT System Admin Issues
> Subject: NTFS Permissions
>
> Good morning everyone:
>
> Here's the scenario. I have a server originally setup as a member
> server (Win 2003 Ent R2). This server acts as a file server that houses
> all of the students' home directories. I setup a local group on this
> server giving read/write permissions to all teachers so they can monitor
> the students' home directories as needed.
>
> Over the Christmas break, I get the bright idea to DCPROMO the server to
> a domain controller. The DCPROMO is successful, BUT, stupid me forgot
> about the local group "FAC-STAFF" that has read/write permissions on
> every folder and file in the student share.
>
> I know I can use xcacls to give a new domain group read/write
> permissions to the files and folders, but now I need a command line util
> to get rid of the invalid ACL entry (the dreaded SID entry) on every
> file/folder.
>
> When I run an xcacls.vbs on an existing file with invalid entries, I get
> this:
>
> Allowed BUILTIN\Administrators Full Control This Folder, Subfolde
> Allowed \ Modify This Folder, Subfolde
>
> I tried to do an xcacls.vbs /r on the "\" account, but it did not work.
>
> Any ideas?
>
> Thanks in advance for all of the help and funny comments that will
> ensue.
>
> Clay
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
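
For anyone who does want to clear the leftover entries, the following is an added example and not part of the original thread: a PowerShell script that lists explicit ACEs whose SID no longer resolves to an account, and removes them only when asked. The `$Root` path and the `-Remove` switch are assumptions made for illustration; run it from an elevated session.

```powershell
param(
    [string]$Root = 'D:\StudentHome',  # hypothetical path, not from the thread
    [switch]$Remove                    # report only unless this switch is given
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$cache   = @{}   # SID string -> $true when the SID no longer resolves

function Test-OrphanedSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    if (-not $cache.ContainsKey($Sid.Value)) {
        try {
            [void]$Sid.Translate([System.Security.Principal.NTAccount])
            $cache[$Sid.Value] = $false
        } catch {
            # Only "identity not mapped" counts as orphaned. Any other failure
            # (for example, no DC reachable) leaves the ACE untouched.
            $inner = $_.Exception.GetBaseException()
            $cache[$Sid.Value] = $inner -is [System.Security.Principal.IdentityNotMappedException]
        }
    }
    return $cache[$Sid.Value]
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Explicit ACEs only (includeInherited = $false), returned as raw SIDs.
    # Inherited copies disappear once the parent folder is cleaned.
    $stale = @($acl.GetAccessRules($true, $false, $sidType) |
               Where-Object { Test-OrphanedSid $_.IdentityReference })
    if ($stale.Count -eq 0) { continue }

    foreach ($ace in $stale) {
        '{0}: {1} {2} {3}' -f $item.FullName, $ace.AccessControlType,
                              $ace.IdentityReference, $ace.FileSystemRights
        if ($Remove) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    }
    if ($Remove) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it without `-Remove` first and review the report; every SID it lists should belong to the former member server's local accounts before anything is deleted.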