Restoring NT file security settings
We have a Win2k server that has 75+ shares based on the hospital department that uses it. The security on the folders is configured so that users can only access there own department's folder. And, depending on the user, they can only do certain things within each folder. The director of the department has full rights and each user down the line has less and less rights all the way down to the lowest person in the department who has almost no rights. Yes, it's complicated but that's the way they want it. One of our IS guys decided to add a superuser to the shares and somehow screwed up all the security settings on the folders. All the settings are wrong now and we can't figure out what he did to screw it up so bad. It would take far too long to restore all the files. I have been playing with the restore using the command line to try and do a directory only restore. I have restored the directory tree to another location to see if it is doing what I want it to do and it looks like it might work. The restored folders have all the right security settings. I'm using the "restore d:\wrkgrp\*.* -dirsonly d:\temp\" command on the local server to bring back the directory structure. Is this a good approach to repair this mess? I'm running TSM 5.1.5 on the server. David Tyree Microcomputer Specialist South Georgia Medical Center 229.333.1155 Confidential Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Restoring NT file security settings
It depends. Doing a directory only restore will bring back the directory NTFS security acl's but it will not bring back the directory share level security. NTFS object security information is stored with the object on the server and will be restored when the individual NTFS object is restored. Share level security (may be set on all types of file systems) is stored in the registry and currently is only backed up as part of the registry so the only way to get it back is to restore a previous copy of the registry. Backing up the individual directory share information with the directory is a well known requirement which development has contemplated implementing (draw your own conclusions on that statement), and this would accomplish what you trying to do regardless of whether NTFS acl's or Share security were used. Hope this answers your question Regards, Pete Pete Tanenhaus Tivoli Storage Solutions Software Development email: [EMAIL PROTECTED] tieline: 320.8778, external: 607.754.4213 "Those who refuse to challenge authority are condemned to conform to it" -- Forwarded by Pete Tanenhaus/San Jose/IBM on 06/20/2003 03:37 PM --- Please respond to "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]> Sent by:"ADSM: Dist Stor Manager" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] cc: Subject:Restoring NT file security settings We have a Win2k server that has 75+ shares based on the hospital department that uses it. The security on the folders is configured so that users can only access there own department's folder. And, depending on the user, they can only do certain things within each folder. The director of the department has full rights and each user down the line has less and less rights all the way down to the lowest person in the department who has almost no rights. Yes, it's complicated but that's the way they want it. One of our IS guys decided to add a superuser to the shares and somehow screwed up all the security settings on the folders. All the settings are wrong now and we can't figure out what he did to screw it up so bad. It would take far too long to restore all the files. I have been playing with the restore using the command line to try and do a directory only restore. I have restored the directory tree to another location to see if it is doing what I want it to do and it looks like it might work. The restored folders have all the right security settings. I'm using the "restore d:\wrkgrp\*.* -dirsonly d:\temp\" command on the local server to bring back the directory structure. Is this a good approach to repair this mess? I'm running TSM 5.1.5 on the server. David Tyree Microcomputer Specialist South Georgia Medical Center 229.333.1155 Confidential Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Restoring NT file security settings
We are facing a similar situation as below. If we restore a directory to its original location, it doesn't seem to over write the NTFS permissions of the directory we are restoring. This is what we want. If we restore a directory to some place other than the original location, it is inheriting the permissions of the parent directory of where it is being restore. So we can't see what permissions for that directory should look like. Client 5.1.5.9 - W2K server TSM Server 5.1.6.2 - AIX 5.1 Suggestions?? Matt Restoring NT file security settings Forum: ADSM.ORG - ADSM / TSM Mailing List Archive Date: Jun 20, 15:46 From: Pete Tanenhaus <[EMAIL PROTECTED]> It depends. Doing a directory only restore will bring back the directory NTFS security acl's but it will not bring back the directory share level security. NTFS object security information is stored with the object on the server and will be restored when the individual NTFS object is restored. Share level security (may be set on all types of file systems) is stored in the registry and currently is only backed up as part of the registry so the only way to get it back is to restore a previous copy of the registry. Backing up the individual directory share information with the directory is a well known requirement which development has contemplated implementing (draw your own conclusions on that statement), and this would accomplish what you trying to do regardless of whether NTFS acl's or Share security were used. Hope this answers your question Regards, Pete Pete Tanenhaus Tivoli Storage Solutions Software Development email: [EMAIL PROTECTED] tieline: 320.8778, external: 607.754.4213 "Those who refuse to challenge authority are condemned to conform to it" -- Forwarded by Pete Tanenhaus/San Jose/IBM on 06/20/2003 03:37 PM --- Please respond to "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]> Sent by:"ADSM: Dist Stor Manager" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] cc: Subject:Restoring NT file security settings We have a Win2k server that has 75+ shares based on the hospital department that uses it. The security on the folders is configured so that users can only access there own department's folder. And, depending on the user, they can only do certain things within each folder. The director of the department has full rights and each user down the line has less and less rights all the way down to the lowest person in the department who has almost no rights. Yes, it's complicated but that's the way they want it. One of our IS guys decided to add a superuser to the shares and somehow screwed up all the security settings on the folders. All the settings are wrong now and we can't figure out what he did to screw it up so bad. It would take far too long to restore all the files. I have been playing with the restore using the command line to try and do a directory only restore. I have restored the directory tree to another location to see if it is doing what I want it to do and it looks like it might work. The restored folders have all the right security settings. I'm using the "restore d:\wrkgrp\*.* -dirsonly d:\temp\" command on the local server to bring back the directory structure. Is this a good approach to repair this mess? I'm running TSM 5.1.5 on the server. David Tyree Microcomputer Specialist South Georgia Medical Center 229.333.1155 Confidential Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. - This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. - If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
Re: Restoring NT file security settings
Are you sure TSM is not indeed restoring everything but the result is useless itself? Some arguments: "Security" in Windows NTFS is having three modes - inherited, explicitly specified and mixed permissions. In first mode the only security info is "provide same access as the parent directory is providing". In second mode there is a list of users along with set of allowed operations. In third mode you have both - access inherited from the parent plus some explicitly specified additions/deletions/changes to the ACL. So what TSM will do in each case: Mode 1: TSM will restore the "checkmarked" inheritance. It *will not* restore parent's ACL, or the ACL of the parent's parent, ... up to the origin of the inherited ACL. As result you have resolved ability to inherit but not *what* to inherit. Mode 2: that is what you probably desire. TSM will restore "no inheritance" mode and list of defined privileges. Mode 3: both "inheritance" mode and the explicit access will be restored. As result the explicitly defined entities will have their access intact but the other are left to the mercy of ACL inherited from the parent directory. If the whole drive is restored simultaneously, the file/directory specific ACL elements are restored together their parents' ones. As result inherited ACL in mode 1&3 is producing the same mixture. Hope this ought to explain why sometimes you see the ACL "restored", sometimes "not restored" and sometimes "partially restored". Zlatko Krastev IT Consultant "Adams, Matt (US - Hermitage)" <[EMAIL PROTECTED]> Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]> 30.06.2003 21:31 Please respond to "ADSM: Dist Stor Manager" To: [EMAIL PROTECTED] cc: Subject:Restoring NT file security settings We are facing a similar situation as below. If we restore a directory to its original location, it doesn't seem to over write the NTFS permissions of the directory we are restoring. This is what we want. If we restore a directory to some place other than the original location, it is inheriting the permissions of the parent directory of where it is being restore. So we can't see what permissions for that directory should look like. Client 5.1.5.9 - W2K server TSM Server 5.1.6.2 - AIX 5.1 Suggestions?? Matt ...
