Video Screencast Help

Add NTFS permissions to share - best practices?

Created: 04 Oct 2012 • Updated: 05 Oct 2012 | 3 comments
dfrancis's picture
This issue has been solved. See solution.

Hey guys,

I'm working on a new hire workflow and am trying to create the new user's share on our file server and give them permissions to the share, but I'm having difficulties.

The "Create Directory" component works flawlessly, but I need to give the newly-created user full rights to that directory.  I've found the "Add User to Share" component in the Active Directory components doesn't seem to work at all, and the "Set File/Folder System Rights" works intermittently.

In this example, say I created \\server\share$\username upstream in the workflow.

Using Set File/Folder System Rights, I configured it as such:

  • Path Type = Folder
  • Folder = Dynamic value: \\server\share$\[samaccountname_variable]
  • User = Dynamic value: [samaccountname_variable]@domain.local
  • Rights = FullControl

Half the time this component works, the other half it doesn't.  I've placed pauses in the workflow beforehand, thinking that things didn't finish getting created before this component hits, but that doesn't seem to be the issue.

Using Add User to Share, I've tried to configure as such:

  • Shared folder input source: Unc Path
  • Shared Folder UNC Path = Dynamic value: \\server\share$\[samaccountname_variable]
  • User Name or SAM or UPN: [samaccountname_variable] OR [samaccountname_variable]@domain.local
  • User Domain Admin Credentials = Checked
  • Permission Level = Full

This follows the Error path and the ActiveDirectoryError variable is "Not found" in every situation.

 

How do you handle this?

Comments 3 CommentsJump to latest comment

b3tts32's picture

Have you tried using the Add User NTFS Permissions to Folder component? I know this has worked for me in the past and I'm trying to find the project that I had it setup on. It's pretty straight forward.

I've since moved to using the setacl executable and just calling it from the execute batch component or execute process and wait. It allows you to set/remove permissions on the ntfs level as well as the share level and it's very powerful. I'd definitely recommend it. The example below removes everyone from the share, adds domain admins and gives them full access, and adds local system with full access.

 

 

E:\Workflow\setacl.exe -on \\computername\source -ot shr -actn ace -ace "n:everyone;m:revoke" -ace "n:domain.local\domain admins;p:Full" -ace "n:domain.local\it_admin;p:Read" -ace "n:domain.local\local_admin;p:Read" -ace "n:system;p:Full"
 
SOLUTION
dfrancis's picture

Late yesterday I got a little more aggressive with my pause execution workflow item between folder creation and permission setting via Set File/Folder System Rights and it seemed to be consistently going through without throwing errors.  I'm still testing the workflows on my laptop vs. deploying it to the server so my guess is that the folder wasn't fully created by the time it was hitting the permissions piece.

I like what you've done with setacl.exe, though.  I'll have to keep that in mind.

--Dave

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.

jhallam3's picture

Hi, Yes you need a good pause time to complete this takes a while for AD to replicate. I found that the setacl did the job however wasn't consistent and also found that creating the user with specifics like mail box in exchange was also an issue with exchange 2010. I then wrote a powershell command that executes. 

basically I have a template file that has variables in it. I then change the variables to what I need entering ie username full name ext... then save that file as username.ps and execute the powershell from workflow. this then allows me to log to a logfile then parse that log file for errors. Any errors then I just rerun the powershell. 

You will find that alias and exchange 2010 configs are difficult without using powershell.

Jon

 

 

Thanks

Jon Hallam

ManagedDesktop.com