Looking for a Name

If you followed Microsoft’s Best practices for Folder Redirection, you accepted the default settings and allowed the system to create the folders.

The problem is that by default, the Grant the user exclusive rights to My Documents check box is selected, with the following consequence (quote from the Technet library article about folder redirection):

If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.

This means that if you already have a bunch of existing redirected My Documents folders set up that way and that you need to access them, you are out of luck. The only documented way to regain access to the folders is to take ownership of each individual folder and manually edit the permissions to give the Administrators group full control. I found a better way.

Note that if you are just setting up folder redirection and want to make sure that administrators will have access to the folders, follow the steps listed in the following article: Enabling the administrator to have access to redirected folders. For everybody else, read on.

The trick is to realize that the local system account has full control over the folder and that PsExec allows you to run commands using that account (using the -s switch). So, if the command in question happens to be a PowerShell script that gives full control to a group you belong to, the problem is solved!

Here is what you need to do:

1. Download and install PsExec and PowerShell. PowerShell needs to be installed on the computer (probably a server) hosting the redirected folders.

2. Edit the $StartingDir and $Principal variables in the following script to match your environment. $StartingDir should be the path to the shared folder that contains all you users redirected My Documents folders, $Principal is the name of the local user or local group that should be granted the permission. It has to be a local account because the script will be run using the local system account, which doesn’t know about domain accounts. We’ll add domain users and/or groups later (step 4).

#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir= “C:\Users”

$Principal=”Administrators”

$Permission=”F”

$Verify=Read-Host `n “You are about to change permissions on all” `
“files starting at”$StartingDir.ToUpper() `n “for security”`
“principal”$Principal.ToUpper() `
“with new right of”$Permission.ToUpper()”.”`n `
“Do you want to continue? [Y,N]”

if ($Verify -eq “Y”) {

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
#display filename and old permissions
write-Host -foregroundcolor Yellow $file.FullName
#uncomment if you want to see old permissions
#CACLS $file.FullName

#ADD new permission with CACLS
CACLS $file.FullName /E /P “${Principal}:${Permission}” >$NULL

#display new permissions
Write-Host -foregroundcolor Green “New Permissions”
CACLS $file.FullName
}
}

Note: This script is a simplified version of Don Jones’ script found here: http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx. Check it out for more options.

3. Now, we need to run the above script using PsExec using the local system account. Note that the command line shown will run PsExec on the current computer and that the -noexit switch will prevent PowerShell from closing when the script terminates, so you get a chance to read the output.

Here is what you need to type at the command prompt (changing the paths and file names to match your environment):

>psexec -s -i powershell -noexit “& ‘C:\Path\To\ChangePermissions.ps1′”

The -i switch will make the PowerShell window visible on the Desktop. If you use Remote Desktop to connect to your server, make sure that you connect to the console or you won’t see any output.

4. Now that the local Administrators group has full control on all files and folders (and I am assuming that you are a member of the local Administrator group), you can run the script again as yourself (remove the -s switch) to give domain users and groups full control, using the domain\user or domain\group format for the $Principal variable.

5. Done!

Share on Facebook

Outlook 2007 Auto discover feature and SBS2008 & EBS2008
The auto discover feature is really cool but it will give you this error

Why?, Simple, the FQDN is in the certificate that is installed by default. So if you want this to work without any errors you need to replace the certificate with a certificate that also have that name.

In the default certificate Microsoft includes the following name by default, externaldomain.com, remote.externaldomain.com and server.internaldomain.local and we need to put the back in again plus the new name autodiscover.externaldomain.com

So this is how you do

On the SBS server run MMC.EXE and add the snap-in for Certificates and for certificate templates.
Change the permission on the “Web Server” certificate template and allow the SBS server to “Enroll”

Click on Certificates (Local Computer) and open “Personal – Certificates”
Right click “All Tasks – Request New Certificate”
Select “Web Server”

Select Subject Name: as Common name with the value of the external name (remote.externaldomain.com)
Select Alternative name: as DNS and add all the names you would like to have.
externaldomain.com
remote.externaldomain.com
internaldomain.local
autodiscover.externaldomain.com
plus others if you would like to have…
Hit OK and select Enroll
Now you can open IIS Admin, open the SBS Web Application site, and change the certificate by opening “Bindings” and look for 443. Select Edit and change the certificate. You will se at least two certificates with the same name. With the view function you can see the names in the certificates.

Note. This will not destroy or delete your existing certificate, if you want you can always switch back.

There is of course one other way to fix this issue and that is to change in the external DNS. The SBS Diva has a really nice post about this if you prefer to do it in DNS instead

Mikael Nystrom
MCT, MVP Windows Server – Setup/Deployment

Share on Facebook

Share on Facebook

Share on Facebook

Well at least in my little soccer world that is what it seems to have become.  It all started with an innocent little email from the team manager regarding the upcoming tournaments, forms needed and dues for the upcoming season.   Normally no big deal but this year was the first time I gave an advance notice that we wouldn’t be going to one of the tournaments.  Every year we have played it was based on who was going to be at that tournament.   So I politely emailed her back and reminded her we wouldn’t be at the tournament and to please revise the amount.  The response received from her startled me, that her and the coaches had decided that all families would pay the same amount regardless on if they were going or not.  ”Most travel teams (for any sport) handle the money this way as it is the only way to be fair to all.” Now that set me off.  So I responded back that I was going to be forced to pay for something I wasn’t expecting that she would have to wait for the money, that my wife was having surgery with a upfront cost and two months off work and that my family’s well being would come before soccer.  I may have responded a little harshly over a $35-$40 payment but I believe I was treated unfairly asking me to pay.  The comment of most travel teams doing it this way is absolutely untrue I know for a fact.  I emailed four parents on our team and asked 6 other parents including different sports in my survey.  To be exact 8 soccer, 1 football and 1 softball parent.  So overall 9 out 10 told me that it should be charged divided by whomever is playing in that particular tournament.  The lone person’s daughter played softball.  Unless my math is off 10% is a big difference to most.   I was also told the girls are getting older now.  A truthful statement there but again so what.  Is it the girls that are paying the money to play soccer?  One final statement was we did it this way last year.  A part true statement.  Now I don’t know how it was in the fall and spring because we played every tournament but for indoor sessions in winter it was broken down by who played.  In the meantime I get a voicemail from her telling me that not to worry about any of the money that they weren’t aware of things going on with surgery and all.  I should of taken that and ran with it but that is not me.  It wasn’t about the money but the way it was handled and presented.  I plan a month or two ahead if possible and I was expecting something totally different than I was presented without notification.   I originally was just going to give an amount what I thought was fair but when I showed up at practice I gave the whole amount and told her I don’t agree with this but here is all the money.  And then to be an asshole dad I told my daughter this was her sport and her decisions to play or not that I would be taking $35 out of her corn detassalling money.  I think that along with the prompting by one of the coaches that she could possibly get a ride home after the first game so she would be able to go to her brother’s 2nd party of the weekend has made her think twice about if she goes and plays or not.  She has learned more from this that any school these days.  This all could of been avoided if Democracy was still in America and the team had a chance to vote.  Instead decisions were made for us without hesitation.  Welcome to the New Amerika that has trickled down even to the innoncence of our young children.

Share on Facebook