09 December 2015

Using a NAS for storing your Windows Domain Users folders

At 1508 we use a NAS (Synology DS1010+) to hold the users' private folders.

Each user's folder lives directly under the shared users root and must be locked down to that one user so their data stays private. Managing the NTFS ACLs can be done by hand or automated with a tool like SetACL by Helge Klein (http://helgeklein.com/) driven from a batch script.

We chose a script for two reasons: it enforces one strict, repeatable configuration, and it gives us an easy way to reset the security on every folder in the root.

We created two jobs for managing the ACLs (Access Control Lists). Both files sit in the root of the users share on the NAS, next to SetACL.exe.

SetPermission (edit me).cmd

This job sets the permissions on a single user folder (the folder itself must already exist); we use it when creating a new user in the domain. Edit userfolder to the new user's account name, which is also the folder name:

set userfolder=lpd
rem grant the user Change (Modify) and Domain Admins Full Control on the folder and everything
rem below it (-rec cont_obj), and remove every other explicit entry from the DACL (-actn clear)
"\\nas\users\SetACL.exe" -on "\\nas1\users\%userfolder%" -ot file -actn ace -ace "n:1508DOMAIN\%userfolder%;p:change" -ace "n:Domain Admins;p:full" -rec cont_obj -actn clear -clr "dacl"
rem stop inheriting from the share root; p_c keeps copies of the inherited entries as explicit ACEs,
rem use "dacl:p_nc" instead if the root grants access to groups that must not end up on user folders
"\\nas\users\SetACL.exe" -on "\\nas1\users\%userfolder%" -ot file -actn setprot -op "dacl:p_c" -rec cont_obj
pause

ResetPermissions.cmd

To allow the whole folder structure to be reset we wrote a batch that runs the same SetACL line for every folder in the share root, taking the user name from the folder name. Note that it only runs the ace/clear step: "clear dacl" removes explicit entries, not inherited ones, so a folder that has had inheritance re-enabled also needs the setprot line from the job above.

@echo off

if "%~1"=="?" goto HELP
if "%~1"=="/?" goto HELP
rem the script's own directory, i.e. the users share root (trailing backslash included)
set target=%~dp0

echo Target must be an attached drive: %target%
rem "delims=" keeps folder names containing spaces in one token; the name is passed quoted
FOR /F "delims=" %%f IN ('DIR "%target%" /B /AD') DO CALL :executeResetACL "%%f"
echo Done!
pause
GOTO:EOF

:executeResetACL
rem optional: take ownership and wipe DACL and SACL first (uncomment and set the owner if needed)
rem "%target%SetACL.exe" -on "%target%%~1" -ot file -actn setowner -ownr "n:1508DOMAIN\jhe" -rec cont_obj -actn clear -clr "dacl,sacl"
rem folder name == user name: user gets Change, Domain Admins Full, other explicit entries are cleared
"%target%SetACL.exe" -on "%target%%~1" -ot file -actn ace -ace "n:1508DOMAIN\%~1;p:change" -ace "n:Domain Admins;p:full" -rec cont_obj -actn clear -clr "dacl"
GOTO:EOF

:HELP
echo  Resets the ACL on every folder in this script's directory: the user named after the folder gets Change, Domain Admins get Full
echo.
GOTO:EOF
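The same policy as the two batch jobs above (the user gets Change/Modify on their own folder, Domain Admins get Full Control, nothing else, inheritance from the share root switched off), written in PowerShell with Get-Acl/Set-Acl instead of SetACL.exe, plus an audit function that reports folders drifting from that policy before anything is changed. This is an added example, not code from the original post; the share root \\nas1\users and the domain name 1508DOMAIN are taken from the post, and it assumes every folder name under the root is a domain account name.

```powershell
# Added example (not from the original post). Assumed: share root \\nas1\users,
# domain 1508DOMAIN, every folder under the root named after a domain account.
$Domain    = '1508DOMAIN'
$UsersRoot = '\\nas1\users'

# The two entries every user folder should carry, inheriting to all children
# (the equivalent of SetACL's "-rec cont_obj").
function Get-ExpectedRules([string]$User) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    @(
        (New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "$Domain\$User", 'Modify', $inherit, $prop, 'Allow'),
        (New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "$Domain\Domain Admins", 'FullControl', $inherit, $prop, 'Allow')
    )
}

# Apply the policy to one folder; the folder name is the user name, as in the batch jobs.
function Set-UserFolderAcl([string]$Folder) {
    $user = Split-Path -Leaf $Folder
    $acl  = Get-Acl -LiteralPath $Folder
    # Break inheritance WITHOUT copying the root's entries (SetACL "dacl:p_nc");
    # ($true, $true) would be "dacl:p_c" and leave the root's ACEs behind as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)          # same effect as "-actn clear -clr dacl"
    }
    try {
        foreach ($rule in Get-ExpectedRules $user) { $acl.AddAccessRule($rule) }
        Set-Acl -LiteralPath $Folder -AclObject $acl
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Folder name that is not a domain account (stale folder, typo): report, do not guess.
        Write-Warning "$Folder`: '$Domain\$user' is not a resolvable account, folder left unchanged"
        return
    }
    # Children: drop their explicit ACEs and re-enable inheritance so the two rules above flow
    # down and any entry a user granted inside their own folder (e.g. to a colleague) goes away.
    Get-ChildItem -LiteralPath $Folder -Recurse -Force | ForEach-Object {
        $child    = Get-Acl -LiteralPath $_.FullName
        $explicit = @($child.Access | Where-Object { -not $_.IsInherited })
        if ($child.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            $child.SetAccessRuleProtection($false, $false)
            foreach ($rule in $explicit) { [void]$child.RemoveAccessRule($rule) }
            Set-Acl -LiteralPath $_.FullName -AclObject $child
        }
    }
}

# Audit one folder against the policy without changing anything.
function Test-UserFolderAcl([string]$Folder) {
    $user       = Split-Path -Leaf $Folder
    $acl        = Get-Acl -LiteralPath $Folder
    $expected   = @(Get-ExpectedRules $user | ForEach-Object { $_.IdentityReference.Value })
    $actual     = @($acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    $missing    = @($expected | Where-Object { $_ -notin $actual })
    $unexpected = @($actual   | Where-Object { $_ -notin $expected })
    # The user's own entry must be Allow and must not exceed Modify (Synchronize is always
    # present on an Allow ACE, so it is masked out before comparing).
    $allowed = [int]([System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::Synchronize)
    $overGranted = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "$Domain\$user" -and
        ($_.AccessControlType -ne 'Allow' -or (([int]$_.FileSystemRights -band -bnot $allowed) -ne 0))
    })
    [pscustomobject]@{
        Folder      = $Folder
        Protected   = $acl.AreAccessRulesProtected   # inheritance from the root switched off?
        Missing     = $missing
        Unexpected  = $unexpected
        OverGranted = ($overGranted.Count -gt 0)
        Compliant   = ($acl.AreAccessRulesProtected -and $missing.Count -eq 0 -and
                       $unexpected.Count -eq 0 -and $overGranted.Count -eq 0)
    }
}

# Usage: audit every folder in the share root, show the drift, then fix only those folders.
$report = Get-ChildItem -LiteralPath $UsersRoot -Directory | ForEach-Object { Test-UserFolderAcl $_.FullName }
$report | Where-Object { -not $_.Compliant } | Format-Table Folder, Protected, Missing, Unexpected, OverGranted -AutoSize
$report | Where-Object { -not $_.Compliant } | ForEach-Object { Set-UserFolderAcl $_.Folder }
```

Run it as a Domain Admin from a machine where the share is reachable; the audit pass is read-only, so it is safe to schedule on its own and only hand the non-compliant folders to Set-UserFolderAcl. If your NAS exposes extra principals on every folder by design (SYSTEM, a backup account), add them to Get-ExpectedRules rather than ignoring the Unexpected column, otherwise a real stray "Everyone" or "Domain Users" entry will hide among the noise.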

These files have helped us run the domain's private user shares for 5 years now.
Feel free to use the scripts as you like.
