I am using ShareGate to migrate data from our network drive to our 365 SharePoint sites.
When doing a migration for certain folders I am getting errors that the SharePoint library cannot contain more than 50,000 unique permissions.
We primarily use security groups to add permissions to folders on the network drive but after the years we have had this data a lot of permissions are messed up and don't even allow admin accounts to change them.
To get around them I am using psexec to open PowerShell as NT Authority\System and run the following command to make Administrator owner of all the files/folders.
takeown /d Y /a /r /f "folder path"
After doing that I use icacls with the following two commands:
icacls "Folder path" /inheritancelevel:e /t /c /q
icacls "Folder path" /grant "username":f /t /c /q
For username I will use an administrator account to reduce issues with the ShareGate migration.
This has allowed access to all the files/folders within a main folder of a network drive, but after doing so I get errors for the 50k unique permissions.
I believe I've narrowed it down to icacls making every permission unique when I force add the username with full access. I have tried resetting permissions and forcing inherited permissions which will work for the folders and subfolders, but the files will not take the parent permissions and still recreate the permissions that they had before.
I am currently using PowerShell v2.0 on Windows Server 2008 R2. I have ShareGate version 16.0.0.
I installed PowerShell version 5.0 but have to restart the server after hours tonight so it can do the update and install.
Does anyone know how I would be able to make all permissions the same for future folders and also fix the current permissions so none are unique?
I am trying to change the default location of the documents folder using powershell or cmd specifically.
What I have tried:
I have tried changing both the shell folders and user folders registry path and restarted the computer but nothing happens:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Personal /t REG_EXPAND_SZ /d "C:\users\JatonJustice\desktop\testfolder"
But I still see it in the users folder in documents (even after restarting; the picture below is after restarting the computer):
I tried using the answer from here: Set location of Special Folders with PowerShell
However that didn't seem to do anything either:
If anyone has any ideas for this, that would be awesome. If I have to I guess I can use wshshell but that is the last resort.
I found out that reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Personal /t REG_EXPAND_SZ /d "C:\users\JatonJustice\desktop\testfolder" works, but when you are using an Azure domain account or an Amazon Workspace account, the registry location for the user shell folders will be in a different place.
You can verify the user location of the shell folder key by navigating to HKEY_CURRENT_USER and double checking which account you are in. There are accounts like .DEFAULT, or S-1-5-18 (SYSTEM ACCOUNT), etc.
I wanted to ask how one would check who has access to subfolders in a certain directory on a server using either the CMD or Powershell?
For NTFS permissions I like to use the NTFSSecurity PowerShell Module as the output is similar to the Windows permissions GUI.
It has simple commands for adding and removing permissions, which is an ugly process using the standard acls commands!
To see current NTFS permissions using this module:
Get-NTFSAccess -Path "\\server\share\folder"
Which would give an output like this:
You are looking for icacls. From cmd type icacls directoryname /t replacing directoryname with the actual directory name to display all of the access permissions for the directory and subdirectories. The /t flag specifies to look in subdirectories. For more info just type icacls into cmd or look at this link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
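For the question above about checking who has access to subfolders, and for the earlier question that suspects icacls /grant ... /t of leaving an explicit entry on every item, here is an added example (not from any of the posts) that uses only the built-in Get-Acl cmdlet to report every item carrying explicit, non-inherited entries. The $Root value is a placeholder, and -LiteralPath on Get-Acl assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: report items under a root that carry explicit (non-inherited) ACEs
# or have inheritance disabled. $Root is a placeholder path.
param([string]$Root = '\\server\share\folder')

$report = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; return }

        # Explicit ACEs are set on the item itself; inherited ones come from a parent folder.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        if ($explicit.Count -gt 0 -or $acl.AreAccessRulesProtected) {
            New-Object PSObject -Property @{
                Path                = $item.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
                ExplicitEntries     = ($explicit | ForEach-Object {
                    "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)"
                }) -join '; '
            }
        }
    }

# Items listed here differ from what their parent folder would give them by inheritance alone.
$report | Sort-Object Path | Format-List Path, InheritanceDisabled, ExplicitEntries
"{0} item(s) with explicit or protected ACLs under {1}" -f @($report).Count, $Root
```

Running it before and after a recursive icacls /grant shows whether the count of explicitly permissioned items changed.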
What I am trying to do is to backup a user profile from their local workstation to our backup servers and send me an email once it's complete. I currently have this in two different scripts. It would be nice if we could make this in one script. If I need two scripts, that won't be a problem.
The first script is the backup, and it has been working just fine.
robocopy C:\Users\TravisWhiteman.ArchwaySys\AppData \\10.1.10.6\WorkstationBackup\Test\AppData /mir /W:3 /R:1 /log:CopylogAppData.txt
robocopy C:\Users\TravisWhiteman.ArchwaySys\Desktop \\10.1.10.6\WorkstationBackup\Test\Desktop /mir /W:3 /R:1 /log:CopylogDesktop.txt
robocopy C:\Users\TravisWhiteman.ArchwaySys\Documents \\10.1.10.6\WorkstationBackup\Test\Documents /mir /W:3 /R:1 /log:CopylogDocuments.txt
robocopy C:\Users\TravisWhiteman.ArchwaySys\Downloads \\10.1.10.6\WorkstationBackup\Test\Downloads /mir /W:3 /R:1 /log:CopylogDownloads.txt
Now I want to add in a few features, and I don't know how. I want to change it from manually setting the user profile directory to having the system automatically find out who the user is. I think it's something like %USERNAME%. The goal of having the system figure the user out is so I don't have to change the C:\Users\TravisWhiteman.ArchwaySys for every workstation. All of our workstations turn on automatically, 10 min before the scheduled task to backup, in case a user were to shut off their computer.
Basically, what you need is the profile path of the currently logged on user for a list of remote computers.
Steps for each computer:
Get the currently logged on user's login name (here is the method I currently use)
Get the SID for this user - let's say $userSID (a method is described here)
Browse this registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$userSID on the remote computer, and read the value ProfileImagePath, it holds the local profile path for this user on this computer (example of remote registry access)
Convert the local path to a network path (C:\Users\... -> \\computerName\c$\Users)
Call robocopy and get some coffee (removed coffee from loop)
One could simply go for \\computer\c$\Users\$userLogin but as OP's example demonstrates, Windows sometimes appends your domain name to your user name in your local profile folder name, in quite an unpredictable fashion.
(the Remote Registry service must be running on the remote computers)
If the workstation was shut down and then awoken, I'd target the last modified folder in C:\Users.
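The steps listed above, put together as an added example (not code from the original answer). The computer names, the backup share and the folder list are placeholders, and it assumes the account running it is an administrator on each workstation, with the Remote Registry service and the c$ admin share reachable.

```powershell
# Added example: resolve the logged-on user's real profile folder per workstation, then mirror it.
# $Computers, $BackupRoot and $Folders are placeholders, not values from the page.
$Computers  = @('WORKSTATION01', 'WORKSTATION02')
$BackupRoot = '\\backupserver\WorkstationBackup'
$Folders    = @('AppData', 'Desktop', 'Documents', 'Downloads')

foreach ($computer in $Computers) {
    $hklm = $null
    try {
        # Step 1: console user as DOMAIN\login (empty when nobody is logged on at the console).
        $login = (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $computer -ErrorAction Stop).UserName
        if (-not $login) { Write-Warning "$computer : no interactive user"; continue }

        # Step 2: translate the account name to its SID.
        $sid = (New-Object System.Security.Principal.NTAccount($login)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value

        # Step 3: read ProfileImagePath from the remote ProfileList key (needs Remote Registry).
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $key  = $hklm.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid")
        if (-not $key) { Write-Warning "$computer : no local profile for $login"; continue }
        $localPath = $key.GetValue('ProfileImagePath')

        # Step 4: C:\Users\name -> \\computer\c$\Users\name
        $uncPath = '\\{0}\{1}$\{2}' -f $computer, $localPath.Substring(0, 1).ToLower(), $localPath.Substring(3)

        # Step 5: mirror each folder with the same robocopy switches the question uses.
        foreach ($folder in $Folders) {
            $dest = "$BackupRoot\$computer\$folder"
            & robocopy "$uncPath\$folder" $dest /MIR /W:3 /R:1 "/LOG:Copylog_${computer}_$folder.txt"
        }
    }
    catch   { Write-Warning "$computer : $($_.Exception.Message)" }
    finally { if ($hklm) { $hklm.Close() } }
}
```

Because the profile folder is read from ProfileList rather than built from the login name, a folder such as TravisWhiteman.ArchwaySys is picked up without special handling.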
I have a bunch of user directories on a Unix server not attached to active directory, but, nearly all the directories are named the same thing as their username in AD. I'm migrating my file server over to Windows, which is bound to AD, but the permissions aren't moving over.
What I need to do is somehow chown (takeown) all the directories in that user folder over to their AD user. In *nix, I'd do something like this:
cd /home
find * -maxdepth 0 -exec chown -R {} {} \;
But I can't seem to find anything with PowerShell that will do it. I get 90% of the way there, but end up with errors that it can't assign ownership, etc. This MAY be due to the SeRestorePrivilege, etc, but setting those doesn't seem to help either.
Does anyone have any suggestions, a solution, etc.?
File ownership doesn't matter as much in Windows as it does in Linux/Unix, because Windows ACLs are far more versatile than traditional Unix permissions. Just pass ownership to the Administrators group and grant full permissions to SYSTEM, the Administrators group, and the user whose directory it is, replacing the existing permissions. Use takeown and icacls to do so.
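# Each top-level directory name is assumed to match the AD user name.
Get-ChildItem 'D:\home' -Directory | ForEach-Object {
    $path = $_.FullName
    $user = $_.Name
    # Give ownership to the Administrators group (/a), recursively (/r).
    & takeown /f "$path" /r /a
    # Replace the explicit entries for these principals with inheritable Full control.
    & icacls "$path" '/grant:r' 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "DOMAIN\${user}:(OI)(CI)F"
}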
Add read/execute permissions for other users/groups as you see fit.
When navigating to C:\Users\%SomeUsername% as an administrator on a Windows 2008 R2 server I get the error You don't currently have permission to access this folder, Click Continue to permanently get access to this folder. Clicking Continue resolves this problem.
If I try the same by PowerShell (e.g. get-childitem 'C:\Users\' -Directory | get-childitem -Force; or some variant), any profiles to which I've not already granted myself access explicitly give the error Access to the path 'C:\Users\%SomeUsername%' is denied.; even with the Force switch included.
Is there a way to "click continue" via PowerShell; i.e. have the system give me access to anything which I don't strictly have access to, though as an administrator on the server can grant myself access to. Ideally this would be done as I access the files (e.g. by a switch on the Get-Item command) rather than having to code something to explicitly go through all files checking and amending permissions.
Make sure to start PowerShell with Run As Administrator. If you always want to run it as administrator, make a shortcut to powershell.exe and follow this image:
My mistake; I hadn't been running the PowerShell session as administrator (i.e. UAC).
right click on powershell.exe
run as administrator