WatchDirectory Forum
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl?num=1441104400

Message started by TonyF on Sep 1st, 2015 at 12:46pm

Title: Using WatchDirectory to set file security
Post by TonyF on Sep 1st, 2015 at 12:46pm
I set up a task to monitor a folder and when a new file is created in the folder to run a 'WD Test2.cmd' file (see attached txt version) that removes the existing security settings on the file and sets the security to prevent certain Active Directory groups from editing or deleting the file. When I save a file to the folder, the task works as expected and the security settings are modified, however when another user saves a file to the folder, the security settings are not modified.

I wondered if this was because the Watch Directory service account that is running the task does not have the privilege to take ownership of the file and then change the security settings.

Any advice on this matter would be appreciated.

Many thanks,

Tony
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl?action=downloadfile;file=WD_Test2.txt (0 KB | 134 )

Title: Re: Using WatchDirectory to set file security
Post by Gert on Sep 2nd, 2015 at 7:22am
Hello Tony,

It probably has to do with privileges; to be sure, you need to see the output of your script.

Create a new script, call it debugger.bat with the following content:

[code]
echo === %WD_FILE% >> "C:\temp\log.txt"
SET WD_ >> "C:\temp\log.txt"
call "C:\Bin\wd_test2.cmd"  >> "C:\temp\log.txt" 2>&1
echo =============================  >> "C:\temp\log.txt"
[/code]

and let WD run this new script instead. After a new file is found, the output of your script is inside c:\temp\log.txt.
The funny "2>&1" bit above makes sure error messages are also redirected to the log.txt file.

If you see "error 5" or "access denied" messages it is a privilege issue.

Do you run this task as a Windows Service? Then you can set the user/pwd of the service to "someone" who is a full admin of the computer; he should be able to take ownership.
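
Added example, not part of Gert's post or of WatchDirectory itself: a small Python triage of the log.txt layout that debugger.bat produces, listing the files whose script run hit "access denied" or "error 5". The function names, the sample paths and the sample message lines are assumptions constructed for illustration.

```python
import re
import sys

# Constructed sample in the layout debugger.bat writes; paths and messages are made up.
SAMPLE_LOG = r"""=== C:\watched\mine.docx
WD_FILE=C:\watched\mine.docx
processed file: C:\watched\mine.docx
=============================
=== C:\watched\theirs.docx
WD_FILE=C:\watched\theirs.docx
C:\watched\theirs.docx: Access is denied.
=============================
"""

# The two symptoms named in the thread; "error 5" must not match "error 53".
DENIED = re.compile(r"access (?:is )?denied|\berror 5\b", re.IGNORECASE)
END_OF_RUN = re.compile(r"^={10,}$")

def parse_log(text):
    """Split the log into one record per detected file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()  # echo leaves a trailing space before ">>"
        if END_OF_RUN.match(line):
            if current is not None:
                records.append(current)
            current = None
        elif line.startswith("=== "):
            if current is not None:  # previous run never reached its closing line
                records.append(current)
            current = {"file": line[4:], "env": {}, "output": []}
        elif current is not None and line:
            if line.startswith("WD_") and "=" in line:  # output of SET WD_
                name, value = line.split("=", 1)
                current["env"][name] = value
            else:
                current["output"].append(line)
    if current is not None:
        records.append(current)
    return records

def denied_files(records):
    """Files whose script output shows a privilege failure."""
    return [r["file"] for r in records if any(DENIED.search(l) for l in r["output"])]

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path in denied_files(parse_log(text)):
        print("access denied:", path)
```

Run it with the path to log.txt as the only argument; without an argument it uses the constructed sample.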

Title: Re: Using WatchDirectory to set file security
Post by TonyF on Sep 2nd, 2015 at 3:44pm
Hello Gert,

Many thanks for your prompt response. Great tip on sending the output to a log file :). I have done this now and for the files owned by the other user I get the 'access denied' message while for the files that I have created I get no error message. I attach the log file for your information.

Looks like I need to sort out the privileges of the account that is running the WatchDirectory task.

Thanks again.

Tony
http://www.watchdirectory.net/cgi-bin/yabb25/YaBB.pl?action=downloadfile;file=log.txt (9 KB | 138 )

Title: Re: Using WatchDirectory to set file security
Post by Dirk on Sep 2nd, 2015 at 4:00pm
Hi Tony,

For security reasons it's highly recommended to use MSA on Windows servers and not a user with dom admin rights for the service user. https://technet.microsoft.com/en-US/library/Dd378925(v=WS.10).aspx for W2008R2 servers

and

https://technet.microsoft.com/en-US/library/JJ128431.aspx for 2012R2
