WatchDirectory home page
WatchDirectory Startseite (Deutsche Version)
Site WatchDirectory (Français)
  Welcome, Guest. Please Login or Register
YaBB - Yet another Bulletin Board
   
  HomeHelpSearchLoginRegister  
 
Page Index Toggle Pages: 1
Using WatchDirectory to set file security (Read 1393 times)
TonyF
YaBB Newbies
*
Offline



Posts: 37
Using WatchDirectory to set file security
Sep 1st, 2015 at 12:46pm
 
I set up a task to monitor a folder and when a new file is created in the folder to run a 'WD Test2.cmd' file (see attached txt version) that removes the existing security settings on the file and sets the security to prevent certain Active Directory groups from editing or deleting the file. When I save a file to the folder, the task works as expected and the security settings are modified, however when another user saves a file to the folder, the security settings are not modified.

I wondered if this was because the Watch Directory service account that is running the task does not have the privilege to take ownership of the file and then change the security settings.

Any advice on this matter would be appreciated.

Many thanks,

Tony
Back to top
 

WD_Test2.txt (0 KB | 130 )
 
IP Logged
 
Gert
YaBB Administrator
*****
Offline



Posts: 2225
The Netherlands
Re: Using WatchDirectory to set file security
Reply #1 - Sep 2nd, 2015 at 7:22am
 
Hello Tony,

It probably has to do with privileges, to be sure you need to see the output of your script.

Create a new script, call it debugger.bat with the following content:

Code:
echo === %WD_FILE% >> "C:\temp\log.txt"
SET WD_ >> "C:\temp\log.txt"
call "C:\Bin\wd_test2.cmd"  >> "C:\temp\log.txt" 2>&1
echo =============================  >> "C:\temp\log.txt"
 



and let WD run this new script instead. After a new file is found, the output of your script is inside c:\temp\log.txt
The funny "2>&1" bit above makes sure also error messages are redirected to the log.txt file.

If you see "error 5" or "access denied" messages it is a privilege issue.

Do you run this task as a Windows Service? Then you can set the user/pwd of the service to "someone" who is a full admin of the computer, he should be able to take ownership.
Back to top
 

Gert Rijs - gert (at) gdpsoftware (dot) com
Blog: http://blog-en.gdpsoftware.com/
End Alzheimer's: http://www.alz.org&&...
WWW WWW GdPSoftware  
IP Logged
 
TonyF
YaBB Newbies
*
Offline



Posts: 37
Re: Using WatchDirectory to set file security
Reply #2 - Sep 2nd, 2015 at 3:44pm
 
Hello Gert,

Many thanks for your prompt response. Great tip on sending the output to a log file  Smiley . I have done this now and for the files owned by the other user I get the 'access denied' message while for the files that I have created I get no error message. I attach the log file for your information.

Looks like I need to sort out the privileges of the account that is running the WatchDirectory task.

Thanks again.

Tony
Back to top
 

log.txt (9 KB | 134 )
 
IP Logged
 
Dirk
YaBB Administrator
*****
Offline



Posts: 658
South Germany
Re: Using WatchDirectory to set file security
Reply #3 - Sep 2nd, 2015 at 4:00pm
 
Hi Tony,

for security reasons its highly recommend to use MSA on Windows servers and not a user with dom admin rights for the service user. https://technet.microsoft.com/en-US/library/Dd378925(v=WS.10).aspx for W2008R2 servers

and

https://technet.microsoft.com/en-US/library/JJ128431.aspx for 2012R2
Back to top
 

Viele Grüße / Best regards
Dirk - GdP Software

dirk [at] gdpsoftware [dot] com
http://blog-de.gdpsoftware.com
Webseite: http://www.gdpsoftware.com
WWW WWW  
IP Logged
 
Page Index Toggle Pages: 1