Brute Force vs. scripting

HCHTech

Almost all of my clients with servers are small, like less than 20 users usually. As a result, there is very little time advantage when I look at how to accomplish something. This means, I don't automate or script jobs that can also be done "manually". It also means I don't learn the scripting way, either.

Here is today's example: I'm fixing a security problem at a client. Each domain user has a home folder on the network. Each user has a "Scans" folder inside of that home folder. They have a copier that can scan to each user's "Scans" folder, and the copier was setup to use the DOMAIN ADMIN account to access those shares 🤦

So I create a new limited rights user on the domain and I want to give that user read/write rights to each user's scans folder so I can then change the copier setup to use the new limited user for access instead of the domain admin.

Brute Force: I could just log onto the production server, locate each user's "Scans" folder and add that user with read/write permissions. There are about 20 users at this client, so this "brute force" way of accomplishing this task would take about 20 minutes.

He-man Scripting: I'm sure there is some powershell command with a FOR EACH loop that would do this job in about 15 seconds. But I guarantee you it would take me more than 20 minutes to find the answer, mock it up, and test it (and inevitably troubleshoot problems) so that it would actually work. In the end, I gave up and did this manually. It took a little bit longer than 20 minutes, but that was mostly because of interruptions. So I got the task accomplished, but I'm also disappointed in myself again for NOT doing something the "right way".

If I had 1000 users, there would be no choice but to figure out how to script the job. If I only had 5 users, I would do it manually every time. 20 users is somewhere in the middle, so I don't feel too bad, but I'm still disappointed I guess.

How would YOU have done this job?
 
What you need to consider is that when you have a situation like this you have both the luxury of time for experimenting and developing your scripting skills AND the ability to reasonably undertake "by hand" damage control were something to go wrong.

To me, it's way more nerve-wracking if/when I'm faced with the thousand-seat situation where it is possible, despite all efforts to make sure everything is *perfect*, that if it isn't there is not a viable "by hand" way to undo the mess.

I find low-pressure situations far more amenable to skill-development than high-pressure ones.

But you are correct that this is right in the tipping point zone. Depending on what else I have to do I might do it quickly by hand if other pressing issues were calling my name. But if they're not, this is the time to do your research and skill development.
 
I'd be peeling the "scans" folder to a more neutral location, not inside the users home/redirection where you already have complex permissions.

Good job ditching the domain admin creds...that's a HUGE no-no. Compliance audits on the network will pick up too many permissions on MFP credentials for server file deposits; you should have separate credentials for low level access, mid level access, high level access etc. In other words....scan destinations in the "common folders" should not be same creds as those used to go to say, HR, or Admin scan destinations.

But yeah, my MO back in the on prem server days has always been to have a "Scan" folder on the file server, break up sub folders under that with permissions. These days, email to a Teams channel with Power Automate to save the file in the doc library there.
 
Even if it took me 20 minutes to script VS 15 minutes to do manually, I would still prefer scripting.

Why? Because it's a task I can see a high likelihood of being repeatable. Next time I come across a similar situation I can re-use the same script, maybe with a few small tweaks, and have the job done in a few minutes. That's where the real time savings of scripting comes in - repeatable tasks and automation.

Plus, you get to learn scripting languages somewhat passively in the process.
 
Even if it took me 20 minutes to script VS 15 minutes to do manually, I would still prefer scripting.

My experience when I actually DO have some spare time to work it out is that it takes me an HOUR to produce something that 90% works, but I can never get that last problem solved, so I give up and do it manually anyway. I've hated programming every time I ever got close to it - all the way back to taking FORTRAN in college! I should have paid more attention back when my brain was able to learn new things... 10-line batch files I can live with, but I get overwhelmed fast when anything complicated is required.
 
I'd be peeling the "scans" folder to a more neutral location, not inside the users home/redirection where you already have complex permissions.

If I was setting it up new, that would make more sense, but they've been doing it this way (with the scan folder under the user folder) for a long time, so want to keep it that way if we can. Inertia is a common enemy of security it seems.
 
@HCHTech I recall I had a script I'd run on clients I took over, where there were user redirected folders (docs, desktop, etc)....but whoever set them up never gave the domain admin privvies to 'em. I always insist on having that, for the purpose of copying them over when someone leaves, handing files to someone else.

I'll try to dig up that script and give it to ya,
 
They have a copier that can scan to each user's "Scans" folder, and the copier was setup to use the DOMAIN ADMIN account to access those shares 🤦
Just so I'm clear on this. On the AIO there's a mess of destinations, "mail boxes", for the scanning function? But on the AIO, each scan destination entry, while mapped to each user scan folder, uses the one credential for authentication?

Are all the machines on the domain? If so just create a group, say userscans, dump all the users into it and then create a Domain GPO? I did something similar for personal folders after doing manually for a while. Now I have the Personal shares automatically mapping for every one. Of course you'll still have to deal with the AIO itself.
 
On the AIO there's a mess of destinations, "mail boxes", for the scanning function? But on the AIO, each scan destination entry, while mapped to each user scan folder, uses the one credential for authentication?
Yes, and the domain user for that credential is given R/W access to the destination folder under each user's home folder (which is originally set on the Profile tab of the ADUC user object). I'm sure it was done that way in the beginning to avoid having to mess with the copiers every time a user changed their password. Originally, the one credential was the domain admin, I just changed it to a restricted user. As a result, I had to touch each of those "scans" folders and give that new restricted user R/W access - well, I suppose I only need W access, but I'm not doing it again! :) Oh, and just for fun, they have TWO copiers, and you can't import/export the address book, so this whole thing needs to be done TWICE.

So what does your GPO do exactly? I didn't really consider re-thinking the whole process of how this works.
 

It shouldn't be a difficult script to throw together. I'm not a powershell expert but it sounds like you're looking at Get-ChildItem to filter the Scans subfolders from all your user folders, then doing a foreach loop and using Get-ACL and Set-ACL to update the ACL on the folder.

Quick Google, this is probably 90% there...

You would just need to modify Get-ChildItem command to filter out only the Scans subfolders and not every folder.
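The Get-ChildItem / foreach / Get-Acl / Set-Acl approach described in this reply (and the task the original post lays out), written out as an added example rather than code from the thread. The home-folder root, the restricted account name and the "Scans" layout are assumptions; the rights default to read/write without Delete, and -WhatIf lets you preview before touching the production server.

```powershell
# Added example: grant a restricted scan account access to every user's "Scans"
# subfolder. Paths and account name below are assumed placeholders.
param(
    [string]$HomeRoot    = 'D:\Users',               # assumed home-folder root
    [string]$ScanAccount = 'CONTOSO\svc-scans',      # assumed restricted account
    # Read/write as in the thread, without Delete; narrow to 'Write' if enough.
    [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute, Write',
    [switch]$WhatIf
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $ScanAccount, $Rights, $inherit, $prop, 'Allow'

# Only the "Scans" folder directly under each home folder, not every subfolder.
$scanFolders = Get-ChildItem -Path $HomeRoot -Directory |
    ForEach-Object { Join-Path $_.FullName 'Scans' } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container }

foreach ($folder in $scanFolders) {
    $acl = Get-Acl -LiteralPath $folder

    # Skip folders where the account already has at least the requested rights,
    # so the script is safe to re-run (e.g. for the second copier's account).
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ScanAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Rights) -eq $Rights)
    }
    if ($already) { Write-Host "Already set: $folder"; continue }

    $acl.AddAccessRule($rule)
    if ($WhatIf) {
        Write-Host "Would grant '$Rights' to $ScanAccount on $folder"
    } else {
        Set-Acl -LiteralPath $folder -AclObject $acl
        Write-Host "Granted '$Rights' to $ScanAccount on $folder"
    }
}
```

Run it once with -WhatIf to see the list of folders it would change, then without; the pre-check means re-running after a partial failure only touches the folders that were missed.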
 
Yes, and the domain user for that credential is given R/W access to the destination folder under each user's home folder (which is originally set on the Profile tab of the ADUC user object). I'm sure it was done that way in the beginning to avoid having to mess with the copiers every time a user changed their password. Originally, the one credential was the domain admin, I just changed it to a restricted user. As a result, I had to touch each of those "scans" folders and give that new restricted user R/W access - well, I suppose I only need W access, but I'm not doing it again! :) Oh, and just for fun, they have TWO copiers, and you can't import/export the address book, so this whole thing needs to be done TWICE.

So what does your GPO do exactly? I didn't really consider re-thinking the whole process of how this works.
Sorry for the delay in getting back. I'll upload something by this evening.
 