<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bohack &#187; Microsoft</title>
	<atom:link href="http://www.bohack.com/tag/microsoft/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bohack.com</link>
	<description>Check In and Tune Out!</description>
	<lastBuildDate>Wed, 24 Feb 2010 18:55:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>Dell OpenManage Problem &#8211; Hangs at Precopy Preparation</title>
		<link>http://www.bohack.com/2010/01/dell-openmanage-problem-hangs-at-precopy-preparation/</link>
		<comments>http://www.bohack.com/2010/01/dell-openmanage-problem-hangs-at-precopy-preparation/#comments</comments>
		<pubDate>Thu, 07 Jan 2010 21:39:11 +0000</pubDate>
		<dc:creator>Bohack</dc:creator>
				<category><![CDATA[Windows]]></category>
		<category><![CDATA[Dell]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.bohack.com/?p=375</guid>
		<description><![CDATA[The Dell OpenManage DVD will hang at Precopy Preparation if burnt improperly to a DVD.]]></description>
			<content:encoded><![CDATA[<p>When you purchase a Dell server you can also purchase the OpenManage software, in which case Dell ships you the media. OpenManage is the software that installs the maintenance partition, automates the operating system install and applies firmware updates. However, if you did not get media with your server or you want the latest version of the software, you might run into a problem if you download it with Internet Explorer and never read the instructions.</p>
<p><span id="more-375"></span>If you are looking for the latest OpenManage software for your servers, the first step is to go to http://support.dell.com and click on “Drivers and Downloads”. Next you will be prompted for the service tag or model of the unit you need OpenManage for. Select “Systems Management” and search for “DVD ISO &#8211; Dell Systems Management Tools and Documentation”, then select “More Download Options” on the right-hand side. This selection might prompt you for the service tag, since OpenManage is model specific, so have the service tag handy.</p>
<p>Here you will find the DVD ISO image files OM_6.2.0_SMTD_A00.iso.001 and OM_6.2.0_SMTD_A00.iso.002. These are not ISO files in their own right; each is actually half of the ISO file. So if you burn the first file, the disc will boot and be functional until you get to “Precopy Preparation”, where it will hang at around 15% or 17%.</p>
<a href="http://www.bohack.com/wp-content/uploads/2010/01/dell-precopy-hang.jpg"  rel="lightbox[375]"  class="lightbox"><img src="http://www.bohack.com/wp-content/uploads/2010/01/dell-precopy-hang.jpg" alt="Dell Precopy Preparation Hang" title="dell-precopy-hang" width="400" height="293" class="aligncenter size-full wp-image-379" /></a>
<p>To fix the problem of OpenManage hanging at the “Precopy Preparation” stage, download both files, 001 and 002, and place them in a folder where you will concatenate them into one file. This process is described under the instructions, but it is not documented anywhere else on the download page. So you think there are two separate ISO files and burn them, only to find that the first boots and hangs.</p>
<p>Dell does this to address a browser limitation around downloading large files (see Microsoft KB article 298618: You cannot download files that are 2 GB or larger &#8211; <a href="http://support.microsoft.com/kb/298618" target="_blank">http://support.microsoft.com/kb/298618</a>). Dell Systems Management Tools and Documentation DVD is no longer available as a single ISO for web download.</p>
<p><strong>Process:</strong></p>
<p>1. Download the two ISO file segments to an empty folder.<br />
2. Run the command to concatenate them into one file.</p>
<pre>copy /b OM_6.2.0_SMTD_A00.iso.001+OM_6.2.0_SMTD_A00.iso.002 OM_620_SMTD_A00.iso</pre>
<p>3. Burn the OM_620_SMTD_A00.iso file to DVD.</p>
<p>If you are running Linux the command is:</p>
<pre>cat OM_6.2.0_SMTD_A00.iso.001 OM_6.2.0_SMTD_A00.iso.002 &gt; OM_620_SMTD_A00.iso</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.bohack.com/2010/01/dell-openmanage-problem-hangs-at-precopy-preparation/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Mastering Permissions with icacls.exe Command thru the GUI</title>
		<link>http://www.bohack.com/2009/12/mastering-permissions-with-icacls-exe-command-thru-the-gui/</link>
		<comments>http://www.bohack.com/2009/12/mastering-permissions-with-icacls-exe-command-thru-the-gui/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 15:41:37 +0000</pubDate>
		<dc:creator>Bohack</dc:creator>
				<category><![CDATA[Windows]]></category>
		<category><![CDATA[CMD]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://www.bohack.com/?p=350</guid>
		<description><![CDATA[The key to mastering permissions at the command line in Vista and Windows Server 2008 is learning the icacls.exe command. With the introduction of Windows Vista, you can no longer select multiple items like folders and files and apply permissions to a group of objects.]]></description>
			<content:encoded><![CDATA[<p>The key to mastering permissions at the command line in Vista and Windows Server 2008 is learning the icacls.exe command. With the introduction of Windows Vista, you can no longer select multiple items like folders and files and apply permissions to a group of objects. The recommended way is to use the command line and the icacls.exe command.</p>
<p><span id="more-350"></span><br />
The icacls.exe command was introduced in Windows 2003 Service Pack 2. It now comes installed by default in Windows Vista, Windows Server 2008 (R2) and Windows 7. So administrators will need to learn this command sooner or later. Recently I found the tool to be very flexible and I extensively documented the options. I mapped the different command line options to the GUI, for the network admins that need the GUI to understand how to use the command line.</p>
<p>The first point that should be made about icacls.exe is that it defaults to edit mode. The original cacls command defaults to replace mode. Next are the commands:</p>
<pre>/grant grants permissions to a user; it is the add option in the GUI.
/remove removes the user from the DACL and is equivalent to
 the remove option in the GUI.

Note: /remove:g will remove only grants for the user
      and /remove:d will remove only denies for the user.

/deny is equivalent to the deny column in the GUI
 and should always be used cautiously.
/setowner is a handy little command which allows you to change
 the ownership of a file or folder to another user;
 this is similar to the Linux chown command.
/findsid finds entries in a DACL for a specified SID or user.
/setintegritylevel is a bit out of the scope of this article
 and may be covered in a future article.</pre>
<p>The icacls command also has an /inheritance option, which controls the same setting as the “Include inheritable permissions from this object’s parent” check box in the GUI. Un-checking that box presents you with the question of how to proceed: copy the permissions or remove all existing permissions. At the command line you can specify:</p>
<pre>/inheritance:e to enable same as a check box in the GUI.
/inheritance:d to disable and copy the permissions
 from the parent same as the GUI.
/inheritance:r to disable and remove the
 current permissions again same as the GUI.</pre>
<a href="http://www.bohack.com/wp-content/uploads/2009/12/icacls-gui.jpg"  rel="lightbox[350]"  class="lightbox"><img src="http://www.bohack.com/wp-content/uploads/photojar/cache/icacls-gui-150x150-1-img355.jpg" alt="Windows GUI mapped to icacls commands" title="icacls-gui" width="150" height="150" class="aligncenter size-thumbnail wp-image-355" /></a>
<p>The next thing to learn is how inheritance is propagated for permissions. When using either the /grant or /deny statement you build the permissions as <em>/grant {user}:{inheritance}{permissions}</em>, with each element enclosed in parentheses. The default in Windows when applying permissions in the GUI is “This folder, subfolders and files”, but to achieve that default at the command line you need to use <em>/grant {user}:(OI)(CI){permissions}</em>, with the permissions enclosed in parentheses. The table below helps you formulate the inheritance for permissions:</p>
<pre>Applies to                          Inheritance flags
This folder only                    (none)
This folder, subfolders and files   (OI)(CI)
This folder and subfolders          (CI)
This folder and files               (OI)
Subfolders and files only           (OI)(CI)(NP)(IO)
Subfolders only                     (CI)(IO)
Files only                          (OI)(IO)</pre>
<p>The last thing to learn is the permissions. You can use macro permissions, which are also called simple permissions, or you can use advanced permissions. The simple permissions are the permissions found in the first properties tab under security. The advanced permissions are what you get when you select advanced and see the full permissions list. So, building on the permissions line from above, if we wanted to grant testuser modify permissions on the folder test so that all subfolders and files inherit them, the line would be ‘<em>icacls test /grant testuser:(OI)(CI)(M)</em>’.</p>
<pre>Simple Permissions

Full Control (F)
Modify (M)
Read &amp; Execute (RX)
List Folder Contents (X,RD,RA,REA,RC)
Read (R)
Write (W)

Advanced Permissions

Full Control (F)
Traverse folder / execute file (X)
List folder / read data (RD)
Read attributes (RA)
Read extended attributes (REA)
Create file / write data (WD)
Create folders / append data (AD)
Write attributes (WA)
Write extended attributes (WEA)
Delete subfolders and files (DC)
Delete (D)
Read permissions (RC)
Change permissions (WDAC)
Take ownership (WO)</pre>
<p>When you master this command you will be able to do anything with permissions from the command line, including understanding SDDL, the Security Descriptor Definition Language, which Microsoft uses to create group policy permissions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bohack.com/2009/12/mastering-permissions-with-icacls-exe-command-thru-the-gui/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mac OS X Permissions Problems with Window Server 2003 R2</title>
		<link>http://www.bohack.com/2009/12/mac-os-x-permissions-problems-with-window-server-2003-r2/</link>
		<comments>http://www.bohack.com/2009/12/mac-os-x-permissions-problems-with-window-server-2003-r2/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 03:11:34 +0000</pubDate>
		<dc:creator>Bohack</dc:creator>
				<category><![CDATA[Windows]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[OSX]]></category>

		<guid isPermaLink="false">http://www.bohack.com/?p=336</guid>
		<description><![CDATA[A user on a Mac OS X client will not be able to drag files into the folder or perform a copy procedure; the attempt results in the error: "You may need to enter the name and password for an administrator on this computer to change the item name "item-name"."]]></description>
			<content:encoded><![CDATA[<p>Recently I found a problem when using Mac OS X and Windows Server 2003 R2 as a file server. The problem exists in the permissions that are applied to user folders. When applying permissions to shares you normally start out with a very restrictive permission structure at the top. As you create the folders you add permissions for users and groups to permit and restrict access for others. This structure of permissions is very common in dealing with corporate shares. We also share the folder with ‘domain users’ only having change or modify access to the entire share. This eliminates people applying their own permissions and locking everyone out including themselves. This is a common task for a network admin in setting up permissions.<br />
<span id="more-336"></span><br />
We have a Windows Server 2003 R2 file server with a directory called ‘Drives’. This directory is shared with ‘Domain Admins’ and ‘System’ having Full Control and ‘Domain Users’ having Change control. Under this directory the permissions are structured as follows at the NTFS level. Domain Users have Read permissions only to the folder, and this does not inherit down to other folders. This allows a Domain User to read the directory names, but not access the contents of each of the folders. Each folder at this level is named according to the user that owns the content. On these folders we add the domain user’s username with Change control and we allow the permissions to inherit to all child folders and files below.</p>
<p>The problem exists when you use a script to create the folders and apply the permissions using the cacls.exe command on a Windows 2003 R2 server. A user on a Mac OS X client will not be able to drag files into the folder on a Windows 2003 R2 server share or perform a copy procedure; the attempt results in the error: <strong>&#8220;You may need to enter the name and password for an administrator on this computer to change the item name &#8220;item-name&#8221;.&#8221;</strong> You may also see the exclamation error <strong>&#8220;Couldn&#8217;t open the file. It may be corrupt or a file format that Preview doesn&#8217;t recognize.&#8221;</strong> if the file has a preview fork attached. After much reading on this problem I was almost convinced that it was an OS X bug, but I realize now it is actually a flaw in the cacls command. We use a script similar to the snippet of code below to create the directories.</p>
<pre>mkdir \\server\share\userdir
cacls \\server\share\userdir /e /t /g userdir:c

explanation:

cacls {file or folder} /e {edits} /t {changes on all sub directories} /g {grants} userdir:c {user:permission of change}</pre>
<p>The problem was solved using the command that was introduced in Vista and Server 2003 R2 called icacls.exe. The icacls tool is now included in Windows Server Service Pack 2 and is standard in Vista. This command allows you to set inheritance, which is the root cause of the problem. The inheritance properties were first introduced in NTFS 5.0 with Windows 2000, however something has changed recently in the OS X 10.5 software or Windows Server 2003 R2. The problem also exists in Windows Server 2008 and Windows Server 2008 R2 so the problem is not going away and I am guessing it is OSX at fault.</p>
<p>When setting a directory with the code above, if you use the icacls command to export the permissions structure out to a file you can see the problem. This will export the security into Microsoft’s SDDL language which is documented here http://msdn.microsoft.com/en-us/library/aa379567(VS.85).aspx.</p>
<pre>icacls.exe \\server\share\userdir /save aclfile.txt

notepad.exe aclfile.txt

D:(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) (A;OICIID;FA;;;DA)(A;OICIID;FA;;;SY)
(user:change) (domain admin:full) (system:full)</pre>
<p>The problem is not evident until we set the permission properly with the icacls.exe command.</p>
<pre>icacls \\server\share\userdir /t /c /grant userdir:(OI)(CI)M

explanation:

icacls {file or folder} /t {changes on all sub directories} /c {continues on file errors} /grant {grants} userdir:(OI)(CI) {see below}M {change/modify}

CI CONTAINER INHERIT
OI OBJECT INHERIT
NP NO PROPAGATE INHERIT
IO INHERIT ONLY
ID INHERITED
SA SUCCESSFUL ACCESS FLAG
FA FAILED ACCESS FLAG

Complete list http://msdn.microsoft.com/en-us/library/aa374928(VS.85).aspx

D:AI(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) (A;OICIID;FA;;;DA)(A;OICIID;FA;;;SY)

Explanation:

D: - Defines the DACL
AI - is the MISSING Auto Inheritance Flag
(A;OICI;0x1301bf;;;S-1-5-21-123456789-123456789-123456789-12345) - is the user’s SID and permissions
(A;OICIID;FA;;;DA) - is the “Domain Admin” permissions identified by the trailing DA
(A;OICIID;FA;;;SY) - is the “System” permissions identified by the trailing SY</pre>
<p>The AI in the DACL, or Discretionary Access Control List, is missing when using the cacls command. My guess is that the client, when using Windows, is responsible for the completion and writing of the DACL. When a Mac OS X client copies a file it utilizes SAMBA, which does not carry the DACL, and consequently fails. This would explain the empty file that gets created when an OS X client drags and drops the file. The file entry gets created, but it inherits only the original permissions that have inheritance from above. This same problem could also exist on Linux or UNIX using SAMBA, since it is SAMBA that drops the ball.</p>
<p>The Fix:</p>
<p>Use ‘icacls \\server\share\userdir /t /c /grant username:(OI)(CI)M’ to grant access to NTFS folders and replace all entries in scripts using the cacls command.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bohack.com/2009/12/mac-os-x-permissions-problems-with-window-server-2003-r2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
