Recently I fixed file server permission issues for one of my clients. The client has 1800 users and one Windows Server 2008 R2 domain-joined file server with 12 TB of data, 250+ shared folders and a folder structure five levels deep. All shared folder access is granted per user and no groups are defined, so the folder access control lists (ACLs) have become exhausted.
The file server is a member of one domain, and since the client has acquired another company, we have to grant the second company's users (in another domain) appropriate rights to the file server data. The domain-level trust is already in place.
On many folders, administrators don't even have read access and can't check the folder ACL. They cannot see the folder owner and cannot access the folder, so they are unable to manage file server access at all.
I am not even able to see the folder owner:
If I click Yes here, all existing permissions will be destroyed and replaced by full control for me (in addition to ownership), which is not the objective. I am forced to click No, and I immediately get the following warning messages:
Unless I get folder ownership, I can't add or modify anybody, including myself, on the folder's access control list.
The root cause of this problem is that multiple users have Full Control NTFS permissions on the root folder. Some smart users have removed the built-in Administrators group from the access control list and from the owner tab. The CREATOR OWNER group is listed on the ACL of the folders, so the user who creates files and folders automatically becomes their owner. The permissions model has become complicated: access is granted at user level instead of through groups, which is difficult to track.
NTFS Folder ownership
Ownership can be taken by
Ownership can be transferred in the following ways:
If you look at the above diagram, there is a special group called CREATOR OWNER. This group is inherited from the drive root, and because of it the person who creates files and folders is automatically assigned ownership of those files and folders as long as the group is listed on the ACL.
I have shared folders ranging in size from 10 GB to 250 GB; I need a method to take ownership of all folders without destroying the existing folder permissions.
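As an added example (not part of the original post), the following PowerShell script audits a share tree for the three conditions described above: folders where the built-in Administrators group lacks Full Control, folders that carry a CREATOR OWNER entry, and folders with explicit (non-inherited) entries, which is where the per-user grants accumulate. It assumes you can already read the ACLs, and `$Root` is a constructed path.

```powershell
# Added example, not from the original post: report the ACL conditions described
# above for every folder under $Root. Assumes the ACLs are readable (run it after
# taking ownership); $Root is a constructed value.
param([string]$Root = 'D:\Shares')

$sidType    = [System.Security.Principal.SecurityIdentifier]
$adminsSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators
$creatorSid = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'        # CREATOR OWNER
$full       = [System.Security.AccessControl.FileSystemRights]::FullControl

$report = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $path = $_.FullName
    try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
    catch { Write-Warning "ACL not readable: $path"; return }

    # Identities are returned as SIDs so the checks do not depend on display names.
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    $adminsFull = [bool]($rules | Where-Object {
        $_.IdentityReference -eq $adminsSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full })
    $hasCreatorOwner = [bool]($rules | Where-Object { $_.IdentityReference -eq $creatorSid })

    # Explicit (non-inherited) ACEs: translate each SID to DOMAIN\name where possible;
    # a SID that no longer resolves (deleted account) is reported as the raw SID.
    $explicit = $rules | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $id = $_.IdentityReference
        try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $id.Value }
    }

    [pscustomobject]@{
        Path            = $path
        Owner           = $acl.Owner
        AdminsFull      = $adminsFull
        CreatorOwnerAce = $hasCreatorOwner
        ExplicitAces    = ($explicit | Sort-Object -Unique) -join ';'
    }
  }

# Folders an administrator cannot fully manage, or that carry explicit per-account grants
$report | Where-Object { -not $_.AdminsFull -or $_.ExplicitAces } |
    Export-Csv -LiteralPath (Join-Path $env:TEMP 'acl-audit.csv') -NoTypeInformation
$report | Group-Object AdminsFull | Select-Object Name, Count
```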
There are TWO options left:
Either I take folder ownership from top to bottom without destroying the existing permissions,
or I find a user who already has full control on the folder and can grant my admin account access to it, and I take it from there. There are multiple free tools available on the internet to accomplish the first option. Membership in the server's local Administrators group is the minimum prerequisite for using any of them.
Takeown – Built-in tool available in Windows-based systems for managing folder ownership
Takeown has its own limitations and can destroy existing NTFS permissions in addition to taking folder ownership. To take ownership with Takeown without destroying existing permissions, you must have at least read permission on the folder and its files; otherwise you cannot take ownership. So the verdict is: until you have ownership of all subfolders and files, you have to run the two commands below, one after the other, again and again.
takeown /f <directory path> /r /a
where /f stands for file or folder, /r stands for recursive and /a assigns ownership to the Administrators group.
icacls <directory path> /grant administrators:f /t
where the /t switch takes care of subfolders and files and f stands for full control permission.
Example:
takeown /f C:\TFolders /r /a
icacls C:\TFolders /grant administrators:f /t
In the above example Takeown assigns ownership of the "C:\TFolders" root folder only to the Administrators group, even though you specified the /r switch for recursive ownership, because you do not have read permission on the subfolders and files. If you press Y when prompted, all folder permissions are destroyed and only your admin account is granted full control. You can add the /D switch with a Y or N parameter to suppress every permission replacement prompt. At this point you own only the root folder; you still have no ownership of the subfolders, nor any permission on the root folder or its subfolders.
This is the same case when you try to take folder ownership from the GUI in recursive mode:
Now that you have ownership of the root folder, you need to run the command below with the built-in Icacls utility to grant administrators full control. It grants administrators full control on the root folder only, because you don't yet have ownership of the subfolders and files.
In the above diagram there is still one access denied error. You need to run both commands repeatedly until you have ownership of and access to the entire folder. Then you can manage all aspects of that folder.
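The "run both commands again and again" step above can be automated. As an added example (not part of the original post), this PowerShell script first saves the current owner and DACL of every readable object as SDDL, then repeats the takeown/icacls pair until icacls reports no failures or stops making progress. It assumes an elevated prompt and local Administrators membership; `$Root`, `$MaxPasses` and the backup path are constructed values.

```powershell
# Added example, not from the original post: back up the current security
# descriptors, then repeat the takeown/icacls pair until icacls reports no
# failures. Assumes an elevated prompt and local Administrators membership.
param([string]$Root = 'C:\TFolders', [int]$MaxPasses = 20)

# 1. Back up owner + DACL as SDDL strings for everything we can already read.
#    Objects that are still unreadable are skipped; re-run the backup once
#    access is gained if you want a complete snapshot.
$backup = Join-Path $env:TEMP ("acl-backup-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.FullName
        try { [pscustomobject]@{ Path = $p; Sddl = (Get-Acl -LiteralPath $p -ErrorAction Stop).Sddl } }
        catch { Write-Warning "Not readable yet, not backed up: $p" }
    } | Export-Csv -LiteralPath $backup -NoTypeInformation
Write-Host "ACL backup written to $backup"

# 2. Iterate. "takeown /d n" answers No to the replace-permissions prompt, so the
#    existing ACLs are kept and folders that are still unreadable are skipped on
#    that pass. "icacls /c" continues past errors and prints a summary line
#    "Successfully processed X files; Failed processing N files".
$previousFailed = -1
for ($pass = 1; $pass -le $MaxPasses; $pass++) {
    takeown /f $Root /r /a /d n | Out-Null
    # *S-1-5-32-544 is the built-in Administrators SID, so this works on any OS language.
    $summary = icacls $Root /grant '*S-1-5-32-544:F' /t /c 2>&1 | Out-String
    $failed = if ($summary -match 'Failed processing (\d+) files') { [int]$Matches[1] } else { -1 }
    Write-Host "Pass ${pass}: icacls failures = $failed"
    if ($failed -eq 0) { break }
    if ($failed -eq $previousFailed) {
        Write-Warning 'No progress since the last pass; the remaining objects need Subinacl/SetACL or are in use.'
        break
    }
    $previousFailed = $failed
}
```

The saved SDDL strings can be reapplied per path with Set-Acl if a pass goes wrong, which is the same safety net the Subinacl /output and /playfile switches provide further down.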
Subinacl – Free utility available from Microsoft
SetACL and Subinacl are very powerful tools and can do much more than Takeown. I prefer them over the Takeown utility. Their major advantage is that they can take ownership of an entire folder, including subfolders and files, in one shot, regardless of the access permissions and without destroying the existing permissions, even if you don't have read permission on the folder root, subfolders or files.
Syntax of command:
Syntax: Subinacl /noverbose /Subdirectories <Directory Path> <action parameter>
Examples:
To take ownership of the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /setowner=administrators
To take ownership of all subfolders and files underneath the root folder:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /setowner=administrators
To grant administrators full control on the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /grant=administrators=f
To grant administrators full control on all subfolders and files underneath the folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /grant=administrators=f
The example below shows how to take folder ownership and access with the Subinacl tool. It takes ownership of the root folder and all subfolders and files, and grants full control to the built-in Administrators group, without destroying any existing permissions.
The Subinacl utility gives you one additional facility: you can back up the NTFS security, along with ownership, of an entire folder before making any changes. If you make a mistake while taking folder ownership or modifying the folder access control list, you can restore the entire NTFS access control list.
Syntax of command:
Subinacl /noverbose <action parameter> /subdirectories <Directory path>
To back up the NTFS permissions of the root folder:
Subinacl /noverbose /output=C:\TFolders_Root.txt /subdirectories C:\TFolders
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Root.txt /subdirectories "C:\My Data"
To back up the NTFS permissions of all subfolders and files underneath the root folder:
Subinacl /noverbose /output=C:\TFolders_Child.txt /subdirectories C:\TFolders\
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Child.txt /subdirectories "C:\My Data\*"
To restore the NTFS permissions on the folder root:
Subinacl /noverbose /playfile C:\TFolders_Root.txt
To restore the NTFS permissions on the subfolders:
Subinacl /noverbose /playfile C:\TFolders_Child.txt
The first command restores security on the root folder (C:\TFolders); the second restores security on all subfolders and files underneath the folder root (C:\TFolders\*).
The Subinacl command line reference help file is attached here subinacl.zip
The SetACL command line version is freeware. There is no need to install it, as it is a standalone .exe file: download it and run it from an elevated command prompt. This utility works as well as Subinacl and is capable of taking folder ownership and granting folder access without destroying the existing folder permissions.
Syntax of command:
SetAcl -on <Directory Path> -ot <object type> -actn <parameter> -rec cont_obj -silent
Where:
-on stands for "object name", the name of the directory
-ot stands for "object type"
-actn stands for the action to be performed, setting the owner (setowner) in our case
-rec stands for recursive action, carried out on all subfolders and files (cont_obj)
-silent means no output is printed on screen
Examples:
To set the owner on the entire folder:
SetAcl -on C:\TFolders -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
To grant the Administrators group full control on the entire folder:
SetAcl -on C:\TFolders -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
The above commands assign ownership of the entire folder to the built-in Administrators group and grant it full control, without destroying any existing folder permissions. You can refer to the SetAcl online command reference for more information: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/
Some best practices about setting up standard share folders to minimize management efforts: