Solved

File security, moving files

Posted on 2002-07-10
Last Modified: 2012-05-05
Dir1 has ACL of name1, with new inheritance
Dir2 has ACL of name2, with new inheritance
If I move a directory "test" from dir1 to dir2,
where does the directory test inherit its ACL security from? dir1 or dir2?
Seems to me to be from old parent dir1, isn't this messy?
Question by:Gunsen
 
LVL 17

Accepted Solution

by:
mikecr earned 200 total points
ID: 7143104
Files and folders will always inherit permissions from the root folder that they are copied/moved into, if, they are moved from one partition to another. However, if they are moved within the same partition they keep their permissions.
0
 
LVL 2

Expert Comment

by:jehob
ID: 7143120
"Test" will maintain its permissions from 'dir1' after being moved because the inherited permissions are not automatically updated. The permissions will not be changed until the next time the parent propagates its permissions, which occurs when permissions are changed or when inheritance is disabled and then re-enabled for the parent directory. Either of these two actions forces the parent to propagate its permissions.

So the bottom line is: 'Test' will inherit its permissions from 'Dir2', however this inheritance will not take place until the next time permissions for the parent directory are propagated.

Hopefully this will help you out!
0
 
LVL 17

Expert Comment

by:mikecr
ID: 7143197
Keep in mind, Jehob, that if the box is unchecked on the original folder to inherit permissions from parent, permissions won't be inherited from anywhere as long as it is on the same partition. Only if moved to another partition will this take effect. You would need to reset and propagate permissions on the whole directory structure to overcome this.
0
 
LVL 2

Expert Comment

by:jehob
ID: 7143213
Thanks mikecr! That's a very good point and a possibility that I had not even considered.
0
 
LVL 3

Author Comment

by:Gunsen
ID: 7143214
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320246
This shows that moving (on same volume as was my case) is a feature by design.

Anybody a good practical approach on how to avoid keeping the permissions from Dir1/folder1 ?
0
 
LVL 17

Expert Comment

by:mikecr
ID: 7143242
So after you copy the folder you want it to inherit the permissions of the destination, correct? Off the top of my head I wouldn't know how to automate this but you could go into the folder after it's copied and uncheck then recheck the box to inherit permissions from parent. I'll see if there is a resource kit tool or something that might help.
0
 
LVL 17

Expert Comment

by:mikecr
ID: 7143286
I found this in the Windows 2000 Resource Kit. You could create a batch file to run it with parameters each time that you move a folder and need it to reset the permissions.

XcAcls Syntax

    xcacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]

Where:

filename
    indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) should be applied. All standard wildcard characters can be used.
/T
    recursively walks through the current directory and all its subdirectories, applying the chosen access rights to the matching files and/or directories.
/E
    edits the ACL instead of replacing it. If you specify the following command line:

        XCACLS test.dat /G Administrator:F

    only the Administrator has access to TEST.DAT. All ACEs applied earlier are lost.
/C
    causes XcAcls to continue if an "access denied" error occurs. If /C is not specified, XcAcls stops on this error.
/G user:perm;spec
    grants access to user to the matching file or directory. The perm variable applies the specified access right to files and represents the special file-access-right mask for directories. The Perm variable accepts the following values:

        R    Read
        C    Change (write)
        F    Full Control
        P    Change Permissions (special access)
        O    Take Ownership (special access)
        X    EXecute (special access)
        E    REad (Special access)
        W    Write (Special access)
        D    Delete (Special access)

    The spec variable applies only to directories, and accepts the same values as perm, with the addition of the following special value:

        T    NoT Specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right has to follow. Entries between ; and T will be ignored.

Notes

The access options for files (for directories, special file access and special directory access) are identical. For detailed explanations of these options, see the Windows 2000 operating system documentation.
All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights like LIST or READ.

/R user
    revokes all access rights for the specified user.
/P user:perm;spec
    replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. See XcAcls Examples.
/D user
    denies access to the file or directory for user.
/Y
    disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine hangs until the right answer is entered. The /Y option was introduced to avoid this confirmation, so XcAcls can be used in batch mode.
0

 
LVL 2

Expert Comment

by:jehob
ID: 7143306
There seems to be no real "practical" approach to automating the process available from Microsoft, however you can use VBS to accomplish this.  The article below shows how you can use a VBScript to automate this process:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279682

Personally I am not real familiar with VB script so I would probably just stick with the manual approach of unchecking and rechecking the box to inherit permissions, but that's just me!
0
 
LVL 3

Author Comment

by:Gunsen
ID: 7143343
Well, actually I have 4000 directories (that is, parental directories like Dir1, with inheritable ACL for all subdirectories) in a world-wide WAN, and it's the end-users that do the copying! So hope for a good solution to this....(?) :-(

btw: 25000 users....
0
 
LVL 17

Expert Comment

by:mikecr
ID: 7143379
Are they copying from one machine to another? If they are, they will inherit from where they are copying to. Is that what you want?
0
 
LVL 3

Author Comment

by:Gunsen
ID: 7143397
No, the problem only appears when drag&dropped or cut-n-pasted on the same volume...
0
 
LVL 17

Expert Comment

by:mikecr
ID: 7143408
At that point you're definitely going to have to reset permissions on these directories either manually or using an automated tool like xcacls or the vbscript.
0
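An added example, not part of the thread: a PowerShell audit for the situation discussed above. It lists the direct subfolders of a parent whose inherited ACEs name identities the parent does not pass down (or lack ones it does), and also subfolders that have inheritance disabled. The function name and the D:\Shares\Dir2 paths are hypothetical, and the check is a heuristic that compares identities only, not rights.

```powershell
# Added example, not from the thread. Heuristic: compares identities only, not rights.
function Find-StaleInheritedAcl {
    param(
        [Parameter(Mandatory)]
        [string]$Parent   # hypothetical parent folder, e.g. D:\Shares\Dir2
    )
    $flags     = [System.Security.AccessControl.InheritanceFlags]
    $parentAcl = Get-Acl -LiteralPath $Parent

    # Identities the parent may pass down (any inheritance flag set) ...
    $inheritable = @($parentAcl.Access |
        Where-Object { $_.InheritanceFlags -ne $flags::None } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    # ... and those every subfolder should carry (ContainerInherit set).
    $expected = @($parentAcl.Access |
        Where-Object { $_.InheritanceFlags -band $flags::ContainerInherit } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    foreach ($dir in Get-ChildItem -LiteralPath $Parent -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        # "Inherit from parent" unchecked: nothing is inherited from any parent.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $dir.FullName; Status = 'InheritanceDisabled'
                               Unexpected = ''; Missing = '' }
            continue
        }
        $actual = @($acl.Access | Where-Object { $_.IsInherited } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        # A CREATOR OWNER ACE on the parent appears on the child as an ACE for its owner.
        $allowed = $inheritable
        if ($inheritable -contains 'CREATOR OWNER') { $allowed = $inheritable + $acl.Owner }

        $unexpected = @($actual   | Where-Object { $allowed -notcontains $_ })
        $missing    = @($expected | Where-Object { $actual  -notcontains $_ })
        if ($unexpected.Count -or $missing.Count) {
            [pscustomobject]@{ Path = $dir.FullName; Status = 'StaleInheritance'
                               Unexpected = $unexpected -join '; '
                               Missing    = $missing -join '; ' }
        }
    }
}

# Review the report, then re-inherit a flagged folder from its current parent.
# Note that /reset also drops any explicit ACEs set on the folder itself.
#   Find-StaleInheritedAcl -Parent 'D:\Shares\Dir2' | Format-Table -AutoSize
#   icacls "D:\Shares\Dir2\test" /reset /T /C
```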
 
LVL 3

Expert Comment

by:vladh
ID: 7322280
Gunsen,

Not sure if this is at all helpful, but I am working on a tool that can set NTFS permissions in Batch mode. You feed it the CSV file (exported from your Excel worksheet) with folder/group or user/permission list and it will go through the list and assign specified permissions and create detailed log of everything it did. The tool is still in beta, and if you would like to give it a try, email me at vovkah@yahoo.com and I can set you up with a copy.

Cheers
Vlad
0
 

Expert Comment

by:SpideyMod
ID: 8384107
Gunsen,
Please take care of your open questions older than 30 days.   I am posting in all of them.   Please see:
http://www.cityofangels.com/Experts/Closing.htm

If you have further questions, feel free to post them in Community Support:
http://www.experts-exchange.com/Community_Support/

I will return in 72 hours to see if this has been completed.  If it has not, I have an obligation to turn your account over to site administration.

SpideyMod
Community Support Moderator @Experts Exchange
0
 

Expert Comment

by:kjp17
ID: 10069492
Does someone get a solid answer for this question? I don't mind installing some scripts to automate the process of updating ACL when moving files/folders. But the solution posted by Microsoft seems to be a manual process. I cannot ask my end-users to run the script every time they move some files/folders.

It seems to me this is a very common problem appearing in a business network. Yet, I see so few postings on the web regarding this matter. Am I correct?

Many thanks to people who participate in this thread.

Joe
kjp17@yahoo.com
0
