File security, moving files

Dir1 has ACL of name1, with new inheritance
Dir2 has ACL of name2, with new inheritance
If I move a directory "test" from dir1 to dir2,
where does the directory test inherit its ACL security from? dir1 or dir2?
Seems to me to be from old parent dir1, isn't this messy?
Gunsen Asked:
 
mikecr Commented:
Files and folders will always inherit permissions from the root folder that they are copied/moved into if they are moved from one partition to another. However, if they are moved within the same partition they keep their permissions.
0
 
jehob Commented:
"Test" will maintain its permissions from 'dir1' after being moved because the inherited permissions are not automatically updated.  The permissions will not be changed until the next time the parent propagates its permissions, which occurs when permissions are changed or when inheritance is disabled and then re-enabled for the parent directory. Either of these two actions forces the parent to propagate its permissions.

So the bottom line is:  'Test' will inherit its permissions from 'Dir2', however this inheritance will not take place until the next time permissions for the parent directory are propagated.

Hopefully this will help you out!
0
 
mikecr Commented:
Keep in mind, Jehob, that if the box is unchecked on the original folder to inherit permissions from parent, permissions won't be inherited from anywhere as long as it is on the same partition. Only if moved to another partition will this take effect. You would need to reset and propagate permissions on the whole directory structure to overcome this.
0
 
jehob Commented:
Thanks mikecr!  That's a very good point and a possibility that I had not even considered.
0
 
Gunsen Author Commented:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320246
This shows that moving (on same volume as was my case) is a feature by design.

Anybody have a good practical approach on how to avoid keeping the permissions from Dir1/folder1?
0
 
mikecr Commented:
So after you copy the folder you want it to inherit the permissions of the destination, correct? Off the top of my head I wouldn't know how to automate this but you could go into the folder after it's copied and uncheck then recheck the box to inherit permissions from parent. I'll see if there is a resource kit tool or something that might help.
0
 
mikecr Commented:
I found this in the Windows 2000 Resource kit. You could create a batch file to run it with parameters each time that you move a folder and need it to reset the permissions.

XcAcls Syntax

xcacls filename [/T] [/E] [/C] [/G user:perm;spec] [/R user] [/P user:perm;spec [...]] [/D user [...]] [/Y]

Where:

filename
indicates the name of the file or directory to which the access control list (ACL) or access control entry (ACE) should be applied. All standard wildcard characters can be used.
/T
recursively walks through the current directory and all its subdirectories, applying the chosen access rights to the matching files and/or directories.
/E
edits the ACL instead of replacing it. If you specify the following command line:


XCACLS test.dat /G Administrator:F


only the Administrator has access to TEST.DAT. All ACEs applied earlier are lost.
/C
causes XcAcls to continue if an "access denied" error occurs. If /C is not specified, XcAcls stops on this error.
/G user:perm;spec
grants access to user to the matching file or directory. The perm variable applies the specified access right to files and represents the special file-access-right mask for directories. The Perm variable accepts the following values:
R    Read
C    Change (write)
F    Full Control
P    Change Permissions (special access)
O    Take Ownership (special access)
X    EXecute (special access)
E    REad (Special access)
W    Write (Special access)
D    Delete (Special access)
The spec variable applies only to directories, and accepts the same values as perm, with the addition of the following special value:

T
NoT Specified. Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory. At least one access right has to follow. Entries between ; and T will be ignored.


Notes


The access options for files (for directories, special file access and special directory access) are identical. For detailed explanations of these options, see the Windows 2000 operating system documentation.
All other options, which can also be set in Windows Explorer, are subsets of all possible combinations of the basic access rights. Therefore, there are no special options for directory access rights like LIST or READ.

/R user
revokes all access rights for the specified user.
/P user:perm;spec
replaces access rights for user. The rules for specifying perm and spec are the same as for the /G option. See XcAcls Examples.
/D user
denies access to the file or directory for user.
/Y
disables confirmation when replacing user access rights. By default, CACLS asks for confirmation. Because of this feature, when CACLS is used in a batch routine, the routine hangs until the right answer is entered. The /Y option was introduced to avoid this confirmation, so XcAcls can be used in batch mode.
0
 
jehob Commented:
There seems to be no real "practical" approach to automating the process available from Microsoft, however you can use VBS to accomplish this.  The article below shows how you can use a VBScript to automate this process:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279682

Personally I am not real familiar with VB script so I would probably just stick with the manual approach of unchecking and rechecking the box to inherit permissions, but that's just me!
0
 
Gunsen Author Commented:
Well actually I have 4000 directories (that is parental directories like Dir1, with inheritable ACL for all subdirectories) in a world-wide wan, and it's the end-users that do the copying!  So hope for a good solution to this....(?) :-(

btw: 25000 users....
0
 
mikecr Commented:
Are they copying from one machine to another? If they are, they will inherit from where they are copying to. Is that what you want?
0
 
Gunsen Author Commented:
No, the problem only appears when drag&dropped or cut-n-pasted on same volume...
0
 
mikecr Commented:
At that point you're definitely going to have to reset permissions on these directories either manually or using an automated tool like xcacls or the vbscript.
0
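Added example, not part of the thread and not the script from the Microsoft KB article: a PowerShell audit that reports folders whose inherited ACEs no longer match what their current parent hands down, which is the state a same-volume move leaves behind. It uses icacls /reset, which ships with later Windows versions, rather than the xcacls tool quoted above; the parameter names $Root and -Fix are assumptions, and the comparison is a heuristic on identity and allow/deny only, not on the exact rights.

```powershell
# Added example: find folders whose inherited ACEs no longer match their parent.
# $Root and -Fix are hypothetical parameter names for this sketch.
param(
    [Parameter(Mandatory)][string]$Root,  # tree to audit, e.g. the path of Dir2
    [switch]$Fix                          # also re-inherit with icacls /reset
)

$ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit

# "identity|Allow" or "identity|Deny" for each ACE selected by $Filter.
function Get-AceKeys($Acl, [scriptblock]$Filter) {
    $Acl.Access | Where-Object $Filter |
        ForEach-Object { "$($_.IdentityReference)|$($_.AccessControlType)" } |
        Sort-Object -Unique
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
    $dir    = $_
    $child  = Get-Acl -LiteralPath $dir.FullName
    $parent = Get-Acl -LiteralPath $dir.Parent.FullName

    # Inheritance switched off on purpose ("inherit from parent" unchecked):
    # report it, but leave re-enabling it to an administrator.
    if ($child.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $dir.FullName; State = 'InheritanceDisabled'
                           Missing = ''; Extra = '' }
        return
    }

    # What the parent hands down to subfolders vs. what the child inherited.
    $expected = @(Get-AceKeys $parent { $_.InheritanceFlags.HasFlag($ci) })
    $actual   = @(Get-AceKeys $child  { $_.IsInherited })
    $missing  = @($expected | Where-Object { $_ -notin $actual })
    # A CREATOR OWNER entry on the parent appears on the child under the owner's
    # name, so inherited ACEs for the child's owner are not counted as extra.
    $extra    = @($actual | Where-Object {
        $_ -notin $expected -and -not $_.StartsWith("$($child.Owner)|") })

    if ($missing.Count -or $extra.Count) {
        [pscustomobject]@{ Path = $dir.FullName; State = 'StaleInheritance'
                           Missing = $missing -join '; '; Extra = $extra -join '; ' }
        # /reset replaces the ACL with the default inherited one (explicit ACEs
        # are dropped), /T covers the moved subtree, /C continues on errors.
        if ($Fix) { icacls $dir.FullName /reset /T /C /Q | Out-Null }
    }
}
```

Run it without -Fix first and review the report; only the top folder of a moved subtree is flagged, because its descendants still agree with it.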
 
vladh Commented:
Gunsen,

Not sure if this is at all helpful, but I am working on a tool that can set NTFS permissions in Batch mode. You feed it the CSV file (exported from your Excel worksheet) with folder/group or user/permission list and it will go through the list and assign specified permissions and create detailed log of everything it did. The tool is still in beta, and if you would like to give it a try, email me at vovkah@yahoo.com and I can set you up with a copy.

Cheers
Vlad
0
 
SpideyMod Commented:
Gunsen,
Please take care of your open questions older than 30 days.   I am posting in all of them.   Please see:
http://www.cityofangels.com/Experts/Closing.htm

If you have further questions, feel free to post them in Community Support:
http://www.experts-exchange.com/Community_Support/

I will return in 72 hours to see if this has been completed.  If it has not, I have an obligation to turn your account over to site administration.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
kjp17 Commented:
Does someone get a solid answer for this question? I don't mind installing some scripts to automate the process of updating ACL when moving files/folders.  But the solution posted by Microsoft seems to be a manual process.  I cannot ask my end-users to run the script every time they move some files/folders.

It seems to me this is a very common problem that appears in a business network.  Yet, I see so few postings on the web regarding this matter.  Am I correct?

Many thanks to people who participate in this thread.

Joe
kjp17@yahoo.com
0
Question has a verified solution.
