Inherited Rights/NTFS Folder Permissions...

When assigning NTFS group rights to a folder.  How do I force rights to be inherited by folders that are specifically set NOT to inherit rights.    (I don't want to replace rights... I want to ADD rights and have only the added rights propagate all the way down the folder structure)

Example.  F:\Main\Dept-10\production\wave1\data

F:\Main (rights are not inherited and are specifically defined)
F:\Main\Dept-10 (rights are not inherited and are specifically defined)
F:\Main\Dept-10\production  (rights are inherited)
F:\Main\Dept-10\production\wave1 (rights not inherited)

If I want to give the group "checkers" read rights to F:\Main and everything below it, assigning that group read rights to F:\Main will work ONLY for this directory as the next directory is SET NOT to inherit rights.   This example is only a few layers deep.   If we have directory structures where rights are SET NOT to inherit rights dozens of layers deep, there is no way to quickly identify those nor would we want to have to find each inherited rights break to assign the proper specified rights.

I must be missing something, but where is the magic button to force JUST THE NEWLY ADDED RIGHTS to propagate all the way down the structure?  In the example above.  In order to give the "checkers" group read rights to a file in the F:\Main\Dept-10\production\wave1 folder as well as ALL FILES IN BETWEEN.  I would have to manually assign the "checkers" group to each directory where rights were set NOT to inherit rights.  This just doesn't seem right.

I've played with the "replace all permissions on all child..." options in the advance tab, but all that does is replace everything on all child objects to whatever you currently have on the folder at hand.    I want to apply only NEW changes to all child objects  (basically add the new NTFS group right), not replace or change child objects to the existing set of NTFS rights.

Coming from the Netware world, this seems entirely restrictive in how you can implement different security rights through out a file server structure in an efficient manner.






rdelrosarioAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tengageCommented:
Good question.  There is no answer though.  I use the following tool for those situations.  The site license was really reasonable.  3rd party is the only way to do what you're describing.

http://www.scriptlogic.com/eng/products/securityexplorer/main.asp
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tengageCommented:
The reason I bought it was because the help desk needed specific "special" rights to every file on every file server (about 50 file servers and what feels like billions of files).  We have a mix of inheritance and there was only one tool that MS had to do what we wanted.  These were perl scripts on the 2000 resource kit supp 1.  The tools caused us some pretty severe damage although we never actually pinned our problems to the tools.  The tool was FILEDACLS.PL and requires the active perl extensions be installed.  Why there are perl scripts for ACLS on a W2k res kit is beyond me.  It was run on a handful of servers a majority of them died with identical results (sorry I don't remember what that was, but they were pretty dead).  The good thing is that we have LANMAN shares backed up and good tape backups, and parallel installs of the OS so recovery usually took about 15 minutes.
0
oBdACommented:
Open a command prompt on the server in question, and enter
cacls F:\Main /t /e /g checkers:R
cacls is the command line tool to change NTFS permissions. This will process the folder F:\Main, it will process the folder and its subdirectories (/t), it will edit the ACLs (/e) instead of replacing them (do NOT forget the /e, or you'll have to reassign the permissions ...), and it will grant (/g) the group "checkers" read access (R). If it's a global group, you might have to add the domain name in front of the group name: YourDomain\checkers.
You can of course try that on a test structure with similar permissions before you use it for real.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

rdelrosarioAuthor Commented:
I looked at the Security Explorer tengage recommended and it is very comprehensive.   It is cheap as well.. I downloaded it and will try it out.   The  command line thingy looks good too, but leaves me nervous about someone making a mistake.

Can both of you really tell me that this is it... there is really know magic button built in the security tab that I'm just missing?   How can Microsoft leave this functionality out of the GUI?   Is this that uncommon of an issue?

I really have to say that this is where Novell shines...

0
oBdACommented:
Nope, no magic button, sorry. The "error factor" when using the command line actually isn't much higher (if at all) than in the GUI; changing permissions requires some knowledge about what you're doing, with or without images.
0
tengageCommented:
I used cacls and have had some mixed results.  It seems that when I used it in my situation, it appeared to work but when I went to view the properties of some folders, and click the "security" tab I kept getting these messages "the security acls are incorrectly ordered" or something like that.  If I clicked OK on the message I could view the permissions and they appeared fine, but the message bothered me.  I reverted to XCACLS, but then broke down and bought the tool.  It can be scripted and I especially love its ability to "Back Up" permissions.

NOVELL is definately more robust here.  I don't know why shares are not a integral part of AD as well as printers as in Novell.
0
oBdACommented:
You probably used cacls on a pre-SP2 system; this error is fixed in the meantime:
Cacls.exe Orders ACEs Incorrectly When Granting Rights
http://support.microsoft.com/?kbid=268546
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.