Solved

Inherited Rights/NTFS Folder Permissions...

Posted on 2004-11-12
Last Modified: 2013-12-04
When assigning NTFS group rights to a folder, how do I force rights to be inherited by folders that are specifically set NOT to inherit rights?  (I don't want to replace rights... I want to ADD rights and have only the added rights propagate all the way down the folder structure.)

Example.  F:\Main\Dept-10\production\wave1\data

F:\Main (rights are not inherited and are specifically defined)
F:\Main\Dept-10 (rights are not inherited and are specifically defined)
F:\Main\Dept-10\production  (rights are inherited)
F:\Main\Dept-10\production\wave1 (rights not inherited)

If I want to give the group "checkers" read rights to F:\Main and everything below it, assigning that group read rights to F:\Main will work ONLY for this directory as the next directory is SET NOT to inherit rights.   This example is only a few layers deep.   If we have directory structures where rights are SET NOT to inherit rights dozens of layers deep, there is no way to quickly identify those nor would we want to have to find each inherited rights break to assign the proper specified rights.

I must be missing something, but where is the magic button to force JUST THE NEWLY ADDED RIGHTS to propagate all the way down the structure?  In the example above, in order to give the "checkers" group read rights to a file in the F:\Main\Dept-10\production\wave1 folder as well as ALL FILES IN BETWEEN, I would have to manually assign the "checkers" group to each directory where rights were set NOT to inherit rights.  This just doesn't seem right.

I've played with the "replace all permissions on all child..." options in the Advanced tab, but all that does is replace everything on all child objects with whatever you currently have on the folder at hand.  I want to apply only NEW changes to all child objects (basically add the new NTFS group right), not replace or change child objects to the existing set of NTFS rights.

Coming from the Netware world, this seems entirely restrictive in how you can implement different security rights throughout a file server structure in an efficient manner.






Question by:rdelrosario
7 Comments
 
LVL 4

Accepted Solution

by:
tengage earned 500 total points
ID: 12569987
Good question.  There is no answer though.  I use the following tool for those situations.  The site license was really reasonable.  3rd party is the only way to do what you're describing.

http://www.scriptlogic.com/eng/products/securityexplorer/main.asp
0
 
LVL 4

Expert Comment

by:tengage
ID: 12570062
The reason I bought it was because the help desk needed specific "special" rights to every file on every file server (about 50 file servers and what feels like billions of files).  We have a mix of inheritance and there was only one tool that MS had to do what we wanted.  These were perl scripts on the 2000 resource kit supp 1.  The tools caused us some pretty severe damage although we never actually pinned our problems to the tools.  The tool was FILEDACLS.PL and requires the active perl extensions be installed.  Why there are perl scripts for ACLS on a W2k res kit is beyond me.  It was run on a handful of servers, and a majority of them died with identical results (sorry I don't remember what that was, but they were pretty dead).  The good thing is that we have LANMAN shares backed up and good tape backups, and parallel installs of the OS so recovery usually took about 15 minutes.
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 12570655
Open a command prompt on the server in question, and enter
cacls F:\Main /t /e /g checkers:R
cacls is the command line tool to change NTFS permissions. This will process the folder F:\Main, it will process the folder and its subdirectories (/t), it will edit the ACLs (/e) instead of replacing them (do NOT forget the /e, or you'll have to reassign the permissions ...), and it will grant (/g) the group "checkers" read access (R). If it's a global group, you might have to add the domain name in front of the group name: YourDomain\checkers.
You can of course try that on a test structure with similar permissions before you use it for real.
0
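An added example, not code from any poster in this thread: instead of stamping an explicit ACE on every object as `cacls /t /e` does, this PowerShell sketch locates the inheritance breaks the question describes and adds one inheritable read ACE at the root and at each break, leaving existing ACEs in place. It uses Get-Acl/Set-Acl, which postdate this thread; the path and group name are the ones from the question, "read rights" is assumed to mean the `Read` file-system right, and it assumes an elevated session with permission to change ACLs.

```powershell
# Added example. $Root and $Group come from the question; -Apply is a
# hypothetical switch introduced here so the default run only reports.
param(
    [string]$Root  = 'F:\Main',
    [string]$Group = 'checkers',     # may need a prefix: YourDomain\checkers
    [switch]$Apply
)

function New-ReadRule([string]$Identity, [bool]$IsContainer) {
    # Folders get an ACE that flows to child folders and files;
    # a file ACE cannot carry inheritance flags.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    if ($IsContainer) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Read,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Targets: the root, plus every descendant (folder or file) whose ACL is
# protected, i.e. set NOT to inherit from its parent.
$targets  = @(Get-Item -LiteralPath $Root)
$targets += @(Get-ChildItem -LiteralPath $Root -Recurse -Force |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected })

foreach ($item in $targets) {
    $acl       = Get-Acl -LiteralPath $item.FullName
    $protected = $acl.AreAccessRulesProtected
    if ($Apply) {
        # AddAccessRule merges with the existing ACEs; nothing is replaced.
        $acl.AddAccessRule((New-ReadRule $Group $item.PSIsContainer))
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
    [pscustomobject]@{
        Path      = $item.FullName
        Protected = $protected
        Changed   = [bool]$Apply
    }
}
```

Run it first without `-Apply` on a test structure to get the list of inheritance breaks, then review that list before changing anything.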

Author Comment

by:rdelrosario
ID: 12570769
I looked at the Security Explorer tengage recommended and it is very comprehensive.   It is cheap as well.. I downloaded it and will try it out.   The  command line thingy looks good too, but leaves me nervous about someone making a mistake.

Can both of you really tell me that this is it... there is really no magic button built into the security tab that I'm just missing?   How can Microsoft leave this functionality out of the GUI?   Is this that uncommon of an issue?

I really have to say that this is where Novell shines...

0
 
LVL 85

Expert Comment

by:oBdA
ID: 12570909
Nope, no magic button, sorry. The "error factor" when using the command line actually isn't much higher (if at all) than in the GUI; changing permissions requires some knowledge about what you're doing, with or without images.
0
 
LVL 4

Expert Comment

by:tengage
ID: 12583381
I used cacls and have had some mixed results.  It seems that when I used it in my situation, it appeared to work but when I went to view the properties of some folders, and click the "security" tab I kept getting these messages "the security acls are incorrectly ordered" or something like that.  If I clicked OK on the message I could view the permissions and they appeared fine, but the message bothered me.  I reverted to XCACLS, but then broke down and bought the tool.  It can be scripted and I especially love its ability to "Back Up" permissions.

NOVELL is definitely more robust here.  I don't know why shares are not an integral part of AD as well as printers as in Novell.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 12583556
You probably used cacls on a pre-SP2 system; this error is fixed in the meantime:
Cacls.exe Orders ACEs Incorrectly When Granting Rights
http://support.microsoft.com/?kbid=268546
0
