Solved

Mimic NDS file permissions in Windows NTFS environment

Posted on 2008-06-18
Last Modified: 2013-12-04
I am trying to mimic Novell NDS file permissions on a Windows NTFS box.
Here is the basic problem:
I have a share named Vol2 which consists of multiple directories that contain thousands of subfolders.  
Ex:
Vol2
  \Parent1
    \Child1
      \Grandchild1
In Novell I can grant read access to Grandchild1 and the user is automatically given traversal access to Child1. In Windows this does not occur. If I give access to Grandchild1 the user is not given access to Child1.
For a few nested directories this is not an issue but when nesting reaches 10 folders deep it becomes an issue.  
Is there a proper way to mimic the NDS rights in a Windows environment or a best practices method of doing this?
Note: I cannot simply create new shares because users have files with embedded links that rely on specific shares and directory paths.


Question by:onlineofmq
Accepted Solution

by:
ShineOn earned 500 total points
First off, NDS (now called eDirectory) is a directory service, not a filesystem.  The NetWare filesystem (nwfs) and Novell Storage Services (nss) which can be on modern NetWare or Novell OES/Linux, is what you're talking about.  Dynamic inheritance is the term.  Rights (not Permissions) get inherited bidirectionally, so not only does the user or other object inherit rights to a child from a parent, necessary rights to see the path to the parent dynamically "reverse inherit" up the directory tree.  Not so with NTFS.

Novell is the company name, by the way - it's either NetWare or OES, when talking about their Enterprise-class Network Operating Systems.  You say, "In Windows this does not occur." - you don't say "In Microsoft this does not occur."

Anyway, sorry to say, but you're pretty much out of luck.  The only way permissions inherit automatically is when the permissions are initially granted.  Any changes at any level of NTFS after the initial permissions inheritance takes place require you to manually force inheritance again - and you have to be careful when forcing inheritance that you don't override the self-contradicting "deny permissions."

There is no such thing as dynamic inheritance with Windows NTFS.  You have to manually force inheritance when the static ACLs break down.   That's by choice.  When Microsoft was in the heat of battle with Novell over network supremacy, they FUDded people into thinking that their old, tired static ACL scheme was superior to Novell's dynamic inheritance, claiming it was more efficient and faster.  Both lies.  It's far inferior to NWFS or NSS, as you are learning the hard way.

I, too, am looking for a way to resolve the built-in, flawed inheritance scheme Microsoft has saddled us with, so I don't have to putz with forcing NTFS permissions re-inheritance.

I've heard that Windows Server 2008 may have this problem resolved, at least to some degree, but of course Microsoft would never back-port the fix to Windows Server 2003 R2 - they want us to spend more money over and over in an endless upgrade cycle just to get bugfixes that shouldn't have been there to begin with, because the technology was available well over a decade, going on 20 years, ago.

If anyone out there has a third party tool or a tweak or something, you'd be a hero to many disgruntled former NetWare admins that miss the superior technology they were forced off of because of politics or PHBs.

Or, would we be better off dumping Windows for Linux and ZFS? ;)

Anyway, the only way I'm aware of to make sure you can do what you are trying to do is with a combination of shares and NTFS permissions.  You can establish a share at any point in a folder structure, and the visibility of child folders flow from the share.  If you don't want to grant regular access permissions to multiple levels of parent folders all the way up to the share, you can create a share at that grandchild level directly.

To do it that way you have to change how things are accessed in general.  If you want to only have a single mapped drive and access everything off that, then the multiple "subordinate" shares won't work for you, because with Windows/AD you have to map to a share - and if the user doesn't have intermediate folder-level visibility, you can't map directly to a great-grandchild of a share - they have to be able to see the whole path from the share.  But, if you can use UNC, you could point them at the "subordinate" share at that multi-grandchild level directly, bypassing the need to have visibility of the interim folders up to the root.

Does that make sense?  I know, it's so much easier with NetWare, but we've been forced to work with the bill of goods our PHBs were sold, so we have to change how we do things to mitigate the shortcomings of AD/NTFS.

Another tool to mitigate the shortcomings of AD/NTFS is the AGUDLP permissions/groups method, which is the recommended method to avoid "permissions hell."  If you always - ALWAYS - stick to the standard of Accounts > Global groups > Universal groups > Domain Local groups > Permissions, then you'll be much happier down the road.
Author Closing Comment

by:onlineofmq
Thanks. I was afraid you were going to say what you said about dynamic inheritance. Basically, we are just going to have to give our users read-only permissions to the parent folders leading to the folder in which they should have full control access. At least we can still use ABE to hide directories to which users do not need access.
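
The approach settled on in this thread (read access on each parent folder leading to the target, broader rights on the target itself, ABE hiding the rest), as an added PowerShell example that is not part of the original posts. The function name, the `D:\Vol2` location and the `CONTOSO\DL_Vol2_Grandchild1` group are assumptions for illustration; the parent ACEs are written as "this folder only" so they do not flow down into sibling folders.

```powershell
# Added example. Grant-PathTraversal, D:\Vol2 and the group name are hypothetical.
function Grant-PathTraversal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareRoot,
        [Parameter(Mandatory)][string]$TargetPath,
        [Parameter(Mandatory)][string]$Identity,   # ideally a domain local group (AGUDLP)
        [System.Security.AccessControl.FileSystemRights]$TargetRights = 'Modify'
    )
    $root   = (Get-Item -LiteralPath $ShareRoot).FullName.TrimEnd('\')
    $target = (Get-Item -LiteralPath $TargetPath).FullName.TrimEnd('\')
    if (-not $target.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
        throw "'$target' is not located below '$root'."
    }
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $noInh = [System.Security.AccessControl.InheritanceFlags]::None
    $noPrp = [System.Security.AccessControl.PropagationFlags]::None
    $inh   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

    # "This folder only" read/list/traverse ACE for every ancestor up to the share root.
    $dir = (Get-Item -LiteralPath $target).Parent
    while ($dir -and $dir.FullName.TrimEnd('\').Length -ge $root.Length) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity, [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
            $noInh, $noPrp, $allow)
        if ($PSCmdlet.ShouldProcess($dir.FullName, "Add ReadAndExecute (this folder only) for $Identity")) {
            $acl = Get-Acl -LiteralPath $dir.FullName
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        }
        $dir = $dir.Parent
    }

    # Working rights on the target folder, inherited by its files and subfolders.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $TargetRights, $inh, $noPrp, $allow)
    if ($PSCmdlet.ShouldProcess($target, "Add $TargetRights (inherited) for $Identity")) {
        $acl = Get-Acl -LiteralPath $target
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $target -AclObject $acl
    }
}

# Preview the changes first; remove -WhatIf to apply them.
# Pass -TargetRights FullControl to match the thread; Modify omits
# "change permissions" and "take ownership".
Grant-PathTraversal -ShareRoot 'D:\Vol2' -TargetPath 'D:\Vol2\Parent1\Child1\Grandchild1' `
    -Identity 'CONTOSO\DL_Vol2_Grandchild1' -WhatIf
```

Because the parent ACEs carry no inheritance flags, the group can list each parent but gains nothing on sibling folders, which ABE then hides from view.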