Mimic NDS file permissions in Windows NTFS environment

Posted on 2008-06-18
Medium Priority
Last Modified: 2013-12-04
I am trying to mimic Novell NDS file permissions on a windows NTFS box.
Here is the basic problem:
I have a share named Vol2 which consists of multiple directories that contain thousands of subfolders.
Vol2\Parent1
In Novell I can grant read access to Grandchild1 and the user is automatically given traversal access to Child1. In Windows this does not occur. If I give access to Grandchild1 the user is not given access to Child1.
For a few nested directories this is not an issue, but when nesting reaches 10 folders deep it becomes an issue.
Is there a proper way to mimic the NDS rights in a Windows environment, or a best practices method of doing this?
Note: I cannot simply create new shares because users have files with embedded links that rely on specific shares and directory paths.

Question by: onlineofmq
Accepted Solution

ShineOn earned 2000 total points
ID: 21819144
First off, NDS (now called eDirectory) is a directory service, not a filesystem. The NetWare filesystem (NWFS) and Novell Storage Services (NSS), which can be on modern NetWare or Novell OES/Linux, are what you're talking about. Dynamic inheritance is the term. Rights (not Permissions) get inherited bidirectionally, so not only does the user or other object inherit rights to a child from a parent, the rights necessary to see the path to the parent dynamically "reverse inherit" up the directory tree. Not so with NTFS.

Novell is the company name, by the way - it's either NetWare or OES, when talking about their Enterprise-class Network Operating Systems.  You say, "In Windows this does not occur." - you don't say "In Microsoft this does not occur."

Anyway, sorry to say, but you're pretty much out of luck. The only way permissions inherit automatically is when the permissions are initially granted. Any changes at any level of NTFS after the initial permissions inheritance takes place require you to manually force inheritance again - and you have to be careful when forcing inheritance that you don't override the self-contradicting "deny permissions."

There is no such thing as dynamic inheritance with Windows NTFS. You have to manually force inheritance when the static ACLs break down. That's by choice. When Microsoft was in the heat of battle with Novell over network supremacy, they FUDded people into thinking that their old, tired static ACL scheme was superior to Novell's dynamic inheritance, claiming it was more efficient and faster. Both lies. It's far inferior to NWFS or NSS, as you are learning the hard way.

I, too, am looking for a way to resolve the built-in, flawed inheritance scheme Microsoft has saddled us with, so I don't have to putz with forcing NTFS permissions re-inheritance.

I've heard that Windows Server 2008 may have this problem resolved, at least to some degree, but of course Microsoft would never back-port the fix to Windows Server 2003 R2 - they want us to spend more money over and over in an endless upgrade cycle just to get bugfixes that shouldn't have been there to begin with, because the technology was available well over a decade, going on 20 years, ago.

If anyone out there has a third party tool or a tweak or something, you'd be a hero to many disgruntled former NetWare admins that miss the superior technology they were forced off of because of politics or PHBs.

Or, would we be better off dumping Windows for Linux and ZFS? ;)

Anyway, the only way I'm aware of to make sure you can do what you are trying to do is with a combination of shares and NTFS permissions. You can establish a share at any point in a folder structure, and the visibility of child folders flows from the share. If you don't want to grant regular access permissions to multiple levels of parent folders all the way up to the share, you can create a share at that grandchild level directly.

To do it that way you have to change how things are accessed in general.  If you want to only have a single mapped drive and access everything off that, then the multiple "subordinate" shares won't work for you, because with Windows/AD you have to map to a share - and if the user doesn't have intermediate folder-level visibility, you can't map directly to a great-grandchild of a share - they have to be able to see the whole path from the share.  But, if you can use UNC, you could point them at the "subordinate" share at that multi-grandchild level directly, bypassing the need to have visibility of the interim folders up to the root.

Does that make sense? I know, it's so much easier with NetWare, but we've been forced to work with the bill of goods our PHBs were sold, so we have to change how we do things to mitigate the shortcomings of AD/NTFS.

Another tool to mitigate the shortcomings of AD/NTFS is the AGUDLP permissions/groups method, which is the recommended method to avoid "permissions hell." If you always - ALWAYS - stick to the standard of Accounts > Global groups > Universal groups > Domain Local groups > Permissions, then you'll be much happier down the road.

Author Closing Comment

ID: 31468653
Thanks. I was afraid you were going to say what you said about dynamic inheritance. Basically, we are just going to have to give our users read-only permissions to the parent folders leading to the folder in which they should have full control access. At least we can still use ABE to hide directories to which users do not need access.
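The workaround the asker settled on (path-visibility rights on the intermediate folders, full rights only on the target) can be scripted so that each parent folder gets only a non-inherited "This folder only" ACE, which avoids leaking read access into sibling branches. This is an added example, not code from the thread; the share root `D:\Vol2`, the target path and the group `CONTOSO\Finance-Reports` are placeholder assumptions.

```powershell
# Added example (not from the original thread). Placeholder values: share root D:\Vol2,
# target folder D:\Vol2\Parent1\Child1\Grandchild1, AD group CONTOSO\Finance-Reports.
# Grants the group Full Control on the target (inherited downward) and only the minimum
# "see the path" rights on each folder from the target's parent up to the share root,
# each scoped to "This folder only" so siblings stay invisible (ABE then hides them).
param(
    [string]$ShareRoot = 'D:\Vol2',
    [string]$Target    = 'D:\Vol2\Parent1\Child1\Grandchild1',
    [string]$Identity  = 'CONTOSO\Finance-Reports'
)

if (-not $Target.StartsWith($ShareRoot, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Target must live beneath the share root"
}

# ListDirectory lets the user enumerate the folder, ReadAttributes lets Explorer display it,
# Traverse lets the user pass through it. No ReadData on files is granted.
$traverseRights = [System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
                  [System.Security.AccessControl.FileSystemRights]::ReadAttributes -bor
                  [System.Security.AccessControl.FileSystemRights]::Traverse

function Grant-Ace {
    param([string]$Path,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Walk upward from the target's parent, stopping after the share root itself.
$dir = Split-Path -Parent $Target
do {
    Grant-Ace -Path $dir -Rights $traverseRights `
        -Inherit ([System.Security.AccessControl.InheritanceFlags]::None)   # "This folder only"
    $reachedRoot = $dir.TrimEnd('\') -ieq $ShareRoot.TrimEnd('\')
    $dir = Split-Path -Parent $dir
} until ($reachedRoot -or -not $dir)

# Full Control on the target, inherited by all subfolders and files beneath it.
Grant-Ace -Path $Target `
    -Rights ([System.Security.AccessControl.FileSystemRights]::FullControl) `
    -Inherit ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
              [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
```

Because the intermediate ACEs are explicit and non-inherited, a later "replace permissions on all child objects" at a higher level will wipe them, so they have to be treated as part of the provisioning process rather than set once.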
