Solved

Windows File Server NTFS Inheritance (auto recursion)

Posted on 2009-04-09
Last Modified: 2012-06-27
We are currently moving from a Novell file server environment to a Windows NTFS file server environment. All going well apart from one thing. The way NTFS permissions are taken with a file/folder when they are cut and pasted. What's that about?!? Effectively this allows any of our users to drag and drop files/folders into other folders and make a right mess of the security structure no?

When using Novell we have a very simple file structure:

ROOT:
------------Departments
------------------------------Sales
------------------------------HR
------------------------------IT
------------------------------Finance
------------Projects
------------------------------G123
------------------------------G010
------------------------------Gxyz

Each level 2 folder (i.e. sales, g123 etc) has a group associated with it that has access to that folder. Users are made members of the group of the folder to which they need access. If files/folders are copied/moved between folders to share them the security is immediately inherited. But within Windows if the file is moved (but not when copied as I understand) the security will not be inherited.

I can hear the support calls now... USER0: "I can see FOLDER_A inside FOLDER_B and I know USER1 has access to FOLDER_B so why can't they see FOLDER_A?"

I'm assuming there is a Windows vs Novell 'mindset' issue that I have to get over to understand this (and if someone can help me out there it would be good), but in the meantime does anyone know of a way to automatically force inheritance on files/folders after they have been moved. A GPO of file security setting or something? I thought that we could run a script regularly to reset the inheritance but that seems like a really rubbish solution.

We have access to both Windows 2003 & 2008 servers. (I understand that 2008 may be slightly better in resolving this problem?)

Many Thanks.

Question by:MoogControls

Expert Comment

by:oBdA
ID: 24107998
Default behavior for files that are moved on the same partition is that the current permissions are kept.
You can change this behavior by setting the MoveSecurityAttributes to 0; check this article for details:
How permissions are handled when you copy and move files and folders
http://support.microsoft.com/kb/310316

Author Comment

by:MoogControls
ID: 24243087
The registry change seems hit and miss based on the OS and SP level. But it's a good start.

After thinking about it and resigning myself to the Microsoft model for file permissions, I think I will need that permission reset script after all.

Does anyone know how to effectively check the box... "Replace all existing inheritable permissions on all descendants with inheritable permissions from this object" found in the security, advanced, tab?

Accepted Solution

by:
MoogControls earned 0 total points
ID: 25438064
Didn't really find a Microsoft solution for this, in the end I had to write a script using the SETACL.exe tool that would reassign access rights each time it was run. Here is the script... it's a bit customised for our use but you get the idea I think. The script takes three inputs at the command line so it can be used for different paths.

@echo off
rem Arguments: %1 = folder name (used for the log and list file names)
rem            %2 = folder path to process
rem            %3 = folder type (prefix of the DOMAIN\type_folder group names)

rem Provides access to setacl.exe
set "PATH=%PATH%;\\DOMAIN\NETLOGON\All\system"

rem Build the log date stamp; assumes "Date /t" prints DD/MM/YYYY (locale dependent)
For /F "tokens=1,2,3 delims=/ " %%A in ('Date /t') do (
Set Day=%%A
Set Month=%%B
Set Year=%%C
Set LOGDATE=%%C%%B%%A
)

rem %~1 to %~3 strip any quotes from the arguments; quotes are added where the values are used
set "LOGPATH=\\servername\c$\batch\PERMISSIONS\logs\%LOGDATE%_%~1.txt"
set "LISTPATH=\\servername\c$\batch\PERMISSIONS\lists\%~1.txt"
set "FOLDERNAME=%~1"
set "FOLDERPATH=%~2"
set "FOLDERTYPE=%~3"


echo --------------------------------------------- 	>> "%LOGPATH%"
echo ---------------Started Script---------------- 	>> "%LOGPATH%"
echo --------------------------------------------- 	>> "%LOGPATH%"

rem Top-level folder: clear existing ACEs, block inheritance without copying (p_nc), set explicit ACEs
SetACL.exe -on  "%FOLDERPATH%" ^
		-ot file ^
		-actn ace ^
		-actn clear 	-clr "dacl,sacl" ^
		-actn setprot 	-op  "dacl:p_nc;sacl:p_nc" ^
		-ace "n:DOMAIN\Domain Users;p:read_ex" ^
		-ace "n:DOMAIN\Domain Admins;p:full" ^
		-ace "n:Administrators;p:full" ^
		-ace "n:SYSTEM;p:full" >> "%LOGPATH%"

echo --------------------------------------------- 	>> "%LOGPATH%"
echo ---------------Started Loop------------------ 	>> "%LOGPATH%"
echo --------------------------------------------- 	>> "%LOGPATH%"

rem List the immediate subfolders, then process each one
dir "%FOLDERPATH%" /b /a:d > "%LISTPATH%"

rem Read back the same list file that dir just wrote
for /F "usebackq tokens=*" %%A in ("%LISTPATH%") do (
 
echo --------------------------------------------- 	>> "%LOGPATH%"
echo ---------------%%A					>> "%LOGPATH%"
echo --------------------------------------------- 	>> "%LOGPATH%"
 
echo "%FOLDERPATH%\%%A" >> "%LOGPATH%"
 
SetACL.exe -on  "%FOLDERPATH%\%%A" ^
		-ot file ^
		-actn ace ^
		-actn clear 	-clr "dacl,sacl" ^
		-actn setprot 	-op  "dacl:p_nc;sacl:p_nc" ^
		-ace "n:DOMAIN\Domain Users;p:read_ex" ^
		-ace "n:DOMAIN\Domain Admins;p:full" ^
		-ace "n:Administrators;p:full" ^
		-ace "n:SYSTEM;p:full" ^
		>> "%LOGPATH%"
 
echo "%FOLDERPATH%\%%A\public" >> "%LOGPATH%"
 
SetACL.exe -on  "%FOLDERPATH%\%%A\public" ^
		-ot file ^
		-actn ace ^
		-actn clear 	-clr "dacl,sacl" ^
		-actn rstchldrn -rst "dacl,sacl" ^
		-actn setprot 	-op  "dacl:p_nc;sacl:p_nc" ^
		-ace "n:DOMAIN\Domain Users;p:read_ex" ^
		-ace "n:DOMAIN\Domain Admins;p:full" ^
		-ace "n:Administrators;p:full" ^
		-ace "n:SYSTEM;p:full" ^
		-ace "n:DOMAIN\%FOLDERTYPE%_%%A;p:change" ^
		>> "%LOGPATH%"
 
echo "%FOLDERPATH%\%%A\private" >> "%LOGPATH%"
 
SetACL.exe -on  "%FOLDERPATH%\%%A\private" ^
		-ot file ^
		-actn ace ^
		-actn clear 	-clr "dacl,sacl" ^
		-actn rstchldrn -rst "dacl,sacl" ^
		-actn setprot 	-op  "dacl:p_nc;sacl:p_nc" ^
		-ace "n:DOMAIN\Domain Admins;p:full" ^
		-ace "n:Administrators;p:full" ^
		-ace "n:SYSTEM;p:full" ^
		-ace "n:DOMAIN\%FOLDERTYPE%_%%A;p:change" ^
		>> "%LOGPATH%"
 
echo "%FOLDERPATH%\%%A\scanning" >> "%LOGPATH%"
 
SetACL.exe -on  "%FOLDERPATH%\%%A\scanning" ^
		-ot file ^
		-actn ace ^
		-actn clear 	-clr "dacl,sacl" ^
		-actn rstchldrn -rst "dacl,sacl" ^
		-actn setprot 	-op  "dacl:p_nc;sacl:p_nc" ^
		-ace "n:DOMAIN\Domain Admins;p:full" ^
		-ace "n:DOMAIN\xerox;p:change" ^
		-ace "n:Administrators;p:full" ^
		-ace "n:SYSTEM;p:full" ^
		-ace "n:DOMAIN\%%A;p:change" ^
		>> "%LOGPATH%"
 
SetACL.exe -on  "%FOLDERPATH%\%%A\web" ^
		-ot file ^
		-actn ace ^
		-actn clear 	-clr "dacl,sacl" ^
		-actn rstchldrn -rst "dacl,sacl" ^
		-actn setprot 	-op  "dacl:p_nc;sacl:p_nc" ^
		-ace "n:DOMAIN\Domain Admins;p:full" ^
		-ace "n:DOMAIN\Domain Users;p:read_ex" ^
		-ace "n:SERVERNAME\IIS_IUSRS;p:read_ex" ^
		-ace "n:Administrators;p:full" ^
		-ace "n:SYSTEM;p:full" ^
		-ace "n:DOMAIN\%%A;p:change" ^
		>> "%LOGPATH%"
 
)

rem The loop is closed above so the final banner is logged once, not once per folder
echo --------------------------------------------- 	>> "%LOGPATH%"
echo ---------------Finished Script--------------- 	>> "%LOGPATH%"
echo --------------------------------------------- 	>> "%LOGPATH%"
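
An added example, not part of the thread or the author's script: a PowerShell audit that lists every object under a folder whose ACL blocks inheritance or carries explicit ACEs, with an optional reset through `icacls /reset`, which replaces each matched object's ACL with the one inherited from its parent. It assumes PowerShell 3.0 or later, that the folder passed as `$Root` already has the correct ACL, and that everything below it should inherit; the default path is a placeholder.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0+ and icacls.exe.
# Assumption: $Root is a level-2 folder whose own ACL is correct and whose
# descendants should inherit from it. The default path is a placeholder.
param(
    [string]$Root = 'D:\Departments\Sales',
    [switch]$Reset
)

function Get-AclDrift {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL: $($item.FullName)"; return }

            # ACEs set directly on the object rather than inherited from a parent.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

            if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Path               = $item.FullName
                    InheritanceBlocked = $acl.AreAccessRulesProtected
                    ExplicitAces       = ($explicit | ForEach-Object {
                        '{0} {1} {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
                    }) -join '; '
                }
            }
        }
}

$drift = @(Get-AclDrift -Path $Root)
$drift | Format-Table -AutoSize -Wrap
"{0} object(s) under {1} do not purely inherit." -f $drift.Count, $Root

if ($Reset -and $drift.Count -gt 0) {
    # Reset only the descendants ("$Root\*"), never $Root itself, so the
    # group ACEs on the level-2 folder survive. /T recurses, /C continues on errors.
    & icacls.exe (Join-Path $Root '*') /reset /T /C /Q
}
```

The report does not flag ACEs that are still marked as inherited from a previous parent after a same-volume move; the `-Reset` pass replaces those as well.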

Question has a verified solution.