Link to home
Start Free TrialLog in
Avatar of MoogControls
MoogControls

asked on

Windows File Server NTFS Inheritance (auto recursion)

We are currently moving from a Novell file server environment to a Windows NTFS file server environment. All going well apart from one thing. The way NTFS permissions are taken with a file/folder when they are cut and pasted. What's that about?!? Effectively this allows any of our users to drag and drop files/folders into other folders and make a right mess of the security structure no?

When using Novell we have a very simple file structure:

ROOT:
------------Departments
------------------------------Sales
------------------------------HR
------------------------------IT
------------------------------Finance
------------Projects
------------------------------G123
------------------------------G010
------------------------------Gxyz

Each level 2 folder (i.e. sales, g123 etc) has a group associated with it that has access to that folder. Users are made members of the group of the folder to which they need access to. If files/folders are copied/moved between folders to share them the security is immediately inherited. But within windows if the file is moved (but not when copied as i understand) the security will not be inherited.

I can hear the support calls now... USER0: "I can see FOLDER_A inside FOLDER_B and i know USER1 has access to FOLDER_B so why can't they see FOLDER_A?"

I'm assuming there is a Windows vs Novell 'mindset' issue that i have to get over to understand this (and if someone can help me out there it would be good), but in the mean time does anyone know of a way to automatically force inheritance on files/folders after they have been moved. A GPO of file security setting or something? I thought that we could run a script regularly to reset the inheritance but that seems like a really rubbish solution.

We have access to both Windows 2003 & 2008 servers. (i understand that 2008 maybe slightly better in resolving this problem?)

Many Thanks.

Avatar of oBdA
oBdA

Default behavior for files that are moved on the same partition is that the current permissions are kept.
You can change this behavior by setting the MoveSecurityAttributes to 0; check this article for details:
How permissions are handled when you copy and move files and folders
http://support.microsoft.com/kb/310316
Avatar of MoogControls

ASKER

The registry change seems hit and miss based on the OS and SP level. But its a good start.

After thinking about it and resigning myself to the Microsoft model for file permissions. I think i will need that permission reset script after all.

Does anyone know how to effectively check the box... "Replace all existing inheritable permissions on all descendants with inheritable permissions from this object" found in the security, advanced, tab?
ASKER CERTIFIED SOLUTION
Avatar of MoogControls
MoogControls

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial