sirbounty

Re-apply ACL to share/folder

I'm performing a file scan and collecting information from all of a server's shares into a report file.
Running into trouble when something is amiss with permissions, requiring me to often take ownership and re-push the permissions down the tree (nothing's changing, just re-applying the inheritance).
Is there a way to automate this, so that my code can accommodate those scenarios, rather than announcing them so I have to perform the cleanup manually and rerun the report?  Servers are all Windows 2003
I'm not opposed to command-line tools in a shell process, but would prefer they be native.
13598

My copy pasting got mixed up.
The attached file contains instructions on a registry key change for your server so when files are copied they carry the permissions with them.
It came in really handy when I had to create a backup server and had to copy many files where many different users had different permissions to different folders/files.

ASKER

Not sure that's what I'm attempting to do here.
I'm simply performing a recursive scan of a local server volume, and collecting file details (date, size, etc.).
Every so often a folder comes up with an Access Denied.  If I manually claim ownership, and re-push the permissions, I can re-run the code and get the results back as expected.  
So, I'm not copying between servers.  Just curious if there was an easy way to take ownership and reapply perms down the tree...
Oh. I see. Are you running your program with elevated permissions, using run as administrator?
Win2k3, not 2k8.  Running under domain admin credentials.
Hey SirBounty,

Catch the access denied exception then perhaps attempt to call the SetOwner method from System.Security.AccessControl.FileSystemSecurity? Or did you try that already?

If that works you may either disable AccessRuleProtection or load a couple of access control entries to finish things off?

Chris
No, I haven't tried it. I'll give it a shot.  Thanks.
'I'm performing a file scan and collecting information from all of a server's shares into a report file'
How are you doing that? Take a look at this:
http://www.vbdotnetforums.com/vb-net-general-discussion/21011-my-computer-filesystem-findinfiles-unauthorizedaccessexception-directorysecurity.html

Chris-Dent - would you have an example?

This is a slimmed down version of the code snippet:
Try
  For Each fi As FileInfo In aDir.GetFiles()  'Access denied flags here (5)
    Try
      Dim ShortName As String = ResolveToShortPath(fi.FullName)
      Dim RO As Boolean = False
      Dim Owner As String = GetOwner(fi)
      Dim ext As String = fi.Extension.ToLower
      If (File.GetAttributes(fi.FullName) And FileAttributes.ReadOnly) = FileAttributes.ReadOnly Then RO = True
      '...
    Catch ex As Exception
      'Per-file failure: flag it and carry on with the next file
      IsInError = True
      Console.WriteLine(ex.Message)
    End Try
  Next
Catch ex As Exception
  '... outer handler not shown in the original snippet
End Try


I've maxed out the points - would really like a working solution on this, if you have any examples?
I appreciate your help! :^)
Damn I'm sorry I completely forgot. Let me throw something together.

Chris
ASKER CERTIFIED SOLUTION
Chris Dent

This solution is only available to members.
No errors against a test folder on my local drive, but the owner doesn't seem to change either - still shows me as the owner, rather than admins.

I think the other part of my issue is that it throws an exception in my for/each block, and I've no clue how to pick up from where it left off.  I tried passing the folder/file item to a sub, but it generally burps at the 'collection' piece.
Oops - my mistake, it actually 'did' work - I was looking at the parent owner - it changed the child object.
However, if I change it to a domain account, Domain Admins, for example, it fails with:
The security identifier is not allowed to be the owner of this object

Any ideas?

Yeah, the constraints on SetOwner are extreme. It must be the current user or token of the current user. Essentially either the user, or a group like Administrators. Discussed here:

https://connect.microsoft.com/VisualStudio/feedback/details/96556/setowner-method-in-namespace-system-security-accesscontrol-does-not-work

If you want to set to a different security principal I'm afraid you're a bit out of luck with .NET. A frustration I've bumped into before when trying to do much the same thing in PowerShell.

I can spend a bit more time with this and make it more robust and useful if you're happy enough with the limitations?

Chris
Tried it also with the SID of Domain Admins, but it gives me the same error. : \

Yeah, limited is a bit of a tame description :)

Chris
(oops - didn't refresh)

Oh, so you're saying I'd have to take ownership with my specific account? Hmm... I'm not sure about that....

What I do (manually) now is, right-click, security, advanced, owner, and then assign Administrators to all sub folders.  Then I have to go back to the security tab, advanced, and replace permissions on all child objects.
That's the bit I'm trying to automate.

If you're saying that it's not possible, unless I claim ownership for 'my' account, then I'll need to think about that.  Didn't really want to take specific user ownership...

No, you should be able to set Administrators as owner (hopefully as in the example above), provided the current identity (the caller) has the Administrators group listed in their token (which they should if they're a member of that).

Chris
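
An added example, not code from any poster in this thread, of the approach discussed above for the .NET Framework: catch the access-denied error, make BUILTIN\Administrators the owner, clear ACL protection so inheritance applies again, then retry that folder without aborting the rest of the scan. `ScanWithAclRepair`, `TryRepair` and `Scan` are hypothetical names, and the code assumes the caller's token contains the Administrators group. If the folder's DACL does not grant the caller WRITE_OWNER, Windows allows the owner change only when SeTakeOwnershipPrivilege is enabled in the token; this code does not enable it, so it reports the failure and moves on.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module ScanWithAclRepair   ' hypothetical name, added example
  ' Make BUILTIN\Administrators the owner, then let the folder inherit again.
  Function TryRepair(ByVal folder As String) As Boolean
    Try
      Dim admins As New SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, Nothing)
      ' A fresh descriptor persists only the owner, so the unreadable one is never read.
      Dim ownerOnly As New DirectorySecurity()
      ownerOnly.SetOwner(admins)
      Directory.SetAccessControl(folder, ownerOnly)
      ' An owner may read and write the DACL: clear its "protected" flag.
      Dim acl As DirectorySecurity = Directory.GetAccessControl(folder, AccessControlSections.Access)
      acl.SetAccessRuleProtection(False, False)
      Directory.SetAccessControl(folder, acl)
      Return True
    Catch ex As Exception
      Console.WriteLine("Repair failed for {0}: {1}", folder, ex.Message)
      Return False
    End Try
  End Function

  ' Explicit stack instead of recursion: a denied folder is retried once, then skipped.
  Sub Scan(ByVal root As String)
    Dim pending As New Stack(Of String)()
    pending.Push(root)
    While pending.Count > 0
      Dim current As String = pending.Pop()
      Dim repaired As Boolean = False
      Do
        Try
          ' Fetch both listings first so a retry never reports a file twice.
          Dim files As String() = Directory.GetFiles(current)
          Dim dirs As String() = Directory.GetDirectories(current)
          For Each f As String In files : Console.WriteLine(f) : Next  ' collect details here
          For Each d As String In dirs : pending.Push(d) : Next
          Exit Do
        Catch ex As UnauthorizedAccessException
          If repaired OrElse Not TryRepair(current) Then Exit Do
          repaired = True
        End Try
      Loop
    End While
  End Sub
End Module
```

Because the repair changes ownership and inheritance on every folder it touches, log each path it modifies so the changes can be reviewed afterwards.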
I'm a bit confused then?  But I'll try a live test and get back to you.
Thanks again for the help!

Okay, let me know how it goes :)

Chris
Having too many .Net related issues, so I switched to vbscript... : \
Thanks.