Solved

Add "Include inheritable permissions from this object's parent" to subfolders

Posted on 2010-09-10
40
9,818 Views
Last Modified: 2013-03-19
I have a deep folder structure and there are random folders where inheritable permissions are unchecked. I would like to automatically add "Include inheritable permissions from this object's parent" to all subfolders (and subfolders' subfolders...). I think that I could handle this with PowerShell but I haven't found a way to do this. Does anyone have an idea how to handle this?

Thanks in advance :)
40 Comments
 
LVL 12

Expert Comment

by:Dave
ID: 33652732
I couldn't find any PowerShell but did find this VBS script.

http://www.jdhitsolutions.com/resources/scripts/resetinheritance.txt

0
 

Author Comment

by:thaapavuori
ID: 33652794
Hi,

Thanks. I tried that in my test environment. I think that maybe I didn't understand the syntax. I tried these combinations but didn't succeed. Basically just nothing happens...? Any idea? PowerShell would still be more usable, but VBS is also enough if I get it to work.

Thanks :)


C:\poista>cscript inherit.vbs c:\temp noinherit ON
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Resetting inheritance on c:\\temp to 37892

C:\poista>cscript inherit.vbs c:\temp\aditro noinherit ON
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Resetting inheritance on c:\\temp\\aditro to 37892

C:\poista>cscript inherit.vbs c:\temp\aditro noinherit
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Resetting inheritance on c:\\temp\\aditro to 37892
0
 
LVL 12

Expert Comment

by:Dave
ID: 33653064
I think you need "inherit" not "noinherit". Still looking for PowerShell.
0
 
LVL 12

Expert Comment

by:Dave
ID: 33653293
You might want to download PowerGUI, which will help you script things. The attached script will reset inheritance on the "c:\acltest" folder. Do you need code to walk the tree?

Details of the properties of the ACL are here

http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.objectsecurity_members(v=VS.80).aspx



$acl = Get-Acl "c:\acltst"
# $true means inheritance from the parent is currently disabled on this folder
$acl.areaccessrulesprotected
# $false: inherit from the parent again; $true: keep the existing explicit entries
$acl.SetAccessRuleProtection($false, $true);
set-acl -aclobject $acl "c:\acltst"

0
 

Author Comment

by:thaapavuori
ID: 33657334
Hi,

This VBS script worked, but only for the folder which I specified (e.g. c:\temp), not for subfolders. I would like to reset this inheritance on all of my subfolders.

I tried the PowerShell which you gave me. I got the following error:

C:\Windows\system32>powershell
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> $acl = Get-Acl "c:\temp"
PS C:\Windows\system32> $acl.areaccessrulesprotected
False
PS C:\Windows\system32> $acl.SetAccessRuleProtection($false, $true);
PS C:\Windows\system32> set-acl -aclobject $acl "c:\temp"
Set-Acl : The security identifier is not allowed to be the owner of this object.
At line:1 char:8
+ set-acl <<<<  -aclobject $acl "c:\temp"
    + CategoryInfo          : InvalidOperation: (C:\temp:String) [Set-Acl], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand


Thanks again :)
0
 
LVL 12

Expert Comment

by:Dave
ID: 33657989
Well, it works for me! Two thoughts: that folder already has inheritance set, so that might be the issue. Can you clear inheritance and try again?
0
 

Author Comment

by:thaapavuori
ID: 33660258
You were right. It worked when I specified a folder where inheritance was not checked. But this doesn't help me with my problem, because I have a folder (e.g. c:\temp) and there are a number of subfolders and subfolders' subfolders. I would like to set inheritance on for all of these folders. Already most of the folders have this inheritance on, but there are random folders where it's not.

0
 
LVL 12

Expert Comment

by:Dave
ID: 33661196
Sorry, I might be a VB veteran, but PowerShell takes me much more time. But I need to learn, so thanks for providing practical opportunities. I am a bit surprised someone with more experience hasn't bobbed in and sorted this. However, working with ACLs in PowerShell & .NET does seem simpler than VBScript. The problem is there is so much to learn.

Anyway, the code below should walk the tree and set inherited permissions on. Note it doesn't remove any existing permissions. These will remain in addition to the inherited rights. If you have any DENY ACLs explicitly defined, these will remain in place and may override any ALLOW ACLs inherited from above.

I did a brief test but suggest you do some thorough tests before unleashing it on the world.
Get-ChildItem -Recurse p:\test |
ForEach-Object {
    $acl = Get-Acl $_.FullName
    # AreAccessRulesProtected is $true when inheritance is disabled on this item
    if ($acl.AreAccessRulesProtected) {
        # $false: inherit from the parent again; $true: keep the existing explicit entries
        $acl.SetAccessRuleProtection($false, $true);
        Set-Acl -AclObject $acl $_.FullName
        # print the path of every item that was changed
        $_.FullName
    }
}

0
 

Author Comment

by:thaapavuori
ID: 33661757
Hi,

Thanks again. However, there is still something that doesn't work. The only thing I did was change p:\test to c:\temp.

Here is the output which I got:

Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
At C:\poista\joo.ps1:7 char:10
+         set-acl <<<<  -aclobject $acl $_.FullName
    + CategoryInfo          : PermissionDenied: (C:\temp\SCX-4725:String) [Set-Acl], PrivilegeNotHeldException
    + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

Then I also tried some other folder. If all folders have inheritance set ON I get no errors (and nothing happens either). If some subfolder does not have inheritance ON I get that same error message... So there is still some issue.

I'm not a guy who has a lot of knowledge about programming, so that's why I appreciate your help a lot.

timo
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33671192

If you don't have permission over the folders you won't be able to change the setting. You would have to investigate problematic folders manually.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33671211
I have rights over the folders. The problem is that some other users don't have permissions and I should give them to them...
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33671221

If you're getting the error above then the account you're using to make the change does not have sufficient access to make the changes.

Either that or User Account Control is getting in the way and you need to do the ol' Run As Administrator thing.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33671254
Yes, I have UAC turned on and that is the problem, because on my old Server 2003 I gave permissions to the Domain Admins group and now because of UAC I face problems. But I first started cmd as administrator and then started PowerShell... so I don't see that this would be the problem. And actually for this test I used my laptop and I just manually unchecked inheritance... So I don't understand how it could be a permission issue.
0
 
LVL 12

Expert Comment

by:Dave
ID: 33671331
If inheritance is disabled, how can you be sure you have the necessary rights? Can you use the Security "Advanced" button, then the "Effective Permissions" tab, to check your effective permissions on one of the folders? I expect it shows none. If it does, you can't reset ownership in PowerShell.

I always find this a problem, even in the GUI. I would do a take ownership in the GUI and find that even though I tick "replace owner on objects and subtrees" it doesn't....
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33671354

> But I have started first cmd as administrator and and then strarted powershell

Starting PS itself as Administrator is faster, but what you've done there should suffice :)

> And actually this test which I did I used my laptop and I just manually unchecked inheritance... So i dont understand how
> it could be permission issue.

The command you're running is telling you Permission Denied, you need to verify the rights held by your account.

Which version of Windows is it? If it's XP, grab these:

http://www.microsoft.com/downloads/en/details.aspx?familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Then run:

whoami /priv

It should show you the state of SeSecurityPrivilege (Enabled or Disabled).

It's one of the more frustrating security levels.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33671408
Hi,

On my laptop, where I have tested the scripts, I have Windows 7 x64 Enterprise (my goal is to use that script on a 2008 R2 server).

I ran this whoami /priv after I started my cmd as admin and here are the results:
C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled


In my test on my Win7 I have a c:\temp folder where I have a number of subfolders. Just for testing I took one of my subfolders, turned inheritance off and clicked Add to keep the existing permissions. Then, just for testing, I deleted one user group (e.g. Authenticated Users) and then tried to use that script and faced the problems which I told you about. Does it make sense?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33671469

Yeah, it does indeed. It should be granting SeSecurityPrivilege via the Administrators group. This matches up to the rights assigned by the local system policy. I wouldn't be entirely surprised to discover that whoami isn't reporting them correctly.

We should see that if we run PS as Administrator, then run this:

New-Item "C:\Temp\Test\Other" -Type Directory -Force

Then manually untick "Inherit permissions" and finally run this:

$Acl = Get-Acl "C:\Temp\Test\Other"
$Acl.SetAccessRuleProtection($False, $True)
Set-Acl "C:\temp\test\other" -AclObject $Acl

It should pop the flag back on without whining at you.

If it doesn't, we need to make sure that Administrators still has rights over the folder after removing inheritance.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33671554
This worked as it should and inheritance came back.

The script before was like this:
$acl = Get-Acl "c:\acltst"
$acl.areaccessrulesprotected
$acl.SetAccessRuleProtection($false, $true);
set-acl -aclobject $acl "c:\acltst"

That one worked as well. The problem is that I would like to automatically put inheritance back on all subfolders where it is missing...

Thanks :)
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 33671706

The same privilege requirements apply, but let's go for a recursive example. This is pretty much identical to what you've already been given, just with a bit added to help us debug stuff.

Chris
# Get the directory listing
Get-ChildItem "C:\Temp" -Recurse | ForEach-Object {

  # Get the current ACL
  $Acl = Get-Acl $_.FullName

  # If the access rules are protected inheritance is disabled
  If ($Acl.AreAccessRulesProtected) {

    Write-Host "Enabling Inheritance: $($_.FullName)"

    $Acl.SetAccessRuleProtection($False, $True)
    Set-Acl $_.FullName -AclObject $Acl

    # If that command failed
    If (!$?) {
      Write-Host "I failed. These rights are set on $($_.FullName)"
      Write-Host $Acl.AccessToString
    }
  }
}


0
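An added example, not code from the thread, that does the same job as the accepted answer's loop with the two things the earlier errors in this thread call for: it refuses to run unless the session is elevated (the SeSecurityPrivilege / UAC problem), and instead of stopping at the first Set-Acl failure it records every folder it could not change together with that folder's owner, so the leftovers can be fixed by hand. $Root reuses the C:\Temp path from the thread and $LogPath is a placeholder; change both for your structure.

```powershell
$Root    = 'C:\Temp'
$LogPath = 'C:\Temp\inheritance-report.txt'

# With UAC on, a member of Administrators only holds the needed privileges in an
# elevated token; this is the check behind the SeSecurityPrivilege errors above.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as Administrator" and run this again.'
}

$Report = @()

# -Force includes hidden and system folders that a plain -Recurse would skip.
Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $Folder = $_.FullName
        $Acl    = $null
        try {
            $Acl = Get-Acl -Path $Folder -ErrorAction Stop

            # Protected = "Include inheritable permissions from this object's parent" is unticked.
            if (-not $Acl.AreAccessRulesProtected) { return }

            # $false: inherit from the parent again; $true: keep the folder's own explicit entries.
            $Acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $Folder -AclObject $Acl -ErrorAction Stop
            $Report += "FIXED   $Folder"
        }
        catch {
            # Set-Acl writes the owner back together with the DACL; when that owner is an
            # account the caller may not assign, it fails even though the DACL is writable.
            # Recording the owner shows whether taking ownership is the next step.
            $Owner = 'unknown'
            if ($Acl) { $Owner = $Acl.Owner }
            $Report += "FAILED  $Folder  (owner: $Owner)  $($_.Exception.Message)"
        }
    }

$Report | Out-File -FilePath $LogPath -Encoding UTF8
$Report
$Fixed  = @($Report | Where-Object { $_ -like 'FIXED*' }).Count
$Failed = @($Report | Where-Object { $_ -like 'FAILED*' }).Count
"$Fixed folder(s) fixed, $Failed failed. Details: $LogPath"
```

Run it from an elevated PowerShell prompt. Folders listed as FAILED with an owner other than your own account or Administrators are the ones where ownership has to be taken first; folders that are not listed at all already inherited and were left alone.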
 

Author Comment

by:thaapavuori
ID: 33671850
Thanks. Now I tried your script and the script which I got before. Your script worked and here are the results:

PS C:\poista> .\inheritance.ps1
Enabling Inheritance: C:\Temp\aditro
PS C:\poista>

Here is the script from before, and I still get an error. However, I think that the new script will be enough.

PS C:\poista> .\inherit.ps1
False
Set-Acl : The security identifier is not allowed to be the owner of this object.
At C:\poista\inherit.ps1:4 char:8
+ set-acl <<<<  -aclobject $acl "c:\temp"
    + CategoryInfo          : InvalidOperation: (C:\temp:String) [Set-Acl], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand



This is actually already a different question, but it's partly about this same issue. So in case you might know.

On our old Windows 2003 server (terminal server) we have a folder structure like f:\users\username

In our old system the end user doesn't have permission to this users folder, only to the folder under users which has the same name as his username. This works perfectly in 2003. In 2008 R2 this doesn't work anymore. If the user doesn't have at least read rights to this users folder he is not able to run the program. The point is that users don't see other users' names, but it looks like I need to change our architecture, or do you have some idea that I could try?

The path with which the end user starts the program is here:
"C:\Program Files (x86)\Microsoft Office\Office12\msaccess.exe" /excl /runtime "f:\users\%username%\em7.mdb"

If that user doesn't have rights to that users folder he gets the error message: "68:Device unavailable".

Thank you very much. I really appreciate your time and effort :)
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33671894

It should let you traverse. However, if it completely refuses you can enable Access Based Enumeration to achieve the same thing (they only see what they have rights to see).

Typically I map our user drives to the user folder directly so the "users\%username%" folders are masked.

e.g.

net use h: \\server\users\%username%

That way they don't need rights to the folders above at all (under any circumstances), only to their own folder.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33671941
Yep. In my case I can't map that drive; it needs to be a local drive (or let's say that the vendor is saying that we need to use local paths).

How can I enable this "Access Based Enumeration"? Can I use the same thing for the c:\users (or c:\documents and settings) folder (the folder where user profiles are stored)? That has been a problem because I haven't found a way to deny users from seeing the content of this folder.

Thanks :)
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33671972

Oh I see, I assumed mapped. I don't think you can enable Access Based Enumeration on a regular client OS, although I confess I've never actually tried.

I'm afraid I'm not entirely sure how you'd get around it there.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33672023
Okay. Thanks anyway. You already solved my other issue :)
0
 

Author Comment

by:thaapavuori
ID: 33676958
Now I used this script in our production environment. The script worked as it should, but it wasn't enough. There are a couple of files and folders where this inheritance still doesn't work as it should. Inheritance is checked as it should be, but permissions are not following for these particular files and folders. I think that at some point these files' and folders' ACLs have somehow become corrupted. Is there some way to check the ACLs for the whole folder structure and fix them? This folder structure is very old and this is not the first time we have moved it to a new server, and I think that's why it has somehow become corrupted...
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33680765

It depends on the nature of the problem. It could simply be that specific entries are not set to apply to files.

It's not going to be very easy to fix without knowing exactly what's broken about it :-\

Chris
0
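An added example, not code from the thread, for finding out what "inheritance is ticked but the permissions do not follow" actually means on a given pair of folders. Whether a parent's entry reaches a child is decided by the entry's inheritance and propagation flags (the "Apply to" column in the Advanced Security dialog: this folder only, subfolders, files, this container only), so the script lists those flags for every explicit entry on the parent and then reports, for one direct child, which entries are missing and which were never meant to propagate. $Parent and $Child are placeholders standing in for the two folders in the screenshot; it only examines the parent's own entries, so for entries the parent itself inherits run it again one level up.

```powershell
$Parent = 'C:\Temp'
$Child  = 'C:\Temp\aditro'

# Explicit (non-inherited) entries on a folder, with the flags that decide what they pass down.
function Get-ExplicitEntryReport {
    param([string]$Path)
    $Acl = Get-Acl -Path $Path
    foreach ($Ace in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
        $CI = ($Ace.InheritanceFlags -band [Security.AccessControl.InheritanceFlags]::ContainerInherit) -ne 0
        $OI = ($Ace.InheritanceFlags -band [Security.AccessControl.InheritanceFlags]::ObjectInherit) -ne 0
        $NP = ($Ace.PropagationFlags -band [Security.AccessControl.PropagationFlags]::NoPropagateInherit) -ne 0
        $IO = ($Ace.PropagationFlags -band [Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
        # Same wording as the "Apply to" column in the Advanced Security dialog
        $Scope = @()
        if (-not $IO) { $Scope += 'this folder' }
        if ($CI)      { $Scope += 'subfolders' }
        if ($OI)      { $Scope += 'files' }
        if ($NP)      { $Scope += '(direct children only)' }
        New-Object PSObject -Property @{
            Identity     = $Ace.IdentityReference.Value
            Type         = $Ace.AccessControlType
            Rights       = $Ace.FileSystemRights
            ToSubfolders = $CI
            ToFiles      = $OI
            AppliesTo    = ($Scope -join ', ')
        }
    }
}

$ParentEntries = @(Get-ExplicitEntryReport -Path $Parent)
"Explicit entries on $Parent and what they apply to:"
$ParentEntries | Format-Table Identity, Type, Rights, AppliesTo -AutoSize

$ChildAcl    = Get-Acl -Path $Child
$ChildIsFile = -not (Get-Item -Path $Child -Force).PSIsContainer

if ($ChildAcl.AreAccessRulesProtected) {
    "$Child has inheritance disabled; re-enable it before looking any further."
} else {
    foreach ($Entry in $ParentEntries) {
        # For a direct child only the container/object flags matter;
        # NoPropagateInherit cuts the chain one level lower.
        $ShouldReach = if ($ChildIsFile) { $Entry.ToFiles } else { $Entry.ToSubfolders }
        $Present = @($ChildAcl.Access | Where-Object {
            $_.IsInherited -and
            $_.IdentityReference.Value -eq $Entry.Identity -and
            $_.AccessControlType -eq $Entry.Type
        }).Count -gt 0

        if (-not $ShouldReach) {
            "BY DESIGN  $($Entry.Identity) ($($Entry.Type)) applies to $($Entry.AppliesTo); widen the entry on the parent if the child should get it."
        } elseif (-not $Present) {
            "MISSING    $($Entry.Identity) ($($Entry.Type)) should be inherited by $Child but is not; disable and re-enable inheritance on the child."
        } else {
            "OK         $($Entry.Identity) ($($Entry.Type)) is inherited by the child."
        }
    }
}
```

A BY DESIGN line means the parent is configured that way and no amount of resetting the child will change it; a MISSING line is the case this thread is about, where the child's inherited entries have drifted from the parent and a disable/re-enable of inheritance on the child rebuilds them.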
 

Author Comment

by:thaapavuori
ID: 33681170
Please look at my pic. The first pic is the subfolder. As you can see, inheritance is checked. The second pic is the parent folder of that first pic. As you can see, these permissions are not moving from the parent folder to the subfolder. This is my new problem. Most files and folders started to work after your PowerShell script, but now there are multiple files and folders which are acting like this example.

I made also new question about this and it's here: http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_26474122.html?cid=1333#a33680465

Thanks again.
inheritance.png
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33681235

Unset then reset inheritance on the child folder and see which entries appear?

When unsetting tell it to Remove the existing entries.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33681265
Okay. I unset it and all permissions disappeared. Then I took ownership of that folder back and checked inheritance back on again. Now all permissions came from the parent folder... So this way I could solve it... but there are a number of this kind of folders and files...
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33681297

Hmm you might get around it like this:


$Acl = Get-Acl "TheBrokenFolder"
# Protect the DACL and drop the inherited entries ($False = do not keep copies of them)
$Acl.SetAccessRuleProtection($True, $False)
Set-Acl "TheBrokenFolder" -AclObject $Acl
$Acl = Get-Acl "TheBrokenFolder"
# Inherit from the parent again (the second argument is ignored when the first is $False)
$Acl.SetAccessRuleProtection($False, $False)
Set-Acl "TheBrokenFolder" -AclObject $Acl


Ownership may be a problem with that.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33681331
So you mean that I replace "TheBrokenFolder" with the path? This folder structure is very deep. Can I just specify the first parent folder (e.g. c:\temp)?

Timo
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33681430

Yep. We need to test this method first to see if it's a viable fix.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33681500
I specified a folder which I know includes files (direct child files) where I have this problem. Here are the results. So it looks like it fails.

Timo

Set-Acl : Attempted to perform an unauthorized operation.
At C:\temp\acl.ps1:6 char:8
+ Set-Acl <<<<  "F:programs\program\users\username\Pro" -AclObject $Acl
    + CategoryInfo          : PermissionDenied: (F:program\...username\Pro:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33681532

Thought it might do that.

Fix up that folder, then try this one please.



$Acl = Get-Acl "TheBrokenFolder"
$Acl.SetAccessRuleProtection($True, $False)
$Acl.SetAccessRuleProtection($False, $False)
Set-Acl "TheBrokenFolder" -AclObject $Acl


It shouldn't really make any difference, but I'd like to give it a try.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33681663
I'm not sure I understood. If I run your script like the script before, I don't get any error message, but it doesn't fix anything either. If I fix that folder manually beforehand, there is nothing left to fix. I think I missed something.

Timo
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33682543

I'm not really surprised. It changes stuff in the ACL but doesn't commit changes until the end.

Anyway, we can't globally fix folders in a structure unless we know what's wrong. We need to be able to test stuff to find a fix.

Chris
0
 

Author Comment

by:thaapavuori
ID: 33682592
I tried this script. This almost worked, but it skipped these problem files and folders...
$ErrorActionPreference = "SilentlyContinue"   # errors are swallowed, so items that fail are skipped without notice

$path = 'f:\programs\users'
$baseACL = Get-Acl $path                      # the parent's security descriptor (owner included)
$items = Get-ChildItem -Path $path -Recurse

foreach ($item in $items) {
    # Stamp the parent's descriptor onto the child, then strip the child's own explicit entries
    Set-Acl $item.FullName $baseACL
    $itemACL = Get-Acl $item.FullName
    $itemACEs = $itemACL.Access
    foreach ($itemACE in $itemACEs) {
        if ($itemACE.IsInherited -eq $FALSE) {
            $null = $itemACL.RemoveAccessRule($itemACE)
        }
    }
    Set-Acl $item.FullName $itemACL
}

$path = $baseACL = $items = $item = $itemACL = $itemACEs = $itemACE = $ACLset = $null

0
 

Author Comment

by:thaapavuori
ID: 33682648
Actually this script which I tried is not perfect even if it would work, because it deletes these folder-specific permissions, but it should not be such a big deal because this username folder always has Modify rights for the user with the same name as the folder. So I think that it's easy to script.

Timo
0
 

Author Comment

by:thaapavuori
ID: 33682838
I made some progress.

I ran TAKEOWN /F F:\programs\users /R /A

Then I ran the script which I pasted here before. And now it looks like there is no corruption in the ACLs anymore. My next thing to do is to find a way to set Modify access for users to their own folder.

Timo
0
 

Author Comment

by:thaapavuori
ID: 33683227
Okay. Now I have found a way to set permissions for users to their own folder. I attach that batch here. I think that I have finally solved my issue. Thank you very much.
@echo off
Setlocal
If {%1}=={} GOTO bad
If {%2}=={} GOTO bad
If NOT Exist %1 GOTO bad
REM Third argument: C = Change (Modify), F = Full Control; default is C
If {%3}=={} set perm=C&goto ok
If {%3}=={C} set perm=C&goto ok
If {%3}=={F} set perm=F&goto ok
Goto bad

:ok
Set pf=%1
Set dom=%2
Set pf=%pf:"=%
Set dom=%dom:"=%
REM One cacls call per subfolder; the folder name is taken to be the user name
For /f "Tokens=*" %%a IN ('Dir "%pf%" /AD /B') DO Set user=%%a&call :parse
Endlocal
Goto :EOF

:bad
@echo Usage: SetPerm "Drive:\Directory of Users Parent Folder" "NetBIOS Domain Name" [C or F]
@echo.
Endlocal
Goto :EOF

:parse
REM /E edits the ACL in place, /P replaces the user's entry; echo Y answers the confirmation prompt
For /f "Tokens=5*" %%c IN ('echo Y^| cacls "%pf%\%user%" /E /P "%dom%\%user%":%perm%') do @echo %%d

0
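An added example, not code from the thread: a PowerShell version of the two manual steps the author ended up with (TAKEOWN over the users tree, then the SetPerm batch), folded into one pass. For each folder directly under $UsersRoot it takes ownership for Administrators, re-enables inheritance, removes the folder's own explicit entries so only what the parent passes down remains, and grants DOMAIN\<folder name> Modify on the folder, its subfolders and its files. $UsersRoot and $Domain are placeholders. Unlike the batch, it resolves the account before touching the ACL, so a folder whose name is not a user is reported and skipped instead of receiving an entry for an unresolvable name.

```powershell
$UsersRoot = 'F:\programs\users'
$Domain    = 'CONTOSO'    # NetBIOS domain name, placeholder

$Rights  = [Security.AccessControl.FileSystemRights]::Modify
$Inherit = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # subfolders and files
$Prop    = [Security.AccessControl.PropagationFlags]::None                           # and this folder itself
$Allow   = [Security.AccessControl.AccessControlType]::Allow

Get-ChildItem -Path $UsersRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $Folder  = $_.FullName
    $Account = "$Domain\$($_.Name)"

    # Fail early if the folder name is not an account in the domain.
    try {
        $Sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
                   [Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account '$Account' for '$Folder'; skipped."
        return
    }

    # Same as the TAKEOWN /F <folder> /R /A the author ran: ownership of the folder and
    # everything below it goes to Administrators, so Set-Acl no longer fails with
    # "Attempted to perform an unauthorized operation" on items owned by someone else.
    # /D Y answers Yes where the caller cannot even list a subfolder.
    & takeown.exe /F $Folder /R /A /D Y | Out-Null

    $Acl = Get-Acl -Path $Folder

    # Inherit from the parent again. The second argument only matters when protecting,
    # so the folder's own explicit entries have to be removed one by one.
    $Acl.SetAccessRuleProtection($false, $true)
    foreach ($Ace in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$Acl.RemoveAccessRule($Ace)
    }

    # Grant the user Modify, inherited by subfolders and files (cacls /E /P user:C equivalent).
    $Rule = New-Object Security.AccessControl.FileSystemAccessRule($Sid, $Rights, $Inherit, $Prop, $Allow)
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $Folder -AclObject $Acl

    "$Folder -> $Account : Modify (this folder, subfolders and files)"
}
```

Run it elevated. Like the author's batch, it discards every explicit entry on the per-user folder, which is acceptable here only because the thread established that the user's own Modify right is the one entry those folders are supposed to carry; on a tree with deliberate per-folder exceptions, keep the second argument to SetAccessRuleProtection and drop the removal loop.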
