Solved

Recursively adding NTFS permissions

Posted on 2010-11-18
4
922 Views
Last Modified: 2012-05-10
Is anyone aware of scripts or applications that will manipulate file and folder permissions easily?

I am currently working for an organization which has historically not had a very good grasp of security. I am trying to get this changed and introduce a number of best practices that have been ignored to date, one of which is the concept that administrators should not be logging on for general use with a domain admin account. I have got all their admins logging on with user accounts and using an elevated rights account to use their applications and consoles under a different context.

The one sticking point in doing this is that they are still expected to help manage the file shares across the network. However, there is only the domain admins group added in with full rights to all our folders. Ultimately I want to add a "file admin" group in so I can manage who has this responsibility but the problem is the folder structure has been built up over the past 15 years and is horrendously complex. Inheritance has been removed from many folders to protect sensitive data so I cannot just add the new group at the top level.

What I guess I am looking for is some way of recursively checking each folder and subfolder to make sure the group does not already exist (for those folders that DO still have inheritance turned on) and adding it with specific permissions for those that don't. I really don't want to even contemplate attempting this manually.
0
Comment
Question by:Wavey_Dave_76
4 Comments
 
LVL 30

Accepted Solution

by:
Zoppo earned 350 total points
ID: 34163420
Hi Wavey_Dave_76,

you should check out 'Xcacls'. This is a VBS script which can be used to view/change permissions of files/folders recursiveley - it can be downloaded here: http://support.microsoft.com/kb/825751/en-us

Hope that helps,

ZOPPO

0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34163501
Hi


On the parent folder stop inheriutence if something unwanted is coming from top. Now you have a check box to replace permission entries on child object with that of the settings of the parent folder. This will propagate the permissions to the child objects and remove whatever it has got configured on it. Hope this is what you want.
0
 
LVL 23

Assisted Solution

by:jakethecatuk
jakethecatuk earned 150 total points
ID: 34163524
Before you do anything - plan very thoroughly.

More to the point, add the perms you want first before removing any.

I would suggest that you think long and hard about removing domain admin/administrator permissions as this could introduce more problems than it cures.  If you have to remove domain admin/administrator perms, add a different group first with full control over the whole file system first.

Whatever tool you are going to use, you may struggle with the depth of the folder tree.  NTFS supports very very long file names, but not applications.  If your folder+filepath exceeds 255 chars, you may have problems changing perms.  To get around this, create a hidden share down the folder tree and then map to that to continue with setting your perms.

Zoppo's post for XCACLS will work.  It is a variation on the built in tool CACLS.

Can't stress this enough - plan very thoroughly as if you get this wrong, you will have a lot of egg on your face and you will lose credibility when it comes to your colleagues.
0
 
LVL 7

Author Comment

by:Wavey_Dave_76
ID: 34163868
I am not planning on removing domain admins from the files, that is our ultimate get-out when (not if) the users stuff things up. I just want to take away the domain admin accounts from the administrators without stopping them being able to do their job.

You make some good points though Jake, worth some points and this certainly isn't something I am planning on doing without testing every permutation properly first.

XCACLS seems to be working very well for me so far with more options than CACLS (the logging and debug is a big plus to confirm it all works in test first).

Thanks guys.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Create your own, high-performance VM backup appliance by installing NAKIVO Backup & Replication directly onto a Synology NAS!
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now