Link to home
Start Free TrialLog in
Avatar of Wavey_Dave_76
Wavey_Dave_76Flag for United Kingdom of Great Britain and Northern Ireland

asked on

Recursively adding NTFS permissions

Is anyone aware of scripts or applications that will manipulate file and folder permissions easily?

I am currently working for an organization which has historically not had a very good grasp of security. I am trying to get this changed and introduce a number of best practices that have been ignored to date, one of which is the concept that administrators should not be logging on for general use with a domain admin account. I have got all their admins logging on with user accounts and using an elevated rights account to use their applications and consoles under a different context.

The one sticking point in doing this is that they are still expected to help manage the file shares across the network. However, there is only the domain admins group added in with full rights to all our folders. Ultimately I want to add a "file admin" group in so I can manage who has this responsibility but the problem is the folder structure has been built up over the past 15 years and is horrendously complex. Inheritance has been removed from many folders to protect sensitive data so I cannot just add the new group at the top level.

What I guess I am looking for is some way of recursively checking each folder and subfolder to make sure the group does not already exist (for those folders that DO still have inheritance turned on) and adding it with specific permissions for those that don't. I really don't want to even contemplate attempting this manually.
ASKER CERTIFIED SOLUTION
Avatar of Zoppo
Zoppo
Flag of Germany image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of moon_blue69
moon_blue69

Hi


On the parent folder stop inheriutence if something unwanted is coming from top. Now you have a check box to replace permission entries on child object with that of the settings of the parent folder. This will propagate the permissions to the child objects and remove whatever it has got configured on it. Hope this is what you want.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Wavey_Dave_76

ASKER

I am not planning on removing domain admins from the files, that is our ultimate get-out when (not if) the users stuff things up. I just want to take away the domain admin accounts from the administrators without stopping them being able to do their job.

You make some good points though Jake, worth some points and this certainly isn't something I am planning on doing without testing every permutation properly first.

XCACLS seems to be working very well for me so far with more options than CACLS (the logging and debug is a big plus to confirm it all works in test first).

Thanks guys.