Solved

What is the best/perfect way to take complete file/folder ownership and full permissions in NTFS?

Posted on 2011-02-17
26
1,016 Views
Last Modified: 2012-05-11
As a computer tech frequently engaged with customer data recovery, I seek advice on infallible means for taking file and folder ownership and subsequent full permissions on NTFS partitions. My initial research led me to using <icacls> and <takeown> when working from Vista/Win7 kernel O/Ses. However, <takeown> appears not to have a switch to turn off link-following, as does <icacls>. This has been problematic in some circumstances for me. I subsequently pursued the use of <subinacl> when working from XP O/S environments. This appears to offer a superior method. Subsequent testing on my part whether <subinacl> might operate in Vista/Win7 suggests that it will (to my surprise), in fact, work (in both 32-bit and 64-bit settings), and in what appears to be normal manner. However, I wanted to settle my uncertainty by asking Experts Exchange. Thanks for what I hope will be definitive advice that resolves this issue for me.
0
Comment
Question by:quickfixbryant
  • 12
  • 5
  • 5
  • +1
26 Comments
 

Author Comment

by:quickfixbryant
ID: 34921440
P.S. - I also explored using <SetACL>, but found this to not work, at least not in my hands. Of course, I won't rule out that I may have incorrectly used the required syntax for <SetACL>, which I, frankly, found a bit confusing/complex.
0
 
LVL 10

Expert Comment

by:rscottvan
ID: 34926541
Can you explain a little better what you're doing?  Why are you needing to take ownership of folders?  What's the symptom your fixing?  Is there a reason the GUI won't work for you?
0
 

Author Comment

by:quickfixbryant
ID: 34927102
There have been occasions where I have received access denied errors during <robocopy> file transfers when backing up customer data from a hard drive prior to performing repair service on their system. Due to the absolute criticality of saving user data, I want to ensure that I have used absolutely the biggest hammer possible to guarantee that I am, by no means, missing any files. Vista/Win7 <robocopy> support for raw copying of EFS files (using the /efsraw switch) has eased my concerns about missing EFS files. However, the GUI method has failed to provide me permissions and full access I've sought, on some occasions. For that reason, I am seeking advice on what is the most-absolute method available so I can communicate, with highest confidence, to our customers that I can effectively guarantee that I will miss no files that they could possibly ever need during my data backup procedure.
0
 
LVL 11

Expert Comment

by:ocanada_techguy
ID: 34929593
Ahh, then for one, you use the backup program in windows, or there are Enterprise class backup programs that have a client/server type setup where the backup server centrally administersthe schedules and media and a client piece runs on the clients to collect workstation-local files for the central backup.  These can be full, differential or incremental.  

Besides the best hammer for clobbering permissions on existing stuff, would be some best practices considerations: a) organize folders so that permissions can be set once on the parent folder and all subfolders and files therein can simply inherit the right ownership/permission, and b) use local groups to define functional groups much the same way the folders need to be secured/separated/organized, so it is a simple matter of adding local users, or in a domain model add global groups or domain users to a local group and voila, they have the right permission. c) generally whoever made the file is the owner of the file, and that's probably best to keep it that way.  An idiosyncratic exception is when on as Administrator, ownership defaults to the Administrators group instead of just the admin user.  d) XP/Vista/7 "simple file sharing" doesn't mean the layers of ACL and security aren't there, it just means the tab is hidden and everything defaults to a simple default permission e) Server editions, whether standalone and especially domain have slightly more "default" security of the folder permissions, and share permissions, than a XP box with simple file sharing would.

For a further explanation of a) b) and d) see my answer here http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_26799846.html
0
 
LVL 11

Expert Comment

by:ocanada_techguy
ID: 34929687
One of the things you'll be interested to know is, when running in Windows you cannot do certain things to files that you do not have permission on or do not own, BUT... some of those maintenance type operations are possible without having to take ownership of a whole whack of content recursively simply by running in a WinPE (preinstall environment), so for example if booting from a recovery console or BartPE or Unbutu or Linux and mounting/accessing the filesystem that way, you can backup a disk folder tree or make repairs to corruption of a disk without first having to take ownership of all those objects.  When there are problems on a filesystem, that is NOT the time to start trying to apply thousands of ACL changes.
It seemed to me you might even get access to files that the Administrators group does not otherwise have permission to, avoiding the need to take ownership so that you can then fix the permissions so that Administrators group can access, BUT.... not completely sure on that, you'd have to test to confirm that, unless someone else can say for certain?
0
 

Author Comment

by:quickfixbryant
ID: 34929740
Perhaps I should have explicitly stated that the hard drives from which I am dumping files are (almost always) system drives pulled out of boxes that are extremely ill (i.e., viciously infected, extremely corrupted O/S installations, extremely corrupted file systems, drives that are physically failing but hanging on by the barest of threads, etc.). As such, these sick hard drives are slaved to our shop utility boxes, from which the file extraction is performed. None of the activities to which this question pertains are performed natively from healthy systems. I appreciate the significance and relevance of the suggestions by <ocanada techguy>, however, to implement effectively assumes dumping files natively, from an otherwise healthy O/S environment. That is not my circumstance. As opposed to offering alternative possible functional scenarios, if a dead-on-specific answer to the direct question I posed could be offered, that would be great. Thanks much!
0
 

Author Comment

by:quickfixbryant
ID: 34929785
So, <ocanada techguy>, are you suggesting that the most reliable way to retrieve files from an NTFS partition is to execute a <sudo cp -aux *> from an H/D slaved to an Ubuntu booted box, for example? I have done this, but, again, in some circumstances I have not been able to extract all of the files from the NTFS partition. Would another command line instruction set perform more aggressively?
0
 

Author Comment

by:quickfixbryant
ID: 34929906
Revise: I meant <sudo cp -auv *>, not <x>. Also, your point about yicking around with ACLs on unhealthy file system drives is well taken. I probably have not appreciated strongly enough that point. I generally do execute file system corrections prior to data extraction on drives that present with significantly unhealthy symptoms. What I have resorted to in this regard includes using <ntfsfix> from Ubuntu on drives onto which I cannot force a mount from a Windows environment, followed by <chkdsk>, if/when <ntfsfix> gets me to a point where I can work with the partition from a Win environment. If you have additional/alternative suggestions in this regard, I'm all ears. Thanks again very much for your input!
0
 

Author Comment

by:quickfixbryant
ID: 34935391
Another thought: From a Linux environment, might recursive superuser application of <chown> and/or <chmod> to relieve access restrictions prior to attempting a <cp -auv> file dump overcome denied accessibility limitations? Agani, thanks much for any insight(s) that can be offered.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 34936151
In my experience, linux doesn't really care what windows ownership/permissions the files have.

Especially using dd (instead of cp) and mounting them to a USB port through USB-to-EIDE/SATA adapters.

Your mileage may vary, of course.
0
 
LVL 11

Expert Comment

by:ocanada_techguy
ID: 34948891
Right, exactly, that was my impression, that chown was not required and that is why Unbutu/Linux/Unix variants are preferred platform on boot CDs for data backup/clone (Acornis, Paragon, Clonezilla etc) data recovery (PartedMagic, TestDisk, GetDataBack, etc) or even straight dd copy or getting access to the drive and its contents.

I like a cube/desktop rather than a laptop for a test-bench/diagnostic/repair machine because I am against using a USB adapter if possible for two reasons: a) USB is a 7x slower bus than SATA so a single drive is typically 3.5x slower on USB, and when the drive may be failing or problems are thermal, the faster I can get a copy/backup, the far far better it is
b) the USB spec standardized on the SCSI command-set, so many programs, HDDRegenerator, SpinRite, Hdat2, manufacturer's disk diagnostics, cannot directly access the drive, a you can't get there from here, lost in translation, type issues, making some repairs impossible
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:quickfixbryant
ID: 34951194
Thanks for the commentary, all. Not all H/D partitions are always freely accessible from Linux mounts, either internal or, certainly, USB via ATAPI bridge, so even that route has failed to always allow unfettered access. However, your input has been appreciated, but now I'll close this question. Thanks again.
0
 
LVL 11

Expert Comment

by:ocanada_techguy
ID: 34952968
Hey no fair.
What are you a wise guy? Do I amuse you? - Joe Pesci
Ahem, by your own admission answers were very helpful, so how then can they not at least qualify as assist and points?  so "appreciate" away there buddy. *laughs
0
 

Author Comment

by:quickfixbryant
ID: 34953175
Nope. Not a wise guy. Nope. Not amused. Not sure where "my own admission" is in the above thread. Glad my appreciation gave you a few laughs. Any alternative suggestion to <subinacl> that can be deemed superior? --Buddy
0
 
LVL 44

Expert Comment

by:Darr247
ID: 34958629
If the question wasn't answered, this thread should be deleted, in my honest opinion.
0
 

Author Closing Comment

by:quickfixbryant
ID: 34988609
No additional comments.
0
 

Accepted Solution

by:
quickfixbryant earned 0 total points
ID: 35002082
So, I didn't mean to give all points to Darr247... sorry about that one.  I clicked the wrong button.

To date, I believe the best/most effective tool to gain full access is to use subinacl in a batch like this:

subinacl /subdirectories %1 /setowner=everyone
subinacl /subdirectories %1\*.* /setowner=everyone
subinacl /subdirectories %1 /grant=everyone=f
subinacl /subdirectories %1\*.* /grant=everyone=f
attrib -r -a -s -h %1 /s /d
attrib -r -a -s -h %1\*.* /s /d

This has gotten me around 'access denied' errors in even the most stubborn cases.  

I've been VERY surprised to get these access denied errors even in Linux...  After using this routine, I no longer need to use Linux.  The files come off in a windows environment.



0
 
LVL 11

Expert Comment

by:ocanada_techguy
ID: 35016689
You can do that, but clobbering the ownerships and permissions and attributes is far from best, not best practices, and so not perfect.  There are better ways to image or backup disk contents that retain the ACLs, or data recovery of files that bypass/ignore them.  Are those the "fastest", no likely not.  Presumably these ACLs were set for a reason.  Neither is it good practice to expose operating system hidden and system files changing them to neither system nor hidden attribute.  And again, if this were during disk failure rescue then you also increase risk of further damage by writing changes to the disk in addition to throwing ACL settings, information of a sort, out the window in doing so.  We can also anticipate encountering more encrypted and BitLocker'd content in future where best practice would be a requirement and data backup steps had best be followed not ignored.

That said, if a specific folder tree had been permissioned "all wrong" or say a box were migrating from standsalone to domain and needed ACLs adjusted, closer to the narrow scope of your specific constraints on the question, subinacl would work, attrib would still not be appropriate though.   But i'll repeat I think your perception and so your narrow question turns a blind eye to the real problem.  Sure, most of the time you may not care, individual home users and such, but keep in mind it may come back to bite you, especially corporate and enterprise environments.

And further, it is not best in the long run for storage or performance to set security descriptors on every single object individually like that.  If you have 750000 files you don't really need 750000 individual security descriptors set.  Best practices is for files to be organised such that you set the security permissions on a parent folder, and objects beneath inherit their permissions from the parent object, and when different security is needed, make a subfolder and set it on that.

Admitedly, the catch-22 problem, the concern comes when users try to shield their files from the Administrators group, which in theory should never be allowed, but that's why even if a user narrowly constrains the ACL security, the administrator is the exception and can still take ownership. But the problem has been many XP programs require or expect administrator priviledge such that everybody is an administrator, which should also never have been allowed to be so, prompting security privavcy paranoid to try to lock out administrators, and is finally being corrected in Vista/7.  

I appreciate your very specific question, and the very important questions that are raised by it.  It is I think a very interesting and important question.  I very much enjoyed the discussion.  

PS Sorry if my attempt at injecting humour as a Goodfellas character left you cold.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 35017245
> So, I didn't mean to give all points to Darr247...
> sorry about that one.  I clicked the wrong button.


I've requested this be re-opened so you can try again.
0
 

Author Comment

by:quickfixbryant
ID: 35047664
Thanks, but I solved my own question.  These hard drives are headed for the trash can.  I only need access to the files once.  My solution solves this data recovery issue.  It gives me total permission and control of the files.  I can get them off of even the most sick file systems now (win xp, vista, and win7).  No other tool combo has been able to do this... not even Linux.  You can mark it as answered, but there are no points to assign.  This comment should be marked as a solution:

02/28/11 05:15 PM, ID: 35002082

I hope this thread can help others suffering from messed up file systems and data recovery problems.  Thanks to all who took the time to answer and offer suggestions.

Sorry, ocanada_techguy, for mistaking your humor for a dig.  I appreciate your input and time.

Take care, all.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 35047687
Just mark that message as the solution and give yourself 0 points.

I think the only way that shouldn't work is if you try to then give yourself points for the solution, which is not allowed.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 35175494
Well, I hope users looking for answers in similar situations (overriding ownership/permissions during data rescue) do not skip past the caveats given in http:#34929687 and http:#35016689 just because they were not selected as assists.
0
 

Author Closing Comment

by:quickfixbryant
ID: 35239012
I solved my own problem.  The other suggestions I had already tried... they failed.  This successfully granted me access to a damaged hard drive's files so that I could perform a data recovery.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now