determining subfolder inheritance
What is the simplest way to determine if there is any discrepancy in a sub folders acl?
Say, I want E:\UserData\TomJones folder to have an ACL containing only system, admins, and TomJones account (this being the only explicitly defined entry).
But a child folder within that structure actually has an explicitly defined ACE for the group Marketing.
How can I determine that all child folders do not follow the rules for the parent folder?
I'm thinking I'll have to perform some recursion and test each folder's security within TomJones folder, but I hope not...any suggestions
Say, I want E:\UserData\TomJones folder to have an ACL containing only system, admins, and TomJones account (this being the only explicitly defined entry).
But a child folder within that structure actually has an explicitly defined ACE for the group Marketing.
How can I determine that all child folders do not follow the rules for the parent folder?
I'm thinking I'll have to perform some recursion and test each folder's security within TomJones folder, but I hope not...any suggestions
uescomp
right click the folder, select properties, then security tab, go into the advanced options, there should be a check box in there that has inherit child objects permissions, this might however remove all users from the folder so you would have to then resetup the users you want to have access to the folder/folders.
ASKER
Sorry, I forgot to add that I need a method to do this from command-line.
I don't necessarily want to remove any security, just validate that there is no discrepancy from what the parent shows...
I don't necessarily want to remove any security, just validate that there is no discrepancy from what the parent shows...
Hi,
you can use powershell command to check that get-acl -path FolderName | FL or better
(get-acl -path x:\temp).Access
It will show you IsInherited as true if inheritance is checked otherwise false if unchecked
you can use powershell command to check that get-acl -path FolderName | FL or better
(get-acl -path x:\temp).Access
It will show you IsInherited as true if inheritance is checked otherwise false if unchecked
ASKER
Hmm - don't have powershell on my 2k3 servers, so that's not going to work here.
I'll look into lcacls and let you know...
I'll look into lcacls and let you know...
you can install powershell
anyways you can check the follow two article on how to use cacls
http://support.microsoft.com/kb/318754
http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/1050976
anyways you can check the follow two article on how to use cacls
http://support.microsoft.com/kb/318754
http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/1050976
ASKER
No, sorry we can't install powershell on the 2k3 servers in our environment.
I'm familiar with cacls - just not the logic I would need to pull this off perhaps...hoping icacls will prove a bit better...
I'm familiar with cacls - just not the logic I would need to pull this off perhaps...hoping icacls will prove a bit better...
ASKER
I see icacls has a method to save and restore the acl, but this isn't quite what I'm after either.
Is there any simple solution that will point out that there are any files/folders beneath the parent that differ from the ACL of the parent?
Is there any simple solution that will point out that there are any files/folders beneath the parent that differ from the ACL of the parent?
No there is not a simple tool.
I know that u cant install ps on ser er but u can install on any workstation xp ,win 7 will have it.log in with ur add min creds n map the server drive n use commands they r really easy
ASKER
Ok, I can perhaps ensure that this is run from a Win7/Win2k8 server, so perhaps ps will work...however I think it needs some tweaking?
Presumably this is just the access for the parent folder - how does it inform me on the differences in any child folders?
I do like the layout that this method presents though - could certainly work for what I'm trying to accomplish...(just when I'd given up on pursuing powershell - ha)
Presumably this is just the access for the parent folder - how does it inform me on the differences in any child folders?
I do like the layout that this method presents though - could certainly work for what I'm trying to accomplish...(just when I'd given up on pursuing powershell - ha)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sorry i gave you for inheritance for access rules everything remains the same except additional property
import-csv -path P:\temp\inheritance.csv | %{Get-Acl $_.FolderName} | FT Path, AccessToString -Wrap
import-csv -path P:\temp\inheritance.csv | %{Get-Acl $_.FolderName} | FT Path, AccessToString -Wrap
ASKER
I get "cannot validate argument on parameter path" (the argument is null or empty).
Where its failing i have tested it works like charms
Can u post the error as well as the command
Can u post the error as well as the command
ASKER
Looks like it's my fault for skipping your instruction to add the header line.
So, this is checking the ACL on each subfolder...how do I compare all of those agains the first (parent) entry?
So, this is checking the ACL on each subfolder...how do I compare all of those agains the first (parent) entry?
I have provided two codes, One check inheritance on subfolder and another one checks permissions
now if you like to compare, the output you will get as boolean true or false.
is that what you looking for?
now if you like to compare, the output you will get as boolean true or false.
is that what you looking for?
ASKER
I'm looking for something that would show
C:\ParentFolder - ACL = Admins:F, Marketing:C, SYSTEM:F
(all matches I don't care about - if any child folders inherit and have no modification on the ACL)
But if there is one that differs, I need to know it:
C:\ParentFolder\Child17 = Admins:F, Marketing:C, SYSTEM:F, Operations:C
I don't really care about the formatting, just that there is a child folder somewhere that isn't holding true to the parent's ACL. Hope that makes sense?
C:\ParentFolder - ACL = Admins:F, Marketing:C, SYSTEM:F
(all matches I don't care about - if any child folders inherit and have no modification on the ACL)
But if there is one that differs, I need to know it:
C:\ParentFolder\Child17 = Admins:F, Marketing:C, SYSTEM:F, Operations:C
I don't really care about the formatting, just that there is a child folder somewhere that isn't holding true to the parent's ACL. Hope that makes sense?
Then i can suggest you a tool called dumsec. Try to use that tool and check if that helps.
ASKER
I ended up using fileacl.
but the code has potential to help with other things. Thanks.
but the code has potential to help with other things. Thanks.