Why it takes so much time to change rights on folder that inherent?

Posted on 2011-10-06
Medium Priority
Last Modified: 2012-05-12

Lets say I have a folder named PIC.
in this folder i have 1 million picture files, some are into other folders inside.
all the files and folders are set to inherent from parent , from PIC.

why when i change rights on PIC, like adding a specific user with read and list access.
it takes alot of time. it working on every file under that foldet and setting rights, why ?

Its on 2008 R2 Server, is there a way to change this ? Many Project managers on the nas says it takes alot of time to change rights.
Question by:yairge
  • 2
LVL 13

Accepted Solution

BCipollone earned 1000 total points
ID: 36925735
The reason is those rights need to be applied to every file inside of that folder.  There is no way to change this except for perhaps turning off inheritance.

This of course would defeat the purpose of assigning the permissions.

The best thing to do is create security groups that have access, then you can just add people to those security groups as needed.

Assisted Solution

CanusRufus earned 1000 total points
ID: 36925793

Permissions and security descriptors
Every container and object on the network has a set of access control information attached to it. Known as a security descriptor, this information controls the type of access allowed to users and groups. The security descriptor is automatically created along with the container or object that is created. A typical example of an object with a security descriptor is a file.

Permissions are defined within an object's security descriptor. Permissions are associated with, or assigned to, specific users and groups. For example, for the file Temp.dat, the Administrator group might be assigned read, write, and delete permissions, while the Operator group might be assigned Read and Write permissions only.

Each assignment of permissions to a user or group is known as a permission entry, which is a type of access control entry (ACE). The entire set of permission entries in a security descriptor is known as a permission set or access control list (ACL). Thus, for a file named Temp.dat, the permission set includes two permission entries, one for the Administrator group and one for the Operator group.

For Active Directory objects, not only will the specified objects in the Apply onto field inherit the access control entries but ALL child objects will receive a copy of that ACE. The child objects not specified in the Apply onto field will not utilize the ACE whose copy they receive but if there are enough objects that will get copies of this ACE, then that increased amount of data can cause serious performance problems to your network.

Expert Comment

ID: 36925808
In other words, As BCipollone states, All files need to change there permission attributes. It has to scan every file to see what is there and change it to reflect what you want
LVL 39

Expert Comment

ID: 37081723
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question