Posted on 2011-10-06
On a Windows Server 2008 R2 system, we heavily use ICACLS.exe within a sizeable command-line batch file script for creating dedicated security groups, creating a specific folder tree, and assigning very specific NTFS permissions to numerous folders within the tree.
The first iteration of the script used XCACLS.vbs, which was very effective, but very slow. Each use of XCACLS.vbs in the script could take anywhere from 0.25 seconds to more than 120 seconds to complete depending on network and server load factors at the time the script was run. The script contains approximately 75 separate commands to set specific, granular ACL entries on individual folders.
When we upgraded to Windows Server 2008 R2, we discovered the hard way that XCACLS.vbs doesn't support the newer OS, so we revamped the script to use ICACLS.exe, which turned out to be far, FAR faster anyway.
However, we have come across some odd, inconsistent anomalies when using the script. Every now and then, we'll discover that some ACLs were not changed after the script has completed. We generally try to keep an eye on the script results to ensure that "Failed processing 1 files" doesn't appear, and we've confirmed that the results report successful processing even though some permissions are not set according to the scripting.
The biggest point here is that it is NOT consistent. It correctly sets all of the specified permissions most of the time, and every now and then we find folders that are missing specified permissions. We've gone through the scripting very carefully, and cannot cause the issue to occur when stepping through.
Is anyone aware of an issue with ICACLS.exe that may account for this?
Is it possible that the script may be processing so quickly that ICACLS actually misses a few steps along the way?
Is it possible that the script may be processing so quickly that the server cannot keep up with the changes and drops a few steps?
(These last two questions are hard to believe they might be true, but we're grasping at straws here...)
We're aware the scripting could be re-written using PowerShell, but the learning curve could be prohibitively steep. Is there an alternative command-line utility to ICACLS.exe that might be more reliable?
Any information or suggestions would be greatly appreciated.
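Since the post describes ICACLS.exe reporting success while some entries are missing, one way to catch the gap is to re-read each folder's ACL after the batch file finishes and compare it with a list of what should be there. The following is an added example, not part of the original post, and it does not explain the cause; the paths, group names and the `Test-ExpectedAce` helper are hypothetical placeholders, and it assumes the script sets explicit (non-inherited) Allow entries.

```powershell
# Added example: post-run ACL verification. All paths and group names
# below are constructed placeholders; replace them with the real manifest.
$expected = @(
    @{ Path = 'D:\Shares\Projects';         Identity = 'EXAMPLE\Proj-Read';  Rights = 'ReadAndExecute' },
    @{ Path = 'D:\Shares\Projects\Finance'; Identity = 'EXAMPLE\Fin-Modify'; Rights = 'Modify' },
    @{ Path = 'D:\Shares\Projects\Finance'; Identity = 'EXAMPLE\Fin-Admins'; Rights = 'FullControl' }
)

# Hypothetical helper: returns $true when the folder carries an explicit
# Allow entry for $Identity that grants at least the rights in $Rights.
function Test-ExpectedAce {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                       # only entries set on this folder
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        # Bitmask comparison: the entry must contain every expected right.
        if (([int]$ace.FileSystemRights -band [int]$Rights) -eq [int]$Rights) {
            return $true
        }
    }
    return $false
}

$missing = @()
foreach ($e in $expected) {
    if (-not (Test-Path -Path $e.Path)) {
        $missing += "$($e.Path): folder not found"
        continue
    }
    if (-not (Test-ExpectedAce -Path $e.Path -Identity $e.Identity -Rights $e.Rights)) {
        $missing += "$($e.Path): no explicit Allow '$($e.Rights)' for $($e.Identity)"
    }
}

if ($missing.Count -gt 0) {
    $missing | ForEach-Object { Write-Output "MISSING $_" }
    exit 1    # non-zero exit code so a calling batch file can test ERRORLEVEL
}
Write-Output "All $($expected.Count) expected ACL entries are present."
exit 0
```

Saved as a `.ps1` file, this can be called from the end of the existing batch file with `powershell.exe -File`, so the ICACLS.exe commands stay as they are and only the check runs in PowerShell.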