[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 648
  • Last Modified:

Find permissions on directories

We have a windows server 2003 file server that I will be virtualizing into a windows 2008 file server.

We have permissions throughout directories , sub directories and even files. I am looking for a way to run a report that shows me all these permission to be able to put in place on the 2008 server.
0
MECIT
Asked:
MECIT
  • 16
  • 11
5 Solutions
 
oBdACommented:
My favorite tool for this is the free DumpSec (http://www.systemtools.com/somarsoft/index.html)
Set the Permissions Report Options to not show the owner, and to "Show directories (not files) whose permissions differ ..." to create the most concise report possible.
But you're aware that you can simply copy the file structure including the current NTFS permissions, for example using robocopy (comes with W2k8)? I've used it without any problems for several migrations.
Some hints:
- use /copyall to copy NTFS permissions as well.
- robocopy will *by* *default* only copy files that aren't in the target already.
- If you want to do several sync runs, you can use /mir to delete files in the target that aren't in the source anymore.
- You might want to set /r (retry) and /w (wait) to something more useful in a LAN, like /r:2 /w:1.
- Check robocopy.doc in the ResKit installation folder (to run it, you actually only need robocopy.exe), it's a very useful documentation.
- You can safely use /nfl (no file list) and /ndl (no directory list) to reduce the log file size; errors will still be logged.
- Use /np if you're logging to a text file, otherwise the log will be filled with control characters.
0
 
czentzCommented:
If you are going to be keeping the same file structure and doing a copy of the files and folders over to the 2008 server, you could always use Robocopy to copy over the ACLs with the files and folders.  This is how I move data from server to server when wanting to keep security the same.

The command looks like

robocopy.exe "<path being copied>" "<destination path>" /S /MIR /R:1

This basically syncs the destination path to the path being copied.  It copies over all files, folders and sub-folders and all attributes, including readonly, security, etc.  

If you are just moving the data, this can save a lot of time as you don't have to recreate the directory tree and permissions.  It just moves it as is.

Hope that helps.
0
 
MECITAuthor Commented:
Could you guys kind of walk me through robocopy since i have never used it.

Would I run robocopy on the new server or old server?

old server data is on e:\\data1
new server data on e:\\data1

can I move one folder at a time to see how it works?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
MECITAuthor Commented:
i downloaded dumpsec.How do I run it ?
0
 
oBdACommented:
robocopy has a slightly different syntax than copy or xcopy, it expects the source folder as first argument, then the target folder as second argument, then the other options.
Run it on the W2k8, robocopy comes with it; on W2k3, it was part of the ResKit.
Example to mirror a complete share, logging only errors to robocopy.log:
robocopy.exe "D:\New\Server" "\\OldServer\OldShare" *.* /mir /r:0 /w:0 /nfl /ndl /np /tee /log:D:\Temp\robocopy.log

Open in new window

For test, you can use "/L", which will only log/show what would be copied, but not actually do anything for real, and "/LEV:x", which will only copy the first x levels of folders.

You can install the DumpSec download on any machine, uncheck Hyena during setup, then copy DumpSec.exe and the help file to wherever you need it.
0
 
MECITAuthor Commented:
Would this be right:

robocoy.exe "E:\Data1\All Managers" "\\mecx2\data1\All Managers" *.* /mir /r:0 /nfl /ndl /np /tee /log:E:\Temp\robocopy.log

I only want to copy one directory from the old server to the new server.
0
 
oBdACommented:
Mostly, if you're running this on the old server and want to copy the "all managers" folder.
Sorry, forgot the copying of the permissions above; add /copyall
robocoy.exe "E:\Data1\All Managers" "\\mecx2\data1\All Managers" *.* /copyall /mir /r:0 /nfl /ndl /np /tee /log:E:\Temp\robocopy.log

Open in new window

0
 
MECITAuthor Commented:
The way I wrote was from the new server to the old server so I would need to run it from the 2003 server.

All my data is coming from the 2003 server and going to the 2008 server.
So where would I run the robocoy again.
0
 
oBdACommented:
As I said: I'd run it on W2k8 where robocopy is already included.
The source would then be a unc path to the old server's share and folder ("\\OldServer\OldShare\SomeFolder\Whatever"), and the target the local folder on the W2k8 machine ("E:\NewFolder\Whatever")
robocoy.exe "\\mecx2\data1\All Managers" "E:\Data1\All Managers"  *.* /copyall /mir /r:0 /nfl /ndl /np /tee /log:E:\Temp\robocopy.log

Open in new window

If UAC is enabled on W2k8, open the command prompt where you start robocopy using "run as administrator".
0
 
MECITAuthor Commented:
This is what I got when running the command

C:\>robocopy.exe "\\mecx2\data1\All Managers" "E:\data1\All Managers" *.* /copya
ll /mir /r:0 /nfl /ndl /np /tee /log:E:\Temp\robocopy.log

2011/10/29 11:31:01 ERROR 3 (0x00000003) Opening Log File E:\Temp\robocopy.log
The system cannot find the path specified.

-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows

-------------------------------------------------------------------------------

  Started : Sat Oct 29 11:31:01 2011

   Source - \\mecx2\data1\All Managers\
     Dest - E:\data1\All Managers\

    Files : *.*

  Options : *.* /NDL /NFL /TEE /S /E /COPYALL /PURGE /MIR /NP /R:0 /W:30

------------------------------------------------------------------------------

ERROR : Invalid Parameter #11 : "/log:E:\Temp\robocopy.log"

       Simple Usage :: ROBOCOPY source destination /MIR

             source :: Source Directory (drive:\path or \\server\share\path).
        destination :: Destination Dir  (drive:\path or \\server\share\path).
               /MIR :: Mirror a complete directory tree.

    For more usage information run ROBOCOPY /?


****  /MIR can DELETE files as well as copy them !

C:\>
0
 
MECITAuthor Commented:
I created the TEMP folder on the E: and ran the commmand again.
0
 
MECITAuthor Commented:
it worked. How do I know the permissions stayed intacted
0
 
oBdACommented:
The folder E:\Temp probably does not exist.
Note that after the copy, "E:\data1\All Managers" will be (due to "/mir") an EXACT copy of "\\mecx2\data1\All Managers".
0
 
oBdACommented:
If there were no errors reported, just check a few folders on the target folder; permissions there should be the same as on the equivalent source folder.
0
 
MECITAuthor Commented:
So I can continue using this format but just change ther folder names. will it overwrite the log or add to the log.
0
 
MECITAuthor Commented:
if I have a directory that is about 50G, will this process make the copying faster or should I do one sub folder at a time.
0
 
oBdACommented:
Up to you, but obviously depends on the folder structure as well; I'd just do root to root and be done with it.
If you want to add to the log, you can use "/log+:E:\temp\robocopy.log".
0
 
MECITAuthor Commented:
is there something i can add to view the status while it is coping.

Also I am getting some Error 5 access denied . doe this mean it will not copy over
0
 
oBdACommented:
You can remove the /nfl and /ndl options, which will cause robocopy to log any file or folder copied, but that makes it harder to find errors in the log.
If access is denied on a source file or folder, then yes, it will not be copied; you'll have to correct the permissions first.
Another reason for "access denied" can be if the file is open; in this case, simply run the script again once the files have been closed.
0
 
MECITAuthor Commented:
I have the aministrator account, domain admins and they have full control but I still get access denied.

How can i give myself access to copy it over?
0
 
MECITAuthor Commented:
I think i found the issue. on some of the subfolders there are differents users as the owner.

If I change that to administrator will this allow me to copy over.  Once Im done can I change it back to the users as the owner.
0
 
oBdACommented:
You can try to take ownership and give it back, but if you indeed have full access, that should work without taking ownership. Again: make sure you open the command prompt on the W2k8 machine using "run as administrator".
0
 
MECITAuthor Commented:
I am running it under administrator. I took ownership .

Getting

Error 5 - Copying NTFS Security to destination.
Access denied
0
 
oBdACommented:
Start a Command Line as an Administrator
http://technet.microsoft.com/en-us/library/cc947813(WS.10).aspx
0
 
MECITAuthor Commented:
tried both way and still get the access denied
0
 
MECITAuthor Commented:
I had to change the ownership on both directories on the old server and the new since it kept the settings when it copied it over.
0
 
oBdACommented:
If you don't want to copy the owner, you can replace /copyall with /copy:datsu or /copy:dats if you don't need audit setting copied.
You can use the following characters after "/copy:" to determine what to copy:
D=Data
A=Attributes
T=Timestamps
S=Security (NTFS ACLs)
O=Owner info
U=aUditing info
0
 
MECITAuthor Commented:
Thank you for helping me.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

  • 16
  • 11
Tackle projects and never again get stuck behind a technical roadblock.
Join Now