CommCatz

asked on

Duplicate security groups in folder/file NTFS security with same level of permissions getting denied where duplicated. Once duplication is deleted access is granted.

Our NTFS file permissions structure has become very polluted with duplicate security groups that have the same level of permissions in most cases for each duplicate. This is causing the users assigned to those security groups to be denied at the folders/files with the duplication. We have used icacls to try and remove the duplicate security groups, but it is only capable of removing all instances of the security group from the folder/file. Since we have a very large NTFS share it would take weeks to go through all of the folders/files to remove the duplicates. Is there a tool, script, or command that we can use to remediate this issue? Thank you in advance.
Mahesh

What do you mean by the duplicate group?
If you could explain in a more simple way.
You could try Netwrix Effective Permission Reporting Tool.

https://www.netwrix.com/netwrix_effective_permissions_reporting_tool.html

Sudeep
Have you used the icacls option to replace permissions? /grant (r); the (r) replaces all existing permissions.
ASKER CERTIFIED SOLUTION
Mahesh
Naveen Sharma

Get help from this current permission analysis solution to evaluate the current effective permissions after calculating the NTFS permissions and share permissions.
CommCatz

ASKER

Mahesh,
In trying to clarify "duplicate groups": the same security group is listed twice for the same permissions and, in some cases, different permissions. I also wanted to add that this is an enterprise-level NTFS with broken inheritance all throughout.
As suggested, you can approach this by replacing existing permissions instead of trying to fix what is broken -- make a list of folders and what permissions you want each to have and then replace them using either icacls or takeown and icacls.
It is because you have assigned multiple permissions to the group, and there would be one entry for each permission on the Security Advanced tab.
All you need to do is just take the entire folder ownership, followed by Subinacl or SetACL, and then remove the groups and add them again.
But obviously, when you remove a group, it will remove all instances of the same group; however, after that you can control the entire folder.
The purpose of the Subinacl or SetACL tool is to keep other permissions intact.
Lionel MM,

Since we have an enterprise-level NTFS with 1000+ users and around 200+ security groups, it would take too long and use up too much time to do as you have suggested. I do appreciate your feedback, however. We have tried to use icacls to fix this issue but it will only remove security groups completely. If there is a security group added twice with the same or different NTFS permissions then icacls can only remove both of the permissions.
Thank you all for your help in this matter! Because of my unique environment I was unable to use any suggestions for NTFS software; however, I was able to use the advice of Mahesh to take ownership at the top level and work my way down to get rid of the duplicate security groups. Once the duplicate security groups were cleaned up (from the top level down) NTFS permissions were restored for users that needed access. Thank you all again for your help.
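An added example, not part of the thread and not any poster's script: a read-only audit in Python that parses saved `icacls <root> /T` output and lists the folders where one principal holds more than one explicit ACE, so the top-down cleanup described above can go straight to the affected paths. The sample output, paths and group names are constructed, and the parser assumes the default icacls text layout.

```python
from collections import defaultdict

# Constructed sample of `icacls D:\Share /T` output (not from the thread).
SAMPLE = r"""D:\Share\Finance CORP\Finance-RW:(OI)(CI)(M)
                 CORP\Finance-RW:(OI)(CI)(M)
                 BUILTIN\Administrators:(OI)(CI)(F)

D:\Share\HR Docs CORP\HR-Staff:(OI)(CI)(RX)
                 CORP\HR-Staff:(OI)(CI)(M)
                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                 NT AUTHORITY\SYSTEM:(I)(F)

D:\Share\Public BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 3 files; Failed processing 0 files
"""

def find_duplicate_aces(icacls_text):
    """Return {path: {principal: [rights, ...]}} for principals that hold
    more than one explicit (non-inherited) ACE on the same path."""
    findings = {}
    for block in icacls_text.replace("\r\n", "\n").split("\n\n"):
        lines = [l for l in block.splitlines() if l.strip()]
        # One ACE cannot be a duplicate; this also skips the summary line.
        if len(lines) < 2 or lines[0][0].isspace():
            continue
        # Continuation indent marks where the path ends (paths may hold spaces).
        indent = len(lines[1]) - len(lines[1].lstrip())
        path = lines[0][:indent].rstrip()
        aces = [lines[0][indent:].strip()] + [l.strip() for l in lines[1:]]
        per_principal = defaultdict(list)
        for ace in aces:
            principal, _, rights = ace.rpartition(":")
            if "(I)" in rights:
                continue  # inherited ACE: any fix belongs on the parent folder
            per_principal[principal].append(rights)
        dupes = {p: r for p, r in per_principal.items() if len(r) > 1}
        if dupes:
            findings[path] = dupes
    return findings

def report(icacls_text):
    """Sorted (path, principal, kind) rows for review before any ACL change."""
    return sorted(
        (path, who, "identical" if len(set(r)) == 1 else "conflicting")
        for path, dupes in find_duplicate_aces(icacls_text).items()
        for who, r in dupes.items())

if __name__ == "__main__":
    print(*report(SAMPLE), sep="\n")
```

Rows marked "conflicting" are the ones to review by hand, since the two entries grant different rights and only one of them reflects the intended access.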