Is there a way to export NTFS permissions in a csv file, change the groups and users manually and import them in the file server again?

SAM2009
SAM2009 used Ask the Experts™
on
Hi,

I have Windows file server 2008 and I want to change groups and users (clean up). Is there a way to export NTFS permissions in a csv file and after change the groups and users manually and import them in the file server again? I want to add first and not replace old groups and users immediately.

Before removing the old groups and users I want to make sure the new groups and users have been added properly with same permission.

Like:

1-  Export permission in a csv file
2- Change groups and users in csv file
3- Add new groups and user with same permission by importing permission from csv file
4- If everything is ok, remove old groups and users


What the best way for me to do that?

Thanks
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2016

Commented:
you could use icacls but I prefer using powershell get-acl and set-acl
New-Item -type directory -path C:\MyFolder
$Acl = Get-Acl "C:\MyFolder"
$Ar = New-Object  system.security.accesscontrol.filesystemaccessrule("username","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\MyFolder" $Acl

Open in new window

https://blogs.msdn.microsoft.com/johan/2008/10/01/powershell-editing-permissions-on-a-file-or-folder/
Michael B. SmithManaging Consultant
Commented:
icacls.exe is really the way to do this.

It's just too painful, in my opinion, using get-acl/set-acl for this.
Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
I use SetACL for everything permission related
https://helgeklein.com/setacl/examples/managing-file-system-permissions-with-setacl-exe/

Backup
SetACL.exe -on "\\server1\share1\users" -ot file -actn list
           -lst "f:sddl;w:d,s,o,g"
           -rec cont
           -bckp "d:\data\setacl listing.txt"

Open in new window

Restore
SetACL.exe -on "dummy entry" -ot file -actn restore
           -bckp "d:\data\setacl listing.txt"

Open in new window

PMI ACP® Project Management

Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.

Michael B. SmithManaging Consultant

Commented:
And SetACL.exe  is a fine tool(note to readers - this is a separate executable not the Set-ACL cmdlet), but that doesn't help the OP.

He wants to export permissions to a file: icacls.exe has that feature built-in.

He wants to be able to change the permissions in the file. No problem - icacls.exe uses simple (non-SDDL) text for permissions making them easy to change.

He wants to duplicate permissions for groups and users. No problem - same reason as above.

He want to reimport permissions to the original source tree from the modified file. No problem - icacls.exe has that feature built-in.

Anyway, I'd do it with icacls. That's just my preference. Y'all can make your choices too. :-)
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
He wants to export permissions to a file: icacls.exe has that feature built-in.

He wants to be able to change the permissions in the file. No problem - icacls.exe uses simple (non-SDDL) text for permissions making them easy to change.

He wants to duplicate permissions for groups and users. No problem - same reason as above.

He want to reimport permissions to the original source tree from the modified file. No problem - icacls.exe has that feature built-in.
So does SetACL and it doesn't have an issue with file folders with millions of files as what icalcs has
Michael B. SmithManaging Consultant

Commented:
I don't know what you're talking about. I've used icacls to change permissions on fileservers doing domain/forest migrations with millions of files and dozens of petabytes of data.
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
I have

Here are but one of ICACLS limitations. My issue related to nested groups if I remember correctly
https://social.technet.microsoft.com/Forums/en-US/206ddcb2-3587-41d6-bd98-6dc22956c72a/icacls-reset-fails-on-files-that-exceed-maxpath-limit?forum=winserverfiles
https://rakhesh.com/windows/use-setacl-if-you-want-to-overcome-the-260-character-limit-when-setting-acls-2/

[quote]domain/forest migrations with millions of files and dozens of petabytes of data.[/quote]
You think you are the only one in the industry with that experience?

Author

Commented:
Thank you very much for all your suggestions guy!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial