Is there a way to export NTFS permissions in a csv file, change the groups and users manually and import them in the file server again?

Hi,

I have Windows file server 2008 and I want to change groups and users (clean up). Is there a way to export NTFS permissions to a csv file, then change the groups and users manually and import them into the file server again? I want to add first and not replace old groups and users immediately.

Before removing the old groups and users I want to make sure the new groups and users have been added properly with same permission.

Like:

1- Export permissions to a csv file
2- Change groups and users in the csv file
3- Add new groups and users with the same permissions by importing permissions from the csv file
4- If everything is ok, remove old groups and users

What is the best way for me to do that?

Thanks
Asked by SAM2009 (LVL 1)
David Johnson, CD, MVP (Owner) commented:
You could use icacls, but I prefer using PowerShell Get-Acl and Set-Acl:
New-Item -type directory -path C:\MyFolder
$Acl = Get-Acl "C:\MyFolder"
$Ar = New-Object  system.security.accesscontrol.filesystemaccessrule("username","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl "C:\MyFolder" $Acl

https://blogs.msdn.microsoft.com/johan/2008/10/01/powershell-editing-permissions-on-a-file-or-folder/
1
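
The export, edit and add steps from the question (steps 1 to 3), sketched with the Get-Acl/Set-Acl cmdlets named in the answer above; this is an added example, not code posted by anyone in the thread. It assumes PowerShell 3.0 or later, and the share root, CSV path and the NewIdentity column are hypothetical.

```powershell
# Added example. $Root, $Csv and the NewIdentity column are assumptions, not from the thread.
$Root = 'D:\Shares'              # hypothetical share root
$Csv  = 'C:\Temp\ntfs-acl.csv'   # hypothetical working file

function Export-ExplicitAce {
    param([string]$Root, [string]$Csv)
    # Step 1: one CSV row per explicit (non-inherited) ACE on each folder.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)
    $rows = foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $d.FullName).Access) {
            if ($ace.IsInherited) { continue }
            New-Object psobject -Property ([ordered]@{
                Path = $d.FullName; Identity = $ace.IdentityReference.Value
                NewIdentity = ''    # step 2: fill in by hand, e.g. DOMAIN\NewGroup
                FileSystemRights  = $ace.FileSystemRights
                AccessControlType = $ace.AccessControlType
                InheritanceFlags  = $ace.InheritanceFlags
                PropagationFlags  = $ace.PropagationFlags })
        }
    }
    $rows | Export-Csv -LiteralPath $Csv -NoTypeInformation -Encoding UTF8
}

function Add-AceFromCsv {
    param([string]$Csv, [switch]$Apply)
    # Step 3: add an ACE for NewIdentity with the old ACE's rights; old ACEs stay in place.
    foreach ($r in (Import-Csv -LiteralPath $Csv | Where-Object { $_.NewIdentity })) {
        $status = 'DryRun'
        try {
            # ACEs stored as generic rights export as numbers; the constructor rejects
            # them, so those rows are reported as Skipped instead of being guessed.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                $r.NewIdentity,
                [System.Security.AccessControl.FileSystemRights]$r.FileSystemRights,
                [System.Security.AccessControl.InheritanceFlags]$r.InheritanceFlags,
                [System.Security.AccessControl.PropagationFlags]$r.PropagationFlags,
                [System.Security.AccessControl.AccessControlType]$r.AccessControlType)
            $acl = Get-Acl -LiteralPath $r.Path -ErrorAction Stop
            $acl.AddAccessRule($rule)   # throws if the account name does not resolve
            if ($Apply) { Set-Acl -LiteralPath $r.Path -AclObject $acl -ErrorAction Stop; $status = 'Added' }
        } catch { $status = "Skipped: $($_.Exception.Message)" }
        New-Object psobject -Property @{ Path = $r.Path; NewIdentity = $r.NewIdentity; Status = $status }
    }
}

# Usage:
#   Export-ExplicitAce -Root $Root -Csv $Csv    # then edit NewIdentity in the CSV
#   Add-AceFromCsv -Csv $Csv                    # dry run: lists rows that would fail
#   Add-AceFromCsv -Csv $Csv -Apply             # write the ACEs once the dry run is clean
```

AddAccessRule is used instead of SetAccessRule so that an ACE the new group already holds on a folder is merged with rather than overwritten. Re-running Export-ExplicitAce to a second file after -Apply gives a before/after pair to compare before any old group is removed.
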
Michael B. Smith (Managing Consultant) commented:
icacls.exe is really the way to do this.

It's just too painful, in my opinion, using get-acl/set-acl for this.
0
Shaun Vermaak (Technical Specialist IV) commented:
I use SetACL for everything permission-related.
https://helgeklein.com/setacl/examples/managing-file-system-permissions-with-setacl-exe/

Backup
SetACL.exe -on "\\server1\share1\users" -ot file -actn list -lst "f:sddl;w:d,s,o,g" -rec cont -bckp "d:\data\setacl listing.txt"

Restore
SetACL.exe -on "dummy entry" -ot file -actn restore -bckp "d:\data\setacl listing.txt"

1

Michael B. Smith (Managing Consultant) commented:
And SetACL.exe is a fine tool (note to readers - this is a separate executable, not the Set-ACL cmdlet), but that doesn't help the OP.

He wants to export permissions to a file: icacls.exe has that feature built-in.

He wants to be able to change the permissions in the file. No problem - icacls.exe uses simple (non-SDDL) text for permissions making them easy to change.

He wants to duplicate permissions for groups and users. No problem - same reason as above.

He wants to reimport permissions to the original source tree from the modified file. No problem - icacls.exe has that feature built-in.

Anyway, I'd do it with icacls. That's just my preference. Y'all can make your choices too. :-)
0
Shaun Vermaak (Technical Specialist IV) commented:
[quote]He wants to export permissions to a file: icacls.exe has that feature built-in.

He wants to be able to change the permissions in the file. No problem - icacls.exe uses simple (non-SDDL) text for permissions making them easy to change.

He wants to duplicate permissions for groups and users. No problem - same reason as above.

He wants to reimport permissions to the original source tree from the modified file. No problem - icacls.exe has that feature built-in.[/quote]
So does SetACL, and it doesn't have an issue with file folders with millions of files, as icacls has.
1
Michael B. Smith (Managing Consultant) commented:
I don't know what you're talking about. I've used icacls to change permissions on fileservers doing domain/forest migrations with millions of files and dozens of petabytes of data.
1
Shaun Vermaak (Technical Specialist IV) commented:
I have.

Here is but one of ICACLS's limitations. My issue related to nested groups, if I remember correctly.
https://social.technet.microsoft.com/Forums/en-US/206ddcb2-3587-41d6-bd98-6dc22956c72a/icacls-reset-fails-on-files-that-exceed-maxpath-limit?forum=winserverfiles
https://rakhesh.com/windows/use-setacl-if-you-want-to-overcome-the-260-character-limit-when-setting-acls-2/

[quote]domain/forest migrations with millions of files and dozens of petabytes of data.[/quote]
You think you are the only one in the industry with that experience?
1
SAM2009 (Author) commented:
Thank you very much for all your suggestions, guys!
0