Windows Server – List Existing File Server Permission Groups/Users

file-permissionswindows-server-2008

So we took over a new client and their file server is frankly a mess.

We have migrated their old file server from a 2k box to a 2k8 DFS cluster and now I'm looking at rebuilding both the folder structure and their permissions. Unfortunately its been half done with AD groups (poorly named/no description/notes) and half with individuals named in security on the folders themselves.

What I'm looking to do is to dump a complete list of all the folders with their security permissions (ideally I'd like to ignore files but not essential).

CACLS got me half way there but fails with an odd error message and its output isn't particularly user friendly and I'm working with roughly 2Tb/250,000 files here so I really need something that gives me a bit more functionality.

Question : does anyone have any experience of something similar/know of a bit of software that might help me out?

Best Answer

you have several options. But first I would suggest you maybe make your life easier by using xcopy to only copy the directories and their respective ACL/Auditing settings.

you might be able to continue with cacls or use something else...

AccessEnum from Sysinternals
PowerShell may have some possibilites. This LINK may help (corrected).
Python calling on Win32 API. I haven't tested this LINK, but have a look...

All that, but why not do the human part and sit down with people and ask who needs access to what? Then create a new structure and permissions based on the needs using your conventions and documentation.

Related Solutions

Users removing Administrator from files/folders permissions

Q1: Is there a way to restore at least read access to all files/folders to the Administrator account in a recursive fashion?

If permissions are inherited (ie. not set separately on different files and folders) then changing the permissions on the root folder and setting the "Replace all child object..." checkbox will replace all the permissions with inherited permissions.

This will of course replace permissions on child items that are supposed to have different permissions.

Q2: Is there a way to prevent users from removing Administrator from files/folders permissions on Windows Server 2003/2008?

No.

While there is a separate flag for "Change Permissions" Windows will ignored this for the owner of the file (the owner can always change the permissions), otherwise an empty ACL (or one with deny everyone everything ACE) wouldn't be reversible.

we can't even backup files manually as we get permission errors.

Why would you want such manual operations? Backup software should be run with and assert the backup (and on restore, the restore) privilege which will bypass ACLs. If the user needs to manually backup some part of their files that they own then they can easily copy.

Perhaps this is really an issue of user training: if you deny administrators access then administrators cannot help you with file management.

Windows – batch file infinite loop when parsing file

Would you accept to use powershell ? It could do the whole job, even avoiding the cygwin part.

The first way is to just do the loop through powershell:

$dirlist=Get-Content dirlist.txt
foreach ($dir in $dirlist)
{
    write-output "doing $dir"
    echo y | cacls "$dir" /T /C /G "Domain Admins":f "Some Group":f "some-security-group":f
}

Would leverage much more powershell by using it to change ACL:

$dirlist=Get-Content dirlist.txt
foreach ($dir in $dirlist)
{
  write-output "doing $dir"
  $acl=(get-item $dir).GetAccessControl()
  $colRights = [System.Security.AccessControl.FileSystemRights]::FullControl
  $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
  $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None 
  $objType =[System.Security.AccessControl.AccessControlType]::Allow 
  $objUser = New-Object System.Security.Principal.NTAccount("wingroup\kenmyer") 
  $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) 
  $acl.AddAccessRule($objACE)
}

more detail can be found here: http://technet.microsoft.com/en-us/library/ff730951.aspx

Best Answer

Related Solutions

Users removing Administrator from files/folders permissions

Windows – batch file infinite loop when parsing file

Related Topic