Tool for resetting NTFS Permission

    Question

  • Dear All,

    Need your help for getting one Software / Tool for resetting NTFS permission.

     


    Regards, Ravisankar K P MCITP, MCT , MCTS , MCSA
    Thursday, April 14, 2011 8:56 AM

Answers

  • Dear Shaon,

    I have tried all these things with local Administrator...

    The problem still exists; the users are still not able to open any folders / files.

    Help me


    Regards, Ravisankar K P MCITP, MCT , MCTS , MCSA


    Ravisankar,

    • First - MAKE A BACKUP OF THEIR AD SERVER... - Take it off-site with you but make a backup of that infrastructure so you can rebuild it easier without reinventing the wheel each time they break their AD server.
    • Second - Take ownership of the data drive from "My computer" - Not folders... the drive.
    • Third - Set Default permissions across the drive.

    Domain Admins Group, Administrators Group, System Account - Full Control - (Advanced: This Folder, Subfolders, and Files)

    Creator Owner - Full Control - (Advanced: Subfolders and Files only)

    Domain Users - Read & Execute, List folder Contents, Read (Advanced: This folder, subfolders, and files)

    Everyone - Adv Sec: Trav. Folder/exec file, List Folder/read data, Read Attrib., Read Extended attrib. - (Advanced: This Folder Only)

    Replace Permissions on all child objects... yada ya files and folders. You know what I mean! :)

    Individually set each folder share up again with Everyone Read/Write.

    Once the share has been made read/write... distribute NTFS security. Advanced NTFS permissions set for the corresponding departmental or organizational folder groups properly. Usually with NTFS, no permission is a denial... But.. you can remove the Domain Users - Read Only permission from NTFS after you've taken over and set up the drive properly again.

    So for each share you have... You should have explicit permissions that are not inheriting permissions from the higher directories closer to the root.

    Verify Access for a specific user group set... after confirmation! BACKUP!!


    Steve Kline
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
    Microsoft Certified Product Specialist & Network Product Specialist
    Red Hat Certified System Administrator
    This posting is "as is" without warranties and confers no rights.

    Friday, April 22, 2011 2:49 PM
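
The baseline in the answer above, written out as a script. This is an added example, not code from the thread or from Microsoft; `$Root`, `$Domain` and the `-Apply` switch are assumed names, and it assumes Windows PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example, not code from the thread. Requires Windows PowerShell 3.0+.
param(
    [string]$Root   = 'D:\',            # assumed data drive
    [string]$Domain = $env:USERDOMAIN,  # assumed: NetBIOS name of the rebuilt domain
    [switch]$Apply                      # without -Apply nothing is changed
)

# "Apply to" choices in the Advanced Security dialog as (inheritance, propagation) flags.
$Scope = @{
    ThisFolderSubfoldersFiles = @('ContainerInherit,ObjectInherit', 'None')
    SubfoldersFilesOnly       = @('ContainerInherit,ObjectInherit', 'InheritOnly')
    ThisFolderOnly            = @('None', 'None')
}

# Baseline from the answer: identity, rights, scope.
$Baseline = @(
    @("$Domain\Domain Admins",  'FullControl',    'ThisFolderSubfoldersFiles'),
    @('BUILTIN\Administrators', 'FullControl',    'ThisFolderSubfoldersFiles'),
    @('NT AUTHORITY\SYSTEM',    'FullControl',    'ThisFolderSubfoldersFiles'),
    @('CREATOR OWNER',          'FullControl',    'SubfoldersFilesOnly'),
    @("$Domain\Domain Users",   'ReadAndExecute', 'ThisFolderSubfoldersFiles'),
    @('Everyone', 'Traverse,ListDirectory,ReadAttributes,ReadExtendedAttributes', 'ThisFolderOnly')
)

# Build a fresh DACL so entries for SIDs from the old domain are not carried over.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # protected, keep no inherited entries
foreach ($entry in $Baseline) {
    $id, $rights, $scopeName = $entry
    $inherit, $propagate = $Scope[$scopeName]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)                 # throws if the account does not resolve
}

if (-not $Apply) {
    $acl.GetSecurityDescriptorSddlForm('Access')   # dry run: show the planned DACL
    return
}

takeown.exe /F $Root /A /R /D Y | Out-Null         # owner becomes the Administrators group
Set-Acl -LiteralPath $Root -AclObject $acl
# "Replace permissions on all child objects": children go back to inheriting from $Root.
icacls.exe (Join-Path $Root '*') /reset /T /C /Q
```

Run it once without `-Apply` and read the SDDL; `AddAccessRule` resolves each name, so a group missing from the new domain fails there before anything is written.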

All replies

  • You can use cacls or Helge Klein's brilliant SetACL (http://helgeklein.com/setacl/)
    Thursday, April 14, 2011 9:07 AM
  • Hello,

    If you are talking about domains and OUs, see also DSREVOKE: http://www.microsoft.com/downloads/en/details.aspx?familyid=77744807-c403-4bda-b0e4-c2093b8d6383&displaylang=en


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, April 14, 2011 9:53 AM
  • Hi Ravisankar,

    I cannot confirm the exact file or folder you need to reset permission.

    Please have a look at this article to see if it can help:

    How do I restore security settings to a known working state?

    http://support.microsoft.com/kb/313222


    Shaon Shan |TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tngfb@microsoft.com
    Friday, April 15, 2011 9:17 AM
  • What do you mean by “resetting” the permission? Resetting to what? To default? or do you have a baseline?

    Anyway, look at Xcacls also..

    http://support.microsoft.com/kb/825751


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Friday, April 15, 2011 11:13 AM
  • Dear Santosh,

    At one customer's place we have reinstalled a Windows Server 2003 server. AD was running on that server.

    Using these AD users I have configured NTFS permissions on another server. Now this AD server has been reinstalled, and the entire SID has changed.

    Because of that, users are not able to open the files. Now I have to remove all the permissions on the server (where I have configured the permissions; the Administrator is also not able to open those folders).

    So I have to remove all the old permissions on that server.

    Please help me


    Regards, Ravisankar K P MCITP, MCT , MCTS , MCSA
    Monday, April 18, 2011 5:21 PM
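
The situation described in the post above (permissions granted to accounts whose SIDs no longer exist after the domain was rebuilt) can be measured before anything is changed. The following is an added example, not part of the original post; `$Root`, `Test-SidResolves` and `Get-OrphanedAce` are assumed names, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): list explicit ACL entries whose SID no
# longer maps to an account. $Root is an assumed path.
param([string]$Root = 'D:\')

function Test-SidResolves {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false   # no account behind this SID
    }
}

function Get-OrphanedAce {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force `
                   -ErrorAction SilentlyContinue -ErrorVariable walkErrors)
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # The ACL itself is unreadable: ownership has to be taken first.
            [pscustomobject]@{ Path = $item.FullName; Sid = $null; Rights = $null; Note = 'ACL unreadable' }
            continue
        }
        # Explicit entries only, returned as SIDs so unresolved ones stay visible.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if (-not (Test-SidResolves $rule.IdentityReference)) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $rule.IdentityReference.Value
                    Rights = $rule.FileSystemRights
                    Note   = 'SID does not resolve'
                }
            }
        }
    }
    # Folders the walk could not enter at all are reported as well.
    foreach ($e in $walkErrors) {
        [pscustomobject]@{ Path = $e.TargetObject; Sid = $null; Rights = $null; Note = 'Cannot enumerate' }
    }
}

Get-OrphanedAce -Path $Root | Sort-Object Note, Path | Format-Table -AutoSize
```

A SID from a domain that is only unreachable also fails to resolve, so run the check from a session that can contact the current domain controller.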
  • Did you create a new Active Directory Domain?  Is this server part of the “new” AD domain?

    If you know the old and current user or group name, you can replace it using Xcacls.  Also, take the ownership of this folder or share.    You can manually assign permission to Domain admin/local admins from the folder level. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Monday, April 18, 2011 6:45 PM
  • Dear Santhosh,

    Yes, I have configured AD also. This server is part of that domain.

    I have tried to change the ownership also, but I was getting an error message "you don't have any permission to change".

    I tried one software also for resetting this permission (File Security Manager 2.2). Using that I have cleared a few folders.

    On this server we have around 1000 important folders.

     

    Help me


    Regards, Ravisankar K P MCITP, MCT , MCTS , MCSA
    Tuesday, April 19, 2011 3:21 AM
  • Instead of changing the ownership, take the ownership.  Try Takeown command also. 

    TAKEOWN /F folderName /A


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Tuesday, April 19, 2011 4:12 AM
  • Dear Santhosh, I tried this command. While running this command I got the following message: X is not accessible (X is the folder name). Access Denied
    Regards, Ravisankar K P MCITP, MCT , MCTS , MCSA
    Tuesday, April 19, 2011 5:54 AM
  • Hi,

    Are you using a local admin account?

    For example, if the folders are d:\folder1, d:\folder2, and subfolders in these 2 folders, first try to take ownership of folder1: right-click on it, choose Properties, go to the Security tab and click the Advanced button, click Owner and then Edit, highlight the current admin account, check "replace owner on subcontainers and objects" if needed and click OK.

    If any of these steps cannot be performed or any error occurs please let us know.


    Shaon Shan |TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tngfb@microsoft.com
    Wednesday, April 20, 2011 8:13 AM
  • Dear Shaon,

    I have tried all these things with local Administrator...

    The problem still exists; the users are still not able to open any folders / files.

    Help me


    Regards, Ravisankar K P MCITP, MCT , MCTS , MCSA
    Friday, April 22, 2011 9:44 AM
  • Dear All,

    Problem Solved 


    Regards, Ravisankar K P MCITP, MCT , MCTS , MCSA
    Saturday, April 30, 2011 6:55 AM