Folder ACLs Modification

    Question

  • I have an issue where the local administrators and system account have been removed from the ACLs on a folder structure.  This folder structure has inheritance broken, with separate ACLs set on those folders.  Also, to complicate matters, the local administrators are not set as the owner of the folders or files.

    I need a way to add the local server administrators group to all files and folders in the directory structure without destroying the current ACLs in place.  We have estimated that there are over 5 million objects in the directory structure.  I took a copy of the folder into a test environment and it took 2 weeks to take ownership and replace the ACLs on all child objects.

    Any help, suggestions, or advice would be very much appreciated,

    Dan

    Saturday, March 17, 2012 5:54 PM

Answers

  • It could be scripted I guess.

    I can see possible issues due to timing on a recursive loop through the subdirectories.

    Had a word with someone I work with and they pointed me in the direction of SetACL, which could possibly achieve what you are looking for.

    • Marked as answer by dan_c012 Tuesday, March 20, 2012 9:32 PM
    Sunday, March 18, 2012 7:00 PM

All replies

  • You can use Icacls.exe to add to the user permissions as mentioned in this thread http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/dbf98ace-a53c-47d8-8633-2760fae1f241. To recursively grant the permission to all sub folders and files under the tree you can use '/t' switch with icacls.exe command.

    Hope this helps.


    -CrDev Blogs: http://blogs.msdn.com/b/satyem

    Saturday, March 17, 2012 10:57 PM
  • The problem I have found with the Icacls command {icacls \\server\share /grant administrators:(oi)(ci)(f) /t} is that if I don't already have full control of the share I get access denied.

    Thanks,

    Dan

    Sunday, March 18, 2012 12:35 PM
  • It's not a problem with Icacls; if you don't have permission to grant someone access, you won't be able to do it using any tool.

    If you are administrator, you might try taking ownership of the objects using Takeown.exe and then try Icacls.


    -CrDev Blogs: http://blogs.msdn.com/b/satyem

    Sunday, March 18, 2012 4:27 PM
  • I think I had something like this happen awhile ago.

    If I remember correctly I used the AT command coupled with Icacls in order to spawn the job as local system and re-add the security.

    That was on 2003 server.

    I think you can do the same thing on 2008 using a scheduled task.


    • Edited by Liam Holmes Sunday, March 18, 2012 5:05 PM missed a bit
    Sunday, March 18, 2012 5:02 PM
  • It's not a problem with Icacls; if you don't have permission to grant someone access, you won't be able to do it using any tool.

    If you are administrator, you might try taking ownership of the objects using Takeown.exe and then try Icacls.


    -CrDev Blogs: http://blogs.msdn.com/b/satyem

    Is there a way to make takeown not erase the current acls?

    Also I am an administrator on the server.

    Sunday, March 18, 2012 5:26 PM
  • Wouldn't the System account need to be on the folders/files with full control?

    I should also add that from the GUI I can go folder by folder and file by file doing exactly what I am describing.  Take ownership, then go back into the securities and add the administrators group back in there without disturbing current ACLs on the object.  So I know there has to be some way to automate this through some type of command(s), scripting, program, or something.

    Thank you,

    Dan

    Sunday, March 18, 2012 5:31 PM
  • I have just created a folder on a machine, removed all permissions from it.

    Then logged onto the local machine, used icacls and added permissions to it.

    Try logging on to the server locally, instead of targeting a network share, to see if you have different results.

    Sunday, March 18, 2012 5:41 PM
  • From the local machine

    I created a test folder and made the domain users the owner.  Added domain users and a few other accounts to the securities, removed administrators and system from the securities. Then I did the following command.

    C:\Documents and Settings\Administrator\My Documents>icacls test /grant administrators:(ci)(oi)(f)
    test: Access is denied.
    Successfully processed 0 files; Failed processing 1 files

    If I use the takeown it will clear the current ACLs and replace them with just administrators with full control.   However, like I said before, I can use the GUI, go in and take ownership of just that object.  If I do that the ACLs stay as they are and I can just add administrators at that point.

    Sunday, March 18, 2012 6:17 PM
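    The per-object sequence the poster describes doing by hand in the GUI (take ownership of one object without rewriting its DACL, then add Administrators) can be scripted. The following is an added example written for this thread, not code from any poster, Microsoft or the SetACL project; it assumes Windows PowerShell run elevated on the file server against a local path, and the root path shown is a placeholder. Ownership is set through an owner-only security descriptor, which is why the existing ACEs and each object's inheritance state survive, unlike takeown.exe's "replace current permissions" path.

```powershell
# Added example, not code from the thread: take ownership of every object and append BUILTIN\Administrators
# full control, leaving the ACEs already present and each object's inheritance state untouched.
# Assumes Windows PowerShell run elevated on the file server against a local path (not the UNC share).
Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices;
public static class TokenPriv {
  [StructLayout(LayoutKind.Sequential, Pack=1)] public struct TP { public int Count; public long Luid; public int Attr; }
  [DllImport("advapi32.dll", SetLastError=true)] static extern bool OpenProcessToken(IntPtr h, uint acc, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError=true)] static extern bool LookupPrivilegeValue(string sys, string name, out long luid);
  [DllImport("advapi32.dll", SetLastError=true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool dis, ref TP np, int len, IntPtr prev, IntPtr ret);
  public static bool Enable(string name) {      // turn on a privilege the token holds but has disabled
    IntPtr tok; TP tp; tp.Count = 1; tp.Attr = 2;   // 2 = SE_PRIVILEGE_ENABLED
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out tok)) return false;
    if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
    return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) && Marshal.GetLastWin32Error() == 0;
  }
}
"@
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'SeTakeOwnershipPrivilege not available: run elevated as an administrator.' }
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $full = [System.Security.AccessControl.FileSystemRights]::FullControl
$dirRule  = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, $full, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$fileRule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, $full, 'None', 'None', 'Allow')
function Grant-AdminsOnItem([System.IO.FileSystemInfo]$Item) {
  $isDir = $Item -is [System.IO.DirectoryInfo]
  # 1. Owner-only descriptor: .NET persists just the modified section, so the DACL is not rewritten
  #    (this is the Security tab's "take ownership", not takeown.exe's "replace permissions").
  $ownerOnly = if ($isDir) { New-Object System.Security.AccessControl.DirectorySecurity } else { New-Object System.Security.AccessControl.FileSecurity }
  $ownerOnly.SetOwner($admins); $Item.SetAccessControl($ownerOnly)
  # 2. The owner always has READ_CONTROL and WRITE_DAC, so the DACL can now be read and appended to.
  $acl = $Item.GetAccessControl('Access')
  $present = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) | Where-Object {
    $_.IdentityReference -eq $admins -and $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $full) -eq $full) }
  if ($present) { return }   # already there, explicitly or inherited from a folder fixed above
  $acl.AddAccessRule($(if ($isDir) { $dirRule } else { $fileRule })); $Item.SetAccessControl($acl)
}
function Repair-AclTree([string]$Root) {
  $failed = New-Object System.Collections.ArrayList; $stack = New-Object System.Collections.Stack
  $stack.Push((New-Object System.IO.DirectoryInfo $Root))
  while ($stack.Count -gt 0) {
    $dir = $stack.Pop()
    try { Grant-AdminsOnItem $dir } catch { [void]$failed.Add("$($dir.FullName): $_"); continue }
    # Listing needs FILE_LIST_DIRECTORY, which ownership alone does not grant: hence fix first, then descend.
    foreach ($child in $dir.EnumerateFileSystemInfos()) {
      if ($child -is [System.IO.DirectoryInfo] -and -not ($child.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) { $stack.Push($child) }
      else { try { Grant-AdminsOnItem $child } catch { [void]$failed.Add("$($child.FullName): $_") } }
    }
  }
  return $failed   # paths (with the error) that still need attention; empty when every object was fixed
}
Repair-AclTree 'D:\Data\Share'   # placeholder root; run against a copy first, as the poster did
```

    Writing an inheritable ACE on a folder makes Windows re-propagate it into every descendant whose inheritance is still enabled, which is where the hours go on a tree this size; the "already present" check above keeps the script from rewriting DACLs the propagation has already reached, so explicit writes happen only at the root, at folders with broken inheritance, and wherever propagation could not get in.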
  • Is takeown.exe removing the already set ACLs on the object? I just tried on the one test folder (takeown.exe /R /F TestFolder) and it just changed the Owner but did not remove the existing ACLs. Can you try this on some test folder?


    -CrDev Blogs: http://blogs.msdn.com/b/satyem

    Monday, March 19, 2012 3:31 AM
  • Is takeown.exe removing the already set ACLs on the object? I just tried on the one test folder (takeown.exe /R /F TestFolder) and it just changed the Owner but did not remove the existing ACLs. Can you try this on some test folder?


    -CrDev Blogs: http://blogs.msdn.com/b/satyem

    Yea.  It actually says in its warning message "replace current permissions with one that gives you access".

    I have looked over the SetACL program.  This looks like it will do exactly what we want.  We are going to run some testing in the sandbox environment tonight.

    Thank you everyone for your very fast and very helpful replies.

    Tuesday, March 20, 2012 9:34 PM
  • Also keep in mind when I am running the takeown.exe command I am an administrator on the local server.  However the users have taken ownership and have removed system and administrators from the security tab.

    So essentially I have no access to the folder whatsoever.

    Tuesday, March 20, 2012 9:38 PM
  • :) glad that's helped
    Tuesday, March 20, 2012 9:56 PM