Best practices for mass editing of NTFS settings on file server?

Barkley Bees

We are planning to rework our NTFS permissions for one of our large file
servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
somewhat complex permission changes of nested folders and files many levels
deep. At the top level things are well structured but it turns into a
nightmarish spider-web the deeper down. Regardless of that we have mapped
out the necessary NTFS and share setting changes for this project.

The question that remains, however, is what is the best way to do this?
Possible options:

1. Windows explorer (manually editing the NTFS settings).
2. SubinACL?
3. XCACLS?
4. ScriptLogic Security Explorer
(http://www.scriptlogic.com/products/security-explorer/). How pricey is it?

Also, during a NTFS setting change of a large amount of files and folders,
is there much of an impact on the server (ie: will users notice while they
are accessing files?). We do plan to perform the changes on Friday evenings
and over the weekends of course. =)

I realize that no matter what option(s) we go with that this is a daunting
task that will take some time to complete, as such we have broken it up into
phases.
I appreciate any feedback or advice on this matter from those who have
experience in this area.
 
Pegasus [MVP]

"Barkley Bees" wrote in message
news:uza%23XgdNKHA.5128@TK2MSFTNGP02.phx.gbl...
> We are planning to rework our NTFS permissions for one of our large file
> servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
> somewhat complex permission changes of nested folders and files many
> levels deep. At the top level things are well structured but it turns into
> a nightmarish spider-web the deeper down. Regardless of that we have
> mapped out the necessary NTFS and share setting changes for this project.
>
> The question that remains, however, is what is the best way to do this?
> Possible options:
>
> 1. Windows explorer (manually editing the NTFS settings).
> 2. SubinACL?
> 3. XCACLS?
> 4. ScriptLogic Security Explorer
> (http://www.scriptlogic.com/products/security-explorer/). How pricey is
> it?
>
> Also, during a NTFS setting change of a large amount of files and folders,
> is there much of an impact on the server (ie: will users notice while they
> are accessing files?). We do plan to perform the changes on Friday
> evenings and over the weekends of course. =)
>
> I realize that no matter what option(s) we go with that this is a daunting
> task that will take some time to complete, as such we have broken it up
> into phases.
> I appreciate any feedback or advice on this matter from those who have
> experience in this area.


I would use cacls.exe. Its /T switch lets you process whole folder trees and
the /C switch lets you continue if errors occur. You should pipe its output
to a text file so that you can check for errors, e.g. like so:

cacls d:\UserFiles /t /e /c /g JSmith:F ABarkley:R /r APeters /d JBrown 1>c:\cacls.txt 2>&1

This is a disk-intensive operation and users may notice a sluggish response.
Check your command on a small folder before going ahead.
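
The pilot run and log check suggested above, as an added example that is not part of the original post. The pilot folder and log path are placeholders, and the script assumes cacls reports each object it changed on a line beginning with "processed", so every other non-blank line in the log is listed for review.

```batch
@echo off
setlocal
rem Added example, not from the original post.
rem PILOT and LOG are placeholder paths; the accounts are the ones in the command above.
set "PILOT=d:\UserFiles\PilotFolder"
set "LOG=c:\cacls-pilot.txt"

rem Pilot run: same switches as above, restricted to one small folder.
rem /t = recurse, /e = edit the existing ACL instead of replacing it, /c = continue on errors.
cacls "%PILOT%" /t /e /c /g JSmith:F ABarkley:R /r APeters /d JBrown 1>"%LOG%" 2>&1

rem Assumption: success lines start with "processed". Count them.
for /f %%n in ('findstr /b /i /c:"processed" "%LOG%" ^| find /c /v ""') do set "OK=%%n"
echo Objects reported as processed: %OK%

rem Show every non-blank line that is NOT a success line (errors, warnings, usage text).
echo Lines to review:
findstr /v /b /i /c:"processed" "%LOG%" | findstr /r /c:"[^ ]"
if errorlevel 1 (
    echo None found. Spot-check a few ACLs before running against the full tree.
    exit /b 0
)
echo Resolve the lines above before running against the full tree.
exit /b 1
```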
 
DaveMo

On Sep 15, 12:42 am, "Barkley Bees" wrote:
> We are planning to rework our NTFS permissions for one of our large file
> servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
> somewhat complex permission changes of nested folders and files many levels
> deep. At the top level things are well structured but it turns into a
> nightmarish spider-web the deeper down. Regardless of that we have mapped
> out the necessary NTFS and share setting changes for this project.
>
> The question that remains, however, is what is the best way to do this?
> Possible options:
>
> 1. Windows explorer (manually editing the NTFS settings).
> 2. SubinACL?
> 3. XCACLS?
> 4. ScriptLogic Security Explorer
> (http://www.scriptlogic.com/products/security-explorer/). How pricey is it?
>
> Also, during a NTFS setting change of a large amount of files and folders,
> is there much of an impact on the server (ie: will users notice while they
> are accessing files?). We do plan to perform the changes on Friday evenings
> and over the weekends of course. =)
>
> I realize that no matter what option(s) we go with that this is a daunting
> task that will take some time to complete, as such we have broken it up into
> phases.
> I appreciate any feedback or advice on this matter from those who have
> experience in this area.


Hi Barkley,

Since you mentioned other products in your query, I hope it's not too
much of a breach of protocol to mention that my company has a product
that likely meets your requirements as well. We are still running an
introductory special that would allow you to use the product for less
than $1000. A bargain if you calculate the number of hours you'll
likely spend with scripts and such.

Find out more at www.securitay.com/products.html.

Good luck with your project whichever way you go.

Dave
 
DaveMills

On Tue, 15 Sep 2009 16:42:33 +0900, "Barkley Bees" wrote:

>We are planning to rework our NTFS permissions for one of our large file
>servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
>somewhat complex permission changes of nested folders and files many levels
>deep. At the top level things are well structured but it turns into a
>nightmarish spider-web the deeper down. Regardless of that we have mapped
>out the necessary NTFS and share setting changes for this project.
>
>The question that remains, however, is what is the best way to do this?
>Possible options:
>
>1. Windows explorer (manually editing the NTFS settings).
>2. SubinACL?
>3. XCACLS?
>4. ScriptLogic Security Explorer


Check out icacls from W2003 - supports inherited acls

>(http://www.scriptlogic.com/products/security-explorer/). How pricey is it?
>
>Also, during a NTFS setting change of a large amount of files and folders,
>is there much of an impact on the server (ie: will users notice while they
>are accessing files?). We do plan to perform the changes on Friday evenings
>and over the weekends of course. =)
>
>I realize that no matter what option(s) we go with that this is a daunting
>task that will take some time to complete, as such we have broken it up into
>phases.
>I appreciate any feedback or advice on this matter from those who have
>experience in this area.
>
>

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
Anteaus

Worth a look at this third-party tool:

http://setacl.sourceforge.net/

I've only tested it briefly but it seems to overcome that old chestnut
whereby if the admin doesn't have rights, the admin can't change the
permissions, and the process jams-up at that point.

"Barkley Bees" wrote:

> We are planning to rework our NTFS permissions for one of our large file
> servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
> somewhat complex permission changes of nested folders and files many levels
> deep. At the top level things are well structured but it turns into a
> nightmarish spider-web the deeper down. Regardless of that we have mapped
> out the necessary NTFS and share setting changes for this project.
>
> The question that remains, however, is what is the best way to do this?
> Possible options:
>
> 1. Windows explorer (manually editing the NTFS settings).
> 2. SubinACL?
> 3. XCACLS?
> 4. ScriptLogic Security Explorer
> (http://www.scriptlogic.com/products/security-explorer/). How pricey is it?
>
> Also, during a NTFS setting change of a large amount of files and folders,
> is there much of an impact on the server (ie: will users notice while they
> are accessing files?). We do plan to perform the changes on Friday evenings
> and over the weekends of course. =)
>
> I realize that no matter what option(s) we go with that this is a daunting
> task that will take some time to complete, as such we have broken it up into
> phases.
> I appreciate any feedback or advice on this matter from those who have
> experience in this area.
>
>
>
>
 
DaveMills

On Mon, 21 Sep 2009 02:57:01 -0700, Anteaus wrote:

>
>Worth a look at this third-party tool:
>
>http://setacl.sourceforge.net/
>
>I've only tested it briefly but it seems to overcome that old chestnut
>whereby if the admin doesn't have rights, the admin can't change the
>permissions, and the process jams-up at that point.


I would hope it cannot do that unless it is implemented as a service running
under admin/system privilege and accepting commands from the user agent.
>
>"Barkley Bees" wrote:
>
>> We are planning to rework our NTFS permissions for one of our large file
>> servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
>> somewhat complex permission changes of nested folders and files many levels
>> deep. At the top level things are well structured but it turns into a
>> nightmarish spider-web the deeper down. Regardless of that we have mapped
>> out the necessary NTFS and share setting changes for this project.
>>
>> The question that remains, however, is what is the best way to do this?
>> Possible options:
>>
>> 1. Windows explorer (manually editing the NTFS settings).
>> 2. SubinACL?
>> 3. XCACLS?
>> 4. ScriptLogic Security Explorer
>> (http://www.scriptlogic.com/products/security-explorer/). How pricey is it?
>>
>> Also, during a NTFS setting change of a large amount of files and folders,
>> is there much of an impact on the server (ie: will users notice while they
>> are accessing files?). We do plan to perform the changes on Friday evenings
>> and over the weekends of course. =)
>>
>> I realize that no matter what option(s) we go with that this is a daunting
>> task that will take some time to complete, as such we have broken it up into
>> phases.
>> I appreciate any feedback or advice on this matter from those who have
>> experience in this area.
>>
>>
>>
>>

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 