Re: Determining Permission Inheritance
- From: "Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 Oct 2007 00:23:39 -0600
"Kevin Sinclair" <Kevin Sinclair@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E70128E2-729F-45A9-8354-45AB21A3FEEA@xxxxxxxxxxxxxxxx
> I have a very large shared folder, 68GB - 10,000 sub-folders - 115,000
> files.
> For the past few years permissions on this share have been controlled by
> the share owner. Needless to say the permissions are a mess, there were no
> groups created so users have been added directly to folders at various
> levels. I have been tasked with cleaning up the mess with very minimal
> impact to the users.
I feel your pain...
> I tried writing a script to determine permissions using <see below> but,
> due to the size of the share, the script isn't practical. I need to write a
> script that can look at inheritance and output a list of permissions that
> are not being inherited from the parent. Basically something that shows me
> where permissions are explicitly granted. Is this possible or am I stuck
> with an impossible task?
No, just a difficult one that may not be doable without some pain for your
users.
But first, consider this: the existing permissions are a mess; but do they
represent *exactly* the share owner's intent? He might like to think so, but
I seriously doubt it.
A more rational approach might be to involve the owner in a discussion about
who needs what type access to which folders. If he can do this generically,
then you could apply a whole new and structured permissions layout, and
forget about the mess that is there now.
Of course, the permissions will have been inherited and changed by moving
folders around indiscriminately, so it might also be good to have the owner
consider a more rational folder hierarchy that is simpler to apply
permissions to.
You might then even have the luxury of identifying folders of interest,
moving them to a completely new location, and permitting them as required.
Yes, this will impact users whose shortcuts will break. But in the long run
they will benefit from a more manageable setup.
I am currently facing a similar problem, but on a much smaller scale.
Fortunately, most permissions are to groups, but the structure is messy.
Each folder may be permitted to up to 15 different groups, each of which
has permissions on many other folders as well. Makes it very hard to add
one new person to one folder without inadvertently giving them access
elsewhere.
I could convert this mechanically to the model I normally use: one-to-one
relationship between folders and "resource permission" groups, and then
populate these groups with the same groups currently having direct
permissions. I hesitate, because I suspect the result would only be a
simpler model of an unrealistic combination of permissions.
And, before you ask, no, I have not developed a script to help me analyze the
current structure. The reason is that the current structure is a mess, and
not likely as it should be. So I basically use cacls.exe on selected groups
of folders to see what is currently what.
/Al
> SE_DACL_PRESENT = &h4
> ACCESS_ALLOWED_ACE_TYPE = &h0
> ACCESS_DENIED_ACE_TYPE = &h1
> FILE_DELETE = &h010000
> FILE_READ_CONTROL = &h020000
> FILE_WRITE_DAC = &h040000
> FOLDER_ADD_FILE = &h000002
> Thanks in Advance.
> Kevin
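
The listing the original poster asks for, showing only explicitly granted (non-inherited) permissions, as an added PowerShell example that is not part of the original thread. The root path and output file name are placeholder assumptions, and it reports folders only.

```powershell
# Added example: report only explicit (non-inherited) ACEs under a share root.
# $Root and $OutFile are hypothetical placeholders; adjust before running.
param(
    [string]$Root    = 'D:\Shares\Example',
    [string]$OutFile = '.\explicit-aces.csv'
)

function Get-ExplicitAce {
    param([Parameter(Mandatory)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Keep unreadable folders in the report so gaps in the audit are visible.
        [pscustomobject]@{
            Path = $Path; Identity = '<ACL unreadable>'; Type = ''; Rights = ''
            AppliesTo = ''; InheritanceBlocked = ''
        }
        return
    }

    foreach ($ace in $acl.Access) {
        # IsInherited is $false for ACEs set directly on this folder.
        if (-not $ace.IsInherited) {
            [pscustomobject]@{
                Path               = $Path
                Identity           = $ace.IdentityReference.Value
                Type               = $ace.AccessControlType
                Rights             = $ace.FileSystemRights
                AppliesTo          = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
                # True when the folder no longer inherits from its parent at all.
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Stream the root and every sub-folder through the pipeline so the whole tree
# is never held in memory; remove -Directory to include files as well.
& {
    Get-ExplicitAce -Path $Root
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ExplicitAce -Path $_.FullName }
} | Export-Csv -LiteralPath $OutFile -NoTypeInformation
```

Sorting the resulting CSV by Identity shows which users were granted access directly rather than through a group, and rows with InheritanceBlocked set to True mark the folders where the parent's permissions stop applying.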