Honestly, I think I would be using PowerShell’s Get-Acl and Set-Acl. Get-Acl
returns object including SDDL strings that are far more easily manipulated than
the output of subinacl (IMO) and it understands UNCs.
E.g.:
PS C:\> Get-Acl \\win2008r2ex2010\c$ | fl
Path : Microsoft.PowerShell.Core\FileSystem::\\win2008r2ex2010\c$
Owner : NT SERVICE\TrustedInstaller
Group : NT SERVICE\TrustedInstaller
Access : CREATOR OWNER Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow AppendData
BUILTIN\Users Allow CreateFiles
BUILTIN\Users Allow ReadAndExecute, Synchronize
Audit :
Sddl :
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-185
3292631-2271478464D:PAI(A;OICIIO;GA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)(A;OICI
;0x1200a9;;;BU)
From: [email protected] [mailto:[email protected]] On
Behalf Of Christopher Bodnar
Sent: Thursday, July 9, 2015 5:12 PM
To: [email protected]
Subject: [NTSysADM] RE: SubinACL help
So far I have been able to work around the UNC path issue by mapping a drive.
Not ideal, but it does work.
Thanks
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Christopher Bodnar
Sent: Thursday, July 09, 2015 11:06 AM
To: [email protected]<mailto:[email protected]>
Subject: [NTSysADM] SubinACL help
We will be migrating some file shares from one domain to another. No trust
allowed ( don’t ask). The plan is to export the NTFS permissions using
subinacl, tweak the output, and then apply new permissions replaying the
modified file. Problem I’m running into is with EMC and NetApp devices. The
source is all windows file servers, no issues. The new destination will be
storage appliances, specifically NetApp. In my testing so far with SubinACL,
I’m getting this:
\\NETAPPDEVICE.ACME.COM\share1\test1\file1.txt<file:///\\NETAPPDEVICE.ACME.COM\share1\test1\file1.txt>
- DfsPath is not supported
I have seen this:
http://network-appliance-toasters.10978.n7.nabble.com/Using-Subinacl-for-CIFS-ACL-changes-td3646.html
And made sure that my account has Administrative rights on the filer. The
version of SubinACL I’m using is:
SubInAcl version 5.2.3790.1180
Anyone run into this before?
Thanks
Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture
and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]<mailto:>
[cid:[email protected]]
The Guardian Life Insurance Company of America
www.guardianlife.com<http://www.guardianlife.com/>
________________________________
----------------------------------------- This message, and any attachments to
it, may contain information that is privileged, confidential, and exempt from
disclosure under applicable law. If the reader of this message is not the
intended recipient, you are notified that any use, dissemination, distribution,
copying, or communication of this message is strictly prohibited. If you have
received this message in error, please notify the sender immediately by return
e-mail and delete the message and any attachments. Thank you.
________________________________
----------------------------------------- This message, and any attachments to
it, may contain information that is privileged, confidential, and exempt from
disclosure under applicable law. If the reader of this message is not the
intended recipient, you are notified that any use, dissemination, distribution,
copying, or communication of this message is strictly prohibited. If you have
received this message in error, please notify the sender immediately by return
e-mail and delete the message and any attachments. Thank you.
