[NTSysADM] RE: SubinACL help

[Melvin Backus]

I wasn’t actually trying to script it so much as use the output to document an 
existing environment.  Dump the file, turn it into something I can use to build 
a grid.  With a macro editor it isn’t bad for smallish things, but I’ve got 
some shares that end up with 2.5 million lines of stuff to manipulate.  ☹  I am 
pretty much to the point of flush it all and start over, but that’s going to be 
hard to sell.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Boyles, Peter J {BIS}
Sent: Friday, July 10, 2015 10:48 AM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: SubinACL help

I rely on the behavior of /grant, /grant:r and the /remove behaviors to ensure 
the rights for specific IDs/SIDs are as required.  I explicitly add, replace or 
delete rights by the ID/SID.  99+% of the time this is all I need.

If I need a specific set of rights on a directory or file no matter what is 
already there (rare) I create the rights, save them and apply as needed.  There 
are just too many possibilities to address in a script for editing on the fly.  
This is a good way to take a directory with dozens of users individually 
granted rights and cleanup to a desired end state.   (cleaning up old messes is 
fun ;-) )


Peter Boyles
BIS Engineering Analyst
PepsiCo Inc. | Global End User Services | GEUS Deploy

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Friday, July 10, 2015 8:55 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: SubinACL help

Speaking of icacls, is there a way to control the output format to make it more 
usable?  While it’s easy enough to read, trying to manipulate it to do anything 
with it is ugly if you want to do anything beyond restore the existing rights, 
etc.


--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Boyles, Peter J {BIS}
Sent: Thursday, July 9, 2015 11:45 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: SubinACL help

Use the actual share path not the DFS reference.

I recommend moving to “icacls” now.  There are new attributes for file security 
and icacls handles these while the older tools are not aware of these newer 
security attributes.

Even though some of the file share sources may not support the newer security 
attributes, going to icacls and using a single tool will mean any shares on 
Server 2008 forward will get file and directory permissions correctly applied.


Peter Boyles
BIS Engineering Analyst
PepsiCo Inc. | Global End User Services | GEUS Deploy
SM:  Issues:  GEUS DEVICE L2 SUPPORT
          Requests:  MIGRATION AND DISTRIBUTION
Office: (972) 963-6578 | E-Mail:  
peter.j.boy...@pepsico.com<mailto:peter.j.boy...@pepsico.com>

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Christopher Bodnar
Sent: Thursday, July 9, 2015 10:06 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] SubinACL help

We will be migrating some file shares from one domain to another. No trust 
allowed ( don’t ask). The plan is to export the NTFS permissions using 
subinacl, tweak the output, and then apply new permissions replaying the 
modified file. Problem I’m running into is with EMC and NetApp devices. The 
source is all windows file servers, no issues. The new destination will be 
storage appliances, specifically NetApp. In my testing so far with SubinACL, 
I’m getting this:

\\NETAPPDEVICE.ACME.COM\share1\test1\file1.txt<file:///\\NETAPPDEVICE.ACME.COM\share1\test1\file1.txt>
 - DfsPath is not supported

I have seen this:

http://network-appliance-toasters.10978.n7.nabble.com/Using-Subinacl-for-CIFS-ACL-changes-td3646.html

And made sure that my account has Administrative rights on the filer. The 
version of SubinACL I’m using is:

SubInAcl version 5.2.3790.1180

Anyone run into this before?

Thanks


Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com<mailto:>

[cid:image001.png@01D0BB05.3C5246C0]

The Guardian Life Insurance Company of America

www.guardianlife.com<http://www.guardianlife.com/>



________________________________
----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.