We use an internally developed tool that dumps NTFS and share permissions formatted as command line arguments for “net share” and “icacls.”
We are in the process of writing PowerShell scripts to accomplish the same thing.

Peter Boyles
BIS Engineering Analyst
PepsiCo Inc. | Global End User Services | GEUS Deploy

From: [email protected] On Behalf Of Melvin Backus
Sent: Friday, July 10, 2015 10:41 AM
To: [email protected]
Subject: [NTSysADM] RE: SubinACL help

I wasn’t actually trying to script it so much as use the output to document an existing environment. Dump the file, turn it into something I can use to build a grid. With a macro editor it isn’t bad for smallish things, but I’ve got some shares that end up with 2.5 million lines of stuff to manipulate. ☹ I am pretty much to the point of flush it all and start over, but that’s going to be hard to sell.

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

From: [email protected] On Behalf Of Boyles, Peter J {BIS}
Sent: Friday, July 10, 2015 10:48 AM
To: [email protected]
Subject: [NTSysADM] RE: SubinACL help

I rely on the behavior of /grant, /grant:r and the /remove behaviors to ensure the rights for specific IDs/SIDs are as required. I explicitly add, replace or delete rights by the ID/SID. 99+% of the time this is all I need. If I need a specific set of rights on a directory or file no matter what is already there (rare) I create the rights, save them and apply as needed. There are just too many possibilities to address in a script for editing on the fly.

This is a good way to take a directory with dozens of users individually granted rights and clean up to a desired end state. (cleaning up old messes is fun ;-) )

Peter Boyles

From: [email protected] On Behalf Of Melvin Backus
Sent: Friday, July 10, 2015 8:55 AM
To: [email protected]
Subject: [NTSysADM] RE: SubinACL help

Speaking of icacls, is there a way to control the output format to make it more usable? While it’s easy enough to read, trying to manipulate it to do anything with it is ugly if you want to do anything beyond restore the existing rights, etc.

From: [email protected] On Behalf Of Boyles, Peter J {BIS}
Sent: Thursday, July 9, 2015 11:45 AM
To: [email protected]
Subject: [NTSysADM] RE: SubinACL help

Use the actual share path not the DFS reference.

I recommend moving to “icacls” now. There are new attributes for file security and icacls handles these while the older tools are not aware of these newer security attributes. Even though some of the file share sources may not support the newer security attributes, going to icacls and using a single tool will mean any shares on Server 2008 forward will get file and directory permissions correctly applied.

Peter Boyles

From: [email protected] On Behalf Of Christopher Bodnar
Sent: Thursday, July 9, 2015 10:06 AM
To: [email protected]
Subject: [NTSysADM] SubinACL help

We will be migrating some file shares from one domain to another. No trust allowed (don’t ask).

The plan is to export the NTFS permissions using subinacl, tweak the output, and then apply new permissions replaying the modified file. Problem I’m running into is with EMC and NetApp devices. The source is all Windows file servers, no issues. The new destination will be storage appliances, specifically NetApp. In my testing so far with SubinACL, I’m getting this:

\\NETAPPDEVICE.ACME.COM\share1\test1\file1.txt - DfsPath is not supported

I have seen this:

http://network-appliance-toasters.10978.n7.nabble.com/Using-Subinacl-for-CIFS-ACL-changes-td3646.html

And made sure that my account has Administrative rights on the filer. The version of SubinACL I’m using is:

SubInAcl version 5.2.3790.1180

Anyone run into this before?

Thanks

Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology: Enterprise Architecture and Engineering Services
The Guardian Life Insurance Company of America
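Added example, not part of the thread and not any participant's tooling: one way to turn the `icacls` display output discussed above into grid rows for documenting an environment, with an option to keep only explicit (non-inherited) entries. It assumes the default `icacls <path> /T` layout (path followed by the first ACE, further ACEs indented to the same column, a blank line between objects); `parse_icacls`, `SAMPLE`, and the `ACME` accounts and paths are constructed for illustration.

```python
import re

ACE_RE = re.compile(r'^(?P<who>.+?):(?P<flags>(?:\([^()]*\))+)$')
SCOPE = ('OI', 'CI', 'IO', 'NP')   # inheritance scope flags; (I) marks an inherited ACE

def parse_icacls(text, explicit_only=False):
    """Return one dict per ACE found in icacls display output."""
    rows = []
    for block in re.split(r'\n[ \t]*\n', text.replace('\r\n', '\n')):
        lines = [ln.rstrip() for ln in block.split('\n') if ln.strip()]
        if not lines or lines[0].startswith('Successfully processed'):
            continue
        if len(lines) > 1:
            # The indent of continuation lines gives the path/account boundary exactly.
            col = len(lines[1]) - len(lines[1].lstrip())
            path, certain = lines[0][:col].rstrip(), True
            aces = [lines[0][col:].strip()] + [ln.strip() for ln in lines[1:]]
        else:
            # Single ACE: split at the last space; ambiguous if the line has other spaces.
            path, _, ace = lines[0].rpartition(' ')
            certain, aces = ' ' not in path, [ace]
        for ace in aces:
            m = ACE_RE.match(ace)
            if not m:               # error text such as "Access is denied."
                continue
            flags = re.findall(r'\(([^()]*)\)', m['flags'])
            if explicit_only and 'I' in flags:
                continue
            rows.append({
                'path': path, 'account': m['who'],
                'type': 'Deny' if 'DENY' in flags else 'Allow',
                'rights': ';'.join(f for f in flags if f not in SCOPE + ('I', 'DENY')),
                'scope': ';'.join(f for f in flags if f in SCOPE),
                'inherited': 'I' in flags, 'split_certain': certain,
            })
    return rows

# Constructed sample in the layout `icacls D:\Shares\Finance /T` prints.
SAMPLE = r'''
D:\Shares\Finance BUILTIN\Administrators:(OI)(CI)(F)
                  ACME\Domain Users:(OI)(CI)(RX)
                  ACME\jdoe:(DENY)(W)

D:\Shares\Finance\Year End 2014 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                ACME\Finance Admins:(OI)(CI)(M)

D:\Shares\Finance\old ACME\Domain Users:(F)

Successfully processed 3 files; Failed processing 0 files
'''
```

The returned dicts can be written straight to a CSV with `csv.DictWriter`. Rows where `split_certain` is false come from objects with a single ACE, where spaces in the path or account name make the boundary a guess that needs a manual check.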
