Quick follow-up, I was using icacls for another issue today and noticed it has a /L option that "indicates that this operation is performed on a symbolic link itself versus its target". I was so close!
-B

From: Miller Bonnie L. [mailto:[email protected]]
Sent: Thursday, March 14, 2013 10:28 AM
To: NT System Admin Issues
Subject: Set security on a symbolic link

Does anyone know of a command-line utility or other method for setting the NTFS security on a symbolic link to a file, and not what the link points to?

Situation: Windows Server 2008 R2 SP1 Hyper-V failover cluster, using CSVs for all storage (under C:\ClusterStorage) on our Equallogic SANs. Had a single virtual machine fail during live migration today, but rather than failing back to the original location, it attempted to fail to all allowed servers in the list, and then quit trying and stayed failed. After investigating, I saw the machine configuration was failed and wouldn't come online, and of course the vm would not show up using Hyper-V on any of the Host servers that I would move it to.

After not seeing any cluster validation issues or other obvious anomalies, I did some digging and found this: http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/135d1385-4b75-4737-80de-f8c517c25f8d/

And sure enough, the symbolic link for that VM was missing from C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines. I used the mklink command to successfully create the link, but the VM still wouldn't come online. I noticed the link I had created had a security lock symbol and the others didn't, so I started comparing the security of that link to the security of the links of other machines that were working. On the one I had created, it was missing the virtual machine account, which shows up as the GUID of the VM. Using icacls, I saw that it was in a format of "NT VIRTUAL MACHINE\GUID-ID-NUMBER". The actual configuration file that the link pointed to under c:\clusterstorage DID have the correct virtual machine GUID listed on the security tab.

So, I tried to use the explorer GUI to add the account, but no matter what format I used nor how I filtered, I couldn't get it to work. Finally, I used icacls to add it, which was successful, but didn't get rid of the lock. In looking, I found that icacls only added an explicit entry on the ACTUAL .xml file (under C:\ClusterStorage\Volumename\servername\virtual machines\GUID-ID-NUMBER.xml) and did NOT add the security to the symbolic link (under C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines) that I had pointed it to. All of the other machine links that were working have the GUID, so I'm either missing the right syntax to add it using the GUI, or there is another tool out there to add them and I just couldn't find it.

Ultimately, I deleted the vm from the cluster, deleted the config, recreated it, and reset the IP. We're up and running, and I think the issue with it not migrating may be related to something with this machine, but am still investigating that. But, I'd really like to know if there is a correct method for doing this, as I suspect setting the security on the link may have resolved the issue.

Thanks for any ideas!

Bonnie
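Added example, not part of the original thread: a PowerShell sketch of the behaviour the two messages describe, granting one ACE through a file symbolic link without /L and another with /L, then listing both ACLs. The temp paths and the BUILTIN\Users stand-in principal are constructed for the demonstration, and the commented Hyper-V command uses placeholders for values the thread does not give.

```powershell
# Added example. Paths and the stand-in principal are constructed; run elevated,
# because mklink needs the "Create symbolic links" privilege.
$dir    = Join-Path $env:TEMP 'symlink-acl-demo'
$target = Join-Path $dir 'target.xml'
$link   = Join-Path $dir 'link.xml'
$users  = '*S-1-5-32-545'   # BUILTIN\Users by SID, so the name is locale-independent

# Start from a clean directory with one file and one file symlink pointing at it.
if (Test-Path $dir) { Remove-Item $dir -Recurse -Force }
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -Path $target -Value '<configuration />'
cmd /c mklink "$link" "$target" | Out-Null

# Lists an ACL; -OnLink adds /L so icacls reads the link's own security descriptor.
function Show-Acl([string]$Label, [string]$Path, [switch]$OnLink) {
    Write-Host "--- $Label"
    if ($OnLink) { icacls $Path /L } else { icacls $Path }
}

# 1. No /L: icacls follows the link, so the explicit ACE is written to the target file.
icacls $link /grant "${users}:(R)" | Out-Null

# 2. With /L: the explicit ACE is written to the symbolic link itself.
icacls $link /grant "${users}:(RX)" /L | Out-Null

# Two different rights were granted so the two security descriptors are easy to tell apart.
Show-Acl 'target file' $target
Show-Acl 'link itself' $link -OnLink

# The same switch applied to the situation in the thread. <link-name>, <VM-GUID> and
# <rights> are placeholders; read the rights off a working VM's link with "icacls <path> /L".
# icacls "C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines\<link-name>" /grant "NT VIRTUAL MACHINE\<VM-GUID>:<rights>" /L
```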
