What do you do to fix corrupted or blocked permissions on company file shares?

Lately I have been working with one of our storage guys on a project that has involved some scrutiny of big file shares that have been used by the company for years. Frequently, we run into directories or files that are inaccessible to us (with a domain admin account) for one or more of the following reasons:

  • corrupted ACLs
  • access has been revoked or denied for the Administrators group (or SYSTEM user)
  • file name + path too long (beyond MAX_PATH)

There are a handful of tools that can help in these situations, from Microsoft (e.g. TAKEOWN.EXE and ICACLS.EXE) or third parties (e.g. SETACL.EXE). Sometimes other tricks are needed, such as running one of the commands under the SYSTEM account with PSEXEC.EXE. Even just figuring out what steps to do and in what order is a challenge...

For example, I would like to be able to troubleshoot it with a flow like this:

  1. Is the path too long? If so, build a path with the \\?\ prefix, then test again.
  2. Is the ACL corrupted? If so, re-order the ACEs properly and remove any unknowns, then test again.
  3. Is the Administrators group denied access? If so, take ownership, add back permissions for the Administrators group and SYSTEM account, then test again.
  4. Is it still failing? If so, delete all the ACEs and apply inherited permissions only, then check again. (This is kind of a last resort, since frequently it opens up permissions that were meant to be more restrictive.)
  5. Is it a directory? If so, then the process needs to continue recursively for the files inside...

Doing the above steps manually is a pain, and unreasonable when we have hundreds of directories to fix. I have tried writing scripts to assist with these, but find that it's hard to make the script "smart" about the decisions it makes, and thus it's often easier to do a gross repair method like restoring the inherited permissions only.

Can anyone recommend other software and/or scripts that would help in this process? Or, how do you go about fixing permissions issues like these?
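The five-step flow above, written out as a PowerShell triage loop around the built-in TAKEOWN.EXE and ICACLS.EXE (an added example, not the poster's script or any product's code). It assumes an elevated domain-admin session in PowerShell 7 on Windows 10 / Server 2016 or later, that icacls and takeown accept the `\\?\` prefix there, and that `$Root` is a placeholder share path; the in-place ACE re-ordering of step 2 is only detected (via `icacls /verify`), not performed.

```powershell
# Added example: escalating repair of an inaccessible file or directory.
# Assumptions: elevated domain admin, PowerShell 7 on Windows 10 / Server 2016+,
# icacls/takeown accept \\?\ long-path syntax, $Root is a placeholder path.

function Test-Healthy([string]$Path) {
    # The "test again" check: DACL verifies as canonical, and we can read it / list it.
    $v = (& icacls.exe $Path /verify 2>&1) -join ' '
    if ($v -match 'Failed \w+ [1-9]') { return $false }   # step 2: corrupt / non-canonical ACL
    try {
        $null = Get-Acl -LiteralPath $Path -ErrorAction Stop
        if (Test-Path -LiteralPath $Path -PathType Container) {
            $null = Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop
        }
        $true
    } catch { $false }
}

function Repair-ShareAcl([string]$Path, [switch]$AllowReset) {
    # Step 1: beyond MAX_PATH, retry with the \\?\ (or \\?\UNC\) prefix.
    if ($Path.Length -ge 260 -and -not $Path.StartsWith('\\?\')) {
        $Path = if ($Path.StartsWith('\\')) { '\\?\UNC\' + $Path.Substring(2) } else { '\\?\' + $Path }
    }
    if (-not (Test-Healthy $Path)) {
        # Step 3: take ownership for Administrators (/A) and grant Administrators
        # (S-1-5-32-544) and SYSTEM (S-1-5-18) full control, inheritable on directories.
        $perm = if (Test-Path -LiteralPath $Path -PathType Container) { '(OI)(CI)F' } else { 'F' }
        & takeown.exe /F $Path /A | Out-Null
        & icacls.exe $Path /grant "*S-1-5-32-544:$perm" "*S-1-5-18:$perm" /C /Q | Out-Null
    }
    if (-not (Test-Healthy $Path) -and $AllowReset) {
        # Step 4 (last resort): drop every explicit ACE and keep inherited ones only.
        & icacls.exe $Path /reset /C /Q | Out-Null
    }
    $state = if (Test-Healthy $Path) { 'ok' } else { 'FAILED' }
    [pscustomobject]@{ Path = $Path; State = $state }
    # Step 5: once the container itself is readable, continue into its children.
    if ($state -eq 'ok' -and (Test-Path -LiteralPath $Path -PathType Container)) {
        Get-ChildItem -LiteralPath $Path -Force | ForEach-Object {
            Repair-ShareAcl -Path $_.FullName -AllowReset:$AllowReset
        }
    }
}

$Root = '\\fileserver\share\legacy'   # placeholder share path
Repair-ShareAcl -Path $Root -AllowReset | Where-Object State -ne 'ok' | Format-Table
```

Run it first without `-AllowReset` to see which objects steps 1 and 3 alone recover; only the leftovers then need the permission-widening reset.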


Solution 1:

I'd recommend using fileacl - it is capable of setting ACLs with the SeBackupPrivilege, thus not requiring that the user you are running the command under have the permissions to change ACLs on a given object. Furthermore, it natively supports post-NTFS-5 inheritance functionality and is easily scripted, so with some wrapping scripting logic it should do what you want.