Windows 2003; Find folders with non-inherited/changed permissions

ntfs file-sharing permissions windows-server-2003 migration

The question: I'm looking for a good way to audit/search a directory structure (Windows 2003) and locate any folders that either don't inherit permissions from their parent -or- have additional users/groups added.

The Back Story

We're migrating an old Windows 2003 file server to a 2008 R2 box. This old server was migrated from NT4. Most of the current folders use the old (deprecated?) Domain\Administrators and Domain\Users groups. These are groups that, while still in AD, I can't use for permissions in 2008 R2 permissions.

So, before I robocopy over all the shared data from old server to new I first need to "modernize" the permissions on the old shares. However, I know that over the past decades some [undocumented] folders have had their permissions modified to either not inherit from parent or to add additional users. Thus my quest for a way to find 'em!


Solution 1:

I would recommend to use Powershell (for Win2003: http://support.microsoft.com/kb/968929/en-us) and a additional add-on module also for this ( http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85 ).

This will help you first to get the inheritance for a folder structure with (when running from your startfolder) eg.

get-childitem -Recurse | get-inheritance | export-CSV C:\Inheritance.csv -NoTypeInformation

You will get all files and folders in a csv which can then be filter in Excel or other DBs if you need.

Additional benefit of the NTFSSecurity Modul is that you can change the inheritance or the ACLs also during migration with a similar Powershell script.

e.g. you can completly remove inheritance in a folder (your start folder) with:

get-childitem | Disable-Inheritance

or add the -recurse switch again for all subfolders / files again.

Hope this help Cheers

Solution 2:

This is pretty easy with SetACL. Run it like this:

SetACL -on "some path" -ot file -actn list -lst f:csv -rec cont

That command instructs SetACL to print permissions from those objects only that have explicit permissions, either because ACEs were added to a directory with inheritance enabled or because inheritance was disabled and new ACEs were set.

SetACL processes paths longer than 260 characters and lists ACEs from any directory regardless of current permissions, i.e. even if you do not even have read access SetACL shows you what is there and prints the permissions (admin rights required).

Related

Do I need to renew the keys which I deposited at my domain provider?
Use scp to copy a file to different servers
Diagnosing permission problems with Cobian Backup to network share
bash tab completion only works for root
max_binlog_size & log-bin size
What is the difference between *:80 and _default_:80 in Apache2?
How to prevent slow responding Tomcat from making Apache slow to respond?
What's eating my drive space when normal files + hidden + system doesn't equal total drive space used
Is there any way to undo after clearing a log on Windows 2008 server?
Which firewall ports do I need to open in order for a domain trust to work?
Risks of Kerberos Delegation
CentOS - semanage - Delete range of ports