Windows 2003; Find folders with non-inherited/changed permissions

The question: I'm looking for a good way to audit/search a directory structure (Windows 2003) and locate any folders that either don't inherit permissions from their parent -or- have additional users/groups added.

The Back Story

We're migrating an old Windows 2003 file server to a 2008 R2 box. This old server was migrated from NT4. Most of the current folders use the old (deprecated?) Domain\Administrators and Domain\Users groups. These are groups that, while still in AD, I can't use for permissions in 2008 R2.

So, before I robocopy over all the shared data from old server to new I first need to "modernize" the permissions on the old shares. However, I know that over the past decades some [undocumented] folders have had their permissions modified to either not inherit from parent or to add additional users. Thus my quest for a way to find 'em!


Solution 1:

I would recommend using PowerShell (for Win2003: http://support.microsoft.com/kb/968929/en-us) and an additional add-on module for this ( http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85 ).

This will first help you get the inheritance for a folder structure (when running from your start folder), e.g.:

get-childitem -Recurse | get-inheritance | export-CSV C:\Inheritance.csv -NoTypeInformation

You will get all files and folders in a CSV which can then be filtered in Excel or other DBs if you need.

An additional benefit of the NTFSSecurity module is that you can also change the inheritance or the ACLs during migration with a similar PowerShell script.

E.g., you can completely remove inheritance in a folder (your start folder) with:

get-childitem | Disable-Inheritance

or add the -Recurse switch again for all subfolders / files.

Hope this helps. Cheers

Solution 2:

This is pretty easy with SetACL. Run it like this:

SetACL -on "some path" -ot file -actn list -lst f:csv -rec cont

That command instructs SetACL to print permissions only from those objects that have explicit permissions, either because ACEs were added to a directory with inheritance enabled or because inheritance was disabled and new ACEs were set.

SetACL processes paths longer than 260 characters and lists ACEs from any directory regardless of current permissions, i.e., even if you do not have read access, SetACL shows you what is there and prints the permissions (admin rights required).
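The audit asked for in the question (folders that block inheritance or carry ACEs added on top of the inherited ones), written as an added example that is not part of either answer above and uses only the built-in Get-Acl cmdlet, so it needs neither the NTFSSecurity module from Solution 1 nor SetACL from Solution 2. The start folder and report path are assumptions; change them to your share. Unlike SetACL it cannot read a DACL you have no access to, so such folders are recorded as "access denied" rows for follow-up rather than being silently skipped. It is written against PowerShell 2.0 features only (no -Directory switch, no ordered hashtables), which is what the KB968929 package gives you on Windows 2003.

```powershell
param(
    [string]$Root   = 'D:\Shares',             # assumed start folder (adjust)
    [string]$Report = 'C:\Temp\acl-audit.csv'  # assumed output file (adjust)
)

# PowerShell 2.0 has no -Directory switch, so filter on PSIsContainer.
# The start folder itself is included so a blocked root is reported too.
$folders = @(Get-Item -Path $Root) +
           @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer })

$results = @()
foreach ($folder in $folders) {
    try {
        # -ErrorAction Stop turns an access-denied error into a catchable exception.
        $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
    } catch {
        # We could not read the DACL; record that fact instead of dropping the folder.
        $results += New-Object PSObject -Property @{
            Path               = $folder.FullName
            InheritanceBlocked = 'unknown'
            ExplicitAces       = 'access denied: ' + $_.Exception.Message
        }
        continue
    }

    # ACEs set on this folder itself, as opposed to ones inherited from its parent.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

    # Report the folder if inheritance is turned off OR extra ACEs were added here.
    if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
        $results += New-Object PSObject -Property @{
            Path               = $folder.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ExplicitAces       = ($explicit | ForEach-Object {
                "$($_.IdentityReference):$($_.FileSystemRights):$($_.AccessControlType)"
            }) -join '; '
        }
    }
}

# Select-Object fixes the column order (hashtable-built objects have none).
$results |
    Select-Object Path, InheritanceBlocked, ExplicitAces |
    Export-Csv -Path $Report -NoTypeInformation

$results | Select-Object Path, InheritanceBlocked, ExplicitAces | Format-Table -AutoSize
```

Run it as an account that is at least able to read the DACLs on the share (the folder Administrators group is usually enough); anything it still cannot read shows up in the report with an "access denied" note, and those are exactly the folders worth checking by hand before the robocopy. Folders where InheritanceBlocked is True need their permissions rebuilt on the new server; folders with a non-empty ExplicitAces column only need the listed identities remapped from the old Domain\Administrators and Domain\Users groups.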