Best practices for mass editing of NTFS settings on file server?


microsoft.public.windows.server.security

Posted by Barkley Bees on September 15, 2009, 3:42 am


We are planning to rework our NTFS permissions for one of our large file
servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
somewhat complex permission changes of nested folders and files many levels
deep. At the top level things are well structured, but it turns into a
nightmarish spider-web the deeper down you go. Regardless of that, we have mapped
out the necessary NTFS and share setting changes for this project.

The question that remains, however, is what is the best way to do this?
Possible options:

1. Windows explorer (manually editing the NTFS settings).
2. SubinACL?
3. XCACLS?
4. ScriptLogic Security Explorer
(http://www.scriptlogic.com/products/security-explorer/). How pricey is it?

Also, during an NTFS setting change of a large amount of files and folders,
is there much of an impact on the server (i.e. will users notice while they
are accessing files?). We do plan to perform the changes on Friday evenings
and over the weekends of course. =)

I realize that no matter what option(s) we go with, this is a daunting
task that will take some time to complete; as such, we have broken it up into
phases.
I appreciate any feedback or advice on this matter from those who have
experience in this area.




Posted by Pegasus [MVP] on September 15, 2009, 4:14 am




I would use cacls.exe. Its /T switch lets you process whole folder trees and
the /C switch lets you continue if errors occur. You should pipe its output
to a text file so that you can check for errors, e.g. like so:

cacls d:\UserFiles /t /e /c /g JSmith:F ABarkley:R /r APeters /d JBrown > d:\cacls-log.txt 2>&1

This is a disk-intensive operation and users may notice a sluggish response.
Check your command on a small folder before going ahead.



Posted by Dusko Savatovic on September 15, 2009, 5:00 am


Apart from "mechanics" (scripts, command line tools, group policy etc), you
should apply an organization strategy. The organization strategy recommended by
Microsoft is the A-G-DL-P strategy and variants, like A-G-U-DL-P, A-G-G-DL-P,
A-G-L-P.

A-G-DL-P and A-G-L-P
Put accounts (A) into Global Groups (G).
Put Global Groups (G) into Domain Local Groups (DL) if the resources reside
on Domain Controllers.
Or, put Global Groups (G) into Local Groups (L) if the resources reside on
Member Servers.
Assign permissions on resources to DL or L.
IOW,
Use Global groups for grouping user accounts.
Use DL and L groups to assign permissions on the resource.

A-G-G-DL-P, A-G-U-DL-P
This is group nesting, available on Domain functional level "Windows 2000
native" and later.
G-G means that one Global Group is a member of another Global Group
G-U means that a Global Group is a member of Universal Group.
Universal Groups are usually used when you have more than one domain, but SBS
and Exchange also use Universal groups a lot.
Example:
You have domains Contoso and Adatum
You create groups:
U_Enterprise_Management
G_Contoso_Management
G_Adatum_Management
DL_Management_Documentation_FullControl

Alice is a manager in Adatum, make her a member of G_Adatum_Management.
Bob is a manager in Contoso, make him a member of G_Contoso_Management.

You nest groups:
U_Enterprise_Management contains members:
G_Contoso_Management
G_Adatum_Management

DL_Management_Documentation_FullControl contains members
U_Enterprise_Management

You share a folder for 'Management Documentation'
Set permissions:
Remove "Everyone", "Authenticated Users" and others
Add DL_Management_Documentation_FullControl - Full Control permissions
You may add read permissions for backup service.

You would proceed with the same logic for, let's say, 'xyz team members' who
would have read permissions, and so on.

It is also a good practice to adopt naming convention similar to the above
example.
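The group layout Dusko describes, carried through to the actual permission change with the ACL backup and error log Pegasus recommends, as an added example that is not code from either poster or from Microsoft. It uses icacls (which Dave Mills mentions further down) instead of cacls so the existing ACLs can be saved and restored, and it assumes hypothetical domains contoso.com and adatum.com with OUs named "Groups" and "Users", the shared folder D:\Shares\MgmtDocs on a file server joined to contoso.com, and a backup account CONTOSO\svc_backup.

```batch
@echo off
REM Added example, not code from any poster in this thread. Builds the A-G-U-DL-P
REM layout from Dusko's post with dsadd, then assigns the permission (the "P") with
REM icacls, taking an ACL backup and an error log before touching the tree.
REM Hypothetical assumptions: domains contoso.com and adatum.com with OUs "Groups"
REM and "Users" in each, the shared folder D:\Shares\MgmtDocs on a file server
REM joined to contoso.com, and a backup account CONTOSO\svc_backup.
setlocal
set FOLDER=D:\Shares\MgmtDocs
set LOG=%TEMP%\mgmtdocs-acl.log

REM A-G: accounts go into one global group per domain
dsadd group "CN=G_Contoso_Management,OU=Groups,DC=contoso,DC=com" -secgrp yes -scope g ^
  -samid G_Contoso_Management -members "CN=Bob,OU=Users,DC=contoso,DC=com"
dsadd group "CN=G_Adatum_Management,OU=Groups,DC=adatum,DC=com" -secgrp yes -scope g ^
  -samid G_Adatum_Management -members "CN=Alice,OU=Users,DC=adatum,DC=com"

REM G-U: the universal group collects the global groups from both domains
dsadd group "CN=U_Enterprise_Management,OU=Groups,DC=contoso,DC=com" -secgrp yes -scope u ^
  -samid U_Enterprise_Management ^
  -members "CN=G_Contoso_Management,OU=Groups,DC=contoso,DC=com" ^
           "CN=G_Adatum_Management,OU=Groups,DC=adatum,DC=com"

REM U-DL: the domain local group is the only business principal that appears in the ACL
dsadd group "CN=DL_Management_Documentation_FullControl,OU=Groups,DC=contoso,DC=com" ^
  -secgrp yes -scope l -samid DL_Management_Documentation_FullControl ^
  -members "CN=U_Enterprise_Management,OU=Groups,DC=contoso,DC=com"

REM P, step 1: save the existing ACLs so the change can be undone with icacls /restore
icacls "%FOLDER%" /save "%TEMP%\mgmtdocs-acl.bak" /T /C >> "%LOG%" 2>&1

REM P, step 2: rebuild the ACL on the top folder only (no /T): stop inheriting from
REM D:\Shares, drop Everyone and Authenticated Users, give the DL group Full Control
REM and the backup account Read; SYSTEM and Administrators stay so the server and
REM its admins are not locked out. (OI)(CI) makes each entry inheritable.
icacls "%FOLDER%" /inheritance:r /remove:g Everyone /remove:g "Authenticated Users" ^
  /grant:r "CONTOSO\DL_Management_Documentation_FullControl:(OI)(CI)F" ^
  /grant:r "CONTOSO\svc_backup:(OI)(CI)RX" ^
  /grant:r "SYSTEM:(OI)(CI)F" /grant:r "BUILTIN\Administrators:(OI)(CI)F" >> "%LOG%" 2>&1

REM P, step 3: make everything below inherit the new top-level ACL instead of
REM carrying its own copy; /C continues past errors so they end up in the log
icacls "%FOLDER%\*" /reset /T /C >> "%LOG%" 2>&1

REM Review: icacls reports "Failed processing N files"; show any non-zero counts
findstr /c:"Failed processing" "%LOG%" | findstr /v /c:"Failed processing 0 files"
if errorlevel 1 (echo No failures logged) else (echo Failures found, review %LOG%)
endlocal
```

Run it against a small test folder first, as Pegasus advises; the saved .bak file lets you put the old ACLs back with icacls /restore if the result is not what you mapped out.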


Posted by DaveMo on September 16, 2009, 2:04 pm



Hi Barkley,

Since you mentioned other products in your query, I hope it's not too
much of a breach of protocol to mention that my company has a product
that likely meets your requirements as well. We are still running an
introductory special that would allow you to use the product for less
than $1000. A bargain if you calculate the number of hours you'll
likely spend with scripts and such.

Find out more at www.securitay.com/products.html.

Good luck with your project whichever way you go.

Dave

Posted by DaveMills on September 16, 2009, 3:53 pm





Check out icacls from W2003 - supports inherited ACLs.

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
