Quantcast
Channel: File Services and Storage Forum
Viewing all articles
Browse latest Browse all 1766

Removing an inherited permission from many containers and objects further down the file system

$
0
0

We have a large file system with a huge number of folders and files.

At the top of the folder structure an "Admin Group" has a permission that now needs to be removed. It applies to "This folders, subfolders and files" (OI)(CI) Full Control. This must have been applied some time after the subfolder structure started to be populated, or some folders have had the permission manually removed, as not all subfolders are affected, most are.

The structure is such:

TOP FOLDER - ACL2: Admin Group:F (OI)(CI)(ID)
----- SUB FOLDER 1:ACL1: User or Group:C (OI)(CI) <not inherited> +ACL2: Admin Group:F (OI)(CI)(ID) <inherited from 'Top Folder'>
----- etc...

What we need is a quick and effective way of removing the ACL2 inherited permission from all folders and files in the subtree.

There was a couple of differing opinions on how this could be achieved, we're not quite sure if all are actually valid:

  1. Remove the ACL2 permission at the TOP FOLDER as it's no longer required. However this then propogates that change to the thousands of folders and files below; with CACLS or SetACL this will take hours to complete.
  2. Change the ACLs on each SUB FOLDER to NOT "Include inheritable permissions from the object's parent". This is an explicit change on one folder, any folders below the SUB FOLDER utilise inheritance so do not need to be changed (or do they?). Not sure if this is possible, but it would mean we could make a single ACL change on a few hundred folders just at the first SUB FOLDER level.

I guess this all hinges on how ACLS and inheritance functions. If the a folder inherits permissions from the parent, it can either mean when queried it references the parent object for inherited permissions or inherited permissions are actually written to each and every object further down the tree.

Any help and guidance would be much appreciated. 


Viewing all articles
Browse latest Browse all 1766

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>