4

In my environment, I have several projects that involve running NTFS ACL audit reports and various ACL cleanup activities on a number of file servers. There are two main reasons why I cannot perform these activities locally on the servers:

1) I do not have local access to the servers as they are actually owned and administered by another company.

2) They are SNAP NAS servers which run a modified Linux OS (called GuardianOS) so even if I could get local access, I'm not sure of the availability of tools to perform the operations I need.

With that out of the way, I ended up rolling my own ACL audit reporting tool that would recurse down the filesystem starting at a specified top-level path and would spit out an HTML report on all the groups/users it encountered on the ACLs as well as showing the changes in permissions as it descended the tree. While developing this tool, I found out that the network overhead was the worst part of doing these operations and by multi-threading the process, I could achieve substantially greater performance.

However, I'm still stuck for finding a good tool to perform the ACL modifications and cleanup. Your standard out of the box tools (cacls, xcacls, Explorer) seem to be single-threaded and suffer significant performance penalty when going across the network.

The Question

Are there any faster tools than Explorer or CACLS for performing NTFS ACL modifications across the network?

David Archer
  • 599
  • 1
  • 6
  • 16
  • I use the FILEACL tool because it works and once you understand the complexities of ACL/ACE, then it's a powerful tool. Can't really comment on how fast it is as I've not got much to compare it against. I've wandered in here as I was asking a question elsewhere about how NTFS inheretence works and why it's sometimes slow – Rob Nicholson Jul 25 '10 at 11:19

3 Answers3

3

Your environment sounds a little strange (NTFS running on Linux?) - however, if you can access and modify ACLs from another Windows box then have you considered using PowerShell? It has simple get-acl and set-acl cmdlets that will do what you want.

Here's an MS article on doing the simple stuff: http://www.microsoft.com/technet/scriptcenter/csc/tips/ps/acl.mspx

The beauty of PowerShell is it's flexibility, so for example you could easily read in a set of desired ACLs, possibly with some rules, and then get PowerShell to go and do it for you...

The only thing will be performance - I'm honestly not sure if it will be faster than running CACLS in a CMD/batch file or not...

Good luck!

François Feugeas
  • 1,413
  • 10
  • 17
Mike McClelland
  • 810
  • 4
  • 10
  • 19
  • Mike, thanks for the answer. I updated the question to clarify the type of servers these are. I didn't think non-Windows NAS devices were uncommon so I'm not sure whats strange about it. It's a SMB/CIFS server running on the machine so not "technically" NTFS but it is supposed to be 100% compatible and supports DACLs. In any case, performance is what is killing me with Explorer and CACLS for these operations. I'm not seeing how PowerShell is going to be any faster so it's a non-starter for me. – David Archer Jun 11 '09 at 05:16
1

You might have a look at SetACL (http://setacl.sourceforge.net/). It's available as an ActiveX control, so you may be able to integrate it with your custom code in a multithreaded fashion.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
1

This is an old post, but for what it's worth, I have found that the powershell Set-ACL is far from a speed demon, and that the VB script alternatives are often faster.

Jean-Claude DuBois
  • 154
  • 2