
On our network shares, we have all kinds of broken permission inheritance.

Just one example: The folder "D:\Shares\PublicRelations" has full access for the groups "PublicRelations" and "HR" (both with full inheritance set). But the folder "D:\Shares\PublicRelations\SomeTopic" lacks the inherited permissions for the group "HR", even though inheritance is active.

This probably happened when someone added "HR" to the top folder and the propagation failed for some reason.

Is there any tool to fix this kind of issue automatically?

Ideally, I would just call it with the parameter "D:\Shares". It will then traverse all directories and fix all inherited permissions where necessary.

Andreas
  • Have you tried making a trivial change at the top level? The process of propagating that change might fix the broken inherited permissions. (I haven't tried this, just a thought.) – Harry Johnston Jan 03 '20 at 03:23
  • ... if that doesn't work, I don't think this would be particularly difficult to do in code, so you might want to Google and see if there are any existing third-party solutions. – Harry Johnston Jan 03 '20 at 03:25
  • I tried the trivial change first: it failed halfway through with "access denied". My solution: get BackupPrivilege and RestorePrivilege, traverse the directories, determine the permissions that should be there and trick C# into rewriting the unchanged permissions where necessary (the inherited ones are rewritten as well then). Fixed about 10k errors on our 1.1 million files on the network shares. – Andreas Jan 06 '20 at 06:13

2 Answers


I ended up coding it in C#:

  • Get SeBackupPrivilege and SeRestorePrivilege (allows the user to read and write everywhere).
  • Rewrite the path to make Windows handle long filenames (for local paths: prefix @"\\?\")
  • Traverse the directory tree
  • For each element load the ACL
  • Add an explicit rule and remove it again. This tricks the library into thinking that the ACL was changed.
  • Write the ACL
  • The I/O library will fix the inheritance issues while writing the unchanged ACL.

I also implemented a check whether a fix is necessary at all. But it took some work to get it working reliably:

  • You need to interpret the propagation and inheritance flags correctly.
  • Sometimes, permissions are merged on the way down, sometimes they are not. In the end, I just checked if they mean the same.
  • Deal with the special permissions "GENERIC_(READ|WRITE|EXECUTE|ALL)"

It found and fixed about 40,000 errors on a 1-million-file share.

Andreas
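The C# program described in this answer was never posted, so the following is an added PowerShell example (not the answer's own code) that walks through the same procedure: enabling SeBackupPrivilege and SeRestorePrivilege, the optional `\\?\` long-path prefix, a top-down traversal, the check that interprets the CI/OI/NP/IO flags (including the case where Windows splits one parent ACE into an effective and an inherit-only ACE on the child, and the GENERIC_* rights mapping), and the add-then-remove trick that forces the unchanged DACL to be written so Windows recomputes the inherited ACEs. It assumes Windows PowerShell 5.1 on an account that holds both privileges (local Administrators do), that the share root is `D:\Shares` as in the question, and that `-LiteralPath` accepts the `\\?\` prefix on 5.1; the `-CheckOnly` switch, the Null-SID dummy ACE, and the FILE_GENERIC_* mapping table are this example's choices, not the answer's.

```powershell
# Added example, not the answer's C# program (which was never posted): the same
# procedure in PowerShell. Assumes Windows PowerShell 5.1 and an account that holds
# SeBackupPrivilege and SeRestorePrivilege (Administrators do); $Root is assumed.
param([string]$Root = 'D:\Shares', [switch]$CheckOnly, [switch]$LongPathPrefix)
# Step 1: enable the backup/restore privileges on this process token.
Add-Type -Namespace Win32 -Name Privilege -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool LookupPrivilegeValue(string host, string name, out long luid);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
[StructLayout(LayoutKind.Sequential, Pack = 4)]
struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attr; }
public static bool Enable(string name) {
    IntPtr token;   // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out token)) return false;
    var tp = new TOKEN_PRIVILEGES { Count = 1, Attr = 2 };   // 2 = SE_PRIVILEGE_ENABLED
    if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
    // Returns TRUE even if the account lacks the privilege; ERROR_NOT_ALL_ASSIGNED (1300) tells.
    return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
        && Marshal.GetLastWin32Error() == 0;
}
'@
foreach ($p in 'SeBackupPrivilege', 'SeRestorePrivilege') { if (-not [Win32.Privilege]::Enable($p)) { throw "cannot enable $p for this account" } }
# Step 2: the \\?\ prefix from the answer (assumed to work with -LiteralPath on 5.1).
$start = $Root
if ($LongPathPrefix) { $start = if ($Root.StartsWith('\\')) { '\\?\UNC\' + $Root.Substring(2) } else { '\\?\' + $Root } }
$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]
$SID = [System.Security.Principal.SecurityIdentifier]
# GENERIC_READ/WRITE/EXECUTE/ALL -> the specific FILE_GENERIC_* rights Windows writes on children.
$GenericMap = @{ 0x80000000 = 0x120089; 0x40000000 = 0x120116; 0x20000000 = 0x1200A0; 0x10000000 = 0x1F01FF }
function Normalize-Rights([int]$raw) {
    $m = [int64]$raw -band 0xFFFFFFFF; $out = $m -band 0x0FFFFFFF
    foreach ($g in $GenericMap.Keys) { if ($m -band $g) { $out = $out -bor $GenericMap[$g] } }
    return $out
}
# Canonical form: one mask per (identity, type, effective) and one per (identity, type,
# CI/OI, NP), so a parent ACE that Windows splits in two on the child still compares equal.
function Add-Entry($set, $id, $type, [bool]$effective, $inh, [bool]$np, $rights) {
    $mask = Normalize-Rights ([int]$rights)
    if ($effective) { $k = "$id|$type|effective"; $set[$k] = [int64]$set[$k] -bor $mask }
    if ("$inh" -ne 'None') { $k = "$id|$type|$inh|np=$np"; $set[$k] = [int64]$set[$k] -bor $mask }
}
# Step 4a: the inherited ACEs a child *should* carry, from the parent's ACL and the CI/OI/NP rules.
function Get-ExpectedEntries($parentAcl, [bool]$childIsDir) {
    $set = @{}
    foreach ($r in $parentAcl.GetAccessRules($true, $true, $SID)) {
        $ci = $r.InheritanceFlags.HasFlag($IF::ContainerInherit)
        $oi = $r.InheritanceFlags.HasFlag($IF::ObjectInherit)
        $np = $r.PropagationFlags.HasFlag($PF::NoPropagateInherit)
        if ($childIsDir) {
            # CI makes the ACE effective on a subfolder; NP strips the inherit flags there, so OI-only + NP never arrives.
            if (-not $ci -and ($np -or -not $oi)) { continue }
            $inh = if ($np) { 'None' } else { $r.InheritanceFlags }
            Add-Entry $set $r.IdentityReference $r.AccessControlType $ci $inh $false $r.FileSystemRights
        } elseif ($oi) {   # a file gets an effective copy and never carries inherit flags
            Add-Entry $set $r.IdentityReference $r.AccessControlType $true 'None' $false $r.FileSystemRights
        }
    }
    return $set
}
function Get-ActualEntries($acl) {   # Step 4b: what the child really carries (inherited ACEs only)
    $set = @{}
    foreach ($r in $acl.GetAccessRules($false, $true, $SID)) {
        Add-Entry $set $r.IdentityReference $r.AccessControlType (-not $r.PropagationFlags.HasFlag($PF::InheritOnly)) `
            $r.InheritanceFlags $r.PropagationFlags.HasFlag($PF::NoPropagateInherit) $r.FileSystemRights
    }
    return $set
}
function Get-Canon($set) { ($set.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';' }
# Steps 5-7: add and remove a harmless explicit ACE (Deny for the Null SID, which matches nobody) so
# .NET flags the DACL as modified and Set-Acl really writes it; Windows then recomputes the inherited ACEs.
function Repair-Acl([string]$path, $acl) {
    $nobody = New-Object System.Security.Principal.SecurityIdentifier 'S-1-0-0'
    $dummy = New-Object System.Security.AccessControl.FileSystemAccessRule $nobody, 'ReadAttributes', 'Deny'
    $acl.AddAccessRule($dummy); $acl.RemoveAccessRuleSpecific($dummy)
    Set-Acl -LiteralPath $path -AclObject $acl
}
# Step 3: walk the tree top-down, so a repaired folder is the reference for its own children.
$script:checked = 0; $script:fixed = 0
function Walk([string]$dir, $parentAcl) {
    foreach ($item in Get-ChildItem -LiteralPath $dir -Force) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { Write-Warning "$($item.FullName): $_"; continue }
        $script:checked++
        if (-not $acl.AreAccessRulesProtected -and
            (Get-Canon (Get-ExpectedEntries $parentAcl $item.PSIsContainer)) -ne (Get-Canon (Get-ActualEntries $acl))) {
            Write-Output "inheritance mismatch: $($item.FullName)"
            if (-not $CheckOnly) { Repair-Acl $item.FullName $acl; $script:fixed++; $acl = Get-Acl -LiteralPath $item.FullName }
        }
        # Recurse into real directories only; a junction would lead into another tree or a loop.
        if ($item.PSIsContainer -and ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -eq 0) { Walk $item.FullName $acl }
    }
}
Walk $start (Get-Acl -LiteralPath $start)
"checked $checked objects, rewrote $fixed ACLs"
```

Run it with `-CheckOnly` first to get the list of mismatching objects without writing anything. Because the DACL written back is the object's own (only the inherited part is recomputed by Windows), explicit entries such as a "Finance" group granted on one subfolder survive the rewrite. Objects with inheritance disabled (`AreAccessRulesProtected`) are skipped on purpose: there is nothing to inherit, and touching them would change their meaning.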

icacls <folder> /t /reset will reset all permissions with the default inheritable ones.

Technet reference

Lenniey
  • But this removes the permissions that are set explicitly for a subfolder. E.g.: If there was a group "Finance" with full access only to the folder "D:\Shares\PublicRelations\SomeTopic", this will be gone after application of "icacls /reset". – Andreas Jan 02 '20 at 11:08
  • True, but that's not in the scope of your question (I think?). If you need explicit permissions to be kept, you need to extract these into an ACLfile, reset and reapply the file, for example. You somehow _have_ to know which permissions should be kept, inherited, or set etc. – Lenniey Jan 02 '20 at 11:15
  • All the information about what should be kept is in the file system. The only issue is that the inheritance is not applied correctly to all subfolders. I did some tests with the "save-reset-restore" process. It seems to do the trick. But even with an elevated cmd, I get "permission denied" for some folders (I guess I need to take ownership of these folders before). And since the permissions are destroyed temporarily, I have to take the shares offline before. This seems to be a lot of error-prone work just to fix an inconsistency in the file system. Hence the hope for a ready-to-use tool. – Andreas Jan 02 '20 at 12:24
  • There probably is none. As this is very specific to your use case, there won't be some magic "All-In-One" application. I'd probably reset permissions and manually start from the beginning. Lots of work, maybe, but as far as I can tell the only viable solution. – Lenniey Jan 02 '20 at 12:32