Calling the NTFS permission wizards

Mal1ce

Well-Known Member
Joined
Feb 3, 2006
Messages
283
Hi folks

I've been tasked with looking at securing the permissions of a new W2K12 R2 file server for a client. The old file server permissions are in truth somewhat of a disaster, with staff having access to create/edit/delete files & folders where they should not. So, a new root folder and structure beneath that are desired, with users only being allowed to create/edit/delete files & folders that exist at the end of the structure.

Excuse the quick MS Paint mockup... the actual structure has quite a few more tiers and subfolders... this is just a quick example...

[image: MS Paint mockup of the folder structure (2pq8j6p.jpg)]



Basically, the RED area on the left is the structure, which SERVER\Administrators group should have "full control" and user groups should have "read/list/traverse", the BLUE area on the right is where the user groups are to be allowed "modify"... basically able to create/edit/delete folders & files on a whim.

Getting the data into the correct folders is going to be painful enough sifting through all folders & files on the old server :/

Before I get started with this, I first wanted to ask if a.) it is possible using NTFS permissions? and b.) does anyone have an example to share or can point me in the direction of an application that can achieve this?


Everything would have to inherit from the root D:\Projects folder, there are hundreds of project directories, no way am I going through and setting permissions folder by folder.


Many thanks!
 

WAslayer

Executive Member
Joined
May 13, 2011
Messages
8,938
This is supposed to be possible using the advanced permissions option under the security tab and you will not be able to do this from the parent directory alone, since you need the write and create etc permissions on the lowest leg folder at the least.. at the very least you can create two groups, one with full access and one with limited access.. that will at least avoid the pain of doing this per user..

As for an app that can do this, I can't help you there buddy.. even thinking about how to start googling that is hurting my brain..:)
 

Mal1ce

Well-Known Member
Joined
Feb 3, 2006
Messages
283
There are nearly 50,000 folders at the various "lowest legs" on the desired structure.. if I do succeed it will be via some form of automated script to create the structure and apply the necessary permissions.

However despite much searching on Google it is looking like this cannot be achieved - if the users were limited to files only (ie: creating CAD drawings or Word documents or copying photos off a memory card onto the server) it would be possible to allow users "Modify" to Files only and deny "Delete" to This Folder & Subfolders... this would somewhat solve the issue but as soon as you give permissions to the user group to create/modify/delete folders it all goes pear shaped.

Stumped.
 

gfmalan

Expert Member
Joined
Nov 11, 2013
Messages
2,676
There are nearly 50,000 folders at the various "lowest legs" on the desired structure.. if I do succeed it will be via some form of automated script to create the structure and apply the necessary permissions.

However despite much searching on Google it is looking like this cannot be achieved - if the users were limited to files only (ie: creating CAD drawings or Word documents or copying photos off a memory card onto the server) it would be possible to allow users "Modify" to Files only and deny "Delete" to This Folder & Subfolders... this would somewhat solve the issue but as soon as you give permissions to the user group to create/modify/delete folders it all goes pear shaped.

Stumped.

I like a challenge like this, I would use Excel to make myself a batch file.

1) get the current structure with dir > filename.txt
2) insert txt into xls file (each row represent folder with path)
3) use icacls command and formulas to create the command for each folder.
4) save to filename.bat and run in cmd
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
eh I'm in finance not IT, but I'm 80% sure you've got it back to front.

Permissions should copy 1:1 if you copy a folder so if you set up a folder and just duplicate it then you should have your permissions 100%. So you'd just need a script to rename each copy of the master structure & then sort all that ka.k into the right subfolders which you should be able to do in a programming language of your choice.

cool?
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
13,703
I've still seen permission issues even after advanced security edits, done correctly too.

another way round it is to copy to external media without permissions, create the new folders with permissions on the server, copy data to correct locations. I've found the least amount of weird file and application access problems this way.

long winded but sometimes needed.


I'm not sure if I understand completely what you want to do.

not give access to those folders but give access to those file types?

doesn't the file server resource manager do something like this?
 

Mal1ce

Well-Known Member
Joined
Feb 3, 2006
Messages
283
Basically don't want users to be able to create files or folders anywhere but the last leg of the structure.

So they can create descriptive folders or add files under the D:\Projects\ProjectA\Photos\ directory but have zero ability to create anything under D:\Projects, D:\ProjectA and so forth.

EDIT: And obviously not let them move/rename/delete D:\Projects, D:\Projects\ProjectsA, D:\Projects\ProjectA\Photos.
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
13,703
Basically don't want users to be able to create files or folders anywhere but the last leg of the structure.

So they can create descriptive folders or add files under the D:\Projects\ProjectA\Photos\ directory but have zero ability to create anything under D:\Projects, D:\ProjectA and so forth.

EDIT: And obviously not let them move/rename/delete D:\Projects, D:\Projects\ProjectsA, D:\Projects\ProjectA\Photos.

I'm not sure if you have the correct server roles installed, but it should be pretty straight forward to set user or group rights to specific folders.
 

WAslayer

Executive Member
Joined
May 13, 2011
Messages
8,938
im not sure if you have the correct server roles installed, but it should be pretty straight forward to set user or group rights to specific folders.

one would think so.. but there are no server roles available that provide better permission controls over and above what windows already offers under the properties of the folder.. the only way I suspect that this may work is by disabling inheritance to the child folders from the parent folder and then explicitly using the special permissions to assign the required deny/granted permissions for the respective groups to each subfolder..

@OP, have a peruse at this.. they seem to want to achieve more or less the same as you do and you may get some pointers here..

https://technet.microsoft.com/en-us/library/2009.07.geekofalltrades.aspx
 
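gfmalan's per-folder icacls batch and the explicit leaf permissions WAslayer describes can both come out of one script. The following is an added example, not code posted in the thread. It assumes D:\Projects as the root, a fixed layout of Projects\<Project>\<Category> where the <Category> folders are the "last leg" (depth 2), and a placeholder group CONTOSO\Projects-Users. Instead of breaking inheritance on each leaf it leaves the inherited read/list/traverse in place and adds two ACEs per leaf: "this folder only: create files / create folders", and an inherit-only Modify that applies to subfolders and files but not to the leaf itself. That combination lets users create and manage anything beneath the leaf while the leaf and everything above it stays read-only to them.

```powershell
# Added example, not code from the thread. Assumed names: D:\Projects is the
# root, the fixed layout is Projects\<Project>\<Category> with the <Category>
# folders as the "last leg" (depth 2), and CONTOSO\Projects-Users is the
# project user group. Run elevated on the file server.
param(
    [string]$Root      = 'D:\Projects',
    [string]$UserGroup = 'CONTOSO\Projects-Users',   # assumed group name
    [int]   $LeafDepth = 2,                          # <Project>\<Category>
    [switch]$DryRun                                  # list leaves, change nothing
)

$Both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$This = [System.Security.AccessControl.InheritanceFlags]::None
$Prop = [System.Security.AccessControl.PropagationFlags]::None
$IO   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Build one Allow ACE; $Rights is a FileSystemRights value such as 'Modify, Synchronize'.
function New-AllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# Root: stop inheriting from the drive so nothing like "Users: Modify" on D:\
# leaks into the tree. Users get read/list/traverse all the way down; no ACE
# placed here grants any write right.
function Set-RootAcl {
    param([string]$Path, [string]$UserGroup)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # same effect as icacls /inheritance:r
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)         # drop any stray explicit ACE
    }
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $Both $Prop))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' $Both $Prop))
    $acl.AddAccessRule((New-AllowRule 'CREATOR OWNER'          'FullControl' $Both $IO))
    $acl.AddAccessRule((New-AllowRule $UserGroup 'ReadAndExecute, Synchronize' $Both $Prop))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Leaf: two ACEs for the user group on top of the inherited read/execute.
#   1. this folder only: add files / add subfolders   (icacls form: (WD,AD))
#   2. subfolders and files only, inherit-only: Modify (icacls form: (OI)(CI)(IO)M)
# The leaf itself never grants Delete and its parent never grants
# DeleteSubdirectoriesAndFiles, so users cannot rename, move or delete the
# leaf; everything they create beneath it inherits Modify and is theirs to manage.
function Set-LeafAcl {
    param([string]$Path, [string]$UserGroup)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-AllowRule $UserGroup 'CreateFiles, CreateDirectories' $This $Prop))
    $acl.AddAccessRule((New-AllowRule $UserGroup 'Modify, Synchronize' $Both $IO))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Walk exactly $Depth directory levels below $Path and return the folders found there.
function Get-LeafFolder {
    param([string]$Path, [int]$Depth)
    $level = @(Get-Item -LiteralPath $Path)
    for ($i = 0; $i -lt $Depth; $i++) {
        $level = @($level | ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Directory })
    }
    $level
}

$leaves = Get-LeafFolder -Path $Root -Depth $LeafDepth
if ($DryRun) {
    $leaves | ForEach-Object { "would set leaf ACL on $($_.FullName)" }
} else {
    Set-RootAcl -Path $Root -UserGroup $UserGroup
    foreach ($leaf in $leaves) { Set-LeafAcl -Path $leaf.FullName -UserGroup $UserGroup }
}
"{0} leaf folders under {1}" -f $leaves.Count, $Root
```

Run it with -DryRun first to confirm the leaf count matches the expected number of <Category> folders before touching any ACL. AddAccessRule merges an identical rule rather than duplicating it, so re-running after adding new project folders is safe, and a new project only needs Set-LeafAcl on its leaves since everything else is inherited from the root.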

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,385
Mal1ce,

I've been through this a few times and there are a few points that I feel is important you take care of before you even begin this.

Standards
Define the standards and implementations thereof. For example, specify that no directory structure below 3 levels is allowed to have non-inheritance set, or allow deviations from the permissions parent. Keeping the permissions structure only 3 deep reduces the complexity required to administer permissions from top down.
Set out how many shares there need to be and their function. Specify decommissioning and commissioning processes for each.
(Example, Projects could be a base level share with managers, project managers and engineers assigned to it. Each new project gets a new Share with the appropriate number of security groups and once the project is completed, it is backed up... written to media and then all the data and supporting structures get removed)

BuyIn
You need senior management to buy into this plan of yours simply because operating this in the long term is only going to be enforced, when supported by the rules & regs of the company.
This will be very important if you have something like a Quota system where you need to "charge" departments for the space they use. Drive Arrays are a big cost and data storage space is a premium cost in IT departments. If you're going to use Quotas to charge back costs to the projects or departments, buy in is very important.
Also, you will need to explain that no one, including the CEO, gets access to all the data unless they are Administrators. This won't be a famous or well liked standard, but it really reduces your exposure to attacks like Encrypted Malware.

Access Management
Be sure to have a plan laid out that outlines how people get access to the data. Outline the long term strategy and the processes and procedures to go through to get access.
Typically you should only have 3 Security Groups defined:
1) The Data Owner (Typically the Manager or Director of the Department - they are also typically the people who know best who needs access to what data)
2) Editors - The people who work with the data and need to read/write to it
3) Visitors - Only require Read Access

Additionally, you will need to have a Security Group that Manages access to these groups that is divorced from the groups you create above. Creator/Owners should only be able to accept or deny membership to a security group, but they should never do the editing themselves. That should go through an audit-able process. Even the Data Administrators (the Server default drive permissions) should not have access to modify any security groups.

Default Permissions
Do NOT remove or modify the permissions of the NTFS folders. Very specifically, CREATOR/OWNER, SYSTEM and Administrators. This will be important to maintain your access to all files at all times (for backups/admin purposes)

Robocopy, the DIR command and some excel skills is all you need to make sense of the data.

As a last resort, you can create the whole data/file structure (as empty) and then show them what it will look like, populating the whole structure with the required permissions structure.
Then ask each Department to move THEIR own data into the waiting folders with all the permissions set.
 

Cray

Honorary Master
Joined
Oct 11, 2010
Messages
34,549
I like a challenge like this, I would use Excel to make myself a batch file.

1) get the current structure with dir > filename.txt
2) insert txt into xls file (each row represent folder with path)
3) use icacls command and formulas to create the command for each folder.
4) save to filename.bat and run in cmd

+1, have done this a few times, works like a charm.
 

Mal1ce

Well-Known Member
Joined
Feb 3, 2006
Messages
283
Thankfully there are no requirements for visitors... however the data will stay on the server for many years to come. No quota system either, it's nigh on impossible to predict how large each individual project folder may grow.

Permission will only be two levels, Administrators with full control and a specific project group of users with Read/Traverse/List & finally Modify.

@WAslayer is on the right track, @access is a bit off in that I DO want users to be able to create folders, but only at the end of the various sub-directories... if it was just files this would be somewhat easy.


Plan so far is to follow @WAslayer idea of disabling inheritance on the last leg of the structure and setting permissions manually - busy with some scripts that will do the permissions for me, including the creation of new project folders as well as setting permissions on existing ones.

Just waiting for all the users to move the data into the correct folders on the old server, will then Robocopy (using the /MIR /COPYALL switches) the entire projects directory to the new server and begin testing the scripts.
 
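The plan above copies the old tree with Robocopy /MIR /COPYALL, and /COPYALL is /COPY:DATSOU, so the S (NTFS security) and O (owner) of every source folder arrive on the new server along with the data. Until the permission scripts have been re-run, the migrated tree therefore carries whatever the old server had. The following audit is an added example, not code from the thread; it assumes the same D:\Projects root and Projects\<Project>\<Category> layout (leaves at depth 2) and that only Administrators, SYSTEM and CREATOR OWNER may hold write rights above the leaves. It walks every folder and reports broken inheritance in the fixed part of the structure, Deny ACEs, write rights above a leaf, write at a leaf that is inherited from its parent, and explicit ACEs below a leaf where everything should be inherited.

```powershell
# Added example, not code from the thread. Assumed: D:\Projects root with the
# Projects\<Project>\<Category> layout (leaves at depth 2), and that only the
# principals in $Trusted may hold write rights above or at the leaves.
param(
    [string]  $Root      = 'D:\Projects',
    [int]     $LeafDepth = 2,
    [string[]]$Trusted   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
)

# Rights that let a principal add, rename, delete or re-permission something.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function New-Finding {
    param([string]$Path, [string]$Issue, [string]$Identity = '', [string]$Rights = '')
    [pscustomobject]@{ Path = $Path; Issue = $Issue; Identity = $Identity; Rights = $Rights }
}

# Inspect one folder's DACL. Depth 0 is the root, $LeafDepth is the "last leg".
function Get-AclFinding {
    param([string]$Path, [int]$Depth)
    $acl = Get-Acl -LiteralPath $Path

    # Inheritance broken anywhere except the root or a leaf (the plan disables it
    # on leaves): usually an ACL that came across with /COPYALL from the old server.
    if ($Depth -ne 0 -and $Depth -ne $LeafDepth -and $acl.AreAccessRulesProtected) {
        New-Finding $Path 'InheritanceDisabled'
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }
        # Cast to int: ACEs carrying generic rights show up as raw numbers, not enum names.
        $canWrite = (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0
        $explicit = -not $ace.IsInherited
        if ($ace.AccessControlType -eq 'Deny') {
            # A Deny ACE usually means someone patched a symptom by hand; report it.
            New-Finding $Path 'DenyAce' $who $ace.FileSystemRights
        } elseif ($Depth -lt $LeafDepth -and $canWrite) {
            # Above the leaves users may only read/list/traverse.
            New-Finding $Path 'WriteAboveLeaf' $who $ace.FileSystemRights
        } elseif ($Depth -eq $LeafDepth -and $canWrite -and -not $explicit) {
            # Write at a leaf must come from the leaf's own ACEs, not its parent.
            New-Finding $Path 'InheritedWriteAtLeaf' $who $ace.FileSystemRights
        } elseif ($Depth -gt $LeafDepth -and $explicit) {
            # Below the leaves everything should be inherited from the leaf.
            New-Finding $Path 'ExplicitAceBelowLeaf' $who $ace.FileSystemRights
        }
    }
}

# Depth-first walk over folders only; files take their ACL from the folder
# above them, so an odd file ACL shows up as an explicit ACE on that folder
# or as a stray ACE the leaf check reports.
function Test-ProjectTree {
    param([string]$Path, [int]$Depth = 0)
    Get-AclFinding -Path $Path -Depth $Depth
    foreach ($child in @(Get-ChildItem -LiteralPath $Path -Directory -Force)) {
        Test-ProjectTree -Path $child.FullName -Depth ($Depth + 1)
    }
}

$findings = @(Test-ProjectTree -Path $Root)
$findings | Sort-Object Issue, Path | Format-Table -AutoSize
"{0} findings under {1}" -f $findings.Count, $Root
```

Run it once straight after the Robocopy to see what the old server's ACLs look like on the new volume, and again after the permission scripts; the second run should return zero findings, and any ExplicitAceBelowLeaf or InheritanceDisabled entries that remain point at folders the scripts did not reach.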

access

Honorary Master
Joined
Mar 17, 2009
Messages
13,703
that is exactly what he is after and exactly what I said would need to happen.. inheritance needs to be disabled and explicit special permissions granted/denied on each sub folder.. trouble is, there are many thousands of these subfolders.. so an automated solution is needed.. this is why I linked this https://technet.microsoft.com/en-us/library/2009.07.geekofalltrades.aspx which should help in getting this automated..

yeah alright, my bad. I was getting ahead of myself.

there are some NTFS permission management tools around that can help with multiple directory structures too.
 

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,385
Thankfully there are no requirements for visitors... however the data will stay on the server for many years to come. No quota system either, it's nigh on impossible to predict how large each individual project folder may grow.

Permission will only be two levels, Administrators with full control and a specific project group of users with Read/Traverse/List & finally Modify.

@WAslayer is on the right track, @access is a bit off in that I DO want users to be able to create folders, but only at the end of the various sub-directories... if it was just files this would be somewhat easy.


Plan so far is to follow @WAslayer idea of disabling inheritance on the last leg of the structure and setting permissions manually - busy with some scripts that will do the permissions for me, including the creation of new project folders as well as setting permissions on existing ones.

Just waiting for all the users to move the data into the correct folders on the old server, will then Robocopy (using the /MIR /COPYALL switches) the entire projects directory to the new server and begin testing the scripts.

Yup. That's what I thought when I did the first one and had to be redone a few years later.
 