Background Information
Recently I fixed file server permission issues for one of my clients. The client has 1800 users and one Windows Server 2008 R2 domain-joined file server with 12 TB of data, 250+ shared folders, and a folder structure five levels deep. All shared folder access is granted on a per-user basis and no groups are defined, so the folder access control lists (ACLs) have grown bloated and unmanageable.
The file server is a member of one domain, and since the client has acquired another company, we have to grant the second company's users (in another domain) appropriate rights to the file server data. A domain-level trust is already in place.
The problem:
For many folders, administrators do not even have read access and cannot view the folder ACL. They cannot see the folder owner or access the folder, so they cannot manage file server access at all.
For example:
I went to the folder properties, and it shows the folder as empty, when in reality it is not empty; I simply don't have permission to view the folder size.
I don't have access to view the folder's NTFS permissions, but I can view the share permissions, which are Full Control for Everyone.
I am even unable to see the folder owner:
An administrator can forcibly take folder ownership with the replace permissions option, but this destroys the existing file server permissions, which is not desirable.
If I click Yes here, all existing permissions will be destroyed by granting me Full Control (in addition to ownership), which is not the objective. I have no choice but to click No, and I immediately get the following warning messages:
Unless I obtain folder ownership, I cannot add or modify anybody, including myself, on the folder ACL.
The root cause of this problem is that multiple users have Full Control NTFS permissions on the root folder. Some smart users have removed the built-in Administrators group from the ACL and from the Owner tab. The CREATOR OWNER group is listed on the ACL of the folders, which means that whoever creates a file or folder automatically becomes its owner. The permissions model has become complicated: access is granted to individual users instead of groups, which is difficult to track.
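Before touching ownership it helps to measure how widespread the conditions just described are. The following script is an added example, not part of the original article: it walks a share tree and reports, per folder, whether BUILTIN\Administrators holds an Allow Full Control ACE, whether CREATOR OWNER is on the ACL, how many explicit (non-inherited) ACEs exist, and which folders cannot be read at all. It assumes an elevated PowerShell 2.0 or later session on the file server; the root path and report path are placeholders.

```powershell
# Added example, not from the original article: audit a share tree for the
# conditions the text describes (administrators locked out, CREATOR OWNER
# present, many explicit per-user ACEs). Assumes an elevated PowerShell 2.0+
# session on the file server; $Root and $Report are placeholder paths.
param(
    [string]$Root   = 'C:\TFolders',             # hypothetical share root
    [string]$Report = 'C:\Temp\acl-audit.csv'    # hypothetical output file
)

$adminsSid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators
$creatorSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')       # CREATOR OWNER
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-Sid {
    # Map an ACE identity to a SID; orphaned identities that cannot be translated come back unchanged.
    param($Identity)
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $Identity }
}

function Test-FolderAcl {
    param([string]$Path)
    $r = New-Object PSObject -Property @{
        Path = $Path; Owner = ''; AdminsFullControl = $false
        CreatorOwnerPresent = $false; ExplicitAces = 0; Error = ''
    }
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch { $r.Error = $_.Exception.Message; return $r }   # usually "Access is denied"

    $r.Owner = $acl.Owner
    foreach ($ace in $acl.Access) {
        $sid = Get-Sid $ace.IdentityReference
        if ($sid -eq $creatorSid) { $r.CreatorOwnerPresent = $true }
        if (-not $ace.IsInherited) { $r.ExplicitAces++ }
        # An Allow ACE that carries every bit of FullControl for BUILTIN\Administrators
        if ($sid -eq $adminsSid -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
            $r.AdminsFullControl = $true
        }
    }
    return $r
}

# Root first, then every subfolder we are allowed to enumerate. Subfolders of a
# folder that cannot be listed are skipped silently, so the count is a lower bound.
$folders = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })

$results = foreach ($f in $folders) { Test-FolderAcl -Path $f }
$results | Select-Object Path, Owner, AdminsFullControl, CreatorOwnerPresent, ExplicitAces, Error |
    Export-Csv -Path $Report -NoTypeInformation

# Console summary: folders that are unreadable, lack Administrators Full Control, or still carry CREATOR OWNER
$bad = @($results | Where-Object { $_.Error -or -not $_.AdminsFullControl -or $_.CreatorOwnerPresent })
Write-Host ("{0} of {1} folders need attention; details in {2}" -f $bad.Count, $folders.Count, $Report)
$bad | Sort-Object ExplicitAces -Descending | Select-Object -First 20 |
    Format-Table Path, Owner, AdminsFullControl, CreatorOwnerPresent, ExplicitAces -AutoSize
```

Run it once before any ownership change to get a baseline, and again afterwards: the `Error` column should be empty and `AdminsFullControl` true everywhere, while `ExplicitAces` highlights the folders with the most per-user entries to convert to groups.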
NTFS Folder ownership
- Every object has an owner, whether the object is on an NTFS volume or in Active Directory Domain Services (AD DS). The owner controls how permissions are set on the object and to whom permissions are granted.
- An administrator who needs to repair or change permissions on a file must begin by taking ownership of the file if they do not already have it.
- By default, the owner is the entity that created the object. The owner can always change permissions on an object, even when the owner is denied all access to the object.
Ownership can be taken by:
- The Administrators group, which by default is granted the Take ownership of files or other objects user right.
- Any user or group who has the Take Ownership permission on the object.
- A user who has the Restore files and directories user right.
Ownership can be transferred in the following ways:
- The current owner can grant the Take Ownership permission to another user. The user must actually take ownership to complete the transfer.
- A member of the local Administrators group can take ownership.
- A user who has the Restore files and directories user right can double-click Other users and groups and choose any user or group to assign ownership to.
CREATOR OWNER
If you look at the diagram above, there is a special group called CREATOR OWNER. This group is inherited from the drive root, and because of it the person who creates files and folders is automatically assigned ownership of those files and folders as long as the group is listed on the ACL.
I have shared folders ranging in size from 10 GB to 250 GB; I need a method to take ownership of all folders without destroying the existing folder permissions.
There are TWO options left:
Either I take folder ownership from top to bottom without destroying existing permissions,
OR
I find a user who already has Full Control on the folder and have them grant my admin account access, from where I can take it further. There are multiple free tools available on the internet to accomplish this. Membership in the server's local Administrators group is the minimum prerequisite for using any of them.
Takeown – Built-in tool available in Windows-based systems for managing folder ownership
Takeown has its own limitations and can destroy existing NTFS permissions in addition to taking folder ownership. To take ownership with the Takeown utility without destroying existing permissions, you must have at least read permission on the folder and its files; otherwise you cannot take ownership. The upshot is that until you own every subfolder and file, you have to run the following TWO commands alternately, again and again.
takeown /f <directory path> /r /a
where
/f specifies the file or folder
/r applies the operation recursively
/a gives ownership to the Administrators group instead of the current user
AND
Icacls <Directory Path> /grant administrators:f /t
/t applies the change to all subfolders and files
:f grants Full Control
Example:
takeown /f C:\TFolders /r /a
Icacls C:\Tfolders /grant administrators:f /t
In the example above, Takeown assigned ownership of the "C:\TFolders" root folder only to the Administrators group, even though you specified the /r switch for recursive ownership, because you do not have read permission on the subfolders and files. If you press Y when prompted, all folder permissions will be destroyed and only your admin account will be granted Full Control. You can add the /D switch with a Y or N parameter to suppress every permission-replacement prompt. At this point you own only the root folder; you still have no ownership of the subfolders, and no permissions on the root folder or the subfolders.
The same happens when you try to take folder ownership from the GUI in recursive mode:
In the snapshot above, if you select Yes, it will destroy the existing folder permissions by granting you Full Control in addition to ownership.
Now that you own the root folder, you need to run the command below with the built-in Icacls utility to grant Administrators Full Control. It will grant Administrators Full Control on the root folder only, because you do not yet own the rest of the subfolders and files.
Then you have to run Takeown again to take ownership of the next level of subfolders and files, which is now possible because you have access to the root folder.
Once you own those folders, you again need to assign permissions with Icacls, as shown below.
In the diagram above there is still one access denied error. You need to run both commands repeatedly until you have ownership of and access to the entire folder tree. After that you can manage every aspect of that folder.
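The repeat-until-clean cycle above is tedious by hand on a tree that is five levels deep, so here is an added example (not from the original article) that automates it: each pass runs takeown with /d N, which answers No at every prompt so no existing ACL is ever replaced, then icacls /grant, which adds an Administrators:F entry next to the existing entries, and the loop stops once the icacls summary line reports zero failures. It assumes an elevated prompt on the file server, English-language icacls output, and a hypothetical root path in $Root.

```powershell
# Added example, not from the original article: automate the repeated
# takeown / icacls cycle described in the text until icacls reports no failures.
# Assumes an elevated PowerShell session on the file server, English-language
# icacls output, and a hypothetical root path in $Root.
param(
    [string]$Root = 'C:\TFolders',   # hypothetical share root
    [int]$MaxPasses = 25             # safety stop; each pass normally reaches at least one level deeper
)

function Invoke-OwnershipPass {
    param([string]$Path)

    # /a gives ownership to Administrators; /r recurses; /d N answers "No" wherever
    # takeown cannot list a folder, so it never replaces an existing ACL. Folders it
    # could not reach are left for the next pass, once icacls has opened their parent.
    & takeown.exe /f $Path /a /r /d N 2>&1 | Out-Null

    # /grant adds an Administrators:F ACE alongside the existing ACEs (it does not
    # replace them); /t recurses; /c keeps going past access-denied errors.
    $out = & icacls.exe $Path /grant 'Administrators:F' /t /c 2>&1

    # icacls ends with "Successfully processed N files; Failed processing M files".
    $failed = $null
    foreach ($line in $out) {
        if ("$line" -match 'Failed processing (\d+) files') { $failed = [int]$Matches[1] }
    }
    return $failed
}

$pass = 0
do {
    $pass++
    $failed = Invoke-OwnershipPass -Path $Root
    if ($failed -eq $null) {
        Write-Warning 'Could not parse the icacls summary line; stopping.'
        break
    }
    Write-Host ("Pass {0}: icacls could not process {1} item(s)" -f $pass, $failed)
} while ($failed -gt 0 -and $pass -lt $MaxPasses)

if ($failed -gt 0) {
    Write-Warning ("Gave up after {0} passes with {1} item(s) still inaccessible; use Subinacl or SetACL for those." -f $pass, $failed)
}
```

Because /d N is used throughout, the script can never trigger the destructive "replace permissions" path; the worst case is that it stops at $MaxPasses with a few items still unreachable, which is exactly the situation the tools in the next sections handle in one shot.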
Subinacl – Free utility available from Microsoft
SetACL and Subinacl are very powerful tools and can do much more than Takeown; I prefer them over the Takeown utility. Their major advantage is that they can take ownership of an entire folder tree, including subfolders and files, regardless of access permissions, in one shot and without destroying existing permissions, even if you have no read permission on the folder root, subfolders or files.
Syntax of command:
Subinacl /noverbose /Subdirectories <Directory Path> <action parameter>
Examples:
To take ownership of folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /setowner=administrators
To take ownership of all sub folders and files underneath root folder:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /setowner=administrators
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /setowner=administrators
To grant administrators full control on folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120 /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data" /grant=administrators=f
To grant administrators full control on all subfolders and files underneath folder root:
Subinacl /noverbose /Subdirectories F:\Projects\1016120\ /grant=administrators=f
If the folder name contains spaces:
Subinacl /noverbose /Subdirectories "F:\Projects\My IMP Data\*" /grant=administrators=f
The example below shows how to take folder ownership and access with the Subinacl tool. The tool can take ownership of all subfolders and files, including the root folder, and can grant Full Control to the built-in Administrators group without destroying any existing permissions.
The Subinacl utility offers one additional facility: it can back up the NTFS security of an entire folder tree, ownership included, before you make any changes. If you make a mistake while taking folder ownership or modifying the folder ACL, you can restore the entire NTFS access control list.
Syntax of command:
Subinacl /noverbose <action parameter> /subdirectories <Directory path>
To backup NTFS permissions of root folder:
Subinacl /noverbose /output=C:\TFolders_Root.txt /subdirectories C:\TFolders
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Root.txt /subdirectories "C:\My Data"
To backup NTFS permissions of all sub folders and files underneath root folder:
Subinacl /noverbose /output=C:\TFolders_Child.txt /subdirectories C:\TFolders\
If the folder name contains spaces:
Subinacl /noverbose /output=C:\MyData_Child.txt /subdirectories "C:\My Data\*"
To restore NTFS permissions on folder root:
Subinacl /noverbose /playfile C:\TFolders_Root.txt
To restore NTFS permissions on sub folders:
Subinacl /noverbose /playfile C:\TFolders_Child.txt
The first command restores security on the root folder (C:\TFolders).
The second command restores security on all subfolders and files underneath the folder root (C:\TFolders\*).
For example:
The Subinacl command line reference help file is attached here subinacl.zip
SetACL
The command line version is freeware. There is no need to install it, as it is a standalone .exe file: download it and run it from an elevated command prompt. Like Subinacl, this utility can take folder ownership and grant folder access without destroying the existing folder permissions.
Syntax of command:
SetAcl -on <Directory Path> -ot <object type> -actn <parameter> -rec cont_obj -silent
Where
-on stands for "object name", the name of the directory
-ot stands for "object type"
-actn stands for the action to be performed, setting the owner (setowner) in our case
-rec stands for recursive action, carried out on all subfolders and files (cont_obj)
-silent suppresses all output on screen
Examples:
To set owner on entire folder:
SetAcl -on C:\TFolders -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn setowner -ownr n:administrators -rec cont_obj -silent
To grant administrators group full control on entire folder:
SetAcl -on C:\TFolders -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
If the folder name contains spaces:
SetAcl -on "C:\My Imp Data" -ot file -actn ace -ace "n:administrators;p:full" -rec cont_obj -silent
For example:
The command above assigns ownership of the entire folder tree to the built-in Administrators group and grants it Full Control without destroying any existing folder permissions. See the SetACL online command reference for more information: https://helgeklein.com/set
Some best practices for setting up standard shared folders that minimize management effort:
- Always share folders with Everyone: Full Control share permissions.
- Control user access through the NTFS access control list.
- To control user access through NTFS permissions, disable inheritance on the root share folder from the advanced NTFS security page.
- Avoid granting users Full Control NTFS permissions on root shares and subfolders unless absolutely necessary.
- Ensure that the server's local Administrators group has Full Control NTFS permissions on the root share and owns the root folder as well. Never grant an individual administrator account Full Control NTFS permissions.
- Remove the CREATOR OWNER group from the root share. It is the main culprit behind most folder ownership and access issues; removing it ensures that individual users never become owners of subfolders and files.
- Avoid granting Deny permissions to users or groups on the NTFS access control list.
- Avoid granting permissions to individual users on shared folder access control lists as far as possible.
- Instead of adding individual users to access control lists, create global security groups, add the required users to them, and grant those groups the appropriate rights on the access control list.
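The list above can be turned into a repeatable build step. The script below is an added example, not the article's own code: it creates a share root that follows those practices (share permissions Everyone: Full Control, inheritance disabled at the root, CREATOR OWNER removed, BUILTIN\Administrators as owner with Full Control inherited down the tree, and a global security group rather than individual users holding Modify), then re-reads the ACL to confirm each point. It assumes an elevated PowerShell 2.0 or later session on a Windows Server 2008 R2 file server; the folder path, share name and group name are placeholders.

```powershell
# Added example, not part of the original article: build a share root according
# to the best practices listed in the text. Assumes elevated PowerShell 2.0+ on
# the file server; the path, share name and group name are placeholders.
param(
    [string]$Path        = 'D:\Shares\Projects',           # hypothetical folder
    [string]$ShareName   = 'Projects',                     # hypothetical share name
    [string]$AccessGroup = 'CONTOSO\FS-Projects-Modify'    # hypothetical global security group
)

$admins  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators
$creator = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')       # CREATOR OWNER
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

function Set-StandardShareRoot {
    param([string]$Path, [string]$ShareName, [string]$AccessGroup)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Step 1: break inheritance at the root, keeping copies of the inherited ACEs.
    # This is committed first because inherited ACEs cannot be removed from an
    # in-memory ACL object; after the commit they are explicit and editable.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: drop CREATOR OWNER so users never become owners of what they create.
    $acl = Get-Acl -Path $Path
    foreach ($ace in @($acl.Access)) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $creator) { $acl.RemoveAccessRule($ace) | Out-Null }
    }

    # Step 3: Administrators own the root and have Full Control flowing down the tree.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admins, 'FullControl', $inherit, $none, 'Allow')))
    $acl.SetOwner($admins)

    # Step 4: a global security group gets Modify (not Full Control); no per-user ACEs.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AccessGroup, 'Modify', $inherit, $none, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl

    # Step 5: the share itself is wide open; NTFS does the real access control.
    # net share is used because Server 2008 R2 has no New-SmbShare cmdlet.
    & net.exe share "$ShareName=$Path" '/grant:Everyone,FULL' | Out-Null
}

function Test-StandardShareRoot {
    # Re-read the ACL and report whether each practice is in place.
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $sids = @($acl.Access | ForEach-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) })
    New-Object PSObject -Property @{
        InheritanceDisabled = $acl.AreAccessRulesProtected
        OwnerIsAdmins       = ($acl.GetOwner([System.Security.Principal.SecurityIdentifier]) -eq $admins)
        CreatorOwnerRemoved = -not ($sids -contains $creator)
        AdminsListed        = ($sids -contains $admins)
    }
}

Set-StandardShareRoot -Path $Path -ShareName $ShareName -AccessGroup $AccessGroup
Test-StandardShareRoot -Path $Path | Format-List
```

Run it against a new, empty folder; all four fields in the final report should read True. Because Administrators' Full Control is added with ContainerInherit and ObjectInherit, every subfolder created later inherits it, so the lock-out described at the start of the article cannot recur as long as nobody re-enables per-user Full Control below the root.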
- The process for setting up roaming profiles is a bit different from the above; by default these folders are not accessible to administrators. However, you can apply a group policy in advance on the server where you want to store the roaming profiles so that the built-in Administrators group has access to the roaming profile folders if necessary. The GPO setting "Add the Administrators security group to roaming user profiles" is found under Computer Configuration => Administrative Templates => System => User Profiles. A good article on setting up roaming profiles and home directories is already published on the TechNet blog: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx
- Another option is to take complete ownership of the roaming profile share with SetACL or Subinacl without destroying the existing ACLs, and then add the Administrators group to the roaming profile root share. That entry will eventually be inherited by the subsequent profile folders.