Windows File Permissions Mapping

scottws

Senior member
Oct 29, 2002
468
0
0
I've been tasked with mapping the file permissions for all the folders on our fileserver for migration to a new fileserver.

We're talking a huge hierarchy of folders, and some are indeed customized with special group and file permissions. I've already spent an hour on it and barely scratched the surface.

Is there some program or built-in Windows service that will give me a report of all the user and group permissions for the folders?

Thanks.
 

NogginBoink

Diamond Member
Feb 17, 2002
5,322
0
0
Originally posted by: scottws
I've been tasked with mapping the file permissions for all the folders on our fileserver for migration to a new fileserver.

We're talking a huge hierarchy of folders, and some are indeed customized with special group and file permissions. I've already spent an hour on it and barely scratched the surface.

Is there some program or built-in Windows service that will give me a report of all the user and group permissions for the folders?

Thanks.

Fire up ntbackup.

Back up all files you want to migrate to a backup file on another server.

Build new server you're migrating the files to.

Restore the backup to the new server. Permissions are restored with the files.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
First, Nogginboink is absolutly right. That's a surefire way to get things moved.

Tell us more about what you are trying to do.
Is it a migration or upgrade?
Source and target OSs the same?
What does the source and target storage look like?
Any splitting of data TO multiple drives? Any consolidation FROM multiple drives?
What sort of shares are attaching to the data?

Depending on what you are doing it might make no sense at all to "map" what the permissions look like. More than likely you want to "just do it" rather than map it out. It kinda sounds like some project manager rather than an IT manager drove such a thing :p The plan may be as simple as:
1. Make a backup.
2. Do the sh1t :)

Tools for such things:
Robocopy
xcacls
xcopy (later versions that support /O switch and such).
Server migration toolkit: http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx
 

scottws

Senior member
Oct 29, 2002
468
0
0
Originally posted by: Smilin
First, Nogginboink is absolutly right. That's a surefire way to get things moved.

Tell us more about what you are trying to do.
Is it a migration or upgrade?
Source and target OSs the same?
What does the source and target storage look like?
Any splitting of data TO multiple drives? Any consolidation FROM multiple drives?
What sort of shares are attaching to the data?
Is it a migration or upgrade?

It is a migration.

Source and target OSs the same?

Yes and no (mostly yes). Moving from Windows 2000 Server to Windows Server 2003.

What does the source and target storage look like?

I'm not quite sure what you mean here. Basically we have a D: drive on the fileserver with folders for the four locations, a folder for all locations, the users$ folder that contains the personal network home folders for all the users, and a few other things. This is a real estate property management company, so there are tons of sites, and like each site has invoices and reciepts and contracts and letters and aerial photos, etc. It's crazy. Our Atlanta folder alone has almost 3000 folders, and that's just one of them.

Any splitting of data TO multiple drives?

Yes and no. I'm not positive, but I think it will just be a big RAID 5 volume.

Any consolidation FROM multiple drives?

Not that I know of.

What sort of shares are attaching to the data?

Not sure what you mean here either. Almost every folder is shared to the users. Some scanners connect to various folders as well for scan-to-network-folder functionality.

I agree about the backup/restore process pretty much doing what we want. But my manager wants the permissions map as backup. Basically she wants me to inspect all users and groups assigned or denied persmissions on every folder on that server and make note. We're talking like 10,000 folders. It's ridiculous. But I'm just a co-op so I have pretty much zero pull.
 

NogginBoink

Diamond Member
Feb 17, 2002
5,322
0
0
It's time for you to learn some programming. :)

Although, sadly, the authz API's are some of the most difficult Windows API's to work with.

Are there any local user accounts, or are they all domain accounts?

There are third-party products out there that can do this. I havent' used any of 'em but I've heard of 'em. I don't know which is more expensive: one of these tools or your salary.
 

scottws

Senior member
Oct 29, 2002
468
0
0
I ended up finding a trial version of some program. It's only for fifteen days, and it won't allow you to print the reports it generates. You can export them, but only the first 10 records (useless).

I let it rip. It took a huge amount of time because I mistakenly included the terminal services profile folder, so it was checking all the cached data from everyone's Internet Explorers.

The report is kind of wierd, but I think I figured it out and so far it has saved me a ton of time.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
ok, it sounds like you are mostly doing a drive to drive copy and want to keep permissions intact.

The backup/restore method would certainly do that. You may want to try just a robocopy or xcopy instead. The catch is if someone has set permissions on folders so that you don't have access it will stumble at this point. This is good and bad. It gives you a chance to fix this undesired condition then resume the copy.

Your boss sounds paranoid. Use cacles with the /T switch and pipe the output to a file. This will create a record of how things were. If you actually have to use this information it's going to be a pain in the butt, however it is unlikely you will ever need to reference this. This should satisfy her requirement.

Check out the server migration tool I linked to earlier.

The file copy stuff is really easy. Just preserve ownership and permissions using the proper command line switches.

The tougher part will be getting the shares right. Get started by running a "net share" to see how many shares you have to deal with. If it's only a few, just rebuild them by hand. If more than that you can look into automation (copying parts of the lanmanserver reg key or something)