Command Line tools for NTFS Permissions
Hi everyone,
This started off as an attempt to migrate 200 user folders from one server to the other. In the future, I'll use a tape backup to copy all the ownership/ACL information with them. However that wouldn't help you if you were changing domain names and so the following might be relevant to you. XCOPY only copies acl/ownership info if you are staying on the same partition - useless.
xcacls/cacls This tool works fast for changing permissions on folders and subdirectories, but has the nasty side effect of giving an error message if you try to look at said permissions using the GUI afterwards. The error message says something about the order that the permissions are in, and you can still view/change them, but it is annoying. The other shortcoming is that this tool cannot change file ownership.
xcacls folder_name /T /E /G dom\username:F
xcacls.vbs A much improved tool that fixes everything that xcacls.exe was missing. You can change ownership and it doesn't give the error about the order of the permissions in the GUI afterwards. However, if you run this tool from the 2003 server where the file share is, it will not let you change the owner. The error says "This user cannot be set as the owner" or something to that effect. But, if you run the same command from a remote computer using the UNC path, it works just fine. Sadly, running it remotely takes a really, really long time compared to locally and really isn't a good solution. I also had it quit after about 3 hours of running saying that the RPC service was no longer available. Starting the command again from the middle resumed without trouble so I don't know why the RPC service glitched in the middle.
Note that you must pipe the output of xcacls.vbs through cscript or you won't get output as shown below.
cscript xcacls.vbs \\serv\share\folder_name /T /E /G dec\username:F /O dom\username
subinacl.exe Does everything xcacls.vbs does and runs as an executable. It's very fast and has more options than any of the before mentioned tools. You must get the most current version from Microsoft because the one packaged with the 2000 resource kit doesn't work. It'll accept the command, give you no errors, and then do nothing. The one from 2004 works and is fast, but the /subdirectories option doesn't seem to work. It will only change permissions/ownership on the initial folder/file you specify.
subinacl /subdirec folder_name /setowner=dom\username /grant=dom\username=F
So in the end, there is no great way to do this. Because I had to get the shares up fast, I used xcacls to fix the permissions and am now waiting for xcacls.vbs to slowly chug through fixing the ownership and correct the error about permission order. The ownership is important for us because we have quota manager turned on.
December 4th, 2007 7:19pm
So that xcacls.vbs script is still fixing the file ownership on my files and after 100,000 files or so, it started giving "out of memory" errors. So I'm guessing that there is a problem with this tool that continuously sucks up memory until it dies. I was able to control-break out of the script file and restart it where it left off. I'm guessing I'll have to do that a few more times before all my user files are done.
This might only be an issue with remote execution of the tool. As I mentioned previously, you must change ownership remotely or it won't work. If all you have to do is file permissions, run this script locally and it'll go much faster and probably not run out of memory.
December 4th, 2007 8:33pm
I was able to manually set the file permissions/ownership faster than xcacls.vbs, so I went that route.
I then tried doing just the file permissions using xcacls.vbs, this time locally and it was faster. It still takes 1 second for 2 files so this script simply runs too slow to be useful. I tried to compile it using a 3rd party tool, but that doesn't work because of its dependency on cscript. I can't get any output.
I understand that MS is putting most of their resources into Vista and Server 2008, but this is a serious flaw in their migration tools. Why do we still not have a solid tool for administrating NTFS permissions? I'm going to have to use 3rd party tools in the future.
December 4th, 2007 10:46pm
So I found out that Microsoft released icacls.exe with server 2003 sp2. It replaces all the other utilities mentioned above. It's unfortunate that I had to download 300MB just to get this file, but I was able to get it out of the service pack.
Icacls is fast and supports /setowner now. However I always get an access denied error message whenever I try to use /setowner. I did not actually install the service pack so perhaps it'll work right when that happens. Other forums confirm this issue, even after sp2 has been installed so again, another buggy tool that doesn't help. One other user said that they released an update to this version of icacls in vista sp1. I can't confirm this because I don't know where he obtained a beta release of vista sp1. If anyone knows where I can get the vista sp1 version of icacls, please let me know.
December 5th, 2007 9:43pm
Update: There currently is a bug in iCACLS.exe supplied in SP2 for Windows Server 2003:
- This issue arises when attempting to use the /setowner switch, which returns an "Access is denied." message. Currently (as of March 2008), MS has a limited release hotfix to resolve this issue with iCACLS.exe on Windows Server 2003. (See KB Article 947870) http://support.microsoft.com/kb/947870
- Note that this bug is NOT present on the iCACLS.exe version in Vista SP1 or Windows Server 2008.
May 3rd, 2008 8:04am
But I do see the same problem with the icacls that comes with Vista 32 bit. -Eric
January 28th, 2009 7:35pm
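An added example, not part of the original thread or any poster's code: a read-only PowerShell audit for the user-folder migration discussed above. It reports folders whose owner or Full Control entry is wrong, or whose ACL is out of canonical order (assumed here to be what the GUI ordering warning refers to). The function name, `D:\Users`, `DOM` and the convention that each folder is named after its account are assumptions.

```powershell
# Added example: audit migrated per-user folders (folder name == account name).
# $Root and $Domain are assumptions; use your own share path and domain.
function Test-UserFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Domain
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $expected = "$Domain\$($dir.Name)"
        $acl = Get-Acl -LiteralPath $dir.FullName

        # Owner drives quota accounting, so it must be the user,
        # not the administrator who copied the data.
        $ownerOk = $acl.Owner -ieq $expected

        # Any Allow ACE (explicit or inherited) giving the user Full Control.
        $hasFull = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq $expected -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        })

        [pscustomobject]@{
            Folder      = $dir.FullName
            Expected    = $expected
            Owner       = $acl.Owner
            OwnerOk     = $ownerOk
            FullControl = $hasFull
            # False when the ACEs are not in canonical order.
            Canonical   = $acl.AreAccessRulesCanonical
            # Suggested commands to review and run by hand;
            # this function itself changes nothing.
            Fix         = if (-not $ownerOk -or -not $hasFull) {
                "icacls `"$($dir.FullName)`" /setowner `"$expected`" /T /C; " +
                "icacls `"$($dir.FullName)`" /grant `"${expected}:(OI)(CI)F`" /T /C"
            }
        }
    }
}

# Constructed sample call: show only folders that need attention.
Test-UserFolderAcl -Root 'D:\Users' -Domain 'DOM' |
    Where-Object { -not ($_.OwnerOk -and $_.FullControl -and $_.Canonical) } |
    Format-List
```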