I have a huge directory on an NTFS file-system (i.e. a top-level directory containing tens or hundreds of millions of descendant nodes with the file nodes probably on average about three levels deep) that I need to change permissions for. In particular, I need to give a new user (or group) read-only access to absolutely everything in the directory tree.
The most obvious place to do this is in Windows Explorer by right-clicking the top-level directory and going to the security tab of the directory properties window. However, when trying the obvious things there Windows Explorer seems excited to recursively traverse the whole directory tree and try to modify something or other about the permissions of each node in the tree. This is extremely inefficient for such a large directory!
Can anyone offer any tips for changing permissions without this recursive descent? Do I need to click something particular in the GUI? Do I need to use command-line tools? Could this potentially be the result of a previous sysadmin doing something weird to the permissions in this directory?
I also need to enable network sharing and let the user/group mount the directory over the network. Haven't tried that yet, so I don't know if there will be a similar can of worms when I try to enable sharing.
This is on Windows 2008 Server if it matters.
EDIT: People are right that it probably makes more sense to give permission to a domain group rather than a particular account, so I've made note of this above (That's what I was doing anyway. I don't know why I specifically asked about adding a user in the original question. Sorry for the sloppiness). But of course adding a group to a folder's permissions list isn't any faster than adding a user (None of the existing groups are assigned read-only permissions).
If you want the user to have read permission on a folder and all sub-folders, then the permissions of the sub-folders must be changed as well. It sounds like inheritance is already set and you just don't want to wait for this inheritance to propagate to all of the child objects. The only thing you can do besides wait is add the user to an existing group that has the appropriate permissions, assuming such a group exists.
There is no quick way to do this. Explorer will happily trundle off for hours (days?) applying the new permission to every file and folder (if inheritance is set).
Enabling a share is much easier; the user just needs at least read permissions on the share. The underlying NTFS permissions will determine what the user can actually do. Note that if the share permission is read-only, then that is the maximum access even if the NTFS security is set to modify (r/w).
In this case, there's no need to mess with the NTFS permissions.
Just create a Share to the top-level directory and add the users or groups to the share with Read-Only (or if you want Write) permission.
Even if Everyone has Full Control NTFS permissions on the top-level directory, the most restrictive permission (Share or NTFS) will be used.
You really should consider creating a Local or Domain Group and setting its permissions on the top-level directory; then you just add users to the Group as needed.
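The share-based approach described in the answers above, as an added PowerShell example that is not part of the original posts. The path, share name and group name are constructed placeholders; the script grants the group read-only access at the share level and then lists the NTFS ACL of the top-level directory only, so nothing walks the tree.

```powershell
# Constructed placeholders: substitute your own path, share name and group.
$Path  = 'D:\BigTree'
$Share = 'BigTree'
$Group = 'EXAMPLE\BigTreeReaders'

# Share-level permission: READ only for the group. This writes one share
# definition and does not modify the ACL of any file or folder.
& net.exe share "$Share=$Path" "/GRANT:$Group,READ"
if ($LASTEXITCODE -ne 0) {
    throw "net share failed with exit code $LASTEXITCODE"
}

# Access over the network is the more restrictive of the share permission
# and the NTFS permission, so the group still needs NTFS read, either
# directly or through a group it belongs to (for example Users or Everyone).
# Get-Acl on the root reads a single security descriptor; it does not recurse.
$both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights,
        @{ Name       = 'CoversChildren'
           Expression = { ($_.InheritanceFlags -band $both) -eq $both } } |
    Format-Table -AutoSize

# What to look for in the output:
#  - an Allow entry with read rights for an identity the group's members
#    belong to, with CoversChildren = True;
#  - no Deny entry that applies to those members.
# Only the root is inspected here, so subfolders that have inheritance
# disabled are not covered by this check.
```

If no existing Allow entry covers the group's members, the share alone will not give them access and the NTFS change, with its propagation time, is still required.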
Depending on your use case, in an emergency you may be able to set the permissions and then cancel.
I needed to add specific permission to a high level directory containing millions of files and it was going to take a while. In my particular case, there is one specific directory deeper down into the structure that I needed permissions added to ASAP, and waiting a long time would not have been an acceptable option. I was able to overcome this by first adding the specific permissions to the needed folder, and even though that was also going to take a long time to propagate, I simply clicked "Cancel" right after it started. Doing this warns you that you'll leave the permissions in an inconsistent state, but it did leave the one directory I needed with the proper permissions. Then I went to the higher level directory and set the permissions there and let it go...
The trick is that "Cancel" doesn't undo what it already did; it just stops the propagation.