Ping a Specific Port

Question

Andreas

Asked: 2020-01-03 02:53:23 +0800 CST2020-01-03 02:53:23 +0800 CST 2020-01-03 02:53:23 +0800 CST

Windows: How to fix broken permission-inheritance?

772

On our network-shares, we have all kinds of broken permission-inheritance.

Just one example: The folder "D:\Shares\PublicRelations" has full access for the groups "PublicRelations" and "HR" (both with full inheritance set). But the folder "D:\Shares\PublicRelations\SomeTopic" lacks the inherited permissions for the group "HR", even though inheritance is active.

This probably happened, when someone added "HR" to the top-folder and the propagation failed for some reason.

Is there any tool to fix this kind of issue automatically?

Ideally, I would just call it with the parameter "D:\Shares". It will then traverse all directories and fix all inherited permissions where necessary.

3 Answers

Voted

Lenniey · Answer 1 · 2020-01-03T03:01:25+08:00

Lenniey

2020-01-03T03:01:25+08:002020-01-03T03:01:25+08:00

icacls <folder> /t /reset will reset all permissions with the default inheritable ones.

Technet reference

1

Andreas · Answer 2 · 2020-01-31T09:35:11+08:00

Andreas

2020-01-31T09:35:11+08:002020-01-31T09:35:11+08:00

I ended up coding it in C#:

Get SeBackupPrivilege and SeRestorePrivilege (allows the user to read and write everywhere).
Rewrite the path to make Windows handle long filenames (for local paths: prefix @"\\?\")
Traverse the directory-tree
For each element load the ACL
Add an explicit rule and remove it again. This tricks the library into thinking that the ACL was changed.
Write the ACL
The IO-library will fix the inheritance-issues while writing the unchanged ACL.

I also implemented a check if a fix is necessary at all. But it took some work to get it working reliably:

You need to interprete the propagation- and inheritance-flags correctly.
Sometimes, permissions are merged on the way down, sometimes they are not. In the end, I just checked if they mean the same.
Deal with the special permissions "GENERIC_(READ|WRITE|EXECUTE|ALL)"

It found and fixed about 40.000 errors on a 1-million-files-share.

1

Thomas Gruber · Answer 3 · 2021-05-18T04:48:07+08:00

Thomas Gruber

2021-05-18T04:48:07+08:002021-05-18T04:48:07+08:00

we just had such a case. We made 1 small change in the permissions of the top level folder (added a user account which was later removed again), and that made the system propagate all permissions down the hierarchy again. Not exactly a clean way, but reasonably simple. And this obviously didn't corrupt any permissions given explicitly further down in the folder hierarchy. Thomas

0

Windows: How to fix broken permission-inheritance?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?