Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Applying NTFS Permissions is Slow

1,055 views
Skip to first unread message

Jacob AT

unread,
Nov 18, 2008, 3:18:01 AM11/18/08
to
Hi all,
Migrating several large volumes from Novell to Microsoft and I've run into
some issues applying security rights. We have a script that turns the
volumes_trustee file into a set of icacls.exe commands. Trouble is when
setting a permissions on a folder that is high up in a directory tree that is
very deep the permissions take a VERY long time to apply.

This is most obvious when setting permissions on a root level folder such as
D:\Shared. Adding a single ACE on a root level folder is taking several hours
to complete.

This is too slow. Are there any solutions to this issue?
--
**********************
Jacob

Jacob AT

unread,
Nov 19, 2008, 9:42:36 AM11/19/08
to
Any takers??

"Jacob" <jacob(AT)hfws.net.nospam> wrote in message
news:41D12D83-75DC-41A0...@microsoft.com...

DaveMo

unread,
Nov 19, 2008, 11:30:31 AM11/19/08
to
> > Jacob- Hide quoted text -
>
> - Show quoted text -

NTFS ACLS are optimized in many cases. Changing a root ACL could cause
the system to have to change the ACL on every folder and file under
that root object. How many objects are in those folders are we talking
about?

Dave

Jacob AT

unread,
Nov 19, 2008, 6:37:45 PM11/19/08
to
There would be thousands of them. There must be a way to apply acls to a
root level folder quicker than this. Is there a way to add a number of acls
before applying them.

"DaveMo" <david....@gmail.com> wrote in message
news:f8fa66d2-2b54-4047...@w24g2000prd.googlegroups.com...

DaveMo

unread,
Nov 21, 2008, 10:03:25 AM11/21/08
to
On Nov 19, 3:37 pm, "Jacob" <jacob(AT)hfws.net.nospam> wrote:
> There would be thousands of them. There must be a way to apply acls to a
> root level folder quicker than this. Is there a way to add a number of acls
> before applying them.
>
> "DaveMo" <david.mow...@gmail.com> wrote in message
> > Dave- Hide quoted text -

>
> - Show quoted text -

One thought is that the set of commands you are generating may be
causing multiple iterations through the entire directory structure. I
kind of suspect this is the case. The fix would be to create a set of
commands that minimize the number of iterations. Breaking inheritance
first, for example, might cause things to stop propagating by
themselves. But then you'd have to consider how permissions would get
applied.

As a developer, my approach would be to write my own utility that
would start at the leaf nodes and work my way back to the top. At the
appropriate points I would break inheritance and then apply all of the
needed changes on each object in a single operation.

You might be able to do the same thing with pre-built utilities by
doing in effect the same thing: break inheritance, set the desired
permissions, and then re-enable permissions. This might cause the OS
to propagate all the permissions in a single pass. It might be worth a
try.

HTH,
Dave

Jacob AT

unread,
Nov 23, 2008, 8:52:56 PM11/23/08
to
I can see great benefit in starting at leaf nodes and working my way in. I'm
wondering how this would be done though??
Ideally I'd like to apply multiple acls and tell windows not to propagate
rights until I'm done. I don't suppose such a think exists???


"DaveMo" <david....@gmail.com> wrote in message

news:34be6b9e-aaff-4a98...@w24g2000prd.googlegroups.com...

0 new messages