Quickly changing Windows permissions for a huge directory tree?


Solution 1

In this case, there's no need to mess with the NTFS permissions.

Just create a Share to the top-level directory and add the users or groups to the share with Read-Only (or, if you want, Write) permission.

Even if Everyone has Full Control NTFS permissions on the top-level directory, the most restrictive permission (Share or NTFS) will be used.

Solution 2

If you want the user to have read permission on a folder and all sub-folders, then the permissions of the sub-folders must be changed as well. It sounds like inheritance is already set and you just don't want to wait for this inheritance to propagate to all of the child objects. The only thing you can do besides wait is add the user to an existing group that has the appropriate permissions, assuming such a group exists.

Solution 3

There is no quick way to do this. Explorer will happily trundle off for hours (days?) applying the new permission to every file and folder (if inheritance is set).

Enabling a share is much easier; the user just needs at least read permissions on the share. The underlying NTFS permissions will determine what the user can actually do. Note that if the share permission is read-only, then that is the maximum access even if the NTFS security is set to modify (r/w).
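The share-based approach from Solutions 1 and 3, as an added example (not code from any of the answers): it grants a group read-only access at the share level, then reads only the top-level directory's NTFS ACL to confirm that some trustee already holds inheritable Read there, which is the caveat raised in the comments. The path, share name and group are placeholders, and it assumes an elevated PowerShell prompt and that child objects inherit from the top-level directory.

```powershell
# Added example. $Path, $ShareName and $Group are placeholders (assumptions).
$Path      = 'D:\BigTree'
$ShareName = 'BigTree'
$Group     = 'EXAMPLE\TreeReaders'

# 1. Share ACL: a single object, so no walk of the directory tree.
net share "$ShareName=$Path" "/GRANT:$Group,READ"
if ($LASTEXITCODE -ne 0) { throw "net share failed ($LASTEXITCODE)" }

# 2. NTFS ACL of the top-level directory only; Get-Acl does not recurse.
#    Keep Allow ACEs that include Read and inherit to sub-folders and files.
$read = [int][System.Security.AccessControl.FileSystemRights]::Read
$both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ntfsReaders = (Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $read) -eq $read -and
    $_.InheritanceFlags -eq $both
}

# 3. Effective access over the share is the more restrictive of the two layers.
if (-not $ntfsReaders) {
    Write-Warning "No inheritable NTFS Allow-Read ACE on ${Path}: the share alone grants nothing."
} else {
    $ntfsReaders |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize |
        Out-String
    "Access via \\$env:COMPUTERNAME\$ShareName is capped at READ for ${Group},"
    "provided its members also belong to one of the trustees listed above."
}
```

Share permissions only restrict access made through that share; local logons and any other share exposing the same path are governed by the NTFS ACL alone.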


Author by

Chris

Updated on September 17, 2022

Comments

  • Chris
    Chris over 1 year

    I have a huge directory on an NTFS file-system (i.e. a top-level directory containing tens or hundreds of millions of descendant nodes with the file nodes probably on average about three levels deep) that I need to change permissions for. In particular, I need to give a new user (or group) read-only access to absolutely everything in the directory tree.

    The most obvious place to do this is in Windows Explorer by right-clicking the top-level directory and going to the security tab of the directory properties window. However, when trying the obvious things there Windows Explorer seems excited to recursively traverse the whole directory tree and try to modify something or other about the permissions of each node in the tree. This is extremely inefficient for such a large directory!

    Can anyone offer any tips for changing permissions without this recursive descent? Do I need to click something particular in the GUI? Do I need to use command-line tools? Could this potentially be the result of a previous sysadmin doing something weird to the permissions in this directory?

    I also need to enable network sharing and let the user/group mount the directory over the network. Haven't tried that yet, so I don't know if there will be a similar can of worms when I try to enable sharing.

    This is on Windows 2008 Server if it matters.

    EDIT: People are right that it probably makes more sense to give permission to a domain group rather than a particular account, so I've made note of this above (That's what I was doing anyway. I don't know why I specifically asked about adding a user in the original question. Sorry for the sloppiness). But of course adding a group to a folder's permissions list isn't any faster than adding a user (None of the existing groups are assigned read-only permissions).

  • MrGigu
    MrGigu almost 15 years
    I just did the same thing today on a folder with about 10,000 items (not 10 million) and I just set it and went away to do something else. When you start putting millions of items in folders, that's when a file system starts to buckle...
  • Chris
    Chris almost 15 years
    But if an appropriate group (e.g. Everyone) does not have permissions at the NTFS level, he will still need to add those permissions, regardless of the share permissions.
  • Chris
    Chris almost 15 years
    How will that speed up applying permissions? That group will still need to be applied to every file and folder.
  • Gordon Bell
    Gordon Bell almost 15 years
    Yes, but just once.
  • Gordon Bell
    Gordon Bell almost 15 years
    It's a simple option in small networks. I do normally set NTFS permissions, but for groups only. The problem he stated is giving "new user read-only access to absolutely everything in the directory tree."
  • Daniel
    Daniel over 7 years
    Even in small networks one should apply proper business management practices.
  • Gordon Bell
    Gordon Bell over 7 years
    Well you can blame Microsoft for bringing Share Permissions into the mix then. Also, this question has changed since I originally answered it.