If you tell enough stories, perhaps the moral will show up.

2006-05-23

Time for SubInACL

Do we script because we are old enough to remember when the command line was all there was? Or are we so old that we don't feel that there's time to muck about any more?

Either way, I've been trying to find a way to make bulk changes to file server permissions. These are typically volumes of a few hundred GB holding something like one to ten million objects. I need to apply Chinese Walls (a term of art for information barriers, not an architectural reference), apply them now, and the helpdesk is only halfway through implementing the permissioning process that would have let me do this properly.

Well, it's time to use the dreaded Deny permission. Easy to say, but tougher to apply to millions of objects past unpredictable inheritance, Creator Owner permissions and distinctly dodgy admin permissions. I've tried a good many approaches, and the constraints come down to these:

  • It's obviously got to be a script.
  • To convince the auditors, the permissions have to go on to the filesystem roots of "all" servers, and adjust the denied groups on the way down. A file of UNCs and allowed business units is being prepared as I write.
  • I don't like that hourglass up for hour after hour. I like it even less knowing that the changes I'm making will be silently abandoned every time the tool encounters a break in inheritance.
  • I already have alldisks.pl to enumerate the UNC of every disk on every (matching) server from a domain or a list, and run a command against it.
  • And ultimately, I'll want to take it off, once we have the permissioning process up and running properly and honestly

I can't find a Perl module that lets me do this. Win32::Security looks good, but I can't make it work -- it boggles unless BUILTIN\Administrators already has Full Control on the object. The Scripting FileSystemObject is not really my area, but it seems to lack any DACL support at all.

The obvious tool is [X]CACLS, except that I can't make it go past inheritance breaks, so the script has to chase it down the tree, testing each layer to see whether the applied ACE has actually arrived there. And that's no joke when the output is SDDL.

SubInACL is about editing ACLs, not adding new ACEs. Isn't it? Oh.

Yes. SubInACL has grown up. The latest version (and believe me, you really need the latest version -- the one in the 2K3 resource kit doesn't even work) provides a robust, tree-oriented way to report, grant or deny permissions at roughly 100,000 objects per hour on any remote or local server where you are a local admin. Sure, the command language is a bit bonkers, the report output needs serious digestion before it is useful to people, and its handling of the ACE inherit flag preserves that same maddening ambiguity. But that's why we have Perl, and I can live with all of it for the sake of knowing that my changes will be applied the way I write them. The fact that I can fix some stupid global admin access control, and do it for free in the same pass as my Deny permissioning, is just a huge bonus.

Almost certainly, SubInACL will do what you want, and if it won't, I'll bet that what you want isn't legitimate. Couple it with Win32::NetAdmin for remote management of local groups and you can be in a better place for scripted permissioning than you would ever have believed.
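As an added example (not the post's alldisks.pl and not the author's own script), here is the shape of the Perl driver the post is describing: it reads a list of volume roots with the business units allowed on each, works out which groups have to be denied there, and emits one SubInACL pass per root that covers the root itself and then walks everything beneath it, so the Deny ACE ends up written explicitly on every object rather than relying on inheritance to carry it past a break. The domain, the group names, the share list and the log directory are assumptions; the switches used (/file, /subdirectories, /deny, /revoke, /testmode, /noverbose, /outputlog) are SubInACL's own.

```perl
#!/usr/bin/perl
# Bulk Deny (or later, revoke) of business-unit groups on file server roots
# with SubInACL. Added example, not the post's own code.
# Assumed: DOMAIN, the BU group names, the share list in __DATA__, a log
# directory, and subinacl.exe (the current version) on PATH.
use strict;
use warnings;
use Getopt::Long;

my $DOMAIN = 'CORP';                                      # assumption
my @ALL_BUS = qw(BU-Finance BU-Legal BU-Research BU-Ops);  # assumption
my $LOGDIR  = 'C:\\Temp\\subinacl-logs';                  # assumption

# --run    actually execute subinacl (default: only print the commands)
# --apply  drop /testmode so changes are written; without it subinacl
#          reports what it would change and changes nothing
# --remove swap /deny for /revoke to take the Deny ACEs off again
my ($run, $apply, $remove) = (0, 0, 0);
GetOptions('run' => \$run, 'apply' => \$apply, 'remove' => \$remove)
    or die "usage: $0 [--run] [--apply] [--remove]\n";

# One line per volume root: "\\server\share  allowed,BUs,comma,separated".
# Everything in @ALL_BUS that is not allowed gets denied at that root.
sub read_sharelist {
    my ($fh) = @_;
    my @rows;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;
        my ($unc, $allowed) = split /\s+/, $line, 2;
        die "bad UNC '$unc'\n" unless $unc =~ m{^\\\\[^\\]+\\[^\\]+$};
        $allowed = '' unless defined $allowed;
        my %ok = map { $_ => 1 } split /\s*,\s*/, $allowed;
        push @rows, { unc => $unc, deny => [ grep { !$ok{$_} } @ALL_BUS ] };
    }
    return @rows;
}

# Two invocations per root: /file hits the share root object itself,
# /subdirectories "root\*" enumerates every file and directory beneath it,
# including subtrees whose inheritance is broken. Because each object's
# DACL is edited directly, the Deny survives inheritance breaks; it also
# means the later /revoke pass has to walk the same million objects.
# Note that /revoke removes every ACE for that account on the object, so
# only use it for groups that exist purely to carry this Deny.
sub build_commands {
    my ($row, $log) = @_;
    my @actions = map {
        my $acct = "$DOMAIN\\$_";
        $remove ? "/revoke=$acct" : "/deny=$acct=F";
    } @{ $row->{deny} };
    return () unless @actions;        # every BU allowed here: nothing to do
    my @common = ('subinacl', '/noverbose', "/outputlog=$log");
    push @common, '/testmode' unless $apply;
    return (
        [ @common, '/file',           $row->{unc},      @actions ],
        [ @common, '/subdirectories', "$row->{unc}\\*", @actions ],
    );
}

sub quote_for_display { join ' ', map { /\s/ ? qq("$_") : $_ } @_ }

mkdir $LOGDIR if $run && !-d $LOGDIR;
for my $row (read_sharelist(\*DATA)) {
    (my $tag = $row->{unc}) =~ s/[\\\s]+/_/g;
    my $log = "$LOGDIR\\$tag.log";
    for my $cmd (build_commands($row, $log)) {
        print quote_for_display(@$cmd), "\n";
        next unless $run;
        # LIST form of system: no shell, so UNCs with spaces survive intact.
        system(@$cmd) == 0
            or warn "subinacl exited ", $? >> 8, " on $row->{unc}; see $log\n";
    }
}

__DATA__
# Constructed sample share list (assumption, not a real estate).
# UNC                 allowed business units
\\fs01\data           BU-Finance,BU-Legal
\\fs02\projects       BU-Research
\\fs03\shared         BU-Finance,BU-Legal,BU-Research,BU-Ops
```

Run it with no switches first and read the commands it prints; then `--run` executes them under /testmode so SubInACL walks the tree and logs what it would change without touching anything; `--run --apply` does the real pass, and `--run --apply --remove` takes the Deny ACEs off again once the proper permissioning process exists. The log files are what you feed back into Perl for the "serious digestion" the post mentions; since the tool emits Unicode, open them with `:encoding(UTF-16LE)` rather than as plain text.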

2 comments:

Anonymous said...

SubInACL suffers from a major inheritance bug. It defies belief how this hasn't been picked up on in the past. Try it:

subinacl /file "c:\program files\common files" /accountmigration=SOURCE\user=TARGET\user

I bet you that TARGET\user permissions do not apply more than 1 level deep even though SOURCE\user permissions did.

Furthermore, what in the world possessed MS to produce a tool which outputs in Unicode?

MS have cacls, xcacls, icacls, ntsec, subinacl. The truth is, none of them is script friendly and totally bug free. This is a shame, as file permissioning tools are among the most important to have in the tool kit.

Doc Watson said...

Hi,

This is Denny, the creator of this free automated employee provisioning/termination app, Z-hire. I wrote this app for the TechNet community a year ago.

Since you run a very informative blog, I would like your help to spread the word. Since my application is free, I need supporters from the community. It would mean a lot if you can help.

Here is a link to my app:
http://www.zohno.com

Thanks
Denny