18

I have a huge directory on an NTFS file-system (i.e. a top-level directory containing tens or hundreds of millions of descendant nodes with the file nodes probably on average about three levels deep) that I need to change permissions for. In particular, I need to give a new user (or group) read-only access to absolutely everything in the directory tree.

The most obvious place to do this is in Windows Explorer by right-clicking the top-level directory and going to the security tab of the directory properties window. However, when trying the obvious things there Windows Explorer seems excited to recursively traverse the whole directory tree and try to modify something or other about the permissions of each node in the tree. This is extremely inefficient for such a large directory!

Can anyone offer any tips for changing permissions without this recursive descent? Do I need to click something particular in the GUI? Do I need to use command-line tools? Could this potentially be the result of a previous sysadmin doing something weird to the permissions in this directory?

I also need to enable network sharing and let the user/group mount the directory over the network. Haven't tried that yet, so I don't know if there will be a similar can of worms when I try to enable sharing.

This is on Windows 2008 Server if it matters.

EDIT: People are right that it probably makes more sense to give permission to a domain group rather than a particular account, so I've made note of this above (That's what I was doing anyway. I don't know why I specifically asked about adding a user in the original question. Sorry for the sloppiness). But of course adding a group to a folder's permissions list isn't any faster than adding a user (None of the existing groups are assigned read-only permissions).

user692942
Chris

5 Answers

8

If you want the user to have read permission on a folder and all sub-folders, then the permissions of the sub-folders must be changed as well. It sounds like inheritance is already set and you just don't want to wait for this inheritance to propagate to all of the child objects. The only thing you can do besides wait is add the user to an existing group that has the appropriate permissions, assuming such a group exists.

MDMarra
  • I just did the same thing today on a folder with about 10,000 items (not 10 million) and I just set it and went away to do something else. When you start putting millions of items in folders, that's when a file system starts to buckle... – Mark Henderson Aug 07 '09 at 00:32
3

There is no quick way to do this. Explorer will happily trundle off for hours (days?) applying the new permission to every file and folder (if inheritance is set).

Enabling a share is much easier; the user just needs at least read permissions on the share. The underlying NTFS permissions will determine what the user can actually do. Note that if the share permission is read-only, then that is the maximum access even if the NTFS security is set to modify (r/w).

PowerApp101
2

In this case, there's no need to mess with the NTFS permissions.

Just create a Share to the top-level directory and add the users or groups to the share with Read-Only (or if you want Write) permission.

Even if Everyone has Full Control NTFS permissions on the top-level directory, the most restrictive permission (Share or NTFS) will be used.

Gordon Bell
  • 1
    But if an appropriate group (e.g. Everyone) does not have permissions at the NTFS level he will still need to add those permissions, regardless of the share permissions. – PowerApp101 Aug 07 '09 at 04:06
  • 5
    That's a pretty poor way of managing a file server. Most likely this user is not the only one that needs access and NTFS permissions are far more granular than Share permissions. Traverse Directory comes to mind as a big miss if you go strictly with Share permissions – MDMarra Aug 07 '09 at 04:40
  • It's a simple option in small networks. I do normally set NTFS permissions, but for groups only. The problem he stated is giving "new user read-only access to absolutely everything in the directory tree." – Gordon Bell Aug 07 '09 at 04:59
  • Even in small networks one should apply proper business management practices. – Daniel Dec 06 '16 at 09:02
  • Well you can blame Microsoft for bringing Share Permissions into the mix then. Also, this question has changed since I originally answered it. – Gordon Bell Dec 06 '16 at 15:36
0

Depending on your use case, in an emergency you may be able to set the permissions and then cancel.

I needed to add specific permission to a high level directory containing millions of files and it was going to take a while. In my particular case, there is one specific directory deeper down into the structure that I needed permissions added to ASAP, and waiting a long time would not have been an acceptable option. I was able to overcome this by first adding the specific permissions to the needed folder, and even though that was also going to take a long time to propagate, I simply clicked "Cancel" right after it started. Doing this warns you that you'll leave the permissions in an inconsistent state, but it did leave the one directory I needed with the proper permissions. Then I went to the higher level directory and set the permissions there and let it go...

The trick is that "Cancel" doesn't undo what it already did; it just stops the propagation.

TTT
0

You really should consider creating a Local or Domain Group and set its permissions on the top-level directory, then you just add users to the Group as needed.

Gordon Bell
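The group-based approach from this answer combined with the read-only share from the earlier answers, as an added example that is not part of any original post. The path `D:\Data`, the group `CONTOSO\Data-Readers` and the share name `Data` are hypothetical placeholders; `icacls`, `net share` and `Get-Acl` are the stock Windows tools.

```powershell
# Assumed values: replace with your own (all three are hypothetical).
$Root  = 'D:\Data'                # top-level directory
$Group = 'CONTOSO\Data-Readers'   # domain group that receives read-only access
$Share = 'Data'                   # share name

# 1. NTFS: a single inheritable read-only ACE on the top-level directory.
#    (OI)(CI) = inherited by files and subfolders; RX = Read & Execute,
#    which includes Traverse Folder. The ACE still has to be propagated to
#    every descendant, so expect this to run for a long time on a huge tree.
icacls $Root /grant "${Group}:(OI)(CI)RX"

# 2. Share: read-only for the same group. The share ACL only caps access;
#    the NTFS ACE from step 1 is still required for the group to read anything.
net share "$Share=$Root" "/GRANT:$Group,READ"

# 3. Spot-check: does a given path carry an Allow ACE for the group, and is
#    it inherited? Useful after an interrupted propagation (the "Cancel" case)
#    to find subtrees that were left without the new entry.
function Test-GroupAce {
    param([string]$Path, [string]$Identity)
    $aces = @((Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow'
    })
    New-Object PSObject -Property @{
        Path      = $Path
        HasAce    = ($aces.Count -gt 0)
        Inherited = (@($aces | Where-Object { $_.IsInherited }).Count -gt 0)
        Rights    = ($aces | ForEach-Object { $_.FileSystemRights }) -join '; '
    }
}

# Check only the first-level children: cheap even on a very large tree.
Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-GroupAce -Path $_.FullName -Identity $Group } |
    Where-Object { -not $_.HasAce } |
    Select-Object Path, HasAce, Inherited, Rights
```

An empty result from the last pipeline means every first-level subfolder already has the group's ACE; any path it lists is a subtree where propagation has not reached yet or inheritance is blocked.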