7

We're adding a lot of new groups to the permissions on our company's shared drives. Some of the folder trees can contain millions of files and TBs of data. As is, changing the ACLs on these folders can take anywhere from seconds to hours, depending on how many files are in the current tree.

We would like to be able to make these changes during the work day, but only if it is safe.

A few questions:

  • If you change the permissions on a folder whose children inherit permissions, is consistency maintained if a file is created in the tree during the ACL change?
  • Does any additional care need to be taken for open files, assuming you're never removing access, only adding new groups to the ACL?
  • Does the Set-ACL PowerShell cmdlet behave in the same way as the Properties > Security > Advanced page?

For example, if there is a tree with 20,000 files and say that that takes ten minutes to change all the NTFS permissions... What happens if a user creates a file in a subfolder during this window? Could the permissions on this file be missing the new group we are granting access to?

Thank you for any advice or suggestions!

Caesar Kabalan

2 Answers

0

If you change the permissions on a folder whose children inherit permissions, is consistency maintained if a file is created in the tree during the ACL change?

It is my understanding that this operation is not transactional, meaning that the permissions are changed serially. In this way, if you start the update, the root directory will have inconsistent permissions with its descendants, and during this time they will behave differently. I've. Consistency is not maintained.

Does any additional care need to be taken for open files, assuming you're never removing access, only adding new groups to the ACL?

I don't think so, especially if you're only adding permissions.

Does the Set-ACL PowerShell cmdlet behave in the same way as the Properties > Security > Advanced page?

Again, it is my understanding that they will behave the same.

eejai42
0

It will probably be fine. Inheritance flows downward. First the directory is updated with the new ACLs, then the files within it are updated.

When a user goes to create the file, if the directory has already inherited the new ACL then the file will be created with that new ACL. If the directory has not inherited yet, then the file will be automatically updated once the inheritance reaches that folder.

This doesn't account for any bugs or quirks in Microsoft's software. I haven't redone ACLs frequently enough to be confident that it will work perfectly every time.

DoubleD
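Since neither answer is certain that files created while the change is propagating end up with the new group, the outcome can be checked directly. The following is an added example, not code from any post on this page: it grants a group on the root folder and then audits the tree for items whose ACL lacks that group. The share path, group name, access right and report file are placeholder assumptions.

```powershell
# Added example: grant a group on a root folder, then audit the tree.
# $Root and $Group are hypothetical placeholders; adjust before use.
param(
    [string]$Root   = 'D:\Shares\Example',
    [string]$Group  = 'EXAMPLE\New-Readers',
    [string]$Report = '.\acl-audit.csv'
)

# Resolve the group to a SID once, so comparisons do not depend on
# how the account name happens to be formatted in each ACL.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate($sidType)

# Inheritable allow ACE: applies to this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'ReadAndExecute', $inherit, 'None', 'Allow')

# Add the ACE to the root only (nothing is removed); descendants are
# expected to receive it through inheritance.
$acl = Get-Acl -LiteralPath $Root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# Audit pass, run after Set-Acl has returned: list every item that has
# no allow ACE (explicit or inherited) for the group.
$missing = foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force) {
    $itemAcl = Get-Acl -LiteralPath $item.FullName
    $match = $itemAcl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow'
    }
    if (-not $match) {
        [pscustomobject]@{
            Path                = $item.FullName
            IsFolder            = $item.PSIsContainer
            # True means inheritance is disabled on this item, so it will
            # never pick up the ACE from the parent and needs its own entry.
            InheritanceDisabled = $itemAcl.AreAccessRulesProtected
        }
    }
}

$missing | Export-Csv -LiteralPath $Report -NoTypeInformation
"{0} item(s) without an allow entry for {1}" -f @($missing).Count, $Group
```

An empty report means every item enumerated carries the group. Rows with `InheritanceDisabled` set to `True` are items that block inheritance, as opposed to items that were missed while the change was in progress.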