Here in this chapter we are going to learn File permission
One of the biggest pains when performing an entire file server migration or simply moving a few file shares around is permissions. File permissions have always been a black box to most IT admins. What seems like an easy task when setting basic permissions can soon turn into a nightmare when attempting to transfer them to another location. Visions of Security Descriptor Definition Language (SDDL) strings, propagation and inheritance values soon turn an admin's day into a nightmare. Let's try to prevent that as much as possible by building a small script that will at least make your day dealing with file system permissions a little bit better.
When setting an ACL for a file or folder, you're most likely familiar with the typical Security tab on every file and folder in Windows.
From this box, permissions can be manipulated, but there's no way to save them. This becomes a problem when needing just to take a backup of the ACLs of when performing a file migration. Fortunately, we have a few different options. If using PowerShell, you can use Get-Acl command. This command allows you read any number of files or folders and if you're smart enough, you could even save the results of this command but not without a lot of headaches.
Even though I'm a Microsoft PowerShell MVP, I don't even choose this approach. Instead, I use the traditional icacls utility. Why? Because this little utility has the native ability to save file system ACLs in their native SDDL format. This means all permissions for all files inside of a hierarchy of folders can be dumped to a text file and then easily applied to another folder somewhere else.
Icacls is a native utility to all computers since Windows XP so chances are, you've already got it on your machine. In this case, it's just a matter of knowing which parameters to pass to it. To see all of the parameters available, use the /? parameter. This will display all of the numerous possibilities.
To perform the task, we're here for today only requires a few of these possibilities. To view all permissions on a single folder or file, you would just specify the element.
However, since we need to grab all permissions on all folders and files inside of a folder we have to use /t parameter. This will recursively look through each of the files and folders inside of that folder and pull their permissions.
Once we've confirmed that icacls can view the permissions we can now force it to save them to a file. That can be done with the /save parameter and specifying a file path argument.
icacls C:\Folder /save “C:\permissions.txt" /t
Above, I'm telling icacls to save all of the permissions for the C:Folder folder along with all files and folders inside to a file called C:permissions.txt. If you then look inside of the text file, you'll see what I mean about SDDL.
Lucky for us, though, icacls understands this and can reapply these permissions to another folder, if necessary.
One final parameter I use is the /c parameter. This parameter allows icacls to continue if it receives an error. This sometimes happens when it can't access a file or folder. This makes the final command line:
icacls C:\Folder /save “C:\permissions.txt" /t /c
Using this command allows you to save all file and folder permissions for everything inside of C:Folder. This is a simple method to dump all permissions quickly.