Keith Brown wrote:
i converted qtree with user dirs from unix to ntfs.
if i look at a users home dir with secure share tool it says no acl.
Right. You should find that the switch of the qtree to NTFS will initialize the root directory with an "Everyone - Full Control" ACL, but we won't plough down through the pre-existing data and initialize a bunch of ACLs on everything by "second-guessing" ACL contents from the available UNIX permission sets. There's really no objectively correct way to do that, so the filer steps out of the way and leaves it to the administrator to initialize *exactly* what security they need from a client.
i look at the ntfs security perms and it says the user has full,full and that everyone has rx,rx. i understand this is coming from the unix perms that were there.
On the files and directories that are below the root of the qtree, yes, that's likely what you would see. These aren't real ACLs, they are just "mocked up" display ACLs.
i give domain admins full control over that dir, subdirs and files.
Which would have the effect of initializing "proper" ACLs onto all those subdirs and files. Now everything should be in full NTFS mode, and all the normal rules of NTFS security will apply for this data.
i look at it with secure share and it says root is owner [but greyed out] and there is an acl. i look at the dir and sub dirs with the nt security tab and i see domain admins full, the user full, and everyone rx,rx.
Now it's starting to sound a little wrong. You didn't say explicitly how you were initializing the ACLs, but if you were using the Windows Explorer and its "Replace permissions on subdirectories" and "Replace permissions on existing files" options, you should get exactly the ACL that you specified on every subdirectory and file.
yes i used the Windows Explorer and its "Replace permissions on subdirectories" and "Replace permissions on existing files" options. i got the domain admins full perm that i put in that way. the question i have is whether the "mocked up" display acls for the user and everyone should still be there???
i get the same result whether i use windows explorer or cmd line tools that i also have and hoped to use to eventually get the acls the way i want them. but i can't get there if i don't understand what is going on.
What was there before should not matter (i.e. the new information is not overlaid onto the client's view of what the pre-existing security looked like). If you are using some other mechanism that perhaps works differently to the Windows Explorer, therein might lie the problem?
Keith
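
An added example, not part of the original thread: one way to check from a Windows client whether every directory and file under a converted home directory carries exactly the ACL that was applied, and to list any leftover entries. The UNC path and the expected entry are hypothetical placeholders, and the script assumes PowerShell 3 or later with read access to the share.

```powershell
param(
    [string]$Root = '\\filer\home\someuser',                            # hypothetical path
    [string[]]$Expected = @('EXAMPLE\Domain Admins|FullControl|Allow')  # hypothetical ACE
)

# Reduce an access rule to "identity|rights|type" so ACLs can be compared as sets.
function Get-AceKey {
    param($Ace)
    '{0}|{1}|{2}' -f $Ace.IdentityReference.Value, $Ace.FileSystemRights, $Ace.AccessControlType
}

# Return the entries that are present but not expected, and expected but not present.
function Compare-AclToExpected {
    param([string[]]$Actual, [string[]]$Expected)
    $extra   = @($Actual   | Where-Object { $_ -notin $Expected } | Sort-Object -Unique)
    $missing = @($Expected | Where-Object { $_ -notin $Actual })
    [pscustomobject]@{
        Extra   = $extra
        Missing = $missing
        Match   = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Check the top directory itself plus everything below it.
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Inherit-only ACEs do not apply to the object itself, so leave them out of the comparison.
    $actual = @($acl.Access |
        Where-Object { -not ($_.PropagationFlags -band $inheritOnly) } |
        ForEach-Object { Get-AceKey $_ })

    $result = Compare-AclToExpected -Actual $actual -Expected $Expected
    if (-not $result.Match) {
        [pscustomobject]@{
            Path    = $item.FullName
            Owner   = $acl.Owner
            Extra   = $result.Extra -join '; '
            Missing = $result.Missing -join '; '
        }
    }
}
```

No output means every object matched. Any row in the `Extra` column names an entry, such as the user or Everyone, that is still reported on that object after the replace.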