You could try setting an inheritable ACE on the top-level directory. As long as users did not add explicit Deny entries or did not block inheritance, it should suffice. Note that explicit denials always override explicit grants, so just adding an ACE may not be sufficient anyway.


I don't know whether they did anything explicitly.  Unfortunately it doesn't let us see any permissions or settings.  My account is a domain admin and I'm also in the administrators group on the filers.   

 

I could not find an explicit statement, but fsecurity appears to replace the existing DACL. I suppose one possibility would be:

 

- Dump existing DACLs using something like "icacls /save"
- Convert the result into a valid fsecurity job definition
- Add the necessary ACEs
- Apply

We looked into this, but not having permissions to a variety of sub-directories, the icacls command doesn't see into these directories.  We could try to force permissions down the trees, but even if it works, we're potentially adding or removing access to groups currently being hidden.  We're reluctant to blindly do this.

 

But it may not work if access to folders/files is blocked. In this case it is possible to create a task that runs as e.g. SYSTEM to do it.


Would you elaborate on this?  Where would this job run from and how would it end up with access?  

Thanks,

Jeff

 

 

C-Mode looks better as it allows editing individual ACEs.

 

 

---

With best regards

 

Andrei Borzenkov

Senior system engineer

FTS WEMEAI RUC RU SC TMS FOS


FUJITSU

Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation

Tel.: +7 495 730 62 20 ( reception)

Mob.: +7 916 678 7208

Fax: +7 495 730 62 14

E-mail: Andrei.Borzenkov@ts.fujitsu.com

Web: ru.fujitsu.com

Company details: ts.fujitsu.com/imprint


 

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Jeff Cleverley
Sent: Tuesday, September 15, 2015 2:10 AM
To: <Toasters@teaparty.net>
Subject: Cifs administrative access push to the entire qtree

 

Greetings,

 

I inherited a group of filers that are heavily CIFS.  There are multiple clusters of different hardware and different OS levels.  All are 7-mode.

 

What the managers found is that people have changed directory permissions and excluded administrators or people with full control.  When a problem pops up they have to find one of the directory owners to get added in order to fix an issue.

 

We don't really want to push the permissions to all sub-directories in an overwrite mode because we could break tool access, or grant access people may not have had before, etc.  

 

Is there a way to add administrators to a tree from the NetApp or a way to do this that doesn't remove previous access control?  The managers already have full control at the share level.  

 

Thanks,

 

Jeff

 

--

Jeff Cleverley
IT Engineer

4380 Ziegler Road

Building 1, Dock 1
Fort Collins, Colorado 80525
970-288-4611



