In my environment, I have several projects that involve running NTFS ACL audit reports and various ACL cleanup activities on a number of file servers. There are two main reasons why I cannot perform these activities locally on the servers:

1) I do not have local access to the servers as they are actually owned and administered by another company.

2) They are SNAP NAS servers which run a modified Linux OS (called GuardianOS) so even if I could get local access, I’m not sure of the availability of tools to perform the operations I need.

With that out of the way, I ended up rolling my own ACL audit reporting tool that would recurse down the filesystem starting at a specified top-level path and would spit out an HTML report on all the groups/users it encountered on the ACLs as well as showing the changes in permissions as it descended the tree. While developing this tool, I found out that the network overhead was the worst part of doing these operations and by multi-threading the process, I could achieve substantially greater performance.

However, I’m still stuck for finding a good tool to perform the ACL modifications and cleanup. Your standard out of the box tools (cacls, xcacls, Explorer) seem to be single-threaded and suffer significant performance penalty when going across the network. I’ve looked at rolling my own ACL setting program that is multithreaded but the only API I’m familiar with is the .NET FileSystemAccessRule stuff and the problem is that if I set the permissions at a folder, it automatically wants to “flow” the permissions down. This causes a problem because I want to do the “flowing” myself using multi-threading.

I know NTFS “allows” inherited permissions to be inconsistent because I’ve seen it where a folder/file gets moved on the same volume between two parent folders with different inherited permissions and it keeps the old permissions as “inherited”.

The Questions

1) Is there a way to set an ACL that applies to the current folder and all children (your standard “Applies to files, folders, and subfolders” ACL) but not have it automatically flow down to the child objects? Basically, I want to be able to tell Windows that “Yes, this ACL should be applied to the child objects but for now, just set it directly on this object”.

Just to be crystal clear, I know about the ACL options for applying to “this folder only” but then I lose inheritance which is a requirement so that option is not valid for my use case.

2) Anyone know of any good algorithms or methodologies for performing ACL modifications in a multithreaded manner? My gut feeling is that any recursive traversal of the filesystem should work in theory especially if you’re just defining a new ACL on a top-level folder and just want to “clean up” all the subfolders. You’d stamp the new ACL on the top-level and then recurse down removing any explicit ACEs and then “flowing” the inherited permissions down.

(FYI, this question is partially duplicated from ServerFault since it’s really both a sysadmin and a programming problem. On the other question, I was asking if anyone knows of any tools that can do fast ACL setting over the network.)