Apr 20, 2012

Windows 2003; Find folders with non-inherited/changed permissions


The question: I’m looking for a good way to audit/search a directory structure (Windows 2003) and locate any folders that either don’t inherit permissions from their parent -or- have additional users/groups added.

The Back Story

We’re migrating an old Windows 2003 file server to a 2008 R2 box. This old server was migrated from NT4. Most of the current folders use the old (deprecated?) Domain\Administrators and Domain\Users groups. These are groups that, while still in AD, I can’t use for permissions in 2008 R2 permissions.

So, before I robocopy over all the shared data from old server to new I first need to “modernize” the permissions on the old shares. However, I know that over the past decades some [undocumented] folders have had their permissions modified to either not inherit from parent or to add additional users. Thus my quest for a way to find ’em!

Asked by Chris_K


I would recommend using PowerShell (for Win2003: http://support.microsoft.com/kb/968929/en-us) and an additional add-on module for this ( http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85 ).

This will help you first to get the inheritance for a folder structure (when running from your start folder) with, e.g.:

get-childitem -Recurse | get-inheritance | export-CSV C:\Inheritance.csv -NoTypeInformation

You will get all files and folders in a CSV, which can then be filtered in Excel or other DBs if you need.

An additional benefit of the NTFSSecurity module is that you can also change the inheritance or the ACLs during migration with a similar PowerShell script.

E.g. you can completely remove inheritance in a folder (your start folder) with:

get-childitem | Disable-Inheritance

or add the -recurse switch again for all subfolders / files.

Hope this helps

Answered by Mr.T
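
The same audit with built-in cmdlets only, as an added example that is not part of the original answer: it lists folders whose ACL blocks inheritance from the parent and every explicit (non-inherited) ACE, which covers both cases in the question. The `$Root` and `$Report` paths and the `New-Finding` helper are placeholders introduced for this example, and the syntax is kept compatible with PowerShell 2.0.

```powershell
param(
    [string]$Root   = 'D:\Shares',        # placeholder: top of the tree to audit
    [string]$Report = 'C:\AclAudit.csv'   # placeholder: where the report is written
)

# Hypothetical helper: one report row per finding. $Ace may be $null,
# in which case the ACE columns come out as empty strings.
function New-Finding($Path, $Finding, $Ace) {
    New-Object PSObject -Property @{
        Path     = $Path
        Finding  = $Finding
        Identity = "$($Ace.IdentityReference)"
        Rights   = "$($Ace.FileSystemRights)"
        Type     = "$($Ace.AccessControlType)"
    }
}

# PowerShell 2.0 has no -Directory switch, so filter on PSIsContainer.
$folders = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }

$findings = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
    } catch {
        # A folder the auditing account cannot read needs manual review.
        New-Finding $folder.FullName 'AclUnreadable' $null
        continue
    }

    # Case 1: the folder does not inherit permissions from its parent.
    if ($acl.AreAccessRulesProtected) {
        New-Finding $folder.FullName 'InheritanceDisabled' $null
    }

    # Case 2: users/groups added directly on this folder (explicit ACEs).
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        New-Finding $folder.FullName 'ExplicitAce' $ace
    }
}

$findings | Select-Object Path, Finding, Identity, Rights, Type |
    Export-Csv -Path $Report -NoTypeInformation
```

A folder with inheritance disabled shows up once as `InheritanceDisabled` and once per ACE as `ExplicitAce`, so sorting the CSV by `Path` groups everything that has to be reworked before the robocopy run.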
