Active IQ Unified Manager Discussions

Creating a report of NTFS permissions based on a CIFS Share

TBknowledge
7,200 Views

I want to make a report which will get all DACL *Specific permission based on root CIFS shares.

* Specific permissions: Take Ownership and Change Permissions

 

I'm using NetApp Powershell module.

1. So, first step is to get all CIFS Shares:

Get-NcCifsShare -InformationVariable ShareName | Select Sharename

 

2. For each CIFS Share we need to check if there is a Group/User with DACL Permissions to Take Ownership and Change Permissions

 

Example:

With this NetApp CLI command I can get all DACL permissions:

vserver security file-directory show -vserver svm_server1 -path /TEST_DATA -expand-mask true

 

It will return very long output, but the part which I'm interesting to is:

So here we can see "Everyone" and they have: Write Owner and  Write DAC permissions.

Write Owner = Change Permissions (In Windows NTFS) 

DAC permissions = Write DAC(In Windows NTFS)

*************************************************************************

DACL - ACEs
ALLOW-Everyone-0x1f01ff-OI|CI
0... .... .... .... .... .... .... .... = Generic Read
.0.. .... .... .... .... .... .... .... = Generic Write
..0. .... .... .... .... .... .... .... = Generic Execute
...0 .... .... .... .... .... .... .... = Generic All
.... ...0 .... .... .... .... .... .... = System Security
.... .... ...1 .... .... .... .... .... = Synchronize
.... .... .... 1... .... .... .... .... = Write Owner
.... .... .... .1.. .... .... .... .... = Write DAC
.... .... .... ..1. .... .... .... .... = Read Control
.... .... .... ...1 .... .... .... .... = Delete
.... .... .... .... .... ...1 .... .... = Write Attributes
.... .... .... .... .... .... 1... .... = Read Attributes
.... .... .... .... .... .... .1.. .... = Delete Child
.... .... .... .... .... .... ..1. .... = Execute
.... .... .... .... .... .... ...1 .... = Write EA
.... .... .... .... .... .... .... 1... = Read EA
.... .... .... .... .... .... .... .1.. = Append
.... .... .... .... .... .... .... ..1. = Write
.... .... .... .... .... .... .... ...1 = Read

*************************************************************************

 

 

I'm not able to find a way to complete this. I do not see a way with PS NetApp toolkit to generate this.

 

Can you help me?

 

Thanks in advance!

1 ACCEPTED SOLUTION

GidonMarcus
6,911 Views

Oh.

Sorry i missed that the output was CLI and not PS. in PS you can use the following:

$MyAcl = Get-NcCifsShare -ShareName SecurityAudit* -Controller $MyArray | select path,Vserver,NcController| Get-NcFileDirectorySecurity -ExpandMask | select -ExpandProperty acls

Had to use the select on the middle as without it the pipe appends the volume name to the path twice ....

the sad thing is that you still going to just have it as a string rather properly formatted array... so need to work on parsing the string

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

4 REPLIES 4

GidonMarcus
6,930 Views

sorry, the question is not clear to me. to complete what ? i see both Write Owner and Write DAC.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

TBknowledge
6,926 Views

Hello Gidon,

thanks for the reply.

 

Imagine you have 100 root CIFS Shares. Each one of them have different NTFS Permissions applied on Group and/or User level.

I want to built a report, which will display specific advanced permissions applied on Group and/or User level for each root CIFS share.

 

Specific advanced permissions are: "WriteOwner", "FullAccess"

 

I was able to generate this with Powershell from Windows side, but not able to find a way to perform this from NetApp PS Tool Kit.

Two folders in the example test: TEST1 and TEST2. 

 

Example of the output: 

<<<<<<<<<<<<< Permissions for C:\TEST1 >>>>>>>>>>>>>>>>
BUILTIN\Administrators

FullAccess
WriteOwner
--------------------------------------------------
NT AUTHORITY\SYSTEM
WriteOwner


<<<<<<<<<<<<< Permissions for C:\TEST2 >>>>>>>>>>>>>>>>
BUILTIN\Users
FullAccess
WriteOwner
--------------------------------------------------

 

Thanks!

GidonMarcus
6,912 Views

Oh.

Sorry i missed that the output was CLI and not PS. in PS you can use the following:

$MyAcl = Get-NcCifsShare -ShareName SecurityAudit* -Controller $MyArray | select path,Vserver,NcController| Get-NcFileDirectorySecurity -ExpandMask | select -ExpandProperty acls

Had to use the select on the middle as without it the pipe appends the volume name to the path twice ....

the sad thing is that you still going to just have it as a string rather properly formatted array... so need to work on parsing the string

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

TBknowledge
6,839 Views

Thanks so much for the help Gidon!

Output is the same as security from CLI. Only need to format data as you mentioned.

 

Thanks again!

Public