Get list of all folders and subfolders permissions in a netapp with millions of folders

AlbertoGonzalez

I need to get a list of all shares and folders/subfolders along with their NTFS permissions (user and permission) in a NetApp with millions of folders.

I know you can use this command and it will return permissions for one folder you specify:

vserver security file-directory show -path /marketing -expand-mask true

But I need to produce a report for a NetApp that has 1 million folders/subfolders, so traversing folders and invoking this command folder by folder will take many hours.

So far I have been doing this with standard Windows APIs to list folders and subfolders and Get-Acl to get permissions per folder, but as I said it is too slow.

Is there any file where this info is stored, or a way to query security file-directory to report all subfolders? Or another way, like in Windows where you can use an NTFS walker/journal or similar to query NTFS metadata and get all file/directory names in the filesystem more efficiently and quickly?

1 ACCEPTED SOLUTION

parisi

ONTAP does not store this information in a file. You'd have to query it via Powershell or via icacls.

4 REPLIES

GidonMarcus

Hi,

I'm not aware of a good way except for these two interfaces (perhaps also the same command via ZAPI/new ONTAP API).

The other things I would try are:

1. to robocopy the folder-structure-only into a VM and try to run it locally (to avoid network latencies on the queries)

2. be sure to have small latency to AD and enough processing capacity on it as well

3. use filters on the get-acl to only include non-inherited permissions - so again you'll have fewer queries to AD.

4. try to use another method to query the SMB. Maybe also try without translating the SIDs and doing it later based on your own index: https://www.reddit.com/r/PowerShell/comments/69181h/getacl_is_looking_up_sids/

There are of course commercial tools that generate folder audits and allow you to act on them. You can consider using their tools instead of developing your own. I also mention it because, in my experience, Varonis for example does its scan via SMB, and it can take a day or two for a 10TB share to get scanned (on an AFF).

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
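
Suggestions 3 and 4 in the reply above (report only non-inherited entries, and defer SID translation to a separate step), as an added example that is not part of the original thread. The share path and output file name are hypothetical placeholders.

```powershell
# Added example (not from the thread). $Root and $OutFile are placeholders.
param(
    [string]$Root    = '\\filer01\marketing',  # hypothetical share path
    [string]$OutFile = '.\explicit-acl.csv'    # hypothetical report file
)
$sidType  = [System.Security.Principal.SecurityIdentifier]
$rootPath = (Get-Item -LiteralPath $Root).FullName

# Stream directories through the pipeline; nothing is collected in memory.
& {
    Get-Item -LiteralPath $Root
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
} | ForEach-Object {
    $path = $_.FullName
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        # Keep unreadable folders in the report instead of dropping them silently.
        [pscustomobject]@{ Path = $path; Sid = ''; Type = 'ERROR'; Rights = $_.Exception.Message; Flags = '' }
        return
    }
    # Root: full ACL as the baseline. Below it: explicit ACEs only.
    # Requesting SecurityIdentifier skips the per-ACE name lookup against AD.
    $inherited = ($path -eq $rootPath)
    foreach ($ace in $acl.GetAccessRules($true, $inherited, $sidType)) {
        [pscustomobject]@{
            Path   = $path
            Sid    = $ace.IdentityReference.Value
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
            Flags  = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
        }
    }
} | Export-Csv -LiteralPath $OutFile -NoTypeInformation

# Resolve each distinct SID once, after the walk (the "own index" idea).
$names = @{}
Import-Csv -LiteralPath $OutFile | Where-Object Sid |
    Select-Object -ExpandProperty Sid -Unique | ForEach-Object {
        $s = $_   # capture: inside catch, $_ is the error record
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$s
            $names[$s] = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $names[$s] = $s }  # orphaned or unresolvable SID stays as-is
    }
$names.GetEnumerator() | Sort-Object Value | Format-Table Name, Value -AutoSize
```

Rows with Type `ERROR` mark folders the scanning account could not read, so gaps in coverage are visible in the report.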

AlbertoGonzalez

But in large systems with millions of folders and files, walking through all shares and subfolders is a very slow process and difficult to keep in sync. Also, you need a user that can browse all shares, folders and files, which is quite a difficult case.

It would be great if you could provide an API or file to get it all through ONTAP.

Thoppay

If you are trying to copy with NTFS permissions, have you looked into XCP?

https://xcp.netapp.com/
