Microsoft Virtualization Discussions

Get list of all folders and subfolders permissions in a netapp with millions of folders

I need to get a list of all shares and folder/subfolders along NTFS permissions (user and permission) in a netapp with millions of folders. 

 

I know you can use this command and it will return permissions for one folder you specify

vserver security file-directory show -path /marketing -expand-mask true

 

But I need to do a report of a netapp that has 1 million of folders/subfolders so traversing folders and invoking this command folder by folder will take so many hours.

 

By now i have been doing this with standard windows APIs to list folders and subfolders and get-acl permission per folder but  as i said it is too slow.

 

Is there any file where this info is stored or a way to query security file-directory to report all subfolders ? or other way like in windows you can use ntfs walker/journal or similar to query ntfs metada and get all file names/dir in the filesystem more efficient and quickly.

2 REPLIES 2

Re: Get list of all folders and subfolders permissions in a netapp with millions of folders

Hi,

 

I'm not aware of a good way except of these two interfaces (perhaps also the same command via ZAPI/new ONTAP API).

The other things I would have try are:

1. to robocopy the folder-structure-only into a VM and try to run it locally (to avoid network latencies on the queries)

2. be sure to have small latency to AD and enough processing capacity on it as well

3. use filters on the get-acl to only include non-inherited permissions - so again you'll fewer queries to AD.

4. try to use another method to query the SMB. Maybe also try without translating the SIDs and doing it later based on your own index https://www.reddit.com/r/PowerShell/comments/69181h/getacl_is_looking_up_sids/

 

There's of-course commercial tools that generate folders audit and allow you to act on it. you can consider using their tools instead of developing your own. I also mentioned it as for my experience, Varonis for example do their scan via SMB, and it can take a day or two for a 10TB share to get scanned (on an AFF).

 

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

Re: Get list of all folders and subfolders permissions in a netapp with millions of folders

ONTAP does not store this information in a file. You'd have to query it via Powershell or via icacls.

View solution in original post

Cloud Volumes ONTAP
Review Banner
All Community Forums
Public