Microsoft Virtualization Discussions

Get list of all folders and subfolders permissions in a NetApp with millions of folders


I need to get a list of all shares and folders/subfolders along with their NTFS permissions (user and permission) in a NetApp with millions of folders.


I know you can use this command and it will return permissions for one folder you specify

vserver security file-directory show -path /marketing -expand-mask true


But I need to produce a report for a NetApp that has 1 million folders/subfolders, so traversing the folders and invoking this command folder by folder will take many hours.


So far I have been doing this with standard Windows APIs to list folders and subfolders and Get-Acl for the permissions on each folder, but as I said it is too slow.


Is there any file where this info is stored, or a way to query security file-directory to report all subfolders? Or some other way, like in Windows where you can use an NTFS walker/journal or similar to query NTFS metadata and get all file and directory names in the filesystem more efficiently and quickly?



ONTAP does not store this information in a file. You'd have to query it via Powershell or via icacls.



But in large systems with millions of folders and files, walking through all shares and subfolders is a very slow process and difficult to keep in sync. Also, you need a user that can browse all shares, folders and files, which is quite a difficult case.


It would be great if you could provide an API or file to get it all through ONTAP.






If you are trying to copy with NTFS permissions, have you looked into XCP?




I'm not aware of a good way apart from these two interfaces (perhaps also the same command via ZAPI/new ONTAP API).

The other things I would try are:

1. to robocopy the folder-structure-only into a VM and try to run it locally (to avoid network latencies on the queries)

2. be sure to have small latency to AD and enough processing capacity on it as well

3. use filters on the Get-Acl to only include non-inherited permissions - so again you'll have fewer queries to AD.

4. try to use another method to query the SMB. Maybe also try without translating the SIDs and do it later based on your own index


There are of course commercial tools that generate folder audits and allow you to act on them. You can consider using their tools instead of developing your own. I also mention it because, from my experience, Varonis for example does its scan via SMB, and it can take a day or two for a 10TB share to get scanned (on an AFF).



Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
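
Points 3 and 4 of the reply above, sketched in PowerShell as an added example (not code from the thread or from NetApp): it reports only explicit (non-inherited) ACEs, keeps identities as raw SIDs during the walk, and resolves each distinct SID once at the end. The UNC path and output file names are assumptions.

```powershell
param(
    [string]$Root    = '\\svm01\marketing',     # constructed UNC path (assumption)
    [string]$AceFile = '.\explicit-aces.csv',   # hypothetical output file names
    [string]$SidFile = '.\sid-index.csv'
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$seen    = [System.Collections.Generic.HashSet[string]]::new()

# Stream the root and every subfolder through the pipeline so millions of
# paths are never held in memory at once.
& {
    Get-Item -LiteralPath $Root
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
} | ForEach-Object {
    $path = $_.FullName
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        # Keep unreadable folders in the report; a gap in an audit should be visible.
        [pscustomobject]@{ Path = $path; Sid = ''; Rights = ''; Type = 'UNREADABLE'; Inheritance = '' }
        return
    }
    # GetAccessRules(includeExplicit, includeInherited, targetType):
    # explicit ACEs only, identities left as raw SIDs (no lookup per ACE).
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        [void]$seen.Add($ace.IdentityReference.Value)
        [pscustomobject]@{
            Path        = $path
            Sid         = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Type        = $ace.AccessControlType
            Inheritance = $ace.InheritanceFlags
        }
    }
} | Export-Csv -LiteralPath $AceFile -NoTypeInformation

# Resolve each distinct SID once, after the walk, to build the lookup index.
$seen | ForEach-Object {
    $sid = $_
    try {
        $name = [System.Security.Principal.SecurityIdentifier]::new($sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'   # deleted account or unreachable domain
    }
    [pscustomobject]@{ Sid = $sid; Name = $name }
} | Export-Csv -LiteralPath $SidFile -NoTypeInformation
```

Joining the two CSV files on the Sid column gives the named report; rows marked UNREADABLE show where the scanning account lacked access.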