
Migrate from Netware 6.5 to Windows 2003 file permissions


#1
xanth
  • Member
  • 4 posts
  • Joined 08-February 09
Hello all,

We have had enough of our Novell Netware servers and the lack of support that software vendors give Netware.
Therefore, I am trying to migrate our site from our Novell Netware 6.5 servers to Windows 2003 servers.

Everything was going well right up until the file system. I have worked out a way of migrating all users and groups, but I hate to admit it, but Netware seems to have a much better way of doing its file system permissions.

Let me explain.

Say I have a share on a Netware server, (I'll use UNC paths) \\fs1\share and map it to a K: drive.
If I have 3 folders in that share...
K:\Folder1
K:\Folder2
K:\Folder3

Within each of these folders I have 3 other folders, "one","two" and "three".
IE:
K:\Folder1\one
K:\Folder1\two
K:\Folder1\three
K:\Folder2\one
K:\Folder2\two
K:\Folder2\three
K:\Folder3\one
K:\Folder3\two
K:\Folder3\three

Right, now I give userA read/write permissions to "K:\Folder2\two", when that user browses to the K: drive, he can see:
K:\Folder2

no more, no less.

When that user changes into Folder two, then that user can now see
K:\Folder2\two
no more, no less.

Excellent, works perfectly.

BUT windows.......

Same folders same permissions.
Assumption: I have given share rights to the "Domain Users" group.
userA can not see K:\Folder2, in fact, that user can not even net use a K: drive \\fs1\share
So what I do is give folder rights to \\fs1\share, but now the user can see all three folders.
K:\Folder1
K:\Folder2
K:\Folder3

But when they try to change into Folder1 or Folder3, they get an "access denied" but they still see the %#$%ing things. Why should they see them if they have no rights!!!!
Also when userA changes to K:\Folder2, the user once again sees all three folders in the next level:
K:\Folder2\one
K:\Folder2\two
K:\Folder2\three
And once again, access denied to "one" and "three", once again, why still see them if there are no rights.

What the problem is, is the appropriate rights do not flow up such as Netware, only down.

I have found a piece of software that I have installed from MS called "Windows Server 2003 Access-based Enumeration", which hides folders which the users do not have rights to. Great, but it only works at the root of the share and I still have to give the rights higher up. IE: \\fs1\share\Folder2

Please, please, I need a solution to fix this very poor windows based file system permission problem as I am hating netware more and more, (except when it comes to the file system)........ Please help me get rid of Netware. :(



#2
cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,252 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
  • Country: Country Flag
Without ABE, this is not possible. At least not with what ships with Windows - there may be something third party, but I do not know of anything off the top of my head.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#3
xanth
  • Member
  • 4 posts
  • Joined 08-February 09

Without ABE, this is not possible. At least not with what ships with Windows - there may be something third party, but I do not know of anything off the top of my head.


Unfortunately, even with ABE, this does not seem possible. (Which I do have installed)
I’ll summarise my issue.
Give permissions to K:\Folder2\two
Still can’t see K:\Folder2
So, to enable browsing to K:\Folder2\two need to give permissions to K:\Folder2 which then flows down to K:\Folder2\one, K:\Folder2\two, and K:\Folder2\three
Which then makes it necessary to go to each of these three folders and uncheck “Allow inheritable permissions from the parent….”

So, we have two problems. We have thousands and thousands of folders to fix to enable the migration and the whole mind set in how backwards this method is…

Surely I am not the first person migrating from Netware to Windows to struggle with this?

TIA.

Edited by xanth, 09 February 2009 - 02:02 PM.


#4
cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,252 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
  • Country: Country Flag
I would suggest a support case with Microsoft, because I don't know how else you'd do it. Windows file sharing was never meant to deny access this way, only to have permission-based access. Also, Novell does this differently (mapping permissions into a buffer to handle the ABE) vs how Windows does it (ACL check, disk hit per ABE lookup), so it's inferior in that way as well (although it does work on larger volumes better due to the Novell buffer design). In general, on Windows, you would map a share to the farthest point down the tree a user would use, rather than a root folder like that.

#5
xanth
  • Member
  • 4 posts
  • Joined 08-February 09
Thanks for your help Cluberti,
You are quite right in what you say about how the two different types of servers handle their file systems.

I think what I'll probably do is rely on the ABE, remove all rights using scripts to run xcacls to the top 3 levels, then run more scripts to assign the rights at the appropriate 3 levels and then most of all, try and educate both the many users and support staff on the differences.
The users on why they are seeing more folders than they used to. And the support staff on how to let users see folders that are not in the root of the drive.
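
The scripted approach discussed in posts #3 and #5, sketched as an added example that is not from either poster: for each grant deep in the tree, it works out which parent folders need a list ACE scoped to "this folder only", so the path stays browsable without rights flowing down to sibling folders. It models the ACL plan only and touches no file system; it assumes ABE lists an entry only when the user has list access on that entry, and the function names and sample tree are constructed for illustration.

```python
from pathlib import PureWindowsPath as P

# Constructed sample: the share layout and the single grant from the thread.
ROOT = "K:\\"
FOLDERS = [f"K:\\Folder{n}" for n in (1, 2, 3)] + \
          [f"K:\\Folder{n}\\{s}" for n in (1, 2, 3) for s in ("one", "two", "three")]
GRANTS = [("userA", r"K:\Folder2\two")]   # (principal, folder) with inheritable read/write

def covered(folder, user, grants):
    """True if an inheritable grant for user sits on folder or on one of its parents."""
    return any(u == user and (P(g) == folder or P(g) in folder.parents)
               for u, g in grants)

def plan_list_aces(grants, root=ROOT):
    """Return (folder, principal) pairs that need a list ACE scoped to 'this folder
    only', so the path down to each grant is browsable and nothing flows to siblings."""
    root, needed = P(root), set()
    for user, target in grants:
        target = P(target)
        target.relative_to(root)              # ValueError if the grant is outside the share
        for anc in target.parents:            # nearest parent first, up to the drive root
            inside = anc == root or root in anc.parents
            if inside and not covered(anc, user, grants):
                needed.add((anc, user))
    return sorted(needed)

def visible(user, parent, grants, list_aces, folders=FOLDERS):
    """Model of an ABE-filtered listing: a child shows only if the user can list it."""
    parent = P(parent)
    return sorted(str(f) for f in map(P, folders)
                  if f.parent == parent and f != parent
                  and (covered(f, user, grants) or (f, user) in list_aces))

if __name__ == "__main__":
    plan = plan_list_aces(GRANTS)
    for folder, user in plan:
        print(f"{folder}: allow {user} list folder, this folder only")
    print(visible("userA", "K:\\", GRANTS, set(plan)))
    print(visible("userA", r"K:\Folder2", GRANTS, set(plan)))
```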

#6
xanth
  • Member
  • 4 posts
  • Joined 08-February 09
I take it back, my plan was getting way too complicated. I think I'll stick to the standard Microsoft way and try and educate the users.

#7
cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,252 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
  • Country: Country Flag
I would think that would be best - ABE can really hammer your server performance too when it gets very busy.



