I have a new project and wanted to ping the community first before I got started. Looking for ideas on how best I can approach this problem.
I have a client that has a Quantum StorNext storage solution in the entertainment industry. This client has PCs and Macs that have an agent on their computers that allows them to talk to this device. This storage device has nearly 2TB of data on it with hundreds of thousands of folders and millions of files. Whenever a Mac creates or moves a file from one folder to another it removes the permissions on the file. They have a very simple requirement; have one account as the owner on ALL folders and files and the exact same permissions on everything.
Ultimately, they just need around 20 "root" folders to have a certain permission and owner and then set everything under that to inherit those permissions. The Macs are breaking that and explicitly setting their own. They've talked with the vendor and it's not possible to fix this so a workaround has to be put in place. As an interim fix, they've got a script that runs every night that trawls through all of those folders files and ensures they're all set to inherit from the parent folder. It takes WAY too long. They've brought me in to do a better job of that.
The goal is to ensure every file and folder in these set of "root" folders is set to inherit permissions from the parent in the shortest time possible.
Here are my thoughts as of now:
1. Setup a bunch of permanent WMI event consumers to monitor folders for new files and then trigger an ACL change. First of all, I don't know if this is possible because the files are located on the SAN and not on a NTFS volume.
2. Create a script that either runs background runspaces, jobs or some other parallel means that crawls through the files and checks. This would be similar to the script they're running now but it would be much faster since I'll be introducing asychronisity (is that a word?) to it.
3. I'm out of ideas...
Anyone have any thoughts of how to approach this problem?
How about setting the permissions on the share and/or NTFS permissions so that the account does not have the rights to change permissions. That is assuming, of course, that the MACs are accessing the Data via SMB and not NFS or AFS. Setting the share permissions so that Read and Write are allowed, but not Full Control should prevent the MACs from changing the permission sets. If they are using NFS, then stop that and start using SMB.
I knew I liked this forum for a reason. 🙂 I never considered just trying to limit anything from modifying the permissions to begin with. Duh. That makes complete sense and needs to be the way to go. I'm assuming they are accessing the shares by SMB but I'll confirm.
Thanks, Curtis! The problem now is I can't design some sophisticated script to change them. 🙂
Ya, sorry about that, but you can be their hero!
You must be logged in to reply to this topic.