Saturday, June 20, 2009

XCACLS over SubInACL: article 200908

FOR THE BUSY (or IMPATIENT): Point of the Story: SubInACL scans every single folder and file unless you tell it not to.

I am working on modifying permissions on up to 3 million folder and file objects on one root drive in a Microsoft environment. I am obviously scripting this as well as performing the process in stages; right now I am in the testing stage in a non-production environment (see my first posting of the “Script the World” series).

The initial command I chose to use was XCACLS from Microsoft. It is a fairly simple command to view and edit permissions on files and folders. I noticed that it ran a little slow for my tastes and was discussing this with a co-worker, who mentioned he used Microsoft's SubInACL. SubInACL can be used for similar purposes but appears to be more robust than XCACLS.

When I tried SubInACL it took much, much longer than XCACLS to complete and in some of my tests even “hung”. This was very odd, as my co-worker had successfully used SubInACL for his tasks. I began researching using Google and Microsoft's ProcMon and came upon what I would call at best a nuance and at worst a bug.

Let me set the stage: I have a root drive for testing; “H:” and in this root drive I have 10 directories:


Inside each of the directories I have 20,000 folder and file objects. Since I will perform these permission changes in stages when I am working with production folders, I only want to modify a select group of folders at one time; for example

Stage 1

Stage 2

So using scripting and reading from a list (another reference to my Script the World 1 post) I am able to automate these changes; however, as mentioned above, SubInACL seemed to “hang”. I researched this issue on the web and stumbled across a forum posting that had a similar issue; one of the posters stated that SubInACL scans all folders and files in the parent directory on which you are making changes, even though you did not tell it to touch those folders. For example, using the command to change permissions on folder AAA:

C:\>subinacl /subdirectories h:\AAA /grant=DomainName\GrantGroup:F /revoke=DomainName\RemoveGroup

would result in SubInACL changing those permissions but then going on to SCAN (NOT MODIFY; I WANT TO BE CLEAR. It only performs a read) the remainder of the folders and files in H:.

Using Sysinternals' (now Microsoft's) Process Monitor confirms this. I turned on ProcMon, filtered for SUBINACL.EXE, and sure enough I see it work on the AAA folder and its files, but then it goes on to read every other folder and file in the H: drive before finishing the command!
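
The Process Monitor check described above can be repeated on a saved trace to measure how far a permission tool reads outside the folder it was pointed at. This is an added example, not code from the original post; it assumes ProcMon's default CSV export columns, and the sample rows (including the sibling folders BBB and CCC) are constructed.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in Process Monitor's default CSV export layout.
# BBB and CCC are made-up sibling folders of the AAA target.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.1","subinacl.exe","4242","CreateFile","H:\AAA","SUCCESS",""
"10:01:00.2","subinacl.exe","4242","SetSecurityFile","H:\AAA","SUCCESS",""
"10:01:00.3","subinacl.exe","4242","SetSecurityFile","H:\AAA\file1.txt","SUCCESS",""
"10:01:00.4","subinacl.exe","4242","QueryDirectory","H:\BBB","SUCCESS",""
"10:01:00.5","subinacl.exe","4242","QuerySecurityFile","H:\BBB\file1.txt","SUCCESS",""
"10:01:00.6","subinacl.exe","4242","QueryDirectory","H:\CCC","SUCCESS",""
"10:01:00.7","explorer.exe","1200","CreateFile","H:\BBB","SUCCESS",""
"10:01:00.8","subinacl.exe","4242","RegOpenKey","HKLM\System\CurrentControlSet","SUCCESS",""
'''

# ProcMon operations that change a file or its ACL rather than read it.
WRITE_OPS = {"SetSecurityFile", "WriteFile", "SetBasicInformationFile"}

def is_under(path, root):
    """True if path is root or below it (Windows rules: case-insensitive)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents

def scope_report(csv_text, process, target):
    """Count one process's file operations inside and outside target."""
    inside, outside, outside_writes = Counter(), Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        path = row["Path"]
        if not PureWindowsPath(path).drive:   # registry keys etc. have no drive
            continue
        if is_under(path, target):
            inside[row["Operation"]] += 1
        else:
            outside[row["Operation"]] += 1
            if row["Operation"] in WRITE_OPS:
                outside_writes.append(path)
    return inside, outside, outside_writes

if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" instead.
    inside, outside, writes = scope_report(SAMPLE_CSV, "SUBINACL.EXE", r"H:\AAA")
    print("inside target :", dict(inside))
    print("outside target:", dict(outside))
    print("modifying operations outside target:", writes or "none")
```

An empty list of modifying operations outside the target, alongside a large read count there, matches the scan-only behaviour described above.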

Now there is an “Exclude” switch in SubInACL but it does not work for what I am doing since I am working at the root of the directory. The command would be

C:\>subinacl /subdirectories h:\AAA /grant=DomainName\GrantGroup:F /revoke=DomainName\RemoveGroup /pathexclude=H:\*.*

Notice that at the end I am trying to exclude (H:\) the very directory I am working in (H:\AAA).

(This is probably how my teenage son feels when I am barking orders at him: “DO THIS! DON'T DO THAT!”)

Bottom line: I am going to stick with XCACLS. I did notice after further testing that it tends to run slow at first, but given a greater number of objects it moves along at a pretty good pace.

I will post more later about XCACLS and some of my findings there, as well as how I scripted this.


1 comment:

  1. Thanks for the information.
    I have the same problem with a huge EMC CIFS server.
    The pathexclude does not work on the mapped drive. I use code like
    net use T: /delete
    net use T: \\CIFS-SERVER\AAA
    Subinacl /subdirectories T:\ /setowner=dom\user