Migrate from Netware 6.5 to Windows 2003 file permissions


xanth

Hello all,

We have had enough of our Novell Netware servers and the lack of support that software vendors give Netware.

Therefore, I am trying to migrate our site from our Novell Netware 6.5 servers to Windows 2003 servers.

Everything was going well right up until the file system. I have worked out a way of migrating all users and groups, but I hate to admit it, but Netware seems to have a much better way of doing its file system permissions.

Let me explain.

Say I have a share on a Netware server, (I'll use UNC paths) \\fs1\share and map it to a K: drive.

If I have 3 folders in that share...

K:\Folder1

K:\Folder2

K:\Folder3

Within each of these folders I have 3 other folders, "one","two" and "three".

IE:

K:\Folder1\one

K:\Folder1\two

K:\Folder1\three

K:\Folder2\one

K:\Folder2\two

K:\Folder2\three

K:\Folder3\one

K:\Folder3\two

K:\Folder3\three

Right, now I give userA read/write permissions to "K:\Folder2\two", when that user browses to the K: drive, he can see:

K:\Folder2

no more, no less.

When that user changes into Folder two, then that user can now see

K:\Folder2\two

no more, no less.

Excellent, works perfectly.

BUT windows.......

Same folders same permissions.

Assumption: I have given share rights to the "Domain Users" group.

userA can not see K:\Folder2, in fact, that user can not even net use a K: drive \\fs1\share

So what I do is give folder rights to \\fs1\share, but now the user can see all three folders.

K:\Folder1

K:\Folder2

K:\Folder3

But when they try to change into Folder1 or Folder3, they get an "access denied" but they still see the %#$%ing things. Why should they see them if they have no rights!!!!

Also when userA changes to K:\Folder2, the user once again sees all three folders in the next level:

K:\Folder2\one

K:\Folder2\two

K:\Folder2\three

And once again, access denied to "one" and "three", once again, why still see them if there are no rights.

What the problem is, is the appropriate rights do not flow up such as Netware, only down.

I have found a piece of software that I have installed from MS called "Windows Server 2003 Access-based Enumeration", which hides folders which the users do not have rights to. Great, but it only works at the root of the share and I still have to give the rights higher up. IE: \\fs1\share\Folder2

Please, please, I need a solution to fix this very poor windows based file system permission problem as I am hating netware more and more, (except when it comes to the file system)........ Please help me get rid of Netware. :(


Without ABE, this is not possible. At least not with what ships with Windows - there may be something third party, but I do not know of anything off the top of my head.

Unfortunately, even with ABE, this does not seem possible. (Which I do have installed)

I’ll summarise my issue.

Give permissions to K:\Folder2\two

Still can’t see K:\Folder2

So, to enable browsing to K:\Folder2\two need to give permissions to K:\Folder2 which then flows down to K:\Folder2\one, K:\Folder2\two, and K:\Folder2\three

Which then makes it necessary to go to each of these three folders and uncheck “Allow inheritable permissions from the parent….”

So, we have two problems. We have thousands and thousands of folders to fix to enable the migration and the whole mind set in how backwards this method is…

Surely I am not the first person migrating from Netware to Windows to struggle with this?

TIA.

Edited by xanth
I would suggest a support case with Microsoft, because I don't know how else you'd do it. Windows file sharing was never meant to deny access this way, only to have permission-based access. Also, Novell does this differently (mapping permissions into a buffer to handle the ABE) vs how Windows does it (ACL check, disk hit per ABE lookup), so it's inferior in that way as well (although it does work on larger volumes better due to the Novell buffer design). In general, on Windows, you would map a share to the farthest point down the tree a user would use, rather than a root folder like that.

Thanks for your help Cluberti,

You are quite right in what you say about how the two different types of servers handle their file systems.

I think what I'll probably do is rely on the ABE, remove all rights using scripts to run xcacls to the top 3 levels, then run more scripts to assign the rights at the appropriate 3 levels and then most of all, try and educate both the many users and support staff on the differences.

The users on why they are seeing more folders than they used to. And the support staff on how to let users see folders that are not in the root of the drive.
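
An added example, not code from any poster in this thread: one way to script the "assign the rights at the appropriate levels" step so that the grant on each ancestor applies to "This folder only" and therefore does not flow down to sibling folders, leaving no inheritance to uncheck on them. The share root, the target folder, the account `DOMAIN\userA` and the choice of Modify for "read/write" are assumptions.

```powershell
# Added example: share root, target folder, account and rights are assumptions.
function Get-AncestorFolders {
    param([string]$ShareRoot, [string]$Target)
    # Returns the share root plus every folder between it and $Target (exclusive).
    $root = $ShareRoot.TrimEnd('\') + '\'      # keep 'K:\', never bare 'K:'
    $leaf = $Target.TrimEnd('\')
    if (-not $leaf.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        throw "$Target is not below $ShareRoot"
    }
    $folders = @($root)
    $parts = $leaf.Substring($root.Length).Split('\')
    $current = $root
    for ($i = 0; $i -lt $parts.Length - 1; $i++) {
        $current = [System.IO.Path]::Combine($current, $parts[$i])
        $folders += $current
    }
    return $folders
}

function Add-FolderRule {
    param([string]$Folder, [string]$Account, [string]$Rights, [string]$Inherit)
    # Adds one Allow entry to the folder's existing ACL and writes it back.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, $Rights, $Inherit, 'None', 'Allow'
    $acl = Get-Acl -Path $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Grant-DeepFolderAccess {
    param([string]$ShareRoot, [string]$Target, [string]$Account)
    # Ancestors: list/traverse with inheritance flags 'None' ("This folder only"),
    # so siblings such as Folder1 or Folder2\one receive no entry at all.
    foreach ($folder in Get-AncestorFolders $ShareRoot $Target) {
        Add-FolderRule $folder $Account 'ReadAndExecute' 'None'
    }
    # Target: Modify, inherited by the subfolders and files below it.
    Add-FolderRule $Target $Account 'Modify' 'ContainerInherit,ObjectInherit'
}

# Constructed sample call using the folder layout from the first post.
if (Test-Path 'K:\Folder2\two') {
    Grant-DeepFolderAccess -ShareRoot 'K:\' -Target 'K:\Folder2\two' -Account 'DOMAIN\userA'
}
```

Run it from an account that is allowed to change permissions on every folder in the path, and point `-ShareRoot` at the folder the share actually publishes.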
