Discussion:
Applying NTFS acl is very slow
unknown
2008-11-19 15:00:37 UTC
I am using the following function:
# Add-AclTxt.MSH
# Adds an ACL to a file using text parameters
# Usage Add-Acl "File" "user" "Rights" ("deny")
# /\/\o\/\/ 2006
# http://mow001.blogspot.com

function Add-Acl {
    Param ($folder, $user,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = "ContainerInherit, ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]$Prop = "None",
        [System.Security.AccessControl.AccessControlType]$Access = "Allow")

    trap {
        Write-Warning "Something went wrong setting permissions"
        Break
    }

    $ar = New-Object System.Security.AccessControl.FileSystemAccessRule($user,$Rights,$Inheritance,$Prop,$access)

    # check if given user is Valid, this will break function if not so.

    #$Sid = $ar.IdentityReference.Translate([System.Security.Principal.securityidentifier])

    # read the current ACL, add the new rule, write it back
    $acl = get-acl $folder
    $acl.AddAccessRule($ar)
    set-acl $folder $acl

}

When I try and set permissions on say D:\Shares and D:\Shares contains a
large amount of sub folders and files it can sometimes take hours to apply the
acl. Is this a PowerShell issue or an NTFS permissions issue?? I'm migrating
rights from Novell land to Microsoft and it is taking far too long.

Thanks,
Jacob
Rob Campbell
2008-11-19 23:32:01 UTC
Have you tried setting the permissions via sddl instead?

I believe this would allow you to set all the inheritance flags and
permissions at once in one write operation for a given file or directory.
unknown
2008-11-20 03:34:26 UTC
I see what you are saying but I'm not sure how that would work in my
situation.
I am parsing an xml file, Volume_Trustees.xml from a Novell server. The file
contains the rights that each trustee has to the volume. For each directory
that is listed in the xml file I grab the rights, which look something like
this, _RWCEMF_ and convert them to "ListDirectory, Modify, Read,
ReadAndExecute, Write" which I can cast to
[System.Security.AccessControl.FileSystemRights] and apply the permissions
to the folder.

Make sense??
Rob Campbell
2008-11-20 04:03:01 UTC
In that case you're probably better off letting the script construct the acl
for you from the xml data.

I think you may still be able to cut down the time it's taking to run by
cutting down on the directory lookups it's doing.

It appears the function is taking a user name and then doing a directory
lookup to resolve it to a sid so it can construct the ace. I suspect it's
spending a lot of time doing repetitive lookups. Since this is being done
within the function the result of that lookup is discarded when the function
exits. Unless you have a very large user database, I think it would speed
things up a lot if you take the lookup out of the function and move it to
the main script body. From there you can store the result of previous
lookups to a hash table, and only have to look up the sid for each user once,
then pass the sid to the function to set the acl.
unknown
2008-11-21 00:03:53 UTC
Hmm...I don't think the sid lookup is taking that much time. I commented out
the line that actually applies that ACL and that line is definitely the
culprit.
Rob Campbell
2008-11-21 01:15:01 UTC
Do you know how many ACLs it's changing per second?

If you've got auditing enabled, the security event logs should have a record.

Is your target drive local or remote?
unknown
2008-11-21 04:49:16 UTC
Hehehe, it does 0 per second. All I have to do is add a single acl to a root
folder and that takes about 30min on my test directory.
The drive is local.

I get the same issue when applying an acl via the gui which makes me think
it isn't a powershell thing but an ntfs thing.

I'd suspect that when the ACL is added to the root-level folder that the
system starts to propagate the rights down the tree which takes time. Surely
Microsoft have a better way of doing this. Like allowing you to specify a
number of acls before the system starts calculating/propagating rights down
the tree.
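Added example, not code from any poster in this thread: the hash-table SID cache Rob Campbell describes, combined with collecting every rule for a folder in memory and calling Set-Acl once per folder, so inheritance is propagated once per folder rather than once per trustee. The $entries rows, the CONTOSO account names and the function names Resolve-CachedSid and Set-FolderRules are constructed placeholders.

```powershell
# Constructed sample rows standing in for data parsed from Volume_Trustees.xml.
# Paths and account names are placeholders (assumptions, not from the thread).
$entries = @(
    @{ Folder = 'D:\Shares';       User = 'CONTOSO\Staff';      Rights = 'ReadAndExecute' },
    @{ Folder = 'D:\Shares';       User = 'CONTOSO\FileAdmins'; Rights = 'Modify' },
    @{ Folder = 'D:\Shares\Sales'; User = 'CONTOSO\Sales';      Rights = 'Modify' }
)

$sidCache = @{}   # account name -> SecurityIdentifier, resolved once per account

function Resolve-CachedSid {
    param([string]$Account)
    if (-not $sidCache.ContainsKey($Account)) {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        # Translate() throws IdentityNotMappedException for an unknown account
        $sidCache[$Account] = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    }
    $sidCache[$Account]
}

function Set-FolderRules {
    param([string]$Folder, [object[]]$Rules)
    $acl = Get-Acl -Path $Folder              # one read per folder
    foreach ($r in $Rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            (Resolve-CachedSid $r.User),
            [System.Security.AccessControl.FileSystemRights]$r.Rights,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]'None',
            [System.Security.AccessControl.AccessControlType]'Allow')
        $acl.AddAccessRule($ace)              # changes the in-memory ACL only
    }
    Set-Acl -Path $Folder -AclObject $acl     # one write per folder
}

# Group the rows by folder so each folder's ACL is written exactly once
$entries | Group-Object { $_.Folder } | ForEach-Object {
    $folder = $_.Name
    try   { Set-FolderRules -Folder $folder -Rules $_.Group }
    catch { Write-Warning "Failed on ${folder}: $($_.Exception.Message)" }
}
```

NTFS stores inherited ACEs in each child's own security descriptor, so the single write at a large root still has to touch every descendant; batching removes the repeated passes, not the cost of one pass.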