Home directory permissions issues.
Found: How to display the security permissions of a file from the filer which mentions the fsecurity command. Also found the white paper Bulk Security Quick Start Guide. Information about the Security Descriptor Definition Language SDDL at MSDN. From a comment on that page, I found Mark Minasi’s newsletter describing the SDDL syntax.
After poking at a few things with SubInACL.exe, I used the secedit utility from NetApp to create a security job file.
I created a new file, added a locationâ€/vol/testvolâ€, then added the BUILTIN\Administrator user with Full Control. This generated a file containing the following:
cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1200a9;;;Everyone)(A;CIOI;0x1f01ff;;;builtin\administrators)"
The instruction are specific that you can’t remove the “Everyone†ACE, which is exactly what I wanted to do. So I edited the generated text file to remove that ACE, resulting in the following:
cb56f6f4
1,0,"/vol/testvol",0,"D:(A;CIOI;0x1f01ff;;;BUILTIN\Administrators)"
The command fsecurity apply /vol/path/to/file appears to have corrected the permissions just fine. I edited the file’s location to another affect volume and that worked as well.
