使用Python重置NTFS文件夹的继承权限

Question

I have quite a few folders on an NTFS partition (on Windows 2008) which are not inheriting their permissions from their parents.

I'd like to reset that so they do include those parent permissions (equivalent to checking the "Include inheritable permissions from this object's parent" checkbox under the Advanced Security Settings area).

Since we use Python for some other system management tasks here, I'd like to do it in Python if possible (I know how I can do it in VBScript, but this isn't going to be a one off script, but run regularly, so should integrate with the rest of our codebase).

I've been using the excellent pywin32 extensions and examples from http://timgolden.me.uk/python/win32_how_do_i.html and Google to get started, but I don't see any way to simply say "inherit permissions from parent."

Using AddAccessAllowedAceEx, I can even fake inheritance of something by adding the INHERITED_ACE flag in something like, whether it really is coming from the parent or not:

dacl.AddAccessAllowedAceEx( \
  win32security.ACL_REVISION_DS \
, win32security.OBJECT_INHERIT_ACE | win32security.CONTAINER_INHERIT_ACE | win32security.INHERITED_ACE \
, ntsecuritycon.FILE_GENERIC_READ | ntsecuritycon.FILE_GENERIC_EXECUTE \
, some_sid_here \
)

But how in the world do I know which things to inherit unless I walk the entire path from the root folder and build the inheritance all the way down?

Answer 1

OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE need to be set on the root folder's ACEs. You'll probably also want to clear any permissions set directly on each subfolder and file. (Those would be the ones that don't include INHERITED_ACE in their ACE flags).