NTFS Permissions and DrivePool

[Shane]

Spend long enough working with Windows and you may become familiar with NTFS permissions. As an operating system intended to handle multiple users, Windows maintains records that describe which user owns each file and folder and how much access each user has to those files and folders. These records are kept on the same volumes as those files and folders. Unfortunately, in the course of moving or copying folders and files around, Windows may fail to properly update these settings for a variety of reasons (e.g. bugs, bit errors, power interruptions, failing hardware).

This can mean files and folders that you can no longer delete, access or even have ownership of anymore, sometimes for no obvious reason when you check via the Security tab of the file/folder's Properties (they can look fine but actually be broken inside).

So, first up, here’s what the default permissions for a pool drive should look like:

And now here’s what the default permissions for the hidden poolpart folder on any drive added to the pool should look like:

The above are taken from a freshly created pool using a previously unformatted drive, on a computer named CASTLE that is using Windows 10 Professional. I believe it should be the same for all supported versions of Windows so far.

• Any entries that are marked Deny override entries that are marked Allow. There are limited exceptions for SYSTEM.
• It is optional for a hidden poolpart folder to Inherit its permissions from its parent drive.
• It is recommended that the Administrators account have Full control of all poolpart folders, subfolders and files.
• It is necessary that the SYSTEM account have Full control of all poolpart folders, subfolders and files.
• The permissions of files and folders in a pool drive are the permissions of those files and folders in the constituent poolpart folders.
• Caveat: duplicates are expected to have identical permissions (because in normal practice, only DrivePool should be creating them).

My next post in this thread will describe how I go about fixing these permissions when they go bad.

[Shane]

Edit: https://wiki.covecube.com/StableBit_DrivePool_Q5510455 is the normal, Stablebit-approved method to reset NTFS permissions. It should suffice in most cases, and it's easier to do than my method, so try it first.

To fix these broken NTFS permissions I now use a freeware program called SetACL because - at least in my experience - it properly supports both long paths and unicode and can fix damaged security records that Windows builtin tab and utilities like takeown and icacls can’t (for reasons that personally I boil down to “unicode and long paths were added to Windows partly via the programming equivalent of lots of duct tape”). If you're a sysadmin I recommend checking out the rest of the site too!

The following is a quick guide to how I use SetACL to reset my pool permissions on my own machines (this does not include resetting the System Volume Information folder, dealing with that is the next post). Your mileage may vary; you should always have backups of anything you don't want to lose.

Note: if you have customised your pool's security permissions (e.g. for multiple users with different access rights) be aware that you may need to customise the following commands (particularly the fourth) in this post to suit your changes, or adjust the permissions subsequently.

I download the SetACL for Administrators (not the Studio) from here. It's freeware (as is the Studio version if you want a GUI). Open the zip file and copy SetACL.exe from the 32bit or 64bit folder (as appropriate) to wherever you want to keep it so long as that location is OUTSIDE of your pools.

Open a command prompt as an Administrator and enter the following commands in order (where X:\ is the location of SetACL.exe and P:\ is the location of your pool drive - and that's very important, do not get confused, do not put in the wrong drive letters):

Net stop "stablebit drivepool service"

X:\SetACL.exe -on P:\ -ot file -actn setowner -ownr "n:Administrators" -rec cont_obj -fltr "System Volume Information" -fltr "$RECYCLE.BIN"

X:\SetACL.exe -on P:\ -ot file -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl" -fltr "System Volume Information" -fltr "$RECYCLE.BIN"

X:\SetACL.exe -on P:\ -ot file -actn ace -ace "n:Authenticated Users;p:change" -ace "n:SYSTEM;p:full" -ace "n:Administrators;p:full" -ace "n:Users;p:read_ex" -fltr "System Volume Information" -fltr "$RECYCLE.BIN"

Net start "stablebit drivepool service"

The first and last commands stop and start DrivePool respectively; the second command takes ownership (since you need to have ownership before you can alter any permissions that would otherwise prevent you from altering permissions), the third resets all existing permissions and enables inheritance of new permissions, and the fourth grants new permissions (I’ve used the Windows 10 defaults that should be compatible with all versions of Windows that are compatible with DrivePool); the special folders used for System Volume Information and Recycle Bin have been excluded as a precaution.

If you are still getting permission errors even after running all five commands in order, you can try running them directly on each of the individual poolpart folders. So for example if "E:" was one of the drives you'd added to your pool "T:", then you'd use E:\PoolPart.guidstring instead of T:\ in the above commands to run it on that poolpart folder (tip: when you're using the command prompt, pressing the tab key after you've typed PoolPart into the command prompt should fill in the correct guidstring for you). Note: poolpart folders contain a ".covefs" folder; do not apply non-default permissions to that folder unless you know exactly what you are doing.

If your pool contains a lot of files (the size of each file doesn't matter), these commands may take a while to complete (my primary pool, with ~600k files, takes a couple of hours).

[Shane]

The special System Volume Information folder is normally generated by the Windows operating system on every NTFS volume (amongst others). It is owned by the Administrators group and it does not inherit permissions from any parent. Its own permissions for the folder, subfolders and files consists only of Full Control for the SYSTEM account and nothing else, however in practice subfolders and files may be owned by and have permissions for other users and/or groups. It can thus be difficult to repair even with SetACL.

Please note that the following methods have not been extensively tested (in fact the word "barely" might be more applicable) and the same rules and warnings as for my post above apply.

On very rare occasions this folder can become damaged. If you're not too unlucky it's only Microsoft's WPSettings.dat file that broke (insert rant here) and you might try the following via an Administrator command prompt:

net stop "stablebit drivepool service"

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn setowner -ownr "n:Administrators"

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn clear -clr "dacl,sacl"

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn ace -ace "n:SYSTEM;p:full" -ace "n:Administrators;p:full"

X:\SetACL.exe -on "P:\System Volume Information\WPSettings.dat" -ot file -actn setowner -ownr "n:Administrators"

X:\SetACL.exe -on "P:\System Volume Information\WPSettings.dat" -ot file -actn clear -clr "dacl,sacl"

X:\SetACL.exe -on "P:\System Volume Information\WPSettings.dat" -ot file -actn ace -ace "n:SYSTEM;p:full" -ace "n:Administrators;p:full"

del "P:\System Volume Information\WPSettings.dat"

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn clear -clr "dacl,sacl"

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn ace -ace "n:SYSTEM;p:full"

net start "stablebit drivepool service"

But if you're more unlucky and that doesn't work and/or more than that broke then... well... this is how you'd give up and delete the whole folder so that Windows regenerates it, again via an Administrator command prompt:

net stop "stablebit drivepool service"

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn setowner -ownr "n:Administrators" -rec cont_obj

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl"

X:\SetACL.exe -on "P:\System Volume Information" -ot file -actn ace -ace "n:SYSTEM;p:full" -ace "n:Administrators;p:full"

rmdir /Q "P:\System Volume Information"

net start "stablebit drivepool service"

If even that doesn't work then I'd suggest manually evacuating / removing the problem drive from the pool. Keep your backups handy.

[Christopher (Drashna)]

(also: https://wiki.covecube.com/StableBit_DrivePool_Q5510455 )

[Shane]

I've occasionally had problems with using Windows own built-in security tab to fix pools where (very) long paths are involved and/or where the permissions have broken in a way that isn't repaired by the tab. And when the usual power combo of takeown+icacls didn't fix them either (and wow finding out "why not?" was a trip down a rabbit hole), that's when I went hunting and thankfully found SetACL (which is why I've finally gotten around to creating this thread). I have however now edited my second post above to mention the wiki article at the top.

[Christopher (Drashna)]

Valid point.  I think there is a powershell command for this stuff, as well. And that should handle things much better than the older commands.  I'll do some digging on that. 

[TripleR]

Chris,  your link (StableBit DrivePool Q5510455) is awesome.  I was changing servers and due to my past experience, I was dreading connecting it to the pool.  I followed the directions and it appears to have worked.  My only suggestion for the inexperienced like myself would be to be more specific right in the beginning where it states to "Right Click on the drive".  That's where I stumbled a bit and then decided it meant "DrivePool".  I hope that was correct because like I said earlier, everything seems to be working. :-)

[jamesbk11218]

I know this is old but just wanted to say thank you. The steps in the second post fixed this issue for me. Even though I was not sure whether "p" meant the drive where the drivepool program is installed or the individual DP Drive letters (I have 4 Pools). Thanks again!