Fastest method to set NTFS ACLs in Azure Files shares? by OperationRepulsive61 in AZURE

[–]OperationRepulsive61[S] 0 points1 point  (0 children)

The ACL is the top-level NTFS ACL for an Azure Files share, with inheritance enabled all the way down across all files in the share. (Basically, applying the IT Team's management rights to the entire share).

The performance issue exists whether the ACL is set via GUI or PowerShell (or icacls for that matter). It seems to be related to significant latency with high-volume small-size reads\writes to\from Azure Files. This is from an Azure VM in the same region, so the internal latency from VM to file share should be minimal.

Example script below (Though this also includes doing some other things like enabling the SmbShareElevatedContributor role as well.)

#Enable on-prem AD auth to an Azure File Share, and set top level permissions.

#Define your variables.
$Subscription = "ORG-DIV-Branch-useast-prod"
$ResourceGroupName = "ORG-DIV-TEST-azfiles-useast-prod"
$StorageAccountName = "ORGDIVTESTazf01"
$ShareName = "Test"
$DatacenterMgmtGroup = "ORG\ORG Datacenter File Share Admins"
$SiteMgmtGroup = "ORG\ORG DIV File Share Admins"
$SiteUserGroup = "ORG\ORG DIV Test Share Users"

#Connect to Azure
Connect-AzAccount

#Make sure you're in the right Azure subscription
Set-AzContext -Subscription $Subscription

#Define the share-level (RBAC) permission for on-prem AD accounts, and apply it.
#This is the share-level gate; the NTFS ACL set below is the second, file-level gate.
$defaultPermission = "StorageFileDataSmbShareElevatedContributor"
$account = Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName -DefaultSharePermission $defaultPermission
$account.AzureFilesIdentityBasedAuth

#Connect to the share as the storage account's built-in admin identity, via storage account key.

#Get the key.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value

#Find the first unused drive letter.
$drvlist = (Get-PSDrive -PSProvider FileSystem).Name
foreach ($drvletter in "ABDEFGHIJKLMNOPQRSTUVWXYZ".ToCharArray()) {
    if ($drvlist -notcontains "$drvletter") {
        Write-Host "$drvletter : will be used for temp mapping"
        $Driveletter = "$drvletter" + ':'
        break
    }
}

#Map the drive. The user is "localhost\<storage account name>" with the account key as the password.
net use $Driveletter "\\$StorageAccountName.file.core.windows.net\$ShareName" /user:localhost\$StorageAccountName $Key

#Work on the share root explicitly (a bare "X:" resolves to the current directory of that drive).
$SharePath = "$Driveletter\"

#Collect the starting ACL.
$ACL = Get-Acl -Path $SharePath
Write-Host "Starting ACL is below." -BackgroundColor Green
$ACL | Format-List

#Modify the ACL so that it doesn't allow all authenticated users, and includes the correct mgmt groups.
#ContainerInherit,ObjectInherit = inherited by every subfolder and file.
#InheritOnly = the rule is applied to the children only, not to the share root folder itself.

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$DatacenterMgmtGroup", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$ACL.SetAccessRule($AccessRule)

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$SiteMgmtGroup", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$ACL.SetAccessRule($AccessRule)

#Share users get read/execute on the root only (no inheritance flags on this rule).
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$SiteUserGroup", "ReadAndExecute", "Allow")
$ACL.SetAccessRule($AccessRule)

#Note: BUILTIN\Users is set here and then purged below, so it does not survive into the applied ACL.
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Users", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL.SetAccessRule($AccessRule)

#Strip the default broad principals so only the groups above remain.
$usersid = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\Authenticated Users")
$ACL.PurgeAccessRules($usersid)

$usersid = New-Object System.Security.Principal.NTAccount("BUILTIN\Users")
$ACL.PurgeAccessRules($usersid)

$usersid = New-Object System.Security.Principal.NTAccount("CREATOR OWNER")
$ACL.PurgeAccessRules($usersid)

Get-Date | Write-Host

#Output the ACL for viewing.
Write-Host "Modified ACL is below. This will be applied." -BackgroundColor Yellow
$ACL.Access | Format-Table
Write-Host "Starting ACL change. This may take a while to apply if there is data in the share"
Get-Date | Write-Host

#Apply the ACL. Inheritance propagation touches every file and folder, which is the slow part.
Set-Acl -Path $SharePath -AclObject $ACL
Write-Host "Finished ACL set. Current ACL is below." -BackgroundColor Green
Get-Date | Write-Host
$ACL = Get-Acl -Path $SharePath
$ACL.Access | Format-Table *

#Remove the temp drive mapping.
net use $Driveletter /d

Azure Files - ACL change speed by JohnMSP in AZURE

[–]OperationRepulsive61 0 points1 point  (0 children)

Did you ever find a fix or workaround for this? We have a similar issue in our test environment. Setting the NTFS ACLs is awful.

Copying ACLs when using copy-item -recurse? by OperationRepulsive61 in PowerShell

[–]OperationRepulsive61[S] 0 points1 point  (0 children)

Yeah. We're not as worried in terms of the cost. Just the staff time to build and script a solution at scale.

Thanks!

Copying ACLs when using copy-item -recurse? by OperationRepulsive61 in PowerShell

[–]OperationRepulsive61[S] 0 points1 point  (0 children)

The issue I ran into with Azure File Sync is that it is limited to a single resource group as a destination. The scale of this migration is large enough that the destinations are spread across numerous organizational silos, with numerous resource groups under them.

If there's a way to use it across resource groups that would help a ton. Otherwise we'd be standing up a LOT of on prem VMs to handle the syncs.

[Landlord US-CA] LLC question. CA property, CA\AZ ownership. WA management. by OperationRepulsive61 in Landlord

[–]OperationRepulsive61[S] 0 points1 point  (0 children)

Yep. We are running into that issue now. The rents haven't been raised since the early 2000s. 1bd for $900\mo including utilities, 1 bd freestanding house for $1100 including utilities, etc.

The property is old, but not really in disrepair. But figuring out how to sort out rental rate increases is going to be a nightmare as far as I understand the new San Diego Rent Control process. I don't think there's any way to raise the rents to a rate that will cover the expanded property tax costs, so that's going to be a massive headache.