From 9d9575c9efe3fbf767ef2b4e8c1a45d44d2ed55a Mon Sep 17 00:00:00 2001 From: Meik Date: Wed, 18 Mar 2026 15:54:42 +0100 Subject: [PATCH] Skip NTFS ensure and traverse on share roots --- LiamNtfs/C4IT.LIAM.Ntfs.cs | 16 ++++++++++++++++ LiamNtfs/C4IT_IAM_SET/DataArea_FileSystem.cs | 17 +++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/LiamNtfs/C4IT.LIAM.Ntfs.cs b/LiamNtfs/C4IT.LIAM.Ntfs.cs index 937c97a..59bd96f 100644 --- a/LiamNtfs/C4IT.LIAM.Ntfs.cs +++ b/LiamNtfs/C4IT.LIAM.Ntfs.cs @@ -648,6 +648,15 @@ namespace C4IT.LIAM bool ensureTraverseGroups = false, bool whatIf = false) { + if (!IsPermissionManagedFolderPath(folderPath)) + { + return Task.FromResult(new ResultToken(System.Reflection.MethodBase.GetCurrentMethod().ToString()) + { + resultErrorId = 30008, + resultMessage = $"NTFS permission ensure is only supported for folder paths. Shares, DFS namespaces and server roots are skipped: {folderPath}" + }); + } + var parentPath = Directory.GetParent(folderPath)?.FullName; var engine = CreateFilesystemEngine( folderPath, @@ -704,6 +713,7 @@ namespace C4IT.LIAM groupTraverseTag = GetRequiredCustomTag("Filesystem_GroupTraverseTag"), groupDLTag = requiresDomainLocalTag ? GetRequiredCustomTag("Filesystem_GroupDomainLocalTag") : string.Empty, groupGTag = GetRequiredCustomTag("Filesystem_GroupGlobalTag"), + CanManagePermissionsForPath = IsPermissionManagedFolderPath, forceStrictAdGroupNames = IsAdditionalConfigurationEnabled("ForceStrictAdGroupNames") }; @@ -726,6 +736,12 @@ namespace C4IT.LIAM || rawValue.Equals("yes", StringComparison.OrdinalIgnoreCase); } + public bool IsPermissionManagedFolderPath(string path) + { + var classification = ClassifyPath(path); + return classification != null && classification.Kind == eNtfsPathKind.Folder; + } + private IEnumerable BuildSecurityGroupTemplates() { var templates = new List(); diff --git a/LiamNtfs/C4IT_IAM_SET/DataArea_FileSystem.cs b/LiamNtfs/C4IT_IAM_SET/DataArea_FileSystem.cs index a9b6a55..9ac3272 100644 --- a/LiamNtfs/C4IT_IAM_SET/DataArea_FileSystem.cs +++ b/LiamNtfs/C4IT_IAM_SET/DataArea_FileSystem.cs @@ -52,6 +52,7 @@ namespace C4IT_IAM_SET public ICollection ownerUserSids; public ICollection readerUserSids; public ICollection writerUserSids; + public Func CanManagePermissionsForPath; public bool forceStrictAdGroupNames; public bool WhatIf; @@ -481,6 +482,22 @@ namespace C4IT_IAM_SET break; } + if (CanManagePermissionsForPath != null && !CanManagePermissionsForPath(parent.FullName)) + { + DefaultLogger.LogEntry(LogLevels.Debug, $"Überspringe Traverse-Verarbeitung für nicht verwaltbaren NTFS-Pfad: {parent.FullName}"); + parent = parent.Parent; + if (parent != null) + { + lvl = DataArea.GetRelativePath(parent.FullName, baseFolder).Count(n => n == Path.DirectorySeparatorChar); + DefaultLogger.LogEntry(LogLevels.Debug, $"Neue Ebene (lvl) nach Überspringen: {lvl}"); + } + else + { + DefaultLogger.LogEntry(LogLevels.Debug, "Parent nach Überspringen ist null."); + } + continue; + } + DefaultLogger.LogEntry(LogLevels.Debug, $"Hole ACL für Ordner: {parent.FullName}"); AuthorizationRuleCollection ACLs = null; try