We worked this Saturday to resolve our security descriptor issue.
What we did:
-Backup via backup software
-Snapshot on the SAN (two are better than one!)
-We flagged the cluster partition as dirty with fsutil
-Moved the group to the other cluster node
-Since the disk is dirty, the other node fired up chkdsk in correct mode
-Then we started the MS CorrectSD tool... Well, they do not support it... And it didn't work for us. The tool reported many errors (Skipping SD, fails to change SD).
We stopped it before the end, since the files known to be corrected were weird. We could open them (I mean we had access), but the security tab was completely empty (not even SYSTEM).
We decided to use the FilesMapping text files created by CorrectSD to restore impacted folders. 80% of the problems were in a single root folder (the roaming profile one).
Guess what? Restoring with the backup software didn't correct the security tab... We decided to remove all impacted folders and then restore. That worked!
To conclude, interesting things:
-While chkdsk reported security descriptor errors, it didn't change anything (read-only). Our backup software could correctly save the data with the associated good security descriptors.
Only after the chkdsk in correct mode were all SDs broken.
-We fired up a chkdsk in read-only mode after it all; the bug is gone.
Maybe we didn't use the CorrectSD tool correctly. At least, this tool is great: it reads a chkdsk dump file which contains only file IDs (numbers), and then it gives you the mapping between the numbers and the file name and path. So you know which files are in trouble.