JSI Tip 10490. How can I enumerate the permissions of specified security principals on my servers?

Jerold Schulman

May 15, 2006



Using SubInAcl.exe, I have scripted FindAccess.bat to enumerate the permissions of specified security principals on my servers.

The syntax for using FindAccess.bat on a server is:

FindAccess Drive Report Who1 [Who2 Who3 ... WhoN]

Where:

Drive  is the drive letter that you want to enumerate.

Report is the location of the CSV output report. If Report exists, it will be updated. The format is:

       "Security Principal","Computer Name","File System Object","Allow/Deny","Permissions","Owner"

WhoX   are the security principals you wish to report upon.

NOTE: If the Owner of a file system object is one of the specified security principals, that object's entries are reported as well, because the final filter matches the principal name in any column of the CSV line.

Sample Usage:

If you wanted to report on "JSIINC\Domain Sales" and "JSIINC\Domain Marketing" on Server1, which has drives D: and E: with shared data, and Server2, which only has drive C: with shared data:

Run on Server1:

FindAccess D: \\YourWorkstation\YourShare\FindAccess.txt "JSIINC\Domain Sales" "JSIINC\Domain Marketing"

When finished, run on Server1:

FindAccess E: \\YourWorkstation\YourShare\FindAccess.txt "JSIINC\Domain Sales" "JSIINC\Domain Marketing"

When finished, run on Server2:

FindAccess C: \\YourWorkstation\YourShare\FindAccess.txt "JSIINC\Domain Sales" "JSIINC\Domain Marketing"

FindAccess.bat contains:

@echo off
if {%3}=={} @echo Syntax: FindAccess Drive Report Who1 [Who2 Who3 ... WhoN]&goto :EOF
setlocal EnableDelayedExpansion
set RepVar=#
REM Search strings that select the SubInAcl output lines we need.
REM "Special acccess :" is spelled the way SubInAcl itself writes it.
@echo +File>"%TEMP%\ZS.tmp"
@echo /owner>>"%TEMP%\ZS.tmp"
@echo /pace>>"%TEMP%\ZS.tmp"
@echo Special acccess :>>"%TEMP%\ZS.tmp"
REM Drive letter (quotes stripped), report path, then one principal per line in FindAccess.tmp
set work=%1
set work=%work:"=%
set drv=%work:~0,1%:
set obj=%drv%
if exist "%TEMP%\FindAccess.tmp" del /q "%TEMP%\FindAccess.tmp"
set out=%2
:loop
if {%3}=={} goto fnd
set perm=%3
shift
set perm=%perm:"=%
@echo %perm%>>"%TEMP%\FindAccess.tmp"
goto loop
:fnd
REM Dump owner and DACL of the root and of every directory beneath it
SubInAcl /outputlog="%TEMP%\Z1.tmp" /nostatistic /file %obj% /display=Owner /display=DACL
SubInAcl /outputlog="%TEMP%\Z2.tmp" /nostatistic /subdirectories=DirectoriesOnly %obj% /display=Owner /display=DACL
type "%TEMP%\Z1.tmp">"%TEMP%\Z3.tmp"
type "%TEMP%\Z2.tmp">>"%TEMP%\Z3.tmp"
del /q "%TEMP%\Z1.tmp"
del /q "%TEMP%\Z2.tmp"
findstr /I /G:"%TEMP%\ZS.tmp" "%TEMP%\Z3.tmp">"%TEMP%\Z4.tmp"
del /q "%TEMP%\ZS.tmp"
del /q "%TEMP%\Z3.tmp"
set Prev=None
if exist "%TEMP%\Z5.tmp" del /q "%TEMP%\Z5.tmp"
REM Generate the VBScript that turns the filtered SubInAcl lines into CSV rows
@echo.dim fso, readfile, contents, objArguments, oShell>"%TEMP%\FindAccess.vbs"
@echo.dim FullFileName, object, work>>"%TEMP%\FindAccess.vbs"
@echo.dim OutFileName, writefile>>"%TEMP%\FindAccess.vbs"
@echo.Set oShell = CreateObject( "WScript.Shell" )>>"%TEMP%\FindAccess.vbs"
@echo.comp=oShell.ExpandEnvironmentStrings("%ComputerName%")>>"%TEMP%\FindAccess.vbs"
@echo.Set objArguments = Wscript.Arguments>>"%TEMP%\FindAccess.vbs"
@echo.set fso = CreateObject("Scripting.FileSystemObject")>>"%TEMP%\FindAccess.vbs"
@echo.FullFileName=objArguments(0)>>"%TEMP%\FindAccess.vbs"
@echo.OutFileName=objArguments(1)>>"%TEMP%\FindAccess.vbs"
@echo.set readfile = fso.OpenTextFile(FullFileName, 1, false)>>"%TEMP%\FindAccess.vbs"
@echo.set writefile = fso.CreateTextFile(OutFileName, 2)>>"%TEMP%\FindAccess.vbs"
@echo prev = "NONE">>"%TEMP%\FindAccess.vbs"
@echo.Do until readfile.AtEndOfStream = True>>"%TEMP%\FindAccess.vbs"
@echo. contents = readfile.ReadLine>>"%TEMP%\FindAccess.vbs"
@echo. contents = Replace(contents, vbTab, " ") ^& " ">>"%TEMP%\FindAccess.vbs"
@echo. contents = Replace(contents, "   ", "")>>"%TEMP%\FindAccess.vbs"
@echo. contents = Replace(contents, "  ", "")>>"%TEMP%\FindAccess.vbs"
@echo. If InStr(contents, "+File") Then>>"%TEMP%\FindAccess.vbs"
@echo. object = Replace(contents, "+File ", "")>>"%TEMP%\FindAccess.vbs"
@echo. End If>>"%TEMP%\FindAccess.vbs"
@echo. If InStr(contents, "/owner") Then>>"%TEMP%\FindAccess.vbs"
@echo. owner = Replace(contents, "/owner ", "")>>"%TEMP%\FindAccess.vbs"
@echo. owner = Replace(owner, "  ", "")>>"%TEMP%\FindAccess.vbs"
@echo. owner = Replace(owner, "=", "")>>"%TEMP%\FindAccess.vbs"
@echo.   user = "">>"%TEMP%\FindAccess.vbs"
@echo.   perm = "">>"%TEMP%\FindAccess.vbs"
@echo. End If>>"%TEMP%\FindAccess.vbs"
@echo. If InStr(contents, "/pace") Then>>"%TEMP%\FindAccess.vbs"
@echo. user = Replace(contents, "/pace ", "")>>"%TEMP%\FindAccess.vbs"
@echo. user = Replace(user, "=", "")>>"%TEMP%\FindAccess.vbs"
@echo.   user = "#" ^& user ^& "#">>"%TEMP%\FindAccess.vbs"
@echo. user = Replace(user, "   ", "")>>"%TEMP%\FindAccess.vbs"
@echo. user = Replace(user, "  ", "")>>"%TEMP%\FindAccess.vbs"
@echo. user = Replace(user, "# ", "#")>>"%TEMP%\FindAccess.vbs"
@echo. user = Replace(user, " #", "#")>>"%TEMP%\FindAccess.vbs"
@echo. user = Replace(user, "#", "")>>"%TEMP%\FindAccess.vbs"
@echo.   if InStr(user, "ACCESS_ALLOWED_ACE_TYPE-0x0") Then>>"%TEMP%\FindAccess.vbs"
@echo.     ptype = "Allow">>"%TEMP%\FindAccess.vbs"
@echo.     user = Replace(user, "ACCESS_ALLOWED_ACE_TYPE-0x0", "")>>"%TEMP%\FindAccess.vbs"
@echo.   End If>>"%TEMP%\FindAccess.vbs"
@echo.   if InStr(user, "ACCESS_DENIED_ACE_TYPE-0x1") Then>>"%TEMP%\FindAccess.vbs"
@echo.     ptype = "Deny">>"%TEMP%\FindAccess.vbs"
@echo.     user = Replace(user, "ACCESS_DENIED_ACE_TYPE-0x1", "")>>"%TEMP%\FindAccess.vbs"
@echo.   End If>>"%TEMP%\FindAccess.vbs"
@echo. End If>>"%TEMP%\FindAccess.vbs"
@echo. If InStr(contents, "Special acccess :") Then>>"%TEMP%\FindAccess.vbs"
@echo. perm = Replace(contents, "Special acccess :", "")>>"%TEMP%\FindAccess.vbs"
@echo. perm = Replace(perm, "  ", "")>>"%TEMP%\FindAccess.vbs"
@echo. perm = Replace(perm, " -", "-")>>"%TEMP%\FindAccess.vbs"
@echo.   if perm = " " Then>>"%TEMP%\FindAccess.vbs"
@echo.     perm = Replace(perm, " ", "")>>"%TEMP%\FindAccess.vbs"
@echo.   End If>>"%TEMP%\FindAccess.vbs"
@echo.   if perm ^<^> "" Then>>"%TEMP%\FindAccess.vbs"
REM Build the quoted CSV row, then strip the blanks next to the quotes and drop consecutive duplicates
@echo.     wrk1 = """" ^& user ^& """,""" ^& comp ^& """,""" ^& object ^& """,""" ^& ptype ^& """,""" ^& perm ^& """,""" ^& owner ^& """">>"%TEMP%\FindAccess.vbs"
@echo      wrk2 = Replace(wrk1, " """, """")>>"%TEMP%\FindAccess.vbs"
@echo      wrk3 = Replace(wrk2, """ ", """")>>"%TEMP%\FindAccess.vbs"
@echo.     if wrk3 ^<^> prev Then>>"%TEMP%\FindAccess.vbs"
@echo.       writefile.writeLine wrk3>>"%TEMP%\FindAccess.vbs"
@echo.       prev = wrk3>>"%TEMP%\FindAccess.vbs"
@echo.     End If>>"%TEMP%\FindAccess.vbs"
@echo.   End If>>"%TEMP%\FindAccess.vbs"
@echo. End If>>"%TEMP%\FindAccess.vbs"
@echo.loop>>"%TEMP%\FindAccess.vbs"
@echo.readfile.close>>"%TEMP%\FindAccess.vbs"
@echo.writefile.close>>"%TEMP%\FindAccess.vbs"
cscript //nologo "%TEMP%\FindAccess.vbs" "%TEMP%\Z4.tmp" "%TEMP%\Z5.tmp"
del /q "%TEMP%\Z4.tmp"
if exist "%TEMP%\Z6.tmp" del /q "%TEMP%\Z6.tmp"
if exist "%TEMP%\Z7.tmp" del /q "%TEMP%\Z7.tmp"
REM Keep only the rows that mention one of the requested principals (in any column)
findstr /L /I /G:"%TEMP%\FindAccess.tmp" "%TEMP%\Z5.tmp">"%TEMP%\Z6.tmp"
del /q "%TEMP%\Z5.tmp"
del /q "%TEMP%\FindAccess.tmp"
del /q "%TEMP%\FindAccess.vbs"
REM Append to an existing report if there is one, then write the sorted result
if exist %out% call :quiet1>nul 2>&1
if not exist %out% call :quiet2>nul 2>&1
sort "%TEMP%\Z7.tmp" /O %out%
del /q "%TEMP%\Z7.tmp"
endlocal
goto :EOF
:quiet1
copy %out%+"%TEMP%\Z6.tmp" "%TEMP%\Z7.tmp"
del /q "%TEMP%\Z6.tmp"
del /q %out%
goto :EOF
:quiet2
copy "%TEMP%\Z6.tmp" "%TEMP%\Z7.tmp"
del /q "%TEMP%\Z6.tmp"


