JSI Tip 10490. How can I enumerate the permissions of specified security principals on my servers?
Jerold Schulman
May 15, 2006
3 Min Read
Using SubInAcl.exe, I have scripted FindAccess.bat to enumerate the permissions of specified security principals on my servers.
The syntax for using FindAccess.bat on a server is:
FindAccess Drive Report Who1 [Who2 Who3 ... WhoN]
Where:
Drive is a drive letter that you want to enumerate.Report is the location of the CSV output report. If Report exists, it will be updated. The format is: "Security Principal","Computer Name","File System Object","Allow/Deny","Permissions","Owner"WhoX are the security principals you wish to report upon.
NOTE: If Owner is a specified security principal it will be reported.
Sample Usage:
If you wanted to report on "JSIINCDomain Sales" and "JSIINCDomain Marketing" on Server1, which has drive D: and E: with shared data, and Server2, which only has Drive C: with shared data:
Run on Server1:FindAccess D: \YourWorkstationYourShareFindAccess.txt "JSIINCDomain Sales" "JSIINCDomain Marketing" When finished, run on Server1:FindAccess E: \YourWorkstationYourShareFindAccess.txt "JSIINCDomain Sales" "JSIINCDomain Marketing" When finished, run on Server2:FindAccess C: \YourWorkstationYourShareFindAccess.txt "JSIINCDomain Sales" "JSIINCDomain Marketing"
FindAccess.bat contains:
@echo offif {%3}
{} @echo Syntax: FindAccess Drive Report Who1 [Who2 Who3 ... WhoN]&goto :EOFsetlocal EnableDelayedExpansionset RepVar=#@echo +File>"%TEMP%ZS.tmp"@echo /owner>>"%TEMP%ZS.tmp"@echo /pace>>"%TEMP%ZS.tmp"@echo Special acccess :>>"%TEMP%ZS.tmp"set work=%1set work=%work:"=%set drv=%work:~0,1%:set obj=%drv%if exist "%TEMP%FindAccess.tmp" del /q "%TEMP%FindAccess.tmp"set out=%2:loopif {%3}
{} goto fndset perm=%3shiftset perm=%perm:"=%@echo %perm%>>"%TEMP%FindAccess.tmp"goto loop:fndSubInAcl /outputlog="%TEMP%Z1.tmp" /nostatistic /file %obj% /display=Owner /display=DACLSubInAcl /outputlog="%TEMP%Z2.tmp" /nostatistic /subdirectories=DirectoriesOnly %obj% /display=Owner /display=DACLtype "%TEMP%Z1.tmp">"%TEMP%Z3.tmp"type "%TEMP%Z2.tmp">>"%TEMP%Z3.tmp"del /q "%TEMP%Z1.tmp"del /q "%TEMP%Z2.tmp"findstr /I /G:"%TEMP%ZS.tmp" "%TEMP%Z3.tmp">"%TEMP%Z4.tmp"del /q "%TEMP%ZS.tmp"del /q "%TEMP%Z3.tmp"set Prev=Noneif exist "%TEMP%Z5.tmp" del /q "%TEMP%Z5.tmp"@echo.dim fso, readfile, contents, objArguments, oShell>"%TEMP%FindAccess.vbs"@echo.dim FullFileName, object, work>>"%TEMP%FindAccess.vbs"@echo.dim OutFileName, writefile>>"%TEMP%FindAccess.vbs"@echo.Set oShell = CreateObject( "WScript.Shell" )>>"%TEMP%FindAccess.vbs"@echo.comp=oShell.ExpandEnvironmentStrings("%ComputerName%")>>"%TEMP%FindAccess.vbs"@echo.Set objArguments = Wscript.Arguments>>"%TEMP%FindAccess.vbs"@echo.set fso = CreateObject("Scripting.FileSystemObject")>>"%TEMP%FindAccess.vbs"@echo.FullFileName=objArguments(0)>>"%TEMP%FindAccess.vbs"@echo.OutFileName=objArguments(1)>>"%TEMP%FindAccess.vbs"@echo.set readfile = fso.OpenTextFile(FullFileName, 1, false)>>"%TEMP%FindAccess.vbs"@echo.set writefile = fso.CreateTextFile(OutFileName, 2)>>"%TEMP%FindAccess.vbs"@echo prev = "NONE">>"%TEMP%FindAccess.vbs"@echo.Do until readfile.AtEndOfStream = True>>"%TEMP%FindAccess.vbs"@echo. contents = readfile.ReadLine>>"%TEMP%FindAccess.vbs"@echo. contents = Replace(contents, vbTab, " ") ^& " ">>"%TEMP%FindAccess.vbs"@echo. contents = Replace(contents, " ", "")>>"%TEMP%FindAccess.vbs"@echo. contents = Replace(contents, " ", "")>>"%TEMP%FindAccess.vbs"@echo. If InStr(contents, "+File") Then>>"%TEMP%FindAccess.vbs"@echo. object = Replace(contents, "+File ", "")>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. If InStr(contents, "/owner") Then>>"%TEMP%FindAccess.vbs"@echo. owner = Replace(contents, "/owner ", "")>>"%TEMP%FindAccess.vbs"@echo. owner = Replace(owner, " ", "")>>"%TEMP%FindAccess.vbs"@echo. owner = Replace(owner, "=", "")>>"%TEMP%FindAccess.vbs"@echo. user = "">>"%TEMP%FindAccess.vbs"@echo. perm = "">>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. If InStr(contents, "/pace") Then>>"%TEMP%FindAccess.vbs"@echo. user = Replace(contents, "/pace ", "")>>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, "=", "")>>"%TEMP%FindAccess.vbs"@echo. user = "#" ^& user ^& "#">>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, " ", "")>>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, " ", "")>>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, "# ", "#")>>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, " #", "#")>>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, "#", "")>>"%TEMP%FindAccess.vbs"@echo. if InStr(user, "ACCESS_ALLOWED_ACE_TYPE-0x0") Then>>"%TEMP%FindAccess.vbs"@echo. ptype = "Allow">>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, "ACCESS_ALLOWED_ACE_TYPE-0x0", "")>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. if InStr(user, "ACCESS_DENIED_ACE_TYPE-0x1") Then>>"%TEMP%FindAccess.vbs"@echo. ptype = "Deny">>"%TEMP%FindAccess.vbs"@echo. user = Replace(user, "ACCESS_DENIED_ACE_TYPE-0x1", "")>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. If InStr(contents, "Special acccess :") Then>>"%TEMP%FindAccess.vbs"@echo. perm = Replace(contents, "Special acccess :", "")>>"%TEMP%FindAccess.vbs"@echo. perm = Replace(perm, " ", "")>>"%TEMP%FindAccess.vbs"@echo. perm = Replace(perm, " -", "-")>>"%TEMP%FindAccess.vbs"@echo. if perm = " " Then>>"%TEMP%FindAccess.vbs"@echo. perm = Replace(perm, " ", "")>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. if perm ^ nul Then>>"%TEMP%FindAccess.vbs"@echo. wrk1 =
" ^& user ^&
,
^& comp ^&
,
^& object ^&
,
^& ptype ^&
,
^& perm ^&
,
^& owner ^&
">>"%TEMP%FindAccess.vbs"@echo wrk2 = Replace(wrk1, "
,
")>>"%TEMP%FindAccess.vbs"@echo wrk3 = Replace(wrk2, "
,
")>>"%TEMP%FindAccess.vbs"@echo. if wrk3 ^ prev Then>>"%TEMP%FindAccess.vbs"@echo. writefile.writeLine wrk3>>"%TEMP%FindAccess.vbs"@echo. prev = wrk3>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo. End If>>"%TEMP%FindAccess.vbs"@echo.loop>>"%TEMP%FindAccess.vbs"@echo.readfile.close>>"%TEMP%FindAccess.vbs"@echo.writefile.close>>"%TEMP%FindAccess.vbs"cscript //nologo "%TEMP%FindAccess.vbs" "%TEMP%Z4.tmp" "%TEMP%Z5.tmp"del /q "%TEMP%Z4.tmp"if exist "%TEMP%Z6.tmp" del /q "%TEMP%Z6.tmp"if exist "%TEMP%Z7.tmp" del /q "%TEMP%Z7.tmp"findstr /L /I /G:"%TEMP%FindAccess.tmp" "%TEMP%Z5.tmp">"%TEMP%Z6.tmp"del /q "%TEMP%Z5.tmp"del /q "%TEMP%FindAccess.tmp"del /q "%TEMP%FindAccess.vbs"if exist %out% call :quiet1>nul 2>&1if not exist %out% call :quiet2>nul 2>&1 sort "%TEMP%Z7.tmp" /O %out%del /q "%TEMP%Z7.tmp"endlocalgoto :EOF:quiet1copy %out%+"%TEMP%Z6.tmp" "%TEMP%Z7.tmp"del /q "%TEMP%Z6.tmp"del /q %out%goto :EOF:quiet2copy "%TEMP%Z6.tmp" "%TEMP%Z7.tmp"del /q "%TEMP%Z6.tmp"
About the Author
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
You May Also Like