Tuesday, February 12, 2008

Xcacls.vbs directories only and column output truncated

As I mentioned earlier, the xcacls.vbs output is truncated, so the information is not fully presented; e.g. usernames are cut at 24 characters. This got very annoying, so I was happy to find a solution: widen the column widths that xcacls.vbs passes to strPackString in the two lines that print the ACL table. The line numbers below are from the copy of xcacls.vbs I have and may differ in other versions of the script:
Edit xcacls.vbs line 593, Call PrintMsg( strPackString... (the table header)
Edit xcacls.vbs line 614, Call AddStringToArray(arraystrACLS, ... (one row per ACE)

I changed the two lines to:
Call PrintMsg( strPackString("Type", 8, 1, TRUE) & strPackString("Username", 50, 1, TRUE) & strPackString("Permissions", 42, 1, TRUE) & strPackString("Inheritance", 35, 1, TRUE))
For Each objDACL_Member in objSecDescriptor.DACL

Call AddStringToArray(arraystrACLS, strPackString(strAceType, 8, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 50, 1, TRUE) & strPackString(TempSECString, 42, 1, TRUE) & strPackString(strAceFlags, 35, 1, TRUE),-1)
Set objtrustee = Nothing

Now the output is more useful.

The next problem is that I cannot get xcacls.vbs to work only on folders when querying subdirectories. The /s /t parameters do traverse subdirectories, but they include files, which is not what I want!

This does not seem possible; I cannot find a combination of switches that traverses subdirectories but displays only directory permissions and not files too. I get output like this (note that a plain file is reported under the "Directory:" heading):
**************************************************************************
Directory: d:\data\file.txt

Permissions:
Type Username Permissions Inheritance
...


So I had to write a small wrapper that only runs xcacls.vbs on a predefined list of directories, without /s or /t at all. This does not scale!

What I would rather have is a script that gets a directory listing from the remote server, checks whether each entry is a directory, and calls xcacls.vbs only on the directories. I don't have that yet :-)

A better solution is needed.
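Here is the kind of wrapper the post asks for, written in PowerShell as an added example (it is not code from the original post): it lists the remote server's folder tree over the administrative share, skips files, and runs xcacls.vbs /SERVER once per folder with the path as the server sees it, writing each folder's ACL to its own file. The server name, root folder, xcacls.vbs location and output folder in the param block are placeholders, not values from the post; the script file name used in the usage note is also assumed.

```powershell
# Added example (not from the original post): list a remote server's folder tree
# over its admin share, skip files, and run xcacls.vbs /SERVER once per folder.
# Server name, root path, xcacls.vbs location and output folder are placeholders.
param(
    [string]$Server = 'fileserver',            # remote file server (assumed)
    [string]$Root   = 'd:\dat',                # root folder as seen on that server (assumed)
    [string]$Xcacls = 'C:\xcacls\xcacls.vbs',  # local copy of xcacls.vbs (assumed)
    [string]$OutDir = '.\acl-audit',           # one output file per folder goes here
    [switch]$DryRun                            # print the xcacls commands instead of running them
)

# d:\dat on the server is listed over its admin share as \\server\d$\dat.
function ConvertTo-AdminSharePath {
    param([string]$Server, [string]$LocalPath)
    if (-not ($LocalPath -match '^([A-Za-z]):\\?(.*)$')) {
        throw "Expected a drive-letter path, got '$LocalPath'"
    }
    '\\' + $Server + '\' + $Matches[1] + '$\' + $Matches[2]
}

# Reverse mapping, so xcacls.vbs /SERVER gets the path the way the server sees it.
function ConvertTo-ServerLocalPath {
    param([string]$Server, [string]$UncPath)
    $pattern = '^\\\\' + [regex]::Escape($Server) + '\\([A-Za-z])\$'
    $UncPath -replace $pattern, '$1:'
}

# Folders only: PSIsContainer works on every PowerShell version (-Directory needs 3.0+).
function Get-FolderTree {
    param([string]$Path)
    $top = Get-Item -LiteralPath $Path -Force
    if (-not $top.PSIsContainer) { throw "'$Path' is not a folder" }
    $top
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
}

# Flatten a server-local path into a file name: d:\dat\users -> Permissions_Audit-d-dat-users.txt
function Get-AuditFileName {
    param([string]$LocalPath)
    'Permissions_Audit-' + ($LocalPath -replace '[\\:]+', '-').Trim('-') + '.txt'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$unc = ConvertTo-AdminSharePath -Server $Server -LocalPath $Root

foreach ($folder in Get-FolderTree -Path $unc) {
    $local   = ConvertTo-ServerLocalPath -Server $Server -UncPath $folder.FullName
    $outFile = Join-Path $OutDir (Get-AuditFileName $local)
    # No /G, /R, /P, /D or /I switches, so xcacls.vbs only lists the ACL, and no /T,
    # so it does not descend into files: the walk above already chose the folders.
    $cscriptArgs = @('//nologo', $Xcacls, $local, '/server', $Server)
    if ($DryRun) {
        Write-Host ('cscript ' + ($cscriptArgs -join ' ') + " > $outFile")
        continue
    }
    & cscript.exe @cscriptArgs | Out-File -FilePath $outFile -Encoding ascii
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "xcacls.vbs exit code $LASTEXITCODE for $local"
    }
}
```

Run it first as `powershell -File .\Audit-FolderAcls.ps1 -Server fileserver -Root d:\dat -DryRun` to see the exact cscript command lines before anything is executed. Listing the tree over \\server\d$ needs administrative rights on the remote server, which xcacls.vbs /SERVER requires anyway.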

4 comments:

Patrick said...

Did you find an answer to your question?

J said...

No, sorry, I am still using a predefined list of the directories that I want to know the security settings of, e.g.:
d:\app\
d:\dat\
d:\dat\Grid
d:\dat\Private
...
Then I parse that file, for each line doing:

XCACLS.vbs %line% /server %remoteserver%

I would be more than happy to see something better :-)

Patrick said...

Hi j,

Well here is what I have made.
Save it as a .vbs file.
You must edit it to point it at the parent directory containing the folders you wish to report on.
You must also change the drive letter (in the Sub ShowSubFolders section) from S to wherever you are working. Also in that section, the script assumes that you are storing xcacls.vbs in C:\xcacls.vbs, so modify accordingly.
(I am planning next to create a wrapper to allow the paths and drive letters to be entered at a prompt window.)

To run the script, just open a command prompt and navigate to the folder where the script is stored and type cscript scriptname.vbs

The output instructions are handled by the script.

I hacked this together, so please excuse any sloppiness.

patrick

----------------------

' Runs xcacls.vbs against every subfolder (folders only, never files) below
' strFolder and writes each folder's permissions to its own text file in the
' current directory. Run with: cscript scriptname.vbs
Option Explicit

Dim g_oShell, objFSO, objFolder
Dim strFolder, strXcacls

' Edit these two paths for your environment
strFolder = "S:\Budgets\2009 BUDGET"
strXcacls = "C:\xcacls\xcacls.vbs"

Set g_oShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(strFolder)

WScript.Echo objFolder.Path
ShowSubFolders objFolder

Sub ShowSubFolders(objFolder)
    Dim objSubFolder, NewFileName, strCmd

    For Each objSubFolder In objFolder.SubFolders
        ' Flatten the folder path into a file name, e.g.
        ' S:\Budgets\2009 BUDGET\Q1 -> Permissions_Audit-S-Budgets-2009 BUDGET-Q1.txt
        ' (change "S:" below if you are working on another drive)
        NewFileName = Replace(objSubFolder.Path, "\", "-")
        NewFileName = Replace(NewFileName, "S:", "-S")
        NewFileName = "Permissions_Audit" & NewFileName & ".txt"

        ' Both paths are quoted because they can contain spaces; cmd /c does the
        ' redirection, and the final True makes Run wait for xcacls.vbs to finish
        ' instead of starting one cscript per folder at the same time.
        strCmd = "cmd /c cscript //nologo """ & strXcacls & """ """ & _
                 objSubFolder.Path & """ > """ & NewFileName & """"
        g_oShell.Run strCmd, 0, True
        WScript.Echo objSubFolder.Path

        ShowSubFolders objSubFolder
    Next
End Sub

J said...

Patrick, thanks for sharing!

I did find a better way to view and backup NTFS permissions, much more suitable for later restore if the server should crash.

I used the FILEACL.EXE tool which has a great batch operation mode:

fileacl \\host\d$\dat\users /batchreal /sub
# gives:
FILEACL \\host\d$\dat\users /INHERIT /REPLACE /SUB
FILEACL \\host\d$\dat\users /S "NT AUTHORITY\Authenticated Users":RX/U /S "BUILTIN\Administrators":F /S "NT AUTHORITY\SYSTEM":F /S "NT AUTHORITY\Authenticated Users":F /REPLACE /PROTECT
FILEACL \\host\d$\dat\users\Jeff /S "domain\Jeff":F


I still use XCACLS.VBS for setting or removing control, because it is newer and easier to use than fileacl.exe, e.g.:

REM Removing the check in: [ ] allow inheritable permissions from the parent to propagate to this object and all child objects
cscript %xcaclsbin% %rootdir% /i copy /server %destserver%
REM Remove inheritance from the users dir:
cscript //Nologo %xcaclsbin% %rootdir%\%subdir%\%1 /q /i copy /server %destserver%
REM Remove the Authenticated users:
cscript //Nologo %xcaclsbin% %rootdir%\%subdir%\%1 /q /e /r "NT AUTHORITY\Authenticated Users" /server %destserver%
REM Add the user:
cscript //Nologo %xcaclsbin% %rootdir%\%subdir%\%1 /q /e /g "domain\%1":F /server %destserver%



Fileacl.exe is still very powerful; here is the URL and MD5 sum:
ba0d0c49683279393f1f496511e8a4ef c:\bin\fileacl.exe

http://www.microsoft.com/downloads/details.aspx?FamilyID=723F64EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en

FILEACL v3.0.1.6
Brief Description
NTFS Permissions command line tool
FILEACL allows to manipulate ACLs on NTFS volumes

And an article:
http://windowsitpro.com/article/articleid/85052/jsi-tip-10080-fileaclexe-freeware-allows-to-manipulate-acls-on-ntfs-volumes.html
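The three per-user steps from that batch (block inheritance with /I COPY, remove the copied Authenticated Users entry, grant the user Full control), wrapped in a PowerShell function as an added example that is not code from the comment, followed by the check a careful admin wants afterwards: read the folder's ACL back over the administrative share and confirm that inheritance is blocked, that no Authenticated Users entry remains, and that the user holds Full control. Server, paths, domain and user names are placeholders, and the Get-Acl read-back is an addition, not part of the xcacls.vbs workflow in the comment.

```powershell
# Added example (not from the comment above): per-user folder ACL setup with
# xcacls.vbs, followed by a read-back check with Get-Acl. All names are placeholders.
param(
    [string]$Server  = 'fileserver',             # remote file server (assumed)
    [string]$Xcacls  = 'C:\xcacls\xcacls.vbs',   # local copy of xcacls.vbs (assumed)
    [string]$RootDir = 'd:\dat',                 # %rootdir% as seen on the server (assumed)
    [string]$SubDir  = 'users',                  # %subdir% (assumed)
    [string]$Domain  = 'domain',                 # assumed
    [string[]]$Users = @('Jeff'),                # one folder per user under $RootDir\$SubDir
    [switch]$DryRun                              # print the xcacls commands instead of running them
)

# Runs one xcacls.vbs command against the remote server; returns $true on success.
function Invoke-Xcacls {
    param([string[]]$ScriptArgs)
    $all = @('//nologo', $Xcacls) + $ScriptArgs + @('/server', $Server)
    if ($DryRun) { Write-Host ('cscript ' + ($all -join ' ')); return $true }
    & cscript.exe @all | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "xcacls.vbs exit code $LASTEXITCODE for: $($ScriptArgs -join ' ')"
        return $false
    }
    return $true
}

# The three steps from the batch: stop inheriting (keeping a copy of the inherited
# entries), drop the copied Authenticated Users entry, grant the user Full control.
function Set-UserFolderAcl {
    param([string]$User)
    $folder = "$RootDir\$SubDir\$User"
    $steps = @(
        @($folder, '/q', '/i', 'copy'),
        @($folder, '/q', '/e', '/r', 'NT AUTHORITY\Authenticated Users'),
        @($folder, '/q', '/e', '/g', "$Domain\${User}:F")
    )
    foreach ($step in $steps) {
        if (-not (Invoke-Xcacls -ScriptArgs $step)) { return $false }
    }
    return $true
}

# Read the resulting ACL back over the admin share and report whether it matches the intent.
function Test-UserFolderAcl {
    param([string]$User)
    $unc = '\\' + $Server + '\' + $RootDir.Substring(0, 1) + '$' + $RootDir.Substring(2) + "\$SubDir\$User"
    $acl = Get-Acl -LiteralPath $unc
    $authUsers = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users'
    })
    $full = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "$Domain\$User" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq 'FullControl'
    })
    New-Object PSObject -Property @{
        Folder             = $unc
        InheritanceBlocked = $acl.AreAccessRulesProtected
        AuthUsersRemoved   = ($authUsers.Count -eq 0)
        UserHasFullControl = ($full.Count -gt 0)
    }
}

foreach ($u in $Users) {
    if ((Set-UserFolderAcl -User $u) -and -not $DryRun) { Test-UserFolderAcl -User $u }
}
```

Each step is run in sequence and the function stops at the first failure, so a folder is never left with inheritance blocked but the user not yet granted. Running with -DryRun prints the three cscript command lines per user without touching the server; without it, the Test-UserFolderAcl object for each user should show InheritanceBlocked, AuthUsersRemoved and UserHasFullControl all True.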