As I mentioned earlier, the xcacls.vbs output is truncated, so the information is not fully presented: for example, usernames are cut off at 24 characters. This got very annoying, so I was happy to find a solution:
Edit xcacls.vbs line 593, Call PrintMsg( strPackString...
Edit xcacls.vbs line 614, Call AddStringToArray(arraystrACLS,
I changed the two lines to:
Call PrintMsg( strPackString("Type", 8, 1, TRUE) & strPackString("Username", 50, 1, TRUE) & strPackString("Permissions", 42, 1, TRUE) & strPackString("Inheritance", 35, 1, TRUE))
For Each objDACL_Member in objSecDescriptor.DACL
Call AddStringToArray(arraystrACLS, strPackString(strAceType, 8, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 50, 1, TRUE) & strPackString(TempSECString, 42, 1, TRUE) & strPackString(strAceFlags, 35, 1, TRUE),-1)
Set objtrustee = Nothing
Now the output is more useful.
The next problem is that I cannot get xcacls.vbs to work only on folders when querying subdirectories. The /s and /t parameters do work across subdirectories, but they include files, which is not what I want!
This does not seem to be possible; I cannot find a combination of switches that traverses subdirectories but displays only directory permissions and not file permissions too. I get output like:
**************************************************************************
Directory: d:\data\file.txt
Permissions:
Type Username Permissions Inheritance
...
So I had to make a small wrapper that only runs xcacls.vbs on a predefined list of directories, without using /s or /t at all. This is not scalable at all!
What I would rather have is a script that gets a remote directory listing, checks whether each entry is a directory, and if it is, calls xcacls.vbs on it. I don't have that yet :-)
A better solution would be very welcome.
4 comments:
Did you find an answer to your question?
No, sorry, I am still using a predefined list of the directories that I want to know the security settings of, e.g.:
d:\app\
d:\dat\
d:\dat\Grid
d:\dat\Private
...
Then I parse that file, doing the following for each line:
XCACLS.vbs %line% /server %remoteserver%
I would be more than happy to see something better :-)
Hi j,
Well here is what I have made.
Save it as a .vbs file.
You must edit it to point it at the parent directory containing the folders you wish to report on.
You must also change the drive letter (in the Sub ShowFolders section) from S to wherever you are working. Also in that section, the script assumes that you are storing xcacls.vbs in C:\xcacls.vbs, so modify accordingly.
(I am planning next to create a wrapper to allow the paths and drive letters to be entered at a prompt window.)
To run the script, just open a command prompt, navigate to the folder where the script is stored and type cscript scriptname.vbs
The output instructions are handled by the script.
I hacked this together, so please excuse any sloppiness.
patrick
----------------------
Option Explicit

Dim g_oShell, objFSO, objFolder, strFolder

Set g_oShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Parent directory whose subfolders are reported on; edit to suit
strFolder = "S:\Budgets\2009 BUDGET"
Set objFolder = objFSO.GetFolder(strFolder)

WScript.Echo objFolder.Path
ShowSubFolders objFolder

Sub ShowSubFolders(objFolder)
    Dim objSubFolder, NewFileName, strCmd
    For Each objSubFolder In objFolder.SubFolders
        ' Turn the path into a report file name: "S:\a\b" becomes "-S-a-b"
        ' (change "S:" if you are working on another drive)
        NewFileName = Replace(objSubFolder.Path, "\", "-")
        NewFileName = Replace(NewFileName, "S:", "-S")
        ' Run xcacls.vbs (assumed to live at C:\xcacls\xcacls.vbs) on this one folder
        ' only, without /s /t so files are not listed, and save its output per folder
        strCmd = "cmd /c cscript //nologo C:\xcacls\xcacls.vbs """ & objSubFolder.Path & _
                 """ > ""Permissions_Audit" & NewFileName & ".txt"""
        g_oShell.Run strCmd, 0, True   ' hidden window, wait for it to finish
        WScript.Echo objSubFolder.Path
        ShowSubFolders objSubFolder
    Next
End Sub
Patrick, thanks for sharing!
I did find a better way to view and back up NTFS permissions, much more suitable for a later restore if the server should crash.
I used the FILEACL.EXE tool which has a great batch operation mode:
fileacl \\host\d$\dat\users /batchreal /sub
# gives:
FILEACL \\host\d$\dat\users /INHERIT /REPLACE /SUB
FILEACL \\host\d$\dat\users /S "NT AUTHORITY\Authenticated Users":RX/U /S "BUILTIN\Administrators":F /S "NT AUTHORITY\SYSTEM":F /S "NT AUTHORITY\Authenticated Users":F /REPLACE /PROTECT
FILEACL \\host\d$\dat\users\Jeff /S "domain\Jeff":F
I still use XCACLS.VBS for setting or removing control, because it is newer and easier to use than fileacl.exe, e.g.:
REM Removing the check in: [ ] Allow inheritable permissions from the parent to propagate to this object and all child objects
cscript %xcaclsbin% %rootdir% /i copy /server %destserver%
REM Remove inheritance from the users dir:
cscript //Nologo %xcaclsbin% %rootdir%\%subdir%\%1 /q /i copy /server %destserver%
REM Remove the Authenticated users:
cscript //Nologo %xcaclsbin% %rootdir%\%subdir%\%1 /q /e /r "NT AUTHORITY\Authenticated Users" /server %destserver%
REM Add the user:
cscript //Nologo %xcaclsbin% %rootdir%\%subdir%\%1 /q /e /g "domain\%1":F /server %destserver%
Fileacl.exe is still very powerful; here are the URL and MD5 sum:
ba0d0c49683279393f1f496511e8a4ef c:\bin\fileacl.exe
http://www.microsoft.com/downloads/details.aspx?FamilyID=723F64EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en
FILEACL v3.0.1.6
Brief Description
NTFS Permissions command line tool
FILEACL allows to manipulate ACLs on NTFS volumes
And an article:
http://windowsitpro.com/article/articleid/85052/jsi-tip-10080-fileaclexe-freeware-allows-to-manipulate-acls-on-ntfs-volumes.html
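The FILEACL /batchreal lines quoted above are also what you would restore from, so it pays to be able to read them back. The following Python example is added here and is not from the post, xcacls.vbs or the FILEACL tool: it parses that batch format into per-path ACEs and reports two things an auditor looks for, paths saved with /PROTECT (inheritance from the parent cut, as the xcacls /i copy step does) and broad principals holding Full control. The token layout, the BROAD_PRINCIPALS list, the sample data (placeholder host and users) and leaving the /U flag uninterpreted are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the batch output quoted above (placeholder host/users).
SAMPLE = r'''
FILEACL \\host\d$\dat\users /INHERIT /REPLACE /SUB
FILEACL \\host\d$\dat\users /S "NT AUTHORITY\Authenticated Users":RX/U /S "BUILTIN\Administrators":F /S "NT AUTHORITY\SYSTEM":F /S "NT AUTHORITY\Authenticated Users":F /REPLACE /PROTECT
FILEACL \\host\d$\dat\users\Jeff /S "domain\Jeff":F
'''
TOKEN_RE = re.compile(r'"[^"]*"\S*|\S+')   # a quoted trustee keeps its :rights suffix as one token
ACE_RE = re.compile(r'^"?(?P<trustee>[^"]+)"?:(?P<rights>[^/]+)(?:/(?P<flags>\S+))?$')
# Principals that cover (nearly) every account; Full control for them is worth a look.
BROAD_PRINCIPALS = {"NT AUTHORITY\\AUTHENTICATED USERS", "EVERYONE", "BUILTIN\\USERS"}

def parse_batch(text):
    """Return {path: {"aces": [(trustee, rights, flags)], "options": set()}}."""
    entries = defaultdict(lambda: {"aces": [], "options": set()})
    for line in text.splitlines():
        tokens = TOKEN_RE.findall(line.strip())
        if len(tokens) < 2 or tokens[0].upper() != "FILEACL":
            continue
        entry = entries[tokens[1].strip('"')]
        i = 2
        while i < len(tokens):
            if tokens[i].upper() == "/S" and i + 1 < len(tokens):
                m = ACE_RE.match(tokens[i + 1])   # /S "trustee":rights[/flags]
                if m:
                    entry["aces"].append((m["trustee"], m["rights"], m["flags"] or ""))
                i += 2
            else:                                  # /INHERIT, /REPLACE, /SUB, /PROTECT ...
                entry["options"].add(tokens[i].upper().lstrip("/"))
                i += 1
    return dict(entries)

def broad_full_control(entries):
    """(path, trustee) pairs where a broad principal holds Full control (F)."""
    return [(path, trustee) for path, e in entries.items()
            for trustee, rights, _ in e["aces"]
            if trustee.upper() in BROAD_PRINCIPALS and rights.upper() == "F"]

def protected_paths(entries):
    """Paths whose DACL was saved with /PROTECT, i.e. inheritance from the parent is cut."""
    return sorted(p for p, e in entries.items() if "PROTECT" in e["options"])

if __name__ == "__main__":
    acl = parse_batch(SAMPLE)
    for path, trustee in broad_full_control(acl):
        print(f"{path}: {trustee} has Full control")
    print("inheritance cut at:", protected_paths(acl))
```

Run it against the real batch file instead of SAMPLE to get the same two lists for a whole share.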