Access and Permission Tools

One of the most common things LAN administrators ask is how to check permissions on shared resources: what is shared, and who has access to it? You can buy third-party tools to accomplish this, but if your budget is tight, why not use a few utilities in the NT Resource Kit? Add a little scripting and you can build your own tool. There is much more to many of these utilities than is covered here, but at least you'll know what to look for.

SHOWACLS

ShowACLS displays the ACL (Access Control List) for a specified file or directory.

    showacls /s /u:domain\user filespec

    /s    include sub-directories
    /u    specify domain\user

ACE header values:

    0x1 - Object Inherit ACE
    0x2 - Container Inherit ACE
    0x4 - No Propagate Inherit ACE
    0x8 - Inherit Only ACE

Access mask values:

    A   Generic All
    l   List Directory
    R   Generic Read
    d   Read Data
    W   Generic Write
    S   Synchronize
    X   Generic Execute
    r   File Read
    w   File Write
    a   File Append
    fx  File Execute
    D   Delete
    rE  Read EA
    rW  Write EA

For example, if I run SHOWACLS C:\NTRESKIT I get the following output:

    C:\ntreskit\
      BUILTIN\Administrators Full Control [ALL]
      Everyone Change [RWXD]
      CREATOR OWNER Full Control [ALL]
      NT AUTHORITY\SYSTEM Full Control [ALL]

If I wanted, I could show the ACL for a specific user by running SHOWACLS /U:domain\jhicks

Finally, I can check the ACL for a specific file in general, or use the /U switch to see what access an individual user has. The file specification must be a single file. Wildcards won't work.

    C:\ntreskit>showacls /u:req138ch perms.exe
    User: [\req138ch] has the following access to file [C:\ntreskit\perms.exe]:
    C:\ntreskit\perms.exe
      Everyone Change [RWXD]
      BUILTIN\Administrators Full Control [ALL]

The account req138ch has access via Everyone and the Administrators Built-In group.

PERMS

Another handy utility is PERMS, which shows you access control for a user or group.

    PERMS [domain\|computer\]username path [/i] [/s]

    [domain\|computer\]username
          Name of user whose permissions are to be checked.
    path  A file or directory, wildcards (*,?) accepted.
    /i    Assumes the specified user is logged on interactively to
          computer where the file/directory resides. With this switch,
          PERMS assumes the user is a member of the INTERACTIVE group.
          Without this switch, PERMS assumes the user is a member of
          the NETWORK group.
    /s    Check permissions on files in subdirectories.

The output access mask contains the following letters:

    R   Read
    W   Write
    X   Execute
    D   Delete
    P   Change Permissions
    O   Take Ownership
    A   General All
    -   No Access
    *   The specified user is the owner of the file or directory.
    #   A group the user is a member of owns the file or directory.
    ?   The user's access permisssions can not be determined.

If I run PERMS user01 c:\ntreskit\*.doc I will get a list of permissions for all .DOC files for USER01:

    C:\ntreskit>perms user01 *.doc
    C:\ntreskit\AUTOEXNT.DOC perms: RWXD---
    C:\ntreskit\COMPREG.DOC perms: RWXD---
    C:\ntreskit\FCOPY.DOC perms: RWXD---
    C:\ntreskit\GRPCPY.DOC perms: RWXD---
    C:\ntreskit\NETTIME.DOC perms: RWXD---
    C:\ntreskit\PATHMAN.DOC perms: RWXD---
    C:\ntreskit\POSIX.DOC perms: RWXD---

I can certainly use CACLS to accomplish these same tasks, and would need to if I wanted to assign or change permissions from a command prompt. But PERMS and SHOWACLS are read-only utilities, which can provide a certain degree of reassurance that you won't mistakenly trash all the hard work that went into setting permissions in the first place.

If you do want to change permissions, take a look at XCACLS in the Resource Kit. It is an enhanced and more powerful version of CACLS that needs its own article or how-to, so I won't get into it here. There is an MS Word document (XCACLS.DOC) in the Resource Kit that can explain much of what you need to know.

A couple of quick related how-tos. What if you see that the Marketing group has Full Control permissions?
Who is in that group? You could open User Manager for Domains, find the group, and open it up. What if you wanted to print it out? Your solution is to use SHOWMBRS from the Resource Kit.

    C:\ntreskit>showmbrs /?
    Usage: showmbrs domain\group
        or showmbrs \\domain\group
        or showmbrs group

Or, if I'm troubleshooting an access problem, I may need to know what groups a specific user is a member of. For that I can use SHOWGRPS.

    C:\ntreskit>showgrps /?
    Usage: showgrps [/A] domain\user
        or showgrps [/A] user
    /A - Check all known trusted domain

You can do a lot from the GUI, but if you want to build your own auditing or inventory tools, you can't beat these Resource Kit utilities.

Find this article at: http://cramsession.com/articles/get-article.asp

© 1999 - 2005 CramSession. All Rights Reserved.
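The "add a little scripting" idea applied to the SHOWACLS output shown earlier, as an added example (not code from the original article or the Resource Kit): it parses captured SHOWACLS output and lists entries where a broad principal such as Everyone holds a modifying right. The function names, the `BROAD` and `RISKY` sets, and the rule that every ACE line ends in a bracketed mask are assumptions made for this example.

```python
import re

# Access labels seen in the article's sample output; extend for other labels.
LABELS = ("Full Control", "Change")
# Principals treated as "everybody" (assumption; adjust for your domain).
BROAD = {"everyone"}
# Modifying mask letters from the article's legend, checked per character.
RISKY = set("AWDwa")
ACE_RE = re.compile(r"^(?P<left>.+?)\s*\[(?P<mask>[^\]]+)\]\s*$")

def parse_showacls(text):
    """Return {path: [(principal, label, mask), ...]} from SHOWACLS output."""
    acls, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("User:"):   # skip blanks and /U banner
            continue
        m = ACE_RE.match(line)
        if m is None:                  # no mask: the line names a file/dir
            path = line
            acls.setdefault(path, [])
            continue
        if path is None:               # ACE with no preceding path: ignore
            continue
        left, label = m.group("left"), ""
        for known in LABELS:           # split "Everyone Change" into two fields
            if left.endswith(known):
                left, label = left[:-len(known)].rstrip(), known
                break
        acls[path].append((left, label, m.group("mask")))
    return acls

def broad_write_access(acls):
    """List (path, principal, mask) where a broad principal can modify data."""
    return [(path, who, mask)
            for path, aces in acls.items()
            for who, _label, mask in aces
            if who.lower() in BROAD and (mask == "ALL" or set(mask) & RISKY)]

# Constructed sample: the article's SHOWACLS C:\NTRESKIT output, indentation assumed.
SAMPLE = r"""C:\ntreskit\
  BUILTIN\Administrators Full Control [ALL]
  Everyone Change [RWXD]
  CREATOR OWNER Full Control [ALL]
  NT AUTHORITY\SYSTEM Full Control [ALL]
"""

if __name__ == "__main__":
    print(broad_write_access(parse_showacls(SAMPLE)))
```

Redirect the output of SHOWACLS /S to a file and pass its contents to `parse_showacls` to review a whole tree in one pass.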