
Access and Permission Tools

One of the most common things LAN administrators ask how to do
is check permissions on shared resources. What is shared,
and who has access to it? You can buy third-party tools to
accomplish this, but if your budget is tight, why not use a few
utilities in the NT Resource Kit? Add a little scripting and
you can build your own tool.

There is much more to many of these utilities than what is
going to be covered here, but at least you'll know what to look

ShowACLS will display the ACL (Access Control List) for a
specified file or directory.

showacls /s /u:domain\user filespec

/s include sub-directories
/u specify domain\user

ACE header values:

0x1 - Object Inherit ACE
0x2 - Container Inherit ACE
0x4 - No Propagate Inherit ACE
0x8 - Inherit Only ACE

Access mask values:

A   Generic All        l   List Directory
R   Generic Read       d   Read Data
W   Generic Write      S   Synchronize
X   Generic Execute    r   File Read
w   File Write         a   File Append
fx  File Execute       D   Delete
rE  Read EA            rW  Write EA

For example, if I run SHOWACLS C:\NTRESKIT I get the following:

BUILTIN\Administrators Full Control [ALL]
Everyone Change [RWXD]

If I wanted, I could show the ACL for a specific user by running SHOWACLS /U:domain\jhicks

Finally, I can check the ACL for a specific file in general or
use the /U switch to see what access an individual user has.
The file specification must be a single file. Wildcards won't

C:\ntreskit>showacls /u:req138ch perms.exe

User: [\req138ch]
has the following access to file [C:\ntreskit\perms.exe]:

Everyone Change [RWXD]
BUILTIN\Administrators Full Control [ALL]

The account req138ch has access via Everyone and the
Administrators Built-In group.

Another handy utility is PERMS, which will show you access
control for a user or group.

PERMS [domain\|computer\]username path [/i] [/s]

[domain\|computer\]username
      Name of user whose permissions are to be checked.
path  A file or directory, wildcards (*,?) accepted.
/i    Assumes the specified user is logged on interactively
      to computer where the file/directory resides.
      With this switch, PERMS assumes the user is a member
      of the INTERACTIVE group. Without this switch, PERMS
      assumes the user is a member of the NETWORK group.
/s    Check permissions on files in subdirectories.

The output access mask contains the following letters:

R Read
W Write
X Execute
D Delete
P Change Permissions
O Take Ownership
A General All
- No Access
* The specified user is the owner of the file or directory.
# A group the user is a member of owns the file or directory.
? The user's access permisssions can not be determined.

If I run PERMS user01 c:\ntreskit\*.doc I will get a list of
permissions for all .DOC files for USER01:

C:\ntreskit>perms user01 *.doc

C:\ntreskit\AUTOEXNT.DOC perms: RWXD---

C:\ntreskit\COMPREG.DOC perms: RWXD---

C:\ntreskit\FCOPY.DOC perms: RWXD---

C:\ntreskit\GRPCPY.DOC perms: RWXD---

C:\ntreskit\NETTIME.DOC perms: RWXD---

C:\ntreskit\PATHMAN.DOC perms: RWXD---

C:\ntreskit\POSIX.DOC perms: RWXD---

I can certainly use CACLS to accomplish these same tasks, and
would need to if I wanted to assign or change permissions from
a command prompt. But PERMS and SHOWACLS are read-only
utilities, which provides a certain degree of reassurance
that you won't mistakenly trash all the hard work that
went into setting permissions in the first place.

If you do want to change permissions, take a look at XCACLS in
the Resource Kit. It is an enhanced and more powerful version
of CACLS that needs its own article or how-to, so I won't get
into it here. There is an MS Word document (XCACLS.DOC) in the
Resource Kit that can explain much of what you need to know.

A couple of quick related how-tos. What if you see that the
Marketing group has Full Control permissions? Who is in that
group? You could open User Manager for Domains, find the group,
and open it up. But what if you wanted to print it out? Your
solution is to use SHOWMBRS from the Resource Kit.

C:\ntreskit>showmbrs /?


showmbrs domain\group or
showmbrs \\domain\group or
showmbrs group

Or, if I'm troubleshooting an access problem, I may need to
know what groups a specific user is a member of. For that I
can use SHOWGRPS.

C:\ntreskit>showgrps /?


showgrps [/A] domain\user or
showgrps [/A] user

/A - Check all known trusted domain

You can do a lot from the GUI, but if you want to build your
own auditing or inventory tools, you can't beat these Resource
Kit utilities.
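
As a starting point for that kind of home-built audit tool, here is an added example (not from the original article or the Resource Kit) that parses captured PERMS output and reports files the user can modify or whose access could not be determined. The line format is taken from the PERMS sample above; the choice of which rights count as "can modify" and the sample lines marked as constructed are assumptions.

```python
import re

# Legend copied from the PERMS help text quoted in the article.
LEGEND = {
    "R": "Read", "W": "Write", "X": "Execute", "D": "Delete",
    "P": "Change Permissions", "O": "Take Ownership", "A": "General All",
    "*": "user owns object", "#": "user's group owns object",
    "?": "access could not be determined",
}
# Assumption: rights that let the user alter or destroy data or its ACL.
RISKY = "WDPOA"

# Line shape taken from the article's sample: "<path> perms: <mask>".
LINE = re.compile(r"^(?P<path>.+?)\s+perms:\s*(?P<mask>\S*)\s*$")

def parse_perms(text):
    """Return {path: set of mask characters}, ignoring '-' placeholders."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            result[m.group("path")] = {c for c in m.group("mask") if c != "-"}
    return result

def audit(text):
    """Return sorted (path, finding) pairs that deserve a second look."""
    findings = []
    for path, flags in parse_perms(text).items():
        if "?" in flags:
            findings.append((path, LEGEND["?"]))
        risky = [c for c in RISKY if c in flags]
        if risky:
            names = ", ".join(LEGEND[c] for c in risky)
            findings.append((path, "can modify: " + names))
    return sorted(findings)

# First line is from the article; the other two are constructed samples
# and real PERMS output for those cases may be laid out differently.
SAMPLE = r"""
C:\ntreskit\AUTOEXNT.DOC perms: RWXD---
C:\ntreskit\README.TXT perms: R-X----
C:\ntreskit\ORPHAN.DAT perms: ?
"""

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

Redirect the output of a PERMS run with /s to a file and pass its contents to audit() to get a report for a whole directory tree.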

1999 - 2005 CramSession. All Rights Reserved.