lpenrod
Any free utilities to find and list folders that have inheritance disabled?
ASKER CERTIFIED SOLUTION
ASKER
I ran the utility, I can't tell where it shows that inheritance is turned off.
There is a column in the database called "Inherited"... it is a boolean (True or False)
You should be able to write a query to hunt for all directories where the inheritance is False
ASKER
Here is an example of the problem I am having:
| Path | Name | Permissions | Inherited |
|---|---|---|---|
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | DOMAIN\Domain Users | Read & Execute | 0 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | DOMAIN\Domain Users | Read & Execute | 0 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | DOMAIN\EBarkley | Full Control | 0 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | DOMAIN\EBarkley | Full Control | 0 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | BUILTIN\Administrators | Full Control | -1 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | DOMAIN\Brand Muffin Design (BMD) | Modify | -1 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | CREATOR OWNER | Full Control | -1 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | DOMAIN\Domain Admins | Full Control | -1 |
| n:\jobs\-CURRENT PDF's-\Citgo\4138 | DOMAIN\StudioSec | Modify | -1 |

Inheritance is not being blocked on this folder.
OK... so this output means that for this directory, 4 of the ACLs are inherited from some directory above, and 5 of the ACLs are not inherited
So, what exactly are you trying to do? There is no setting that I know of for "only allow inherited ACLs", or "do not allow ACL inheritance".
ASKER
When you go to the security settings in the properties of a folder and click on the advanced button, you have the option "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.". I need a list of all folders where that option has been deselected (inheritance has been blocked).
Inheritance is a property of each of the ACL entries... it's not a property of the folder itself. So you'd expect multiple answers per folder.
There is no such thing as inheritance "being blocked"...
For a given folder, each ACL entry either:
a) Has inheritance turned on... or
b) Does not have inheritance turned on.
That's what the database is reflecting.... that some ACL entries have it turned on, others do not.
So, in your case, the database entry for Inherited = false means that inheritance has been turned off for that entry
I'm obviously not following you.... Tell me again what you're trying to do
...wait
Is your question now: "How do I write a Microsoft Access query to list all folders where an ACL entry has inheritance turned off"? If so, the query would look like this:
SELECT [050609].Path, Max([050609].Inherited) AS MaxOfInherited
FROM [050609]
GROUP BY [050609].Path;
...where [050609] is the table name
ASKER
Explicit assignments are showing up as "not inherited" which is not the same as "do not inherit from parent".
I need to know on what folders the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." option has been deselected.
That checkbox is designed to automate the "turning off inheritance" for the current folder (you'd be asked if you wanted to start with a clean slate or use the existing as a starting point). What it actually does is go into the list of ACL entries and turn off each entry's inherited flag or wipe out all of the entries (depending on what choice you made)
Windows itself doesn't have an attribute for this feature... behind the scenes the only place where inheritance is found is in each ACL entry. The presence/absence of this checkmark is NOT stored anywhere!
The check mark is just one of the techniques used to turn off inheritance of an ACL entry. After inheritance is turned off, the ACL entry itself doesn't remember how the inheritance was turned off (via that check mark, or by some other means). The method used to accomplish this is not stored anywhere.
I suspect that Windows is looking to see if there are any entries with inheritance turned on (then it puts a check mark there), or if none of the entries have inheritance turned on (then it clears the check mark there).
So, I still think you could write a query to find where all of the Inherited flags are False for a given folder. It'd now be like this:
SELECT [050609].Path, Min([050609].Inherited) AS MinOfInherited
FROM [050609]
GROUP BY [050609].Path
HAVING Min([050609].Inherited) = 0;
ASKER
That query worked, thank you.
If Windows doesn't store the checkmark somewhere, then if you created a new user and gave them rights to a parent folder, wouldn't those rights flow into that folder that has the checkmark removed?
Forget the checkmark... that's just a means to the end.
The only thing that determines inheritance is the absence/presence of the INHERITED_ACE flag in the header of each Access Control Entry (ACE)
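An added example, not part of the thread and not code from any poster: a PowerShell script that reads each folder's security descriptor directly with `Get-Acl` and reports the `AreAccessRulesProtected` property (true when the folder's DACL is protected from inheriting parent entries) next to per-entry `IsInherited` counts, which correspond to the "Inherited" column discussed above. The root path `N:\jobs` is an assumption taken from the sample paths, and the function name `Get-InheritanceReport` and the output file name are hypothetical.

```powershell
param(
    # Assumption: share root taken from the sample paths in the thread.
    [string]$Root = 'N:\jobs'
)

function Get-InheritanceReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            }
            catch {
                # Report folders whose ACL cannot be read instead of skipping them,
                # so gaps in the audit are visible.
                return [pscustomobject]@{
                    Path      = $dir.FullName
                    Protected = $null
                    Explicit  = $null
                    Inherited = $null
                    Error     = $_.Exception.Message
                }
            }

            $rules = @($acl.Access)
            [pscustomobject]@{
                Path      = $dir.FullName
                # True when inheritance from the parent is disabled on this folder.
                Protected = $acl.AreAccessRulesProtected
                # Per-ACE counts, matching the Inherited = 0 / -1 rows in the table.
                Explicit  = @($rules | Where-Object { -not $_.IsInherited }).Count
                Inherited = @($rules | Where-Object { $_.IsInherited }).Count
                Error     = $null
            }
        }
}

# Keep only folders with inheritance disabled, plus any that could not be read.
Get-InheritanceReport -Path $Root |
    Where-Object { $_.Protected -or $_.Error } |
    Sort-Object Path |
    Export-Csv -LiteralPath '.\inheritance-disabled.csv' -NoTypeInformation
```

A folder such as the `4138` example above, with both explicit and inherited entries, shows `Protected = False` with non-zero counts in both columns, which separates explicit assignments from folders where inheritance is disabled.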