Any free utilities to find and list folders that have inheritance disabled?

lpenrod Asked:

1 Solution

graye Commented:
I've got a program called List_ACLs that will record all of the Access Control List (ACL) data into a Microsoft Access database.   We use it to record all of the permissions on the entire server....

After it's in the database, you could easily write a query to show all directories where ACL inheritance is turned off.

The program is only available in VB.Net source code (so you'll have to find somebody with Visual Studio.Net to compile it for you).

If you're interested, the source is available at: http://home.hot.rr.com/graye/AdminTools.htm

lpenrod (Author) Commented:
Yea, thanks!

lpenrod (Author) Commented:
I ran the utility; I can't tell where it shows that inheritance is turned off.
 
graye Commented:
There is a column in the database called "Inherited"... it is a boolean (True or False)

You should be able to write a query to hunt for all directories where the inheritance is False

lpenrod (Author) Commented:
Here is an example of the problem I am having:
Path      Name      Permissions      Inherited
n:\jobs\-CURRENT PDF's-\Citgo\4138      DOMAIN\Domain Users      Read & Execute      0
n:\jobs\-CURRENT PDF's-\Citgo\4138      DOMAIN\Domain Users      Read & Execute      0
n:\jobs\-CURRENT PDF's-\Citgo\4138      DOMAIN\EBarkley      Full Control      0
n:\jobs\-CURRENT PDF's-\Citgo\4138      DOMAIN\EBarkley      Full Control      0
n:\jobs\-CURRENT PDF's-\Citgo\4138      BUILTIN\Administrators      Full Control      -1
n:\jobs\-CURRENT PDF's-\Citgo\4138      DOMAIN\Brand Muffin Design (BMD)      Modify      -1
n:\jobs\-CURRENT PDF's-\Citgo\4138      CREATOR OWNER      Full Control      -1
n:\jobs\-CURRENT PDF's-\Citgo\4138      DOMAIN\Domain Admins      Full Control      -1
n:\jobs\-CURRENT PDF's-\Citgo\4138      DOMAIN\StudioSec      Modify      -1

Inheritance is not being blocked on this folder.

graye Commented:
OK... so this output means that for this directory, 4 of the ACLs are inherited from some directory above, and 5 of the ACLs are not inherited

So, what exactly are you trying to do?   There is no setting that I know of for "only allow inherited ACLs", or "do not allow ACL inheritance".

lpenrod (Author) Commented:
When you go to the security settings in the properties of a folder and click on the advanced button, you have the option "Inherit from parent the permission entries that apply to child objects.  Include these with entries explicitly defined here.".  I need a list of all folders where that option has been deselected (inheritance has been blocked).

graye Commented:
Inheritance is a property of each of the ACL entries... it's not a property of the folder itself.   So you'd expect multiple answers per folder.

There is no such thing as inheritance "being blocked"...

For a given folder, each ACL entry either:
    a) Has inheritance turned on... or
    b) Does not have inheritance turned on.

That's what the database is reflecting.... that some ACL entries have it turned on, others do not.

So, in your case, the database entry for Inherited = false means that inheritance has been turned off for that entry

I'm obviously not following you....  Tell me again what you're trying to do

graye Commented:
...wait

Is your question now:  "How do I write a Microsoft Access query to list all folders where an ACL entry has inheritance turned off"?   If so, the query would look like this:

SELECT [050609].Path, Max([050609].Inherited) AS MaxOfInherited
FROM [050609]
GROUP BY [050609].Path;

...where [050609] is the table name

lpenrod (Author) Commented:
Explicit assignments are showing up as "not inherited" which is not the same as "do not inherit from parent".

I need to know on what folders the "Inherit from parent the permission entries that apply to child objects.  Include these with entries explicitly defined here." option has been deselected.

graye Commented:
That checkbox is designed to automate the "turning off inheritance" for the current folder (you'd be asked if you wanted to start with a clean slate or use the existing as a starting point).  What it actually does is go into the list of ACL entries and turn off each entry's inherited flag or wipe out all of the entries (depending on what choice you made)

Windows itself doesn't have an attribute for this feature... behind the scenes the only place where inheritance is found is in each ACL entry.  The presence/absence of this checkmark is NOT stored anywhere!

The check mark is just one of the techniques used to turn off inheritance of an ACL entry.   After inheritance is turned off, the ACL entry itself doesn't remember how the inheritance was turned off (via that check mark, or by some other means).  The method used to accomplish this is not stored anywhere.

I suspect that Windows is looking to see if there are any entries with inheritance turned on (then it puts a check mark there), or if none of the entries have inheritance turned on (then it clears the check mark there).

So, I still think you could write a query to find where all of the Inherited flags are False for a given folder.  It'd now be like this:

SELECT [050609].Path, Min([050609].Inherited) AS MinOfInherited
FROM [050609]
GROUP BY [050609].Path
HAVING Min([050609].Inherited) = 0;

lpenrod (Author) Commented:
That query worked, thank you.

If Windows doesn't store the checkmark somewhere, then if you created a new user and gave them rights to a parent folder, wouldn't those rights flow into that folder that has the checkmark removed?

graye Commented:
Forget the checkmark... that's just a means to the end.

The only thing that determines inheritance is the absence/presence of the INHERITED_ACE flag in the header of each Access Control Entry (ACE)
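
An added example, not code from this thread or from List_ACLs: the state of the "Inherit from parent" checkbox lpenrod asks about is available per folder as the protected-DACL flag of the security descriptor, which PowerShell's Get-Acl exposes as AreAccessRulesProtected, next to the per-entry IsInherited flag discussed above. The root path is a placeholder based on the sample output in the thread.

```powershell
# Added example. $Root is a placeholder; point it at the tree to audit.
# Only folders below $Root are examined, not $Root itself.
param([string]$Root = 'N:\jobs')

$report = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable walkErrors |
    ForEach-Object {
        $path = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $path ($($_.Exception.Message))"
            return   # skip this folder, continue with the next one
        }
        $rules = @($acl.Access)
        [pscustomobject]@{
            Path                = $path
            # True when "inherit from parent" is deselected (protected DACL)
            InheritanceDisabled = $acl.AreAccessRulesProtected
            ExplicitAces        = @($rules | Where-Object { -not $_.IsInherited }).Count
            InheritedAces       = @($rules | Where-Object { $_.IsInherited }).Count
        }
    }

# Folders where inheritance from the parent is disabled
$report | Where-Object { $_.InheritanceDisabled } |
    Sort-Object Path | Format-Table -AutoSize

# Folders that only add explicit entries while still inheriting,
# like the n:\jobs sample row set quoted earlier in the thread
$report | Where-Object { -not $_.InheritanceDisabled -and $_.ExplicitAces -gt 0 } |
    Sort-Object Path | Format-Table -AutoSize

if ($walkErrors) {
    Write-Warning "$($walkErrors.Count) folders could not be enumerated and are not in the report."
}
```

Run it from an account that can read permissions on the whole tree; folders it cannot read are reported as warnings rather than silently dropped.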