How can I audit DACLs, SACLs, ACEs etc. on an NTFS file server

Posted on 2006-05-12
Medium Priority
Last Modified: 2008-02-26
Hello everyone,

I am currently trying to document everything I can about an Active Directory domain before I begin a migration.  Very simply, Company A is being split into Company A and B, which are currently on a single-forest AD domain and will be split into two separate forests.  I need to audit all of the (NTFS partitions of course) directories on all of the file servers and export all of the DACLs etc. to a text file, Excel file, anything, doesn't really matter.  Anyone have experience with this, seen a VBScript or third-party software that will do this?  Any help is greatly appreciated.
Question by:genoint
LVL 13

Expert Comment

ID: 16670841

You can start with this ... there is more on this site!

Author Comment

ID: 16670913
As far as I can tell that script will only read a single file's DACL and doesn't export to a file.  I actually need to parse a very large directory hierarchy and export the DACLs for all of the folders and files etc...
LVL 13

Expert Comment

ID: 16670971
You need to add a recursive loop, something like: for each file in folder, get ACLs ....
But I think there will be a limit on how deep the script can go.

LVL 13

Expert Comment

ID: 16670984
Something like this:

You can find it all on this site and compose the script you need.

Author Comment

ID: 16671000
OK, I will take a look and see if I can figure it out, leaving the office right now, thanks for the help... I am definitely not a VBScript expert so I will see what I can do over the weekend.
LVL 13

Expert Comment

ID: 16673782
OK, I created something simple for you that will output the permissions of the files in a specific folder.
There are some things that you need to set, like the folder path and the log file.
Note it can produce very long log files, and the script for checking the computer's files
could fail because of a memory issue (I tried it and it failed ...).

Hope it will be useful for you.  :)

'******************* start ******************************************
' Flag and ACE-type constants. The original referenced SE_DACL_PRESENT and
' the ACE types without defining them, so VBScript treated them as Empty and
' the DACL block never executed; FILE_READ_ATTRIBUTES / FILE_WRITE_ATTRIBUTES
' were also missing.
SE_DACL_PRESENT         = &h0004
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE  = 1

FILE_ALL_ACCESS       = &h1f01ff
FILE_APPEND_DATA      = &h000004
FILE_DELETE           = &h010000
FILE_DELETE_CHILD     = &h000040
FILE_EXECUTE          = &h000020
FILE_READ_ATTRIBUTES  = &h000080
FILE_READ_CONTROL     = &h020000
FILE_READ_DATA        = &h000001
FILE_READ_EA          = &h000008
FILE_SYNCHRONIZE      = &h100000
FILE_WRITE_ATTRIBUTES = &h000100
FILE_WRITE_DAC        = &h040000
FILE_WRITE_DATA       = &h000002
FILE_WRITE_EA         = &h000010
FILE_WRITE_OWNER      = &h080000

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

'********* set the folder to check (WQL needs the backslashes doubled) ********
Set colFiles = objWMIService.ExecQuery("Select * from CIM_DataFile where Path = '\\FOLDERNAME\\'")

'*********  create the LOG file for output ***********************
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("c:\files_log.txt", 8, True)   ' 8 = ForAppending

' Write one line per access right that is set in the ACE's access mask.
' FILE_ALL_ACCESS is a composite mask, so it is compared for equality rather
' than tested bitwise (a bitwise test would fire on any single right).
Sub WriteRights(intMask)
    If (intMask AND FILE_ALL_ACCESS) = FILE_ALL_ACCESS Then objTextFile.WriteLine(vbTab & vbTab & "FILE_ALL_ACCESS")
    If intMask AND FILE_APPEND_DATA Then objTextFile.WriteLine(vbTab & vbTab & "FILE_APPEND_DATA")
    If intMask AND FILE_DELETE Then objTextFile.WriteLine(vbTab & vbTab & "FILE_DELETE")
    If intMask AND FILE_DELETE_CHILD Then objTextFile.WriteLine(vbTab & vbTab & "FILE_DELETE_CHILD")
    If intMask AND FILE_EXECUTE Then objTextFile.WriteLine(vbTab & vbTab & "FILE_EXECUTE")
    If intMask AND FILE_READ_ATTRIBUTES Then objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_ATTRIBUTES")
    If intMask AND FILE_READ_CONTROL Then objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_CONTROL")
    If intMask AND FILE_READ_DATA Then objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_DATA")
    If intMask AND FILE_READ_EA Then objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_EA")
    If intMask AND FILE_SYNCHRONIZE Then objTextFile.WriteLine(vbTab & vbTab & "FILE_SYNCHRONIZE")
    If intMask AND FILE_WRITE_ATTRIBUTES Then objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_ATTRIBUTES")
    If intMask AND FILE_WRITE_DAC Then objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_DAC")
    If intMask AND FILE_WRITE_DATA Then objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_DATA")
    If intMask AND FILE_WRITE_EA Then objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_EA")
    If intMask AND FILE_WRITE_OWNER Then objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_OWNER")
End Sub

'*********  read the files from folder ***************************
For Each objFile in colFiles
    strFileName = objFile.Name
    objTextFile.WriteLine("permission for file: " & strFileName)

    ' Win32_LogicalFileSecuritySetting exposes the file's security descriptor;
    ' GetSecurityDescriptor returns 0 on success and fills objSD.
    Set objFileSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFileName & "'")
    intRetVal = objFileSecuritySettings.GetSecurityDescriptor(objSD)

    If intRetVal <> 0 Then
        objTextFile.WriteLine(vbTab & "GetSecurityDescriptor failed, return code " & intRetVal)
    ElseIf objSD.ControlFlags AND SE_DACL_PRESENT Then
        arrACEs = objSD.DACL
        For Each objACE in arrACEs
            objTextFile.WriteLine(objACE.Trustee.Domain & "\" & objACE.Trustee.Name)
            If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
                objTextFile.WriteLine(vbTab & "Allowed:")
            ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
                objTextFile.WriteLine(vbTab & "Denied:")
            End If
            WriteRights objACE.AccessMask
        Next
    Else
        ' A descriptor with no DACL grants everyone full access, so it is worth logging.
        objTextFile.WriteLine("No DACL present in security descriptor")
    End If
Next

objTextFile.Close
'**************************  end ******************************************
LVL 13

Accepted Solution

haim96 earned 200 total points
ID: 16675167
And I have another solution for you (probably simpler):
you can use the command "showacls.exe"; I found it in the Windows 2003 Resource Kit.
It will show you all the ACLs on folders and subfolders but NOT for files.

c:\showacls.exe  /s c:\  >LOG.txt

This will export the results into log.txt.
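As an added example (not from the thread, and not the Resource Kit tool or the VBScript above), the same audit in PowerShell: it walks a tree recursively, records every DACL entry for folders and files (and the SACL too with -IncludeSacl, which needs an elevated session), and marks which entries are explicit rather than inherited, since those are the ones that have to be recreated after the forest split. The root folder and output file are assumed placeholders.

```powershell
# Added example, not part of the original thread. Recursive NTFS ACL export for a
# pre-migration audit. $Root and $OutCsv are assumed placeholders; adjust them.
param(
    [string]$Root   = 'D:\Shares',
    [string]$OutCsv = 'C:\Temp\ntfs_acl_export.csv',
    [switch]$IncludeSacl    # SACL read requires SeSecurityPrivilege (run elevated)
)

function Get-AceRecords {
    param([string]$Path, [switch]$Sacl)
    try {
        $acl = if ($Sacl) { Get-Acl -LiteralPath $Path -Audit } else { Get-Acl -LiteralPath $Path }
    } catch {
        # Access denied, long path, etc.: record the failure instead of silently skipping it.
        return [pscustomobject]@{ Path = $Path; List = 'ERROR'; Identity = $null; Rights = $null
            Type = $_.Exception.Message; Inherited = $null; InheritanceFlags = $null
            PropagationFlags = $null; Owner = $null }
    }
    $rules = @(foreach ($r in $acl.Access) { [pscustomobject]@{ List = 'DACL'; Rule = $r } })
    if ($Sacl) { $rules += @(foreach ($r in $acl.Audit) { [pscustomobject]@{ List = 'SACL'; Rule = $r } }) }
    foreach ($x in $rules) {
        $r = $x.Rule
        [pscustomobject]@{
            Path             = $Path
            List             = $x.List
            Identity         = $r.IdentityReference.Value   # unresolved SIDs show up as S-1-5-21-...
            Rights           = $r.FileSystemRights.ToString()
            Type             = if ($x.List -eq 'DACL') { $r.AccessControlType.ToString() } else { $r.AuditFlags.ToString() }
            Inherited        = $r.IsInherited               # False = explicit ACE, must be re-created
            InheritanceFlags = $r.InheritanceFlags.ToString()
            PropagationFlags = $r.PropagationFlags.ToString()
            Owner            = $acl.Owner
        }
    }
}

# Root first, then every folder and file beneath it (unlike showacls.exe /s, files are included).
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$items | ForEach-Object { Get-AceRecords -Path $_.FullName -Sacl:$IncludeSacl } |
    Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8

# Summary: which identities hold explicit DACL entries and how many. Anything listed as a raw
# SID is an orphaned trustee that will not translate into the new forest.
Import-Csv -LiteralPath $OutCsv |
    Where-Object { $_.List -eq 'DACL' -and $_.Inherited -eq 'False' } |
    Group-Object Identity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it once per file server against each share root; the CSV can be opened in Excel, and a second run after the migration can be diffed against the first to confirm nothing was lost or widened.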

Author Comment

ID: 16682663
Thanks for all of the help guys, that resource kit tool is exactly what I need.
LVL 13

Expert Comment

ID: 16684967
Great, cheers ...  :)
