genoint
asked on
How can I audit DACLs, SACLs, ACEs etc. on an NTFS file server
Hello everyone,
I am currently trying to document everything I can about an Active Directory domain before I begin a migration. Very simply, Company A is being split into Company A and B, which are currently on a single forest AD domain and will be split into two separate forests. I need to audit all of the (NTFS partitions of course) directories on all of the file servers and export all of the DACLs etc. to a text file, Excel file, anything doesn't really matter. Anyone have experience with this, seen a VBScript or third party software that will do this? Any help is greatly appreciated.
ASKER
as far as I can tell that script will only read a single file's DACL and doesn't export to a file. I actually need to parse a very large directory hierarchy and export the DACLs for all of the folders and files etc...
you need to add a recursive loop, something like: on each file in folder get ACLs ....
but I think that there will be a limit on how deep the script can go.
something like this:
http://www.microsoft.com/technet/scriptcenter/scripts/storage/files/stfivb08.mspx
you can find it all in this site and compose the script you need.
ASKER
OK, I will take a look and see if I can figure it out, leaving the office right now, thanks for the help... I am definitely not a VBScript expert so I will see what I can do over the weekend.
OK, I created something simple for you that will output the permissions of the files in a specific folder.
There are some things that you need to set, like the folder path and log file.
Note it can produce very long log files, and a script that checks all of the computer's files
could fail because of memory issues. (I tried it and it failed ...)
Hope it will be useful for you. :)
'******************* start *******************************************
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

'********* set the folder to check ***********************************
' WQL needs the backslashes doubled, e.g.  where Drive = 'D:' and Path = '\\Shares\\Finance\\'
Set colFiles = objWMIService.ExecQuery("Select * from CIM_DataFile where Path = '\\FOLDERNAME\\'")

'********* create the LOG file for output ****************************
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("c:\files_log.txt", 8, True)   ' 8 = ForAppending, True = create if missing

'********* security descriptor / ACE / access mask constants *********
SE_DACL_PRESENT = &h4
ACCESS_ALLOWED_ACE_TYPE = &h0
ACCESS_DENIED_ACE_TYPE = &h1
FILE_ALL_ACCESS = &h1f01ff          ' combination of all the bits below plus standard rights
FILE_APPEND_DATA = &h000004
FILE_DELETE = &h010000
FILE_DELETE_CHILD = &h000040
FILE_EXECUTE = &h000020
FILE_READ_ATTRIBUTES = &h000080
FILE_READ_CONTROL = &h020000
FILE_READ_DATA = &h000001
FILE_READ_EA = &h000008
FILE_SYNCHRONIZE = &h100000
FILE_WRITE_ATTRIBUTES = &h000100
FILE_WRITE_DAC = &h040000
FILE_WRITE_DATA = &h000002
FILE_WRITE_EA = &h000010
FILE_WRITE_OWNER = &h080000

'********* read the files from folder ********************************
For Each objFile in colFiles
    strFileName = objFile.Name      ' CIM_DataFile.Name is the full path
    objTextFile.WriteLine("permission for file: " & strFileName)
    Set objFileSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFileName & "'")
    intRetVal = objFileSecuritySettings.GetSecurityDescriptor(objSD)   ' objSD is an out parameter (Win32_SecurityDescriptor)
    intControlFlags = objSD.ControlFlags
    If intRetVal <> 0 Then
        objTextFile.WriteLine(vbTab & "GetSecurityDescriptor failed, return code " & intRetVal)
    ElseIf intControlFlags AND SE_DACL_PRESENT Then
        arrACEs = objSD.DACL
        For Each objACE in arrACEs
            objTextFile.WriteLine(objACE.Trustee.Domain & "\" & objACE.Trustee.Name)
            If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
                objTextFile.WriteLine(vbTab & "Allowed:")
            ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
                objTextFile.WriteLine(vbTab & "Denied:")
            End If
            ' FILE_ALL_ACCESS is a multi-bit mask: test that every bit is set, not that any bit is set
            If (objACE.AccessMask AND FILE_ALL_ACCESS) = FILE_ALL_ACCESS Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_ALL_ACCESS ")
            End If
            ' the remaining rights are single bits, so a non-zero AND means the right is granted/denied
            If objACE.AccessMask AND FILE_APPEND_DATA Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_APPEND_DATA ")
            End If
            If objACE.AccessMask AND FILE_DELETE Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_DELETE ")
            End If
            If objACE.AccessMask AND FILE_DELETE_CHILD Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_DELETE_CHILD ")
            End If
            If objACE.AccessMask AND FILE_EXECUTE Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_EXECUTE ")
            End If
            If objACE.AccessMask AND FILE_READ_ATTRIBUTES Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_ATTRIBUTES ")
            End If
            If objACE.AccessMask AND FILE_READ_CONTROL Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_CONTROL ")
            End If
            If objACE.AccessMask AND FILE_READ_DATA Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_DATA ")
            End If
            If objACE.AccessMask AND FILE_READ_EA Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_EA ")
            End If
            If objACE.AccessMask AND FILE_SYNCHRONIZE Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_SYNCHRONIZE ")
            End If
            If objACE.AccessMask AND FILE_WRITE_ATTRIBUTES Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_ATTRIBUTES ")
            End If
            If objACE.AccessMask AND FILE_WRITE_DAC Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_DAC ")
            End If
            If objACE.AccessMask AND FILE_WRITE_DATA Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_DATA ")
            End If
            If objACE.AccessMask AND FILE_WRITE_EA Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_EA ")
            End If
            If objACE.AccessMask AND FILE_WRITE_OWNER Then
                objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_OWNER ")
            End If
        Next
    Else
        objTextFile.WriteLine("No DACL present in security descriptor")
    End If
Next
objTextFile.Close
'************************** end **************************************
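The recursive walk suggested earlier and the per-file DACL dump in the WMI script above, combined in one added PowerShell example (not code from the thread): it walks a root folder, writes one CSV row per ACE with the decoded rights and the raw access mask, and logs folders the auditing account cannot read instead of aborting. $Root and $OutCsv are assumed placeholder values.

```powershell
# Added example: recursive NTFS DACL export with Get-Acl (not from the thread).
# Assumes PowerShell 5.1 or later; $Root and $OutCsv are placeholder values to adjust.
param(
    [string]$Root   = 'D:\Shares',        # assumed root folder to audit
    [string]$OutCsv = 'C:\acl_audit.csv'  # assumed output file
)

$rows   = New-Object System.Collections.Generic.List[object]
$errors = New-Object System.Collections.Generic.List[string]

# The root itself plus everything beneath it; -Force includes hidden and system items.
# Enumeration errors (folders the auditing account cannot list) are collected in $enumErr.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable enumErr)
foreach ($e in $enumErr) { $errors.Add("ENUM: $($e.TargetObject): $($e.Exception.Message)") }

foreach ($item in $items) {
    try {
        # Get-Acl returns owner and DACL; add -Audit to also read the SACL (requires SeSecurityPrivilege).
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Access denied on a single item is logged and skipped so the rest of the audit continues.
        $errors.Add("ACL: $($item.FullName): $($_.Exception.Message)")
        continue
    }
    foreach ($ace in $acl.Access) {
        $rows.Add([pscustomobject]@{
            Path             = $item.FullName
            IsContainer      = $item.PSIsContainer
            Owner            = $acl.Owner
            Identity         = $ace.IdentityReference.Value
            Type             = $ace.AccessControlType                    # Allow or Deny
            Rights           = $ace.FileSystemRights.ToString()          # e.g. Modify, FullControl
            RawMask          = '0x{0:X8}' -f [int]$ace.FileSystemRights  # the same mask the WMI script decodes bit by bit
            IsInherited      = $ace.IsInherited                          # explicit (non-inherited) ACEs are the ones to review
            InheritanceFlags = $ace.InheritanceFlags
            PropagationFlags = $ace.PropagationFlags
        })
    }
}

$rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
$errors -join "`r`n" | Set-Content -LiteralPath ($OutCsv -replace '\.csv$', '_errors.txt')
"Exported $($rows.Count) ACEs from $($items.Count) items; $($errors.Count) errors logged."
```

Run it as an account that at least has read-permissions rights on the share root; the `_errors.txt` file lists every path whose security descriptor could not be read and should itself be reviewed before the migration.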
ASKER CERTIFIED SOLUTION
ASKER
Thanks for all of the help guys, that resource kit tool is exactly what I need.
great, cheers ... :)
you can start with this ... there is more on this site !