How can I audit DACLs, SACLs, ACEs etc. on an NTFS file server

Hello everyone,

I am currently trying to document everything I can about an Active Directory domain before I begin a migration. Very simply, Company A is being split into Company A and B, which are currently on a single-forest AD domain and will be split into two separate forests. I need to audit all of the (NTFS partitions, of course) directories on all of the file servers and export all of the DACLs etc. to a text file, Excel file, anything; it doesn't really matter. Anyone have experience with this, or seen a VBScript or third-party software that will do this? Any help is greatly appreciated.
haim96 Commented:
And I have another solution for you (probably simpler):
you can use the command "showacls.exe"; I found it in the Windows 2003 Resource Kit.
It will show you all the ACLs on folders and subfolders but NOT for files.

c:\showacls.exe  /s c:\  >LOG.txt

This will export the results into log.txt.

You can start with this ... there is more on this site!
genoint (Author) Commented:
As far as I can tell that script will only read a single file's DACL and doesn't export to a file. I actually need to parse a very large directory hierarchy and export the DACLs for all of the folders and files etc...

You need to add a recursive loop, something like: for each file in the folder get the ACLs ....
But I think there will be a limit on how deep the script can go.
Something like this:

You can find it all on this site and compose the script you need.
genoint (Author) Commented:
OK, I will take a look and see if I can figure it out; leaving the office right now. Thanks for the help... I am definitely not a VBScript expert, so I will see what I can do over the weekend.
OK, I created something simple for you that will output the permissions of the files in a specific folder.
There are some things that you need to set, like the folder path and the log file.
Note that it can produce very long log files, and a script that checks all of the computer's files
could fail because of a memory issue (I tried it and it failed ...).

Hope it will be useful for you.  :)

'******************* start ******************************************
' Settings: the folder whose files are checked (WMI wants the path with
' doubled backslashes and a trailing one) and the log file for the output.
strComputer = "."
strDrive    = "C:"                 ' drive letter of the folder to check
strFolder   = "\\FOLDERNAME\\"     ' folder in WMI form, e.g. "\\Shares\\Finance\\"
strLogFile  = "c:\files_log.txt"

' Constants from the Win32 security API. They must be defined here: an
' undefined name in VBScript is Empty, so every "AND" test would be False.
SE_DACL_PRESENT         = &h000004
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE  = 1

FILE_ALL_ACCESS       = &h1f01ff
FILE_APPEND_DATA      = &h000004
FILE_DELETE           = &h010000
FILE_DELETE_CHILD     = &h000040
FILE_EXECUTE          = &h000020
FILE_READ_ATTRIBUTES  = &h000080
FILE_READ_CONTROL     = &h020000
FILE_READ_DATA        = &h000001
FILE_READ_EA          = &h000008
FILE_SYNCHRONIZE      = &h100000
FILE_WRITE_ATTRIBUTES = &h000100
FILE_WRITE_DAC        = &h040000
FILE_WRITE_DATA       = &h000002
FILE_WRITE_EA         = &h000010
FILE_WRITE_OWNER      = &h080000

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

'********* set the folder to check *******************************
Set colFiles = objWMIService.ExecQuery( _
    "Select * from CIM_DataFile where Drive = '" & strDrive & "' and Path = '" & strFolder & "'")

'*********  create the LOG file for output ***********************
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strLogFile, 8, True)   ' 8 = ForAppending

'*********  read the files from folder ***************************
For Each objFile in colFiles
    strFileName = objFile.Name
    objTextFile.WriteLine("permission for file: " & strFileName)

    ' Win32_LogicalFileSecuritySetting exposes the file's security descriptor
    Set objFileSecuritySettings = objWMIService.Get( _
        "Win32_LogicalFileSecuritySetting='" & strFileName & "'")
    intRetVal = objFileSecuritySettings.GetSecurityDescriptor(objSD)

    If intRetVal <> 0 Then
        objTextFile.WriteLine(vbTab & "GetSecurityDescriptor failed, return code " & intRetVal)
    Else
        intControlFlags = objSD.ControlFlags

        If intControlFlags AND SE_DACL_PRESENT Then
            arrACEs = objSD.DACL
            For Each objACE in arrACEs
                objTextFile.WriteLine(objACE.Trustee.Domain & "\" & objACE.Trustee.Name)
                If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
                    objTextFile.WriteLine(vbTab & "Allowed:")
                ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
                    objTextFile.WriteLine(vbTab & "Denied:")
                End If
                ' FILE_ALL_ACCESS is a combination of bits, so the whole mask is tested
                If (objACE.AccessMask AND FILE_ALL_ACCESS) = FILE_ALL_ACCESS Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_ALL_ACCESS ")
                End If
                If objACE.AccessMask AND FILE_APPEND_DATA Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_APPEND_DATA ")
                End If
                If objACE.AccessMask AND FILE_DELETE Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_DELETE ")
                End If
                If objACE.AccessMask AND FILE_DELETE_CHILD Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_DELETE_CHILD ")
                End If
                If objACE.AccessMask AND FILE_EXECUTE Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_EXECUTE ")
                End If
                If objACE.AccessMask AND FILE_READ_ATTRIBUTES Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_ATTRIBUTES ")
                End If
                If objACE.AccessMask AND FILE_READ_CONTROL Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_CONTROL ")
                End If
                If objACE.AccessMask AND FILE_READ_DATA Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_DATA ")
                End If
                If objACE.AccessMask AND FILE_READ_EA Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_READ_EA ")
                End If
                If objACE.AccessMask AND FILE_SYNCHRONIZE Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_SYNCHRONIZE ")
                End If
                If objACE.AccessMask AND FILE_WRITE_ATTRIBUTES Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_ATTRIBUTES ")
                End If
                If objACE.AccessMask AND FILE_WRITE_DAC Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_DAC ")
                End If
                If objACE.AccessMask AND FILE_WRITE_DATA Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_DATA ")
                End If
                If objACE.AccessMask AND FILE_WRITE_EA Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_EA ")
                End If
                If objACE.AccessMask AND FILE_WRITE_OWNER Then
                    objTextFile.WriteLine(vbTab & vbTab & "FILE_WRITE_OWNER ")
                End If
            Next
        Else
            objTextFile.WriteLine("No DACL present in security descriptor")
        End If
    End If
Next

objTextFile.Close
'**************************  end ******************************************
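The recursive export the thread is after (folders and files, and optionally the SACL the question also asks about) can be done with Get-Acl; the script below is an added PowerShell example, not code from the thread or from the Resource Kit, and $Root, $OutCsv and the New-AclRow helper are placeholder names chosen here.

```powershell
param(
    [string]$Root        = 'D:\Shares',              # placeholder: root of the tree to audit
    [string]$OutCsv      = 'C:\temp\acl_audit.csv',  # placeholder: output file
    [switch]$IncludeSacl                             # also export audit ACEs (the SACL)
)

# Build one uniform row per ACE so Export-Csv writes the same columns for every entry.
function New-AclRow($Item, $Owner, $AclType, $Ace, $Note = '') {
    $type = ''
    if ($AclType -eq 'DACL') { $type = $Ace.AccessControlType.ToString() }  # Allow / Deny
    if ($AclType -eq 'SACL') { $type = $Ace.AuditFlags.ToString() }         # Success / Failure
    [pscustomobject]@{
        Path        = $Item.FullName
        Kind        = if ($Item.PSIsContainer) { 'DIR' } else { 'FILE' }
        Owner       = $Owner
        AclType     = $AclType                                   # DACL, SACL or ERROR
        Identity    = if ($Ace) { $Ace.IdentityReference.Value } else { '' }
        Type        = $type
        Rights      = if ($Ace) { $Ace.FileSystemRights.ToString() } else { $Note }
        Inherited   = if ($Ace) { $Ace.IsInherited } else { '' }
        Inheritance = if ($Ace) { $Ace.InheritanceFlags.ToString() } else { '' }
        Propagation = if ($Ace) { $Ace.PropagationFlags.ToString() } else { '' }
    }
}

$rows = [System.Collections.Generic.List[object]]::new()

# The root itself plus every folder and file beneath it; -Force includes hidden items.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    # -Audit reads the SACL and needs SeSecurityPrivilege (an elevated admin session).
    $getAclArgs = @{ LiteralPath = $item.FullName; Audit = [bool]$IncludeSacl; ErrorAction = 'Stop' }
    try {
        $acl = Get-Acl @getAclArgs
    } catch {
        # Keep a row for paths that could not be read instead of dropping them silently.
        $rows.Add((New-AclRow $item '' 'ERROR' $null $_.Exception.Message))
        continue
    }
    foreach ($ace in $acl.Access) { $rows.Add((New-AclRow $item $acl.Owner 'DACL' $ace)) }
    if ($IncludeSacl) {
        foreach ($ace in $acl.Audit) { $rows.Add((New-AclRow $item $acl.Owner 'SACL' $ace)) }
    }
}

$rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
```

The Inherited column is what makes the CSV useful for a migration review: filtering it to False lists only the explicit ACEs, which are the ones that have to be recreated against the new forest's principals.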
genoint (Author) Commented:
Thanks for all of the help guys, that Resource Kit tool is exactly what I need.
Great, cheers ...  :)