Link to home
Start Free TrialLog in
Avatar of meciab
meciabFlag for Belgium

asked on

List ACL from a file server: how to avoid execution error if I don't have read rights on some folders?

Hi all,

I need to know all the ntfs rights of all folders on a file server for migration purposes.
There are some folders where it seems I don't have the right to read acl, so the script crashes at run time (after several hours).

Can you guys help me add to the following script the error control/ acl test/whatever so the script just bypasses folders where I don't have the rights?

Thanks
Set FSO = CreateObject("Scripting.FileSystemObject")
ShowSubfolders FSO.GetFolder("d:\")

Sub ShowSubFolders(Folder)
    On Error Resume Next
    For Each Subfolder in Folder.SubFolders
        acl Subfolder.Path
        ShowSubFolders Subfolder
    Next
End Sub

Function acl(folder)
    On Error Resume Next
    strFolderName = folder
    
    SE_DACL_PRESENT = &h4
    ACCESS_ALLOWED_ACE_TYPE = &h0
    ACCESS_DENIED_ACE_TYPE  = &h1
    
    FILE_ALL_ACCESS         = &h1f01ff
    FOLDER_ADD_SUBDIRECTORY = &h000004
    FILE_DELETE             = &h010000
    FILE_DELETE_CHILD       = &h000040
    FOLDER_TRAVERSE         = &h000020
    FILE_READ_ATTRIBUTES    = &h000080
    FILE_READ_CONTROL       = &h020000
    FOLDER_LIST_DIRECTORY   = &h000001
    FILE_READ_EA            = &h000008
    FILE_SYNCHRONIZE        = &h100000
    FILE_WRITE_ATTRIBUTES   = &h000100
    FILE_WRITE_DAC          = &h040000
    FOLDER_ADD_FILE         = &h000002
    FILE_WRITE_EA           = &h000010
    FILE_WRITE_OWNER        = &h080000
    
    Set objWMIService = GetObject("winmgmts:")
    Set objFolderSecuritySettings = _
    objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
    intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)
    
    intControlFlags = objSD.ControlFlags
    
    If intControlFlags AND SE_DACL_PRESENT Then
       arrACEs = objSD.DACL
       For Each objACE in arrACEs
          permission = strFolderName & ";"
          permission =  permission & objACE.Trustee.Domain & "\" & objACE.Trustee.Name & ";"
          
          If objACE.AceType = ACCESS_ALLOWED_ACE_TYPE Then
             permission =  permission & "Allowed:" & ";"
          ElseIf objACE.AceType = ACCESS_DENIED_ACE_TYPE Then
             permission =  permission & "Denied:" & ";"
          End If
          If objACE.AccessMask AND FILE_ALL_ACCESS Then
             permission =  permission &  "FILE_ALL_ACCESS " & ";"
          End If
          If objACE.AccessMask AND FOLDER_ADD_SUBDIRECTORY Then
             permission =  permission &  " FOLDER_ADD_SUBDIRECTORY " & ";"
          End If
          If objACE.AccessMask AND FILE_DELETE Then
             permission =  permission &  "FILE_DELETE " & ";"
          End If
          If objACE.AccessMask AND FILE_DELETE_CHILD Then
             permission =  permission &   "FILE_DELETE_CHILD " & ";"
          End If
          If objACE.AccessMask AND FOLDER_TRAVERSE Then
             permission =  permission & " FOLDER_TRAVERSE " & ";"
          End If
          If objACE.AccessMask AND FILE_READ_ATTRIBUTES Then
             permission =  permission &  "FILE_READ_ATTRIBUTES " & ";"
          End If
          If objACE.AccessMask AND FILE_READ_CONTROL Then
             permission =  permission &  "FILE_READ_CONTROL " & ";"
          End If
          If objACE.AccessMask AND FOLDER_LIST_DIRECTORY Then
             permission =  permission &  " FOLDER_LIST_DIRECTORY " & ";"
          End If
          If objACE.AccessMask AND FILE_READ_EA Then
             permission =  permission &  "FILE_READ_EA " & ";"
          End If
          If objACE.AccessMask AND FILE_SYNCHRONIZE Then
             permission =  permission &  "FILE_SYNCHRONIZE " & ";"
          End If
          If objACE.AccessMask AND FILE_WRITE_ATTRIBUTES Then
             permission =  permission & "FILE_WRITE_ATTRIBUTES " & ";"
          End If
          If objACE.AccessMask AND FILE_WRITE_DAC Then
             permission =  permission &  "FILE_WRITE_DAC " & ";"
          End If
          If objACE.AccessMask AND FOLDER_ADD_FILE Then
             permission =  permission &  " FOLDER_ADD_FILE " & ";"
          End If
          If objACE.AccessMask AND FILE_WRITE_EA Then
             permission =  permission &  "FILE_WRITE_EA " & ";"
          End If
          If objACE.AccessMask AND FILE_WRITE_OWNER Then
             permission =  permission &  "FILE_WRITE_OWNER " & ";"
          End If
          WScript.Echo permission
       Next
    Else
       WScript.Echo "No DACL present in security descriptor"
    End If
    acl = 1
End Function

Open in new window

Avatar of Chris Dent
Chris Dent
Flag of United Kingdom of Great Britain and Northern Ireland image

You already have On Error Resume Next covering most of the script. Where does it crash?

Chris
Avatar of meciab
meciab
Flag of Belgium image

ASKER

Yeah that's why I don't understand.
It crashes when trying to open a folder where I don't have the rights, I suppose in the recursive subfolder browse. The thing is, it's a huge file server and I don't know how many folders will cause the issue so I don't want to bypass a specific one, I want it to bypass all possible read errors...
ASKER CERTIFIED SOLUTION
Avatar of Chris Dent
Chris Dent
Flag of United Kingdom of Great Britain and Northern Ireland image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of meciab
meciab
Flag of Belgium image

ASKER

Moving On error Resume Next to the top worked.
Thanks