• Status: Solved

Recursively browse or capture directory permissions or ACL on Windows 2003 server

Need to do some overall auditing of a messy file server(s) structure where several years of adding/removing permissions has resulted in the occasional permission to something that should not exist (or the occasional adding of "users" with "ALL" to overcome lack of understanding of permissions in a Windows environment).

Regardless of how we got there, need to get ourselves out of the situation as efficiently as possible.

One thought has been using xcacls to dump all the permissions to a file for later parsing or import into a database.  Using the command;
   xcacls d:\new /T /C > fileperm.txt
gives me directories and subdirectories, but also all files which I would like to remove/omit so I just have to deal with directories.

So two options;

1) a script or tool that will dump an entire directory tree along with who has access to what so it can be reviewed easily

2) tweak the above use of xcacls to only dump directories into the output file which I can then parse into a database or something (building my own review mechanism).

Appreciate input.
1 Solution
The cacls/xcacls output is basically impossible to parse.
If you want a more concise list, check this from SystemTools/Somarsoft (my favorite tool):
DumpSec (http://www.systemtools.com/somarsoft)
Install the download on an XP machine, uncheck "Hyena"; you can then copy DumpSec.exe and the help file to where you want.
You'll get the most concise report possible when you go to Report > Permission Reports Options, check only "Show Permissions", and set the radio button to "Show directories (but not files) whose permissions differ ...".
Showing the owner will create a lot of entries nobody actually cares about when all you want is an NTFS permission report, and file permissions usually aren't that interesting, either.

Or these tools from Sysinternals:
AccessEnum (http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx)
AccessChk (http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx)
ShareEnum (http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx)
Or this one from Scriptlogic:
Security Explorer (http://www.scriptlogic.com/products/securityexplorer/)
daveaths (Author) Commented:
DumpSec = bang on for what I was looking for...

Thanks a bundle.
Question has a verified solution.
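
An added example, not part of the original thread or any of the tools named in it: a Windows PowerShell script for the question's option 2, writing one CSV row per access control entry for directories only so the result can be loaded into a database. It assumes Windows PowerShell 2.0 or later and English account names; `Get-DirectoryAce`, `$OutFile` and the `$broad` review list are hypothetical names chosen here, and `D:\new` is the path from the question.

```powershell
# Added example: directory-only NTFS ACL dump, one CSV row per ACE.
param(
    [string]$Root    = 'D:\new',        # path from the question; adjust as needed
    [string]$OutFile = 'dirperm.csv',   # assumed output file name
    [switch]$IncludeInherited           # default: only ACEs set directly on a directory
)

# Principals that usually indicate an over-broad grant (assumed review list).
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-DirectoryAce {
    param([string]$Path, [switch]$IncludeInherited)

    $rootItem = Get-Item -LiteralPath $Path -Force
    # Root first, then every subdirectory; PSIsContainer filters out files.
    $dirs = @($rootItem) + @(
        Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer })

    foreach ($dir in $dirs) {
        # Read only the DACL; unreadable directories are reported, not fatal.
        try   { $acl = $dir.GetAccessControl('Access') }
        catch { Write-Warning "Cannot read ACL: $($dir.FullName)"; continue }

        $isRoot = $dir.FullName -eq $rootItem.FullName
        $rules  = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($ace in $rules) {
            # Inherited ACEs repeat the parent's entry; keep them for the root
            # so the baseline is visible, skip them below unless requested.
            if ($ace.IsInherited -and -not $IncludeInherited -and -not $isRoot) { continue }

            New-Object PSObject -Property @{
                Path        = $dir.FullName
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.FileSystemRights
                IsInherited = $ace.IsInherited
                Broad       = ($broad -contains $ace.IdentityReference.Value)
            } | Select-Object Path, Identity, Type, Rights, IsInherited, Broad
        }
    }
}

Get-DirectoryAce -Path $Root -IncludeInherited:$IncludeInherited |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Rows with `Broad` set to `True` and `IsInherited` set to `False` are the directories where a wide group was granted access directly, which is the pattern the question describes.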
