recursively browse or capture directory permissions or ACL on windows 2003 server

Need to do some overall auditing of a messy file server(s) structure where several years of adding/removing permissions has resulted in the occasional permission to something that should not exist (or the occasional adding of "users" with "ALL" to overcome lack of understanding of permissions in a windows environment).

Regardless of how we got there, need to get ourselves out of the situation as efficiently as possible.

One thought has been using xcacls to dump all the permissions to a file for later parsing or import into a database.  Using the command;
   xcacls d:\new /T /C > fileperm.txt
gives me directories and subdirectories, but also all files which I would like to remove/omit so I just have to deal with directories.

So two options;

1) a script or tool that will dump an entire directory tree along with who has access to what so it can be reviewed easily

2) tweak the above use of xcacls to only dump directories into the output file which i can then parse into a database or something (building my own review mechanism).

Appreciate input.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The cacls/xcacls output is basically impossible to parse.
If you want a more concise list, check this from SystemTools/Somarsoft (my favorite tool):
DumpSec (
Install the download on an XP machine, uncheck "Hyena"; you can then copy DumpSec.exe and the help file to where you want.
You'll get the most concise report possible when you go to Report > Permission Reports Options, check only "Show Permissions", and set the radio button to "Show directories (but not files) whose permissions differ ...".
Showing the owner will create a lot of entries nobody actually cares about when all you want is an NTFS permission report, and file permissions usually aren't that interesting, either.

Or these tools from Sysinternals:
AccessEnum (
AccessChk (
ShareEnum (
Or this one from Scriptlogic:
Security Explorer (

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
daveathsAuthor Commented:
DumpSec = bang on for what I was looking for...

Thanks a bundle.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.