RE: Show folder Inheritance via script



First, I'm far from being an expert on folder security and inheritance. But
since no one else has responded to you and I'm in the same boat as you, I'll
take a shot.

If you are looking to acquire the parent folder information displayed in the
"Inherit From" column on a folder's Advanced Security tab, my research indicates
that a WMI VBScript will not provide it. However, there is information that
a VBScript can provide that will "indicate" the inheritance information you
may be wanting.

The Win32_LogicalFileSecuritySetting Class has a controlFlag
"SE_DACL_PROTECTED" that prevents the DACL of the Security Descriptor (SD)
from being modified by inheritable ACEs. If I'm reading the TechNet article
"How Security Descriptors and Access Control Lists Work" correctly, when the
"Inherit from parent the permission entries that apply to child objects" option
is disabled on the Advanced Security tab, this flag gets turned on.

Moreover, the "GetSecurityDescriptor Method of the
Win32_LogicalFileSecuritySetting Class" returns an object's AccessMask
(permissions), AceFlags (child inheritance), and AceType (Access
Allowed/Denied) for each object's Trustee (Group or User Account). The flag
"INHERITED_ACE" in the AceFlags is set when the system propagates an inherited
ACE to a child object.

Based upon this information and other scripts I found on the web, I've just
recently created a script that: (1) Allows you to control how many subfolders
to recurse; (2) Determines if "Inherit from parent the permission .." is
enabled on a folder; (3) Determines each trustee's security permissions; (4)
Determines if a trustee's permissions on a folder are the same permissions as
the parent folder's, which may help in determining inheritance or at least give
you a good idea; (5) Determines if the permissions are inherited; (6) Determines
the folder's owner; (7) Lists the trustees (if they are a local or domain group
I also output their members); and reports it to an Excel spreadsheet (so
you'll need Excel on the running PC or change all my Excel formatting to FSO
WriteLines). Also, it allows you to run it against remote systems.

However, I can't say that the information it acquires is foolproof or that I
haven't made a mistake in my understanding of the whole SD topic. For
example, you can disable the "Inherit from parent the permission .." but
copy the trustees to the folder. So the "SE_DACL_PROTECTED" flag is set but
I believe that the "INHERITED_ACE" is also still set on the trustees copied
because they originally were inherited from the parent folder when the folder
was created.

If you want it, I'll give you a copy. I'm still in the testing phase, so it
will be a couple of days before it is available. The script is pretty long
so it might be best if I e-mail it to you (you might want to get a hotmail
account).

Another option is XCACLS.vbs, downloaded from Microsoft. Be aware that it also
can be used to set permissions, and the output (for as little as I used it and
can remember) leaves much to be desired. It is certainly not something I
would provide to a customer, who is usually the one determining
the permission settings in the first place. But it still has its uses.

You may also want to take a look at the 2006 TechNet article "Hey, Scripting
Guy! We All Scream for Security Descriptors."

Dean






"chessexpert" wrote:

I have a huge and complex folder structure, and I would like to know which
folders do not have inheritance set.
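Added example, not part of the original post and not Dean's script: a Python sketch of the flag checks described above, applied to the values that GetSecurityDescriptor returns (ControlFlags on the descriptor; AccessMask, AceFlags and AceType on each ACE). The dictionary layout, the helper names and all sample folders and values are constructed for illustration; collecting the values from WMI is left out.

```python
# Added example. Sample records are constructed; keys mirror the WMI property names.
SE_DACL_PROTECTED = 0x1000  # ControlFlags bit: DACL not modified by inheritable ACEs
INHERITED_ACE = 0x10        # AceFlags bit: ACE was propagated from a parent
ACE_TYPE = {0: "Allow", 1: "Deny"}

def summarize(folder):
    """Inheritance facts for one folder's security descriptor."""
    protected = bool(folder["ControlFlags"] & SE_DACL_PROTECTED)
    inherited = [a for a in folder["DACL"] if a["AceFlags"] & INHERITED_ACE]
    return {
        "path": folder["Path"],
        "protected": protected,
        "inherited": len(inherited),
        "explicit": len(folder["DACL"]) - len(inherited),
        # Both bits present at once: flag the folder for a manual look.
        "review": protected and bool(inherited),
    }

def same_as_parent(child, parent):
    """Compare trustee/type/mask triples, ignoring AceFlags."""
    def rights(f):
        return {(a["Trustee"], a["AceType"], a["AccessMask"]) for a in f["DACL"]}
    return rights(child) == rights(parent)

def folders_without_inheritance(folders):
    return [f["Path"] for f in folders if summarize(f)["protected"]]

def ace(trustee, mask, flags, ace_type=0):
    return {"Trustee": trustee, "AccessMask": mask,
            "AceFlags": flags, "AceType": ace_type}

# Constructed sample: 0x13 = inherited + object/container inherit, 0x03 = explicit.
SAMPLE = [
    {"Path": r"C:\Data", "ControlFlags": 0x8404, "DACL": [
        ace("BUILTIN\\Administrators", 0x1F01FF, 0x13),
        ace("BUILTIN\\Users", 0x1200A9, 0x13)]},
    {"Path": r"C:\Data\HR", "ControlFlags": 0x9404, "DACL": [
        ace("BUILTIN\\Administrators", 0x1F01FF, 0x03),
        ace("EXAMPLE\\HR-Staff", 0x1301BF, 0x03)]},
    {"Path": r"C:\Data\Public", "ControlFlags": 0x8404, "DACL": [
        ace("BUILTIN\\Administrators", 0x1F01FF, 0x13),
        ace("BUILTIN\\Users", 0x1200A9, 0x13)]},
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(summarize(f))
        for a in f["DACL"]:
            print("   ", ACE_TYPE[a["AceType"]], a["Trustee"], hex(a["AccessMask"]))
    print("Inheritance blocked on:", folders_without_inheritance(SAMPLE))
```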