Re: NTFS Effective Permissions?

From: Kirk Batzer (kbatzer_at_rutgers.edu)
Date: 12/20/04


Date: Mon, 20 Dec 2004 14:23:21 -0500

I am also interested in finding easier ways to view and set NTFS file and
directory ACLs/ACEs via scripts. Scripting tools should also include ways
to view and set permissions on other objects, such as registry keys and
values. To dismiss this topic and to indicate one should only use the
Windows Explorer Security dialog is a cop-out! This is a scripting
newsgroup. Unfortunately, there are very few scripting tools from Microsoft
to perform these functions. To perform these types of tasks you need to get
into the guts of lower-level programming. Unfortunately, this is beyond
most SysAdmins, but it shouldn't be this way!

There are scripting modules in Perl that perform these tasks.
"Win32::NT_FileSecurity" and "Win32::Perms" provide an interface to ACLs and
ACEs of files and folders. Win32::Perms claims to provide access beyond
that of files and folders.

I've used these Perl scripting tools, and they do work. Be warned, they are
not for the faint-hearted. Documentation and examples are scarce. The
effective security permissions listed don't necessarily match "one for one"
with the access permissions listed in the Advanced Windows Security dialog.
You also need to be concerned with the inheritance flags, which add another
layer of complexity.

The Windows Explorer Security Dialog also has defaults that are not
necessarily invoked when you set access permissions outside of Windows
Explorer. I find these tools difficult to understand and only use them to
view basic account access rights.

I hope Microsoft will someday provide better scriptable methods to the NTFS
ACL and ACE objects.

Kirk

"Al Dunbar [MS-MVP]" <alan-no-drub-spam@hotmail.com> wrote in message
news:eaekBwS5EHA.4008@TK2MSFTNGP15.phx.gbl...
>
> "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
> news:enDE4574EHA.208@TK2MSFTNGP12.phx.gbl...
>> Hi,
>>
>> It partly depends on what you mean by effective permissions?
>>
>> But seriously, why would any ordinary user need to be concerned with
>> this kind of thing? If they're a developer, they probably already know
>> how to go to the security tab. If they're a "normal" user they shouldn't
>> need to know.
>
> And further to this, there are some permission combinations that prevent the
> affected user from finding out what the permissions are. IMHO, if the
> account has sufficient access to actually see the permissions, then the
> existing tools should suffice.
>
> /Al
>
>> Lando wrote:
>>
>> > Is there any way via script to display the effective permissions the
>> > currently logged on user has for a subdirectory? I would like to create a
>> > script that you could add to the right-click option in explorer that would
>> > take the current user and subdirectory and show you your effective
>> > permissions. I know you can do this manually by going to the security tab
>> > and clicking advanced, searching for your user account but this is too
>> > confusing for our users. I just don't know where to start.
>> >
>> > Thanks.
>> >
>> >
>>
>>
>> --
>> Gerry Hickman (London UK)
>
>
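
Added example, not part of the original thread and not any poster's code: a PowerShell sketch (a shell that postdates this thread) of the question asked above, estimating the current user's effective NTFS rights on a folder from its DACL, including the inheritance-flag handling mentioned in the reply. The function name `Get-ApproxEffectiveRights` is hypothetical. Assumptions: the rules are returned in DACL order, and owner rights, privileges, share-level permissions and generic-rights bits are ignored, so the result is an approximation.

```powershell
# Added example: approximate the current user's effective NTFS rights on a folder.
function Get-ApproxEffectiveRights {
    param([Parameter(Mandatory = $true)][string]$Path)

    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $full = [int]$fsr::FullControl   # mask of the file-specific and standard rights bits
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # SIDs carried by the caller: the user plus the groups .NET reports for the token.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $granted = 0
    $denied  = 0
    foreach ($r in $rules) {
        # Skip ACEs for accounts and groups the caller does not hold.
        if ($sids -notcontains $r.IdentityReference.Value) { continue }
        # An InheritOnly ACE is a template for child objects; it does not apply here.
        if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        # The first applicable ACE that mentions a bit decides it (assumes DACL order).
        # Generic-rights bits fall outside $full and are dropped (labelled limitation).
        $mask      = [int]$r.FileSystemRights -band $full
        $undecided = $mask -band (-bnot ($granted -bor $denied))
        if ($r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $denied = $denied -bor $undecided
        } else {
            $granted = $granted -bor $undecided
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Account = $id.Name
        Granted = [Enum]::ToObject($fsr, $granted)
        Denied  = [Enum]::ToObject($fsr, $denied)
    }
}

# Example call against the current directory.
Get-ApproxEffectiveRights -Path (Get-Location).Path | Format-List
```

`Get-Acl` fails when the account cannot read the folder's security descriptor, which is the situation the quoted reply describes where a user cannot find out what the permissions are.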


