Re: NTFS Effective Permissions?

From: Gerry Hickman (gerry666uk_at_yahoo.co.uk)
Date: 12/20/04


Date: Mon, 20 Dec 2004 21:57:13 +0000

Hi Kirk,

I think you are misunderstanding the discussion. The original poster was
not talking about "managing NTFS from script", he was saying he wanted
the "user to be able to see effective permissions instead of having to
use Windows Explorer" - that's two completely different things.

You can already use scripting with NTFS. I use this from JScript to
automate creation of users' home directories. PERL is the superior
language when it comes to scripting, but JScript is the second best and
it's built into Windows.

Kirk Batzer wrote:
> I am also interested in finding easier ways to view and set NTFS File and
> directory ACLs/ACEs via scripts. Scripting tools should also include ways
> to view and set permissions on other objects, such as registry keys and
> values. To dismiss this topic, and to indicate one should only use the
> Windows Explorer Security dialog is a cop-out! This is a scripting
> newsgroup. Unfortunately, there are very few scripting tools from Microsoft
> to perform these functions. To perform these types of tasks you need to get
> into the guts of lower level programming. Unfortunately, this is beyond
> most SysAdmins, but it shouldn't be this way!
>
> There are scripting modules in perl that perform these tasks.
> "Win32::NT_FileSecurity" and "Win32::Perms" provide an interface to ACLS and
> ACEs of files and folders. Win32::Perms claims to provide access beyond
> that of Files and Folders.
>
> I've used these perl scripting tools, and they do work. Be warned, they are
> not for the faint hearted. Documentation and examples are scarce. Listing
> the effective security permissions don't necessarily match "one for one"
> with the access permissions listed in the Advanced Windows Security dialog.
> You also need to be concerned with the inheritance flags, which adds another
> layer of complexity.
>
> The Windows Explorer Security Dialog also has defaults that are not
> necessarily invoked when you set access permissions outside of Windows
> Explorer. I find these tools difficult to understand and only use them to
> view basic account access rights.
>
> I hope Microsoft will someday provide better scriptable methods to the NTFS
> ACL and ACE objects.
>
> Kirk
>
>
> "Al Dunbar [MS-MVP]" <alan-no-drub-spam@hotmail.com> wrote in message
> news:eaekBwS5EHA.4008@TK2MSFTNGP15.phx.gbl...
>
>>"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
>>news:enDE4574EHA.208@TK2MSFTNGP12.phx.gbl...
>>
>>>Hi,
>>>
>>>It partly depends on what you mean by effective permissions?
>>>
>>>But seriously, why would any ordinary user need to be concerned with
>>>this kind of thing? If they're a developer, they probably already know
>>>how to go to the security tab. If they're a "normal" user they shouldn't
>>>need to know.
>>
>>And further to this, there are some permission combinations that prevent
>>the affected user from finding out what the permissions are. IMHO, if the
>>account has sufficient access to actually see the permissions, then the
>>existing tools should suffice.
>>
>>/Al
>>
>>
>>>Lando wrote:
>>>
>>>
>>>>Is there any way via script to display the effective permissions the
>>>>currently logged on user has for a subdirectory? I would like to create a
>>>>script that you could add to the right-click option in explorer that would
>>>>take the current user and subdirectory and show you your effective
>>>>permissions. I know you can do this manually by going to the security tab
>>>>and clicking advanced, searching for your user account but this is too
>>>>confusing for our users. I just don't know where to start.
>>>>
>>>>Thanks.
>>>>
>>>>
>>>
>>>
>>>--
>>>Gerry Hickman (London UK)
>>
>>
>
>

-- 
Gerry Hickman (London UK)
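
An added example, not code from anyone in this thread: one way to approach the original question in PowerShell, walking the folder's DACL for the current user's token SIDs and skipping inherit-only ACEs (the inheritance-flag complication mentioned in the quoted reply). The function name `Get-EffectiveRights` is hypothetical, and the result is an approximation that assumes a canonically ordered DACL and ignores share permissions, privileges, and the owner's implicit rights.

```powershell
# Added example: approximate the current user's effective NTFS rights on a path.
function Get-EffectiveRights {
    param([Parameter(Mandatory)][string]$LiteralPath)

    # SIDs carried by the caller's token: the user plus each group.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $acl  = Get-Acl -LiteralPath $LiteralPath
    $aces = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])

    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted = 0
    $denied  = 0

    foreach ($ace in $aces) {
        # Ignore ACEs for principals that are not in the token.
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }

        # Inherit-only ACEs exist to be copied to children; they do not
        # apply to this object itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }

        # Note: generic rights bits (GENERIC_ALL etc.) are not expanded here.
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            # A deny only blocks bits that no earlier ACE already granted.
            $denied = $denied -bor ($mask -band (-bnot $granted))
        } else {
            # An allow only grants bits that no earlier ACE already denied.
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }

    $type = [System.Security.AccessControl.FileSystemRights]
    [pscustomobject]@{
        Path    = $LiteralPath
        User    = $id.Name
        Granted = [Enum]::ToObject($type, $granted)
        Denied  = [Enum]::ToObject($type, $denied)
    }
}

# Usage: report on the current directory.
Get-EffectiveRights -LiteralPath (Get-Location).Path
```

`Get-Acl` fails if the caller lacks permission to read the security descriptor, which is the situation described in the quoted reply about users who cannot see their own permissions.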

