Re: NTFS Effective Permissions?
From: Al Dunbar [MS-MVP] (alan-no-drub-spam_at_hotmail.com)
Date: 12/21/04
Date: Mon, 20 Dec 2004 19:30:54 -0700
"Kirk Batzer" <kbatzer@rutgers.edu> wrote in message
news:eLSafls5EHA.2124@TK2MSFTNGP15.phx.gbl...
> I am also interested in finding easier ways to view and set NTFS File and
> directory ACLs/ACEs via scripts. Scripting tools should also include ways
> to view and set permissions on other objects, such as registry keys and
> values. To dismiss this topic, and to indicate one should only use the
> Windows Explorer Security dialog is a cop-out! This is a scripting
> newsgroup. Unfortunately, there are very few scripting tools from Microsoft
> to perform these functions. To perform these types of tasks you need to get
> into the guts of lower level programming. Unfortunately, this is beyond
> most SysAdmins, but it shouldn't be this way!
>
> There are scripting modules in Perl that perform these tasks.
> "Win32::NT_FileSecurity" and "Win32::Perms" provide an interface to ACLs and
> ACEs of files and folders. Win32::Perms claims to provide access beyond
> that of Files and Folders.
>
> I've used these Perl scripting tools, and they do work. Be warned, they are
> not for the faint hearted. Documentation and examples are scarce. Listing
> the effective security permissions doesn't necessarily match "one for one"
> with the access permissions listed in the Advanced Windows Security dialog.
> You also need to be concerned with the inheritance flags, which adds another
> layer of complexity.
>
> The Windows Explorer Security Dialog also has defaults that are not
> necessarily invoked when you set access permissions outside of Windows
> Explorer. I find these tools difficult to understand and only use them to
> view basic account access rights.
>
> I hope Microsoft will someday provide better scriptable methods to the NTFS
> ACL and ACE objects.

Yeah, 'twould be nice. But I wouldn't hold my breath on this one if I were
you.

Under the hood, security is very detailed and granular, and much of it is
difficult to relate to the kinds of permissions and restrictions that one is
often wanting to place on folders and files. The security tab on the
Explorer file/folder property dialog also carries more detail than one would
think should be necessary, but even this is a simplification of the really
detailed set of ACLs/ACEs under the hood.

For example, I often see NTFS objects whose security settings as displayed
in the GUI are identical, while a script that uses ADsSecurity.dll to
display the detailed security settings shows that they are not the same. I
assume that this has something to do with how permissions were inherited by
the objects and/or how they were created.

If they attempted to superimpose a layer of sensibility on this whole domain
at the scripting level, I think they would be making the same mistake that
has been made elsewhere where the nitty gritty details get bound up in a
presentation layer of sorts. What *would* be nice would be a good
explanation of just exactly what is meant by the terminology used at the
low level, and what it actually does.

/Al

> Kirk
>
>
> "Al Dunbar [MS-MVP]" <alan-no-drub-spam@hotmail.com> wrote in message
> news:eaekBwS5EHA.4008@TK2MSFTNGP15.phx.gbl...
> >
> > "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
> > news:enDE4574EHA.208@TK2MSFTNGP12.phx.gbl...
> >> Hi,
> >>
> >> It partly depends on what you mean by effective permissions?
> >>
> >> But seriously, why would any ordinary user need to be concerned with
> >> this kind of thing? If they're a developer, they probably already know
> >> how to go to the security tab. If they're a "normal" user they shouldn't
> >> need to know.
> >
> > And further to this, there are some permission combinations that prevent
> > the affected user from finding out what the permissions are. IMHO, if the
> > account has sufficient access to actually see the permissions, then the
> > existing tools should suffice.
> >
> > /Al
> >
> >> Lando wrote:
> >>
> >> > Is there any way via script to display the effective permissions the
> >> > currently logged on user has for a subdirectory? I would like to create a
> >> > script that you could add to the right-click option in explorer that would
> >> > take the current user and subdirectory and show you your effective
> >> > permissions. I know you can do this manually by going to the security tab
> >> > and clicking advanced, searching for your user account but this is too
> >> > confusing for our users. I just don't know where to start.
> >> >
> >> > Thanks.
> >> >
> >> >
> >>
> >>
> >> --
> >> Gerry Hickman (London UK)
> >
> >
>
>
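
Added example (not part of the thread and not any poster's code): the inheritance flags mentioned in this message are one way two objects can match in a coarse "who has which rights" summary yet differ at the ACE level. The sketch below parses the DACL from the SDDL text form of a security descriptor and reports entries whose flags differ. The two descriptors and all function names are constructed for illustration; it compares ACEs only and does not compute effective permissions.

```python
import re

# Constructed sample descriptors (not from the thread). Both grant Full Access
# (FA) to BA and read/execute (0x1200a9) to BU; only the ACE flags differ.
FOLDER_A = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
FOLDER_B = "O:BAG:SYD:AI(A;OICI;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"

ACE_TYPES = {"A": "allow", "D": "deny"}

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part of an SDDL string, in order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL ACEs found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _, _, trustee = fields[:6]
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": tuple(sorted(re.findall("..", flags))),  # e.g. OI, CI, ID
            "rights": rights,
            "trustee": trustee,
        })
    return aces

def summary(aces):
    """Coarse view: who is allowed or denied what, ignoring ACE flags."""
    return sorted({(a["type"], a["trustee"], a["rights"]) for a in aces})

def detail(aces):
    """Map each coarse entry to the flag sets of the ACEs behind it."""
    view = {}
    for a in aces:
        key = (a["type"], a["trustee"], a["rights"])
        view.setdefault(key, []).append(a["flags"])
    return {k: sorted(v) for k, v in view.items()}

def flag_differences(sddl_a, sddl_b):
    """Entries that match in the coarse view but differ in ACE flags."""
    a, b = detail(parse_dacl(sddl_a)), detail(parse_dacl(sddl_b))
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}

if __name__ == "__main__":
    print(summary(parse_dacl(FOLDER_A)) == summary(parse_dacl(FOLDER_B)))
    for key, (fa, fb) in flag_differences(FOLDER_A, FOLDER_B).items():
        print(key, "A:", fa, "B:", fb)
```

In the sample, the BU entry on FOLDER_B carries the ID (inherited) flag while the same entry on FOLDER_A is explicit. On a current Windows system an SDDL string for a path can be read with PowerShell's (Get-Acl <path>).Sddl.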