Re: NTFS Effective Permissions?


From: Kirk Batzer (kbatzer_at_rutgers.edu)
Date: 12/21/04


Date: Tue, 21 Dec 2004 10:10:47 -0500

Hello Gerry,

I took this discussion to manage file or directory permissions via a script
and not be forced to MANUALLY use the Advanced Security settings in the
Windows Explorer.

I may have taken this a little far, but when I read the discussion I just
went into a frenzy and unloaded some thoughts.

Kirk

"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:unvIb7t5EHA.2788@TK2MSFTNGP15.phx.gbl...
> Hi Kirk,
>
> I think you are misunderstanding the discussion. The original poster was
> not talking about "managing NTFS from script", he was saying he wanted the
> "user to be able to see effective permissions instead of having to use
> Windows Explorer" - that's two completely different things.
>
> You can already use scripting with NTFS. I use this from JScript to
> automate creation of users' home directories. PERL is the superior
> language when it comes to scripting, but JScript is the second best and
> it's built into Windows.
>
> Kirk Batzer wrote:
>> I am also interested in finding easier ways to view and set NTFS File and
>> directory ACLs/ACEs via scripts. Scripting tools should also include
>> ways to view and set permissions on other objects, such as registry keys
>> and values. To dismiss this topic, and to indicate one should only use
>> the Windows Explorer Security dialog is a cop-out! This is a scripting
>> newsgroup. Unfortunately, there are very few scripting tools from
>> Microsoft to perform these functions. To perform these types of tasks you
>> need to get into the guts of lower level programming. Unfortunately,
>> this is beyond most SysAdmins, but it shouldn't be this way!
>>
>> There are scripting modules in perl that perform these tasks.
>> "Win32::NT_FileSecurity" and "Win32::Perms" provide an interface to ACLs
>> and ACEs of files and folders. Win32::Perms claims to provide access
>> beyond that of Files and Folders.
>>
>> I've used these perl scripting tools, and they do work. Be warned, they
>> are not for the faint hearted. Documentation and examples are scarce.
>> Listing the effective security permissions doesn't necessarily match "one
>> for one" with the access permissions listed in the Advanced Windows
>> Security dialog. You also need to be concerned with the inheritance
>> flags, which adds another layer of complexity.
>>
>> The Windows Explorer Security Dialog also has defaults that are not
>> necessarily invoked when you set access permissions outside of Windows
>> Explorer. I find these tools difficult to understand and only use them
>> to view basic account access rights.
>>
>> I hope Microsoft will someday provide better scriptable methods to the
>> NTFS ACL and ACE objects.
>>
>> Kirk
>>
>>
>> "Al Dunbar [MS-MVP]" <alan-no-drub-spam@hotmail.com> wrote in message
>> news:eaekBwS5EHA.4008@TK2MSFTNGP15.phx.gbl...
>>
>>>"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
>>>news:enDE4574EHA.208@TK2MSFTNGP12.phx.gbl...
>>>
>>>>Hi,
>>>>
>>>>It partly depends on what you mean by effective permissions?
>>>>
>>>>But seriously, why would any ordinary user need to be concerned with
>>>>this kind of thing? If they're a developer, they probably already know
>>>>how to go to the security tab. If they're a "normal" user they shouldn't
>>>>need to know.
>>>
>>>And further to this, there are some permission combinations that prevent
>>>the affected user from finding out what the permissions are. IMHO, if the
>>>account has sufficient access to actually see the permissions, then the
>>>existing tools should suffice.
>>>
>>>/Al
>>>
>>>
>>>>Lando wrote:
>>>>
>>>>
>>>>>Is there any way via script to display the effective permissions the
>>>>>currently logged on user has for a subdirectory? I would like to create a
>>>>>script that you could add to the right-click option in explorer that would
>>>>>take the current user and subdirectory and show you your effective
>>>>>permissions. I know you can do this manually by going to the security tab
>>>>>and clicking advanced, searching for your user account but this is too
>>>>>confusing for our users. I just don't know where to start.
>>>>>
>>>>>Thanks.
>>>>>
>>>>>
>>>>
>>>>
>>>>--
>>>>Gerry Hickman (London UK)
>>>
>>>
>>
>>
>
>
> --
> Gerry Hickman (London UK)
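
The question that started this thread (show the logged-on user's effective permissions on a directory) and the point raised about inheritance flags can be illustrated with PowerShell, which postdates the thread. This is an added example, not code from any poster; the function name Get-ApproxEffectiveRights is hypothetical, and the result is an approximation from the DACL alone.

```powershell
# Added example: approximate the current user's effective NTFS rights on a
# directory by walking its DACL in order, as the access check does.
param([string]$Path = (Get-Location).Path)

function Get-ApproxEffectiveRights {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # SIDs carried in the caller's token: the user plus the enabled groups.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Reading the DACL itself needs ReadPermissions; if the ACL withholds it,
    # Get-Acl throws and the user cannot inspect their own access.
    $acl   = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $allowed = 0
    $denied  = 0
    foreach ($ace in $rules) {
        # Inherit-only ACEs exist to be copied to children; they do not
        # apply to this object, so they are skipped.
        if ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }

        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') {
            # A bit denied by an earlier ACE stays denied.
            $allowed = $allowed -bor ($mask -band (-bnot $denied))
        } else {
            # A bit granted by an earlier ACE stays granted.
            $denied = $denied -bor ($mask -band (-bnot $allowed))
        }
    }

    # Keep only the specific file-system bits so the cast to the enum is valid.
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    [System.Security.AccessControl.FileSystemRights]($allowed -band $full)
}

Get-ApproxEffectiveRights -Path $Path
```

The result ignores share permissions, privileges such as backup/restore, the owner's implicit right to read and change the DACL, and deny-only group SIDs, so it can differ from what the Advanced Security dialog reports.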


