Re: How to view all files/folders denied to a particular User?

If you don't add an action switch such as /g or /r then it will only list
permissions. On the other hand you should not take my word for it - you
should test the command on a small directory tree that you create for this
purpose. It will take no more than a couple of minutes . . .


"Howard" <Howard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1DDA9C9-27CD-4E47-965B-92E926716BAC@xxxxxxxxxxxxxxxx
For the command cacls, it says that /t "changes ACLs of specified files in
the current directory and all its subdirectories"

Using the command you offered is only going to print out the current
settings to cacls.txt, not change them, correct?

"Pegasus (MVP)" wrote:

You can use this command, then examine c:\cacls.txt:
cacls c:\*.* /t > c:\cacls.txt
Look for the string "Visitor:N"

"Howard" <Howard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:53946D34-09B6-417A-96CE-A744C57B3BC7@xxxxxxxxxxxxxxxx
First of all this IS a dedicated account for visitors. It is a limited
user
account called Visitor, not the default Guest account. And giving it
the
tightly defined access permissions is precisely what I was doing.

So I went through and by hand denied permissions to a variety of files
and
folders. This account has access to most files and folders, with only
some
exceptions, which I chose. Thus, it's far more efficient to get a list
of
the
files denied than the ones allowed, as the allowed list would be much
much
bigger and would then have to be compared to a list of all files to
know
which ones were denied. My reason for wanting this specific denied list
is
in
case I ever have to reinstall windows so that I can go back and simply
check
off the same list of files to deny the Visitor account. I would have
kept
a
list by hand as I did it, but just assumed there was a place I could
click
on
a user account and get a list of files denied. I was surprised to find
out
there was no way to get this information that I could discern.

This is not like a random resident asking which houses can a key open.
This
is a closed system that I administer. It is like the landlord of a
complex
knowing which keys open which apartments in a system they run. All I
want
to
have is a list of denials I specifically have created for a particular
user
all in one place, instead of having to check every file and folder by
hand
one-by-one. It is a very reasonable request. And the information
obviously
must be on the machine. Somewhere there has to be some list the
computer
checks telling it which files and folders are secured from which
accounts.

I'll check out the tool you suggested, but I'm really surprised there
is
nowhere on XP itself to see which files/folders on a file system have
been
denied to a particular user.

"Pegasus (MVP)" wrote:


"Howard" <Howard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5580BF23-1633-4286-9048-A9D34BF71F6D@xxxxxxxxxxxxxxxx
I have a user account called Visitor on my computer (XP). I set a
bunch
of
files and folders to deny permission to the Visitor user account by
right-clicking and going to the properties security tab on each of
them,
one
by one. Is there any way to now get a complete list of the
files/folders
denied to this user account so I can see all of them at once? I've
searched
everywhere and not only not found a way to do it, but oddly not even
found
anyone asking about it. It seems something an admin would very often
want.

This is not odd at all. What you asked is equivalent to asking "Which
doors
in our town won't I be able to open with my house keys?" You can't
tell
unless you try all of them. Next day someone will build another house
that
you have to test too. Much better to ask the reverse: Which files and
folders ***can*** a visitor open? Presumably the ones that have the
words
"everyone" and "visitor" in their security descriptor, plus the ones
that
are open for groups where "visitor" is a member. This tool might help
you
obtain this information: SystemTools.exe (downloadable as dumpacl.zip
from
http://robot.pbwiki.com/UsefulTools).

My personal preference is to disable the "guest" account. Having it
enabled
is a security risk. Much better to create a dedicated account for
visitors,
with tightly defined access permissions.








.

Relevant Pages

  • Re: Server Unavailable - ASP.NET 2.0 on Windows XP
    ... The -ga command isn't a part of that beta version. ... permissions to the global assembly cache. ... Please review the steps in it, for creating a service account for an ASP.NET 2.0 application, ... I've also tried the aspnet_regiis thing as well as setting permissions on folders as described ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Homefolder path on multiple users with already existing home folders...
    ... "Somebody" messed up our security settings on the homefolders, ... folders anymore... ... So I tried to take one user, wihout his own permissions, went in to ... for account names and granting that account and administrators access. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Exchange 2003 full mailbox permissions
    ... "Using KB article 821897 "How to Assign Service Account Access to All ... to give my user account every available permission (i.e. all except ... "Special Permissions", which is greyed out) on the mailbox store ...
    (microsoft.public.exchange.admin)
  • Re: File and Folder Permissions
    ... have permissions determined by where they are. ... UserX to have Full control over all new files and folders then ... account, such as a new profile directory. ...
    (microsoft.public.security)
  • Re: Creating Multiple FTP Users and Containers (2000 Server + IIS)
    ... >complete Windows Scripting novice so I’m hoping that I can get some help on ... >What I am even more unsure of is scripting the creation of Virtual Folders ... The permissions will need to be set to ... >account will need to be given ‘modify’ permissions (everything except ‘full ...
    (microsoft.public.windows.server.scripting)
Loading