Re: Utility/report for effective NTFS rights for a single user/group?
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 30 Jan 2007 12:35:59 -0600
"Chris" <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FDC41606-AD25-419B-9F27-57F2FA24187E@xxxxxxxxxxxxxxxx
Can someone point me in the way of a utility or perhaps 3rd party program
that can determine the effective NTFS rights for a user or a group?
Technically Rights and Permissions are two distinct things in NT-class
operating
systems; what you are referencing are NTFS Permissions.
The standard built-in tools are CACLS.exe or XCACLS.exe (support tools)
or just Explorer which all show everything directly assigned or inherited by
the object.
But it doesn't do anything for you to figure out precisely what a user
can/cannot
do -- it just shows the ACEs (access control entries).
In the resource kit are two utilities (Perms.exe & ShowAcls.exe) that focus
on
an individual user. Perms.exe is probably best.
What I
would like is to be able to select a user or a group and see what
folders/files that user has access to. Does something like this exist?
This is usually a different (type of) question. Since theoretically a user
may have access to resources in ANY NTFS resource on any volume
of any machine (not just servers, or even those machines with sharing
enabled) of the domain, and even other domains in a forest or trust
relationship.
Perms can test a single machine, one volume or directory tree at a time.
(But I just found a bug in perms <UGH>) which ruins some of that.
Or is there another means of possibly generating some kind of report that
shows who has access rights to each sub-folder of a higher-level folder?
I
know the Effective Permissions tab can be used for this but its too
simplistic in that you have to evaluate each folder individually. I'm
thinking in the sense of like generating a report that shows who has
access
to what folders for say a SOX/HIPAA audit.
Cacls and Xcalcs are probably closest since perms is buggy (I didn't know
that until just now).
The free SourceForge.exe "SetACL.exe" might also be used (to capture
and even later reload permissions) but it is one of THE most complicated
command lines tools in existence. This is because it was built to do
'everything' by Unix/Linux folks to work on a Windows box. (Combination
of all the worst possible switches, but it is cool when you need it.)
Probably have to combine any of the above with a (Perl, grep etc) program
filter
to get exactly what you want.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
.
- Prev by Date: Re: Utility to copy print queues from one print server to another
- Next by Date: Re: Corrupt account or computer account?
- Previous by thread: Re: Utility to copy print queues from one print server to another
- Next by thread: Re: event id 5719
- Index(es):
Relevant Pages
|
