Re: Utility to show ACL information?

From: OShah (shexec32_at_aol.com)
Date: 09/19/05


Date: Mon, 19 Sep 2005 04:16:16 -0700


Scott Bussinger <Scott Bussinger@discussions.microsoft.com> wrote in
news:702D0503-14B0-4F15-BB77-E2ABF4055F67@microsoft.com:

> Can anyone suggest a tool (GUI or command line) that displays only the
> ACLs assigned specifically on an entire directory tree (i.e. not showing
> inherited items)?
>
> To explain, on my system "C:\Program Files" has (among other things) an
> ACL that allows administrators full control, power users modification
> control, and regular users read only access. What I'd like is a display
> showing that such and such an ACL is applied at this level and then
> changed here and amended there.
>
> We're writing some code that manipulates ACLs and would like an easier
> way to verify the results. Utilities like CACLS show you the effective
> details for any file/folder but I'd like to see a higher level report on
> the file access configuration. Surely someone must have written a
> utility (or there's a way to coerce some other tool) to show this?
>
> Thanks for any ideas!
>

The utility you are looking for could be AccessEnum from
http://www.sysinternals.com/ .

Though I suppose you can also pipe the output from cacls/subinacl/setacl
to findstr (or fc) to find discrepancies.

subinacl [watch wrap on this link]
http://www.microsoft.com/downloads/details.aspx?FamilyId=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

setacl
http://setacl.sourceforge.net/

Please note however, that some of the subfolders are supposed to have
differing ACLs from "Program Files" (Common Files springs to mind). If you
clobber the security descriptor for Common Files (or any of the other
folders), then you will end up breaking some programs in unpredictable
manners. Even if the differing ACL belongs to a third party program, it
could have been altered by the program's setup, and not some hacker.

-- 
------------------------------------------------------------------------
oshah [shexec32]
Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
-> Do not report errors for these programs:
Acrobat.exe
waol.exe
------------------------------------------------------------------------
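
Added example, not part of the original post and not one of the tools named in it: a PowerShell sketch that walks a tree and lists only the ACEs set explicitly at each level, which is the report the question asks for. It assumes PowerShell 3.0 or later is available; Get-ExplicitAce and the CSV file name are hypothetical names chosen here.

```powershell
# Added example: report only explicitly assigned (non-inherited) ACEs in a tree.
# Get-ExplicitAce is a hypothetical name; Get-Acl and the FileSystemAccessRule
# properties read below are standard.
function Get-ExplicitAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    # Include the root itself, then every child; -Force picks up hidden items.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Report unreadable descriptors instead of silently skipping them.
            Write-Warning "Cannot read ACL: $($item.FullName): $($_.Exception.Message)"
            continue
        }

        # An ACE counts as "applied at this level" when it was not inherited.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        foreach ($ace in $explicit) {
            [pscustomobject]@{
                Path               = $item.FullName
                # True when this object blocks inheritance from its parent.
                InheritanceBlocked = $acl.AreAccessRulesProtected
                Identity           = $ace.IdentityReference.Value
                Type               = $ace.AccessControlType
                Rights             = $ace.FileSystemRights
                AppliesTo          = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

# One row per explicit ACE, sorted so two snapshots line up for comparison.
Get-ExplicitAce -Root 'C:\Program Files' |
    Sort-Object Path, Identity |
    Export-Csv -NoTypeInformation -Path .\acl-snapshot.csv
```

Taking one snapshot before and one after the ACL-manipulating code runs gives two files that can be compared with fc, as suggested above. Rows for folders such as Common Files are expected and should be reviewed rather than reset.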

