Re: Enum only files/folders where explicit NTFS rights have been s

Keep me in touch, since I'm still looking for a solution...

Actually I'm working on a VBscript, but I'm blocked since I do not
understand how inheritance flags are working:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?&lang=en&cr=US&guid=&sloc=en-us&dg=microsoft.public.scripting.vbscript&p=1&tid=de5e8ff1-befc-4bb3-af27-9fb0113872c0&mid=de5e8ff1-befc-4bb3-af27-9fb0113872c0

Thanks.

"Roger Abell [MVP]" wrote:

What I found is that the bit (inheritance requested, ace inherited, etc.
that give info as to origin of a specific ACE are in cases rather difficult
to correctly interpret if the ACL had been touched by earlier generations
of NTFS) and that presenting the info in the way your request is complicated
by fact that the inherited or not info is at the per ACE level but we want
to
see the aggregate named grants (Modify, Full, etc.)

As I said, I am still looking for something that actually does do what you
are after, and does it reliably in face of any history of the storage.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Claude Lachapelle" <ClaudeLachapelle@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:7B738B78-6E97-4C31-9CD0-3363CA456C34@xxxxxxxxxxxxxxxx
Addendum

AccessEnum "differ from parent" feature is not so much evolved, since it
is
only comparing effectives rights listing to the parent rights listing, and
not what SHOULD inherit OR NOT (like for folders rights where "Apply onto:
This folder and subfolers" where files are not inheriting from parent --
which is a normal behavior, but all files are listed since different from
parent).

I think I will submit this "problem" to SysInternals support...

"Claude Lachapelle" wrote:

Initially, I did not see the option "Display files with permissions that
differ from parent" builtin into AccessEnum, thanks for the suggestion,
whit
this flag on, it is now reporting what I need.

Thanks.

"Alun Jones" wrote:

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OoLsM%23HJHHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
Hi Claude,

If you find such tool (reliable that is), let me know please.
I got to the point of trying to write one, mostly did, but soon
discovered that telling if or if not an ACE in an ACL is due
to inheritance is not simple, particularly if the storage has
a history tracing back into NT4.

Have you tried SysInternals' AccessEnum?

http://www.microsoft.com/technet/sysinternals/Security/AccessEnum.mspx

Alun.
~~~~






.

Relevant Pages

  • Re: trouble with delegating unlock rights
    ... > Effective Permissions on this object are: ... > CONTROL ... > <Inherited from parent> ... inheritance enabled ...
    (microsoft.public.win2000.active_directory)
  • Re: Controlling object visibility
    ... It has AU as a member. ... BTW, I would avoid the deny ace, ... but I'd rather block inheritance at Division level. ... > <Inherited from parent> ...
    (microsoft.public.windows.server.active_directory)
  • Re: instance attributes not inherited?
    ... >> Nothing's wrong with python's oop inheritance, ... >> class Child(Parent): ... >the class name be enough for super() to find the right superclass object? ... a bound method has the first argument bound in, and when you call the bound method ...
    (comp.lang.python)
  • Re: Refactoring Tycho API - Opinions wanted
    ... the "flip parent and child" is a useful op. ... > inheritance, but contained in a parent-child relationship. ... > store each child item (a reference to a sub-topic or note, ...
    (comp.lang.ruby)
  • Re: Sharing instances of objects between packages
    ... > packages when the child packages have their own object ... Is there a way to inherit the parent object? ... The House "is a" Building. ... Inheritance is basically about inheriting those metohds. ...
    (perl.beginners)