Thursday, February 08, 2007

 

Folder ACL Dump

First of all, I've been on a bit of a command-line kick recently. In other words, I'd rather take a few minutes to write a quick CMD (aka BAT) script than VBS. I'm having fun discovering the power of the Windows command line.

So today I needed to dump to file NTFS permissions for all folders on a large drive. (When trying just a simple cacls /t /c *.* > cacls.txt the command was failing on one file deep in the folder structure.) So I'm going to assume that the files inherit the permissions of the parent folder and just dump the folder ACLs (this is only a precaution for a hardware change this weekend).

So I wanted to try and dump the ACLs for all folders by using the command line. I tried a few options, did some research, and eventually came up with the following single-line command:

D:\>FOR /R %A IN (.) DO cacls "%A" >> cacls.txt

FOR /R recursively loops through the directory tree, so it actually causes the following sort of command to be repeatedly run:

D:\>cacls D:\directory1\. >> cacls.txt
D:\>cacls D:\directory1\directory1\. >> cacls.txt
D:\>cacls D:\directory1\directory2\. >> cacls.txt

...

Which then yields the following sort of output in cacls.txt:


D:\Directory1 BUILTIN\Administrators:(OI)(NP)F
BUILTIN\Administrators:(OI)(CI)F
DOMAIN\Domain Users:(OI)(CI)C

D:\Directory1\Directory1 BUILTIN\Administrators:(OI)(CI)F
DOMAIN\Accounting:(OI)(CI)C
DOMAIN\Executives:(OI)(CI)C

D:\Directory1\Directory2 BUILTIN\Administrators:(OI)(CI)F
DOMAIN\Accounting:(OI)(CI)C
DOMAIN\Executives_C:(OI)(CI)C


There's probably an easier way to do this (come on, Patrick, I know you want to comment!), but it was quick enough for me to come up with this and it produced the output I wanted.

Comments:
Hmmm. I'm surprised that "cacls C:\ /t /c > cacls.txt" didn't work. The /c is supposed to allow the command to continue even if encounters an error (which I was actually able to confirm).

Otherwise, nice script.

My instinct (as you know) would have been to try this in VBScript first, but there aren't any *simple* ways to do this in VBScript, so your command works really well.

BTW, you know what you could also do? Take the filename and ACL information, and put them in a database, so you can quickly find the exact file and its ACL... That's not overkill, right? ;-)
 
I originally tried just cacls /t and then through in the /c after getting an "access denied" error. Then the error was something like "filename, path or directory is invalid." (That's not the exact error (gasp, I didn't write it down!), but the gist.) It crapped out on one file that was buried in several folders with very long names. The full path name was more than 255 - my hunch is that neither calcs or xcalcs (tried it too) can handle paths bigger than that. That hunch has little fact to back it up, though. :)
 
You could try Accesschk, which can be found at http://www.microsoft.com/technet/sysinternals/Security/AccessChk.mspx .

This lists the permissions at the top level, and then only subdirectories that have different permissions.

Neat tool.

Tom_Watson [AT] hotmail [DOT] co [DOT] uk
 
I've used DumpSec/DumpACL (http://www.systemtools.com/download/dumpacl.zip) for this purpose before. Works great!
 
Post a Comment



<< Home

This page is powered by Blogger. Isn't yours?