Is there an automated way to traverse a filesystem and remove any ACL entries that reference invalid SIDs in any version of Windows with NTFS?
2 Answers
icacls can do that:
ICACLS name [/grant[:r] Sid:perm[...]] [/deny Sid:perm [...]] [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy[...]]
/remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With :g, it removes all occurrences of granted rights to that Sid. With :d, it removes all occurrences of denied rights to that Sid.
You can also check for bad entries:
ICACLS name /verify [/T] [/C] [/L] [/Q] finds all files whose ACL is not in canonical form or whose lengths are inconsistent with ACE counts.

FILEACL does this as well. – Rob Nicholson Jul 25 '10 at 11:20
Maybe it's because I am running this on a 2003 server, but this does not produce useful results for me.
ICACLS name /verify [/T] [/C] [/L] [/Q] finds all files whose ACL is not in canonical form or whose lengths are inconsistent with ACE counts.
I'm not sure what that is supposed to do, but it doesn't provide anything useful for me. I have a folder with an unknown SID.
ICACLS foldername
returns the ACL entries, including "No mapping between account names and security IDs was done". It does not tell me which SID it failed to get a mapping for.
ICACLS foldername /verify
All this tells me is: "Successfully processed 1 files; Failed processing 0 files". Sounds great, but what was the result of the processing?
I get the exact same results running this on any individual files in the folder as well. In order to remove the SIDs, you need to know what they are. And this is not a very helpful method for getting a list of the SIDs that need to be cleaned up.

Use 'accesschk.exe -lq filename' (google 'accesschk Russinovich') to see the complete ACL for a path (100s of lines per filename). More help: accesschk -h. – mosh Mar 25 '17 at 13:31
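The first answer shows icacls /remove and the second asks how to find out which SIDs are unresolvable in the first place. The following PowerShell script is an added example, not code from either answer: it walks a tree with Get-Acl, reports every ACE whose trustee is still a raw SID, and with -Remove strips those explicit ACEs using the icacls /remove form from the first answer (a numeric SID is passed to icacls with a leading "*"). It assumes an elevated session with read access to every DACL; the parameter names are the script's own.

```powershell
# Added example, not code from either answer. Get-Acl leaves the raw SID
# string in IdentityReference when the account lookup fails, so "still looks
# like a SID" is the detection test. Assumption: run elevated.
param(
    [Parameter(Mandatory)][string]$Root,
    [switch]$Remove
)

$sidPattern = '^S-1-\d+(-\d+)+$'   # trustee that never resolved to a name

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName }
    catch { Write-Warning "Cannot read ACL of $($item.FullName): $_"; continue }

    $orphans = @($acl.Access | Where-Object { $_.IdentityReference.Value -match $sidPattern })
    if ($orphans.Count -eq 0) { continue }

    foreach ($ace in $orphans) {
        # Inherited ACEs cannot be removed here; fix them on the object they come from.
        [pscustomobject]@{
            Path      = $item.FullName
            Sid       = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }

    if ($Remove) {
        $explicitSids = $orphans | Where-Object { -not $_.IsInherited } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        foreach ($sid in $explicitSids) {
            # /remove deletes every grant and deny ACE for that SID on this one item
            & icacls.exe $item.FullName /remove "*$sid" /C | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $($item.FullName) for $sid" }
        }
    }
}
```

Run it once without -Remove and pipe the output to Export-Csv to get the inventory the second answer was missing, then rerun with -Remove on the paths you have reviewed.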