13

I am trying to find out is IIS_IUSRS has FullControl of certain folders under directories.

Example

I have c:\inetpub\sites\

Under c:\inetpub\sites\ i have about 50 site folders

In each folder i have 3 folders called uploads, media, requests.

I would like to find out if BUILTIN\IIS_IUSRS has FullControl

Couple of problems, Not all sites have uploads, media, requests some might only have uploads, media or media, requests or just media etc.

Couple of commands I have tried using Powershell. 

Get-ChildItem -Recurse | Get-Acl | out-string -stream | select-string -pattern "media"

Get-ChildItem -Recurse | Get-Acl | out-string -stream | select-string -pattern "uploads"

Get-ChildItem -Recurse | Get-Acl | out-string -stream | select-string -pattern "requests"

I would like modify this to look for BUILTIN\IIS_IUSRS as the user

Anthony Fornito
  • 9,546
  • 1
  • 34
  • 124

1 Answers1

8

At the risk of shamelessly rep-whoring, here's a batch file that will return any directories that name `BUILTIN\IIS_IUSRS" with "Full Control" permission (with object and container inherit enabled):

@echo off
for /f "usebackq delims=" %%i in (`dir /ad /s /b`) do call :df "%%i"
goto :EOF

:df
icacls %1 | find /i "BUILTIN\IIS_IUSRS:(OI)(CI)(F)" >NUL 2>NUL
if not errorlevel 1 echo %~1

Run this in the your top-level directory. It will output any directories it finds with the permission you're looking for.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331