3

Is there any software that can scan through an NTFS file system and generate an easy to read report of NTFS permissions?

Ronnie Overby
  • 681
  • 2
  • 12
  • 24

6 Answers6

2

XCACLS.vbs will give you the NTFS permissions, in yet another super ugly format. Also, it is extra slow.

Upside, you redirect it into a file, let it run overnight(s), and end up with a whole crapload of text that you can parse with Python, or your language of choice, to produce something useful.

JamesCW
  • 309
  • 1
  • 4
  • 16
1

You should try SetACL. It has three different ways of listing permissing: tabular output (easy to read), CSV and SDDL (the latter two are easier to consume by scripts). John Gardeniers probably did not know about that. It also is very fast - and free.

Given admin rights SetACL can list the permissions of every file and folder on the drive regardless of permissions. It also works with paths longer than 260 characters.

Here is an example, listing permissions recursively for every file and folder on drive C: on a German system:

D:\>setacl -on c:\ -ot file -actn list -lst f:tab -rec cont_obj

\\?\c:\

   DACL(protected+auto_inherited):
   VORDEFINIERT\Administratoren   full   allow   no_inheritance
   VORDEFINIERT\Administratoren   full   allow   container_inherit+object_inherit+inherit_only
   NT-AUTORIT─T\SYSTEM   full   allow   no_inheritance
   NT-AUTORIT─T\SYSTEM   full   allow   container_inherit+object_inherit+inherit_only
   VORDEFINIERT\Benutzer   read_execute   allow   container_inherit+object_inherit
   NT-AUTORIT─T\Authentifizierte Benutzer   change   allow   container_inherit+object_inherit+inherit_only
   NT-AUTORIT─T\Authentifizierte Benutzer   FILE_ADD_SUBDIRECTORY   allow   no_inheritance

\\?\c:\$Recycle.Bin

   DACL(protected+auto_inherited):
   VORDEFINIERT\Administratoren   full   allow   no_inheritance
   VORDEFINIERT\Administratoren   full   allow   container_inherit+object_inherit+inherit_only
   NT-AUTORIT─T\SYSTEM   full   allow   no_inheritance
   NT-AUTORIT─T\SYSTEM   full   allow   container_inherit+object_inherit+inherit_only
   VORDEFINIERT\Benutzer   read_execute+FILE_ADD_SUBDIRECTORY+FILE_WRITE_ATTRIBUTES   allow   no_inheritance

\\?\c:\$Recycle.Bin\S-1-5-21-3377029132-2631215491-2583730848-1000

   DACL(protected):
   VORDEFINIERT\Administratoren   full   allow   container_inherit+object_inherit
   NT-AUTORIT─T\SYSTEM   full   allow   container_inherit+object_inherit
   nb-hklein\hklein   full   allow   container_inherit+object_inherit

[...]

More examples of how to use SetACL can be found here.

Helge Klein
  • 2,101
  • 1
  • 16
  • 22
1

The Microsoft utilities all have known issues handling permissions correctly or performance issues.

Use fileacl.exe [folder] /files /sub > output.txt

http://www.gbordier.com/gbtools/fileacl.asp

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
0

We use either SecURED from ManageRED Software or AccessReporter from Winzero. They both report NTFS and Share permissions in a user friendly format. (There is a free fully functional evaluation version of SecURED.)

Easy to understand reports in HTML format or exportable to CSV, XLS or text.

mgorven
  • 30,615
  • 7
  • 79
  • 122
TechNVR
  • 1
0

The ones I have used are:

AccessEnum
DumpSec

I would not call these easy to read though. Sorry.

ITGuy24
  • 1,576
  • 1
  • 15
  • 29
0

I use SetACL.exe, which is very quick, but it also produces very ugly output.

John Gardeniers
  • 27,458
  • 12
  • 55
  • 109
  • Do you know that SetACL has three listing modes: tabular, CSV and SDDL? The tabular mode is pretty easy to read - see my answer. – Helge Klein Jan 14 '11 at 08:48
  • @Helge, your example merely proves my point about the very ugly output. Without post-processing any output involving more than a few entries is very difficult and time consuming to read. – John Gardeniers Jan 14 '11 at 21:19