Script for tidying up NTFS rights
July 1st, 2009
Script to list all file rights on a particular folder.
Use this to try to spot "blocked inheritance" and excessive ACLs.
Most of this is taken from here
--------------------------
'==========================================================================
'
' NAME:
'
' AUTHOR: Stephen Hulse , Stephen Hulse
' DATE : 01/07/2009
'
' COMMENT:
'
'==========================================================================
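' Script entry point.
' objAccessRights is the shared lookup table (access-mask value -> right name)
' that AddRights fills in and ListRights reads.
Public objAccessRights
Set objAccessRights = CreateObject("Scripting.Dictionary")
AddRights

' The folder to audit may be given as the first command-line argument;
' without one the original hard-coded default is used.
' Run under cscript.exe so that WScript.Echo writes to the console instead of
' raising one message box per line.
Dim strRootFolder
If WScript.Arguments.Count > 0 Then
    strRootFolder = WScript.Arguments(0)
Else
    strRootFolder = "E:\MyFolder"
End If
ShowFolderList strRootFolder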
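' Recursively walks folderspec and reports, via GetACE, the ACEs of interest
' on the folder itself and on every folder beneath it.
'
' folderspec - path of the folder to start from.
'
' Differences from the original:
'   * the starting folder is reported too; previously only its descendants
'     were passed to GetACE, so the ACL of the audited root was never shown;
'   * child paths come from the FileSystemObject's Path property instead of
'     folderspec & "\" & name, so a root such as "E:\" no longer produces
'     "E:\\Child".
'
' NOTE(review): there is no error handling, so a folder that cannot be
' enumerated stops the whole run. Directory junctions are presumably returned
' by SubFolders like ordinary folders; confirm before running on a tree that
' may contain a junction pointing back at one of its own ancestors.
Function ShowFolderList(folderspec)
    Dim fso, objFolder, objChild
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFolder = fso.GetFolder(folderspec)

    ' Report this folder first, then descend (pre-order, as before).
    GetACE objFolder.Path

    For Each objChild In objFolder.SubFolders
        ShowFolderList objChild.Path
    Next
End Function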
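' Prints one line per explicit (non-inherited) ACE in the DACL of strFolder:
'   <folder> <DOMAIN\name or SID> <comma-separated rights>[ (Deny)]
'
' strFolder - full path of the folder whose security descriptor is read
'             through WMI (Win32_LogicalFileSecuritySetting).
'
' Differences from the original:
'   * the filter was "AceFlags = 3", an exact match on a bit field, which only
'     showed explicit ACEs that propagate to both files and subfolders. An
'     explicit ACE with any other propagation setting (for example "this
'     folder only", flags 0) was silently skipped. The INHERITED_ACE bit is
'     tested instead, so every explicit ACE is listed;
'   * deny ACEs are marked, since a deny printed like an allow is misleading;
'   * a missing DACL or a failed GetSecurityDescriptor call is reported
'     rather than producing no output for the folder.
'
' NOTE(review): strFolder is spliced into a WMI object path between single
' quotes. A folder name containing a single quote will presumably break the
' lookup; confirm and escape if such names exist in the audited tree.
Function GetACE(strFolder)
    Const INHERITED_ACE = 16    ' 0x10, set on ACEs inherited from a parent
    Const ACE_TYPE_DENY = 1     ' Win32_ACE.AceType: 0 = allow, 1 = deny
    Dim objSetting, objSD, objAce, strName, strLine, lngResult

    ' Errors are deliberately not suppressed: a folder that cannot be read
    ' should be noticed, not skipped without trace.
    Set objSetting = GetObject("winmgmts:\\.\root\cimv2").Get( _
        "Win32_LogicalFileSecuritySetting='" & strFolder & "'")

    lngResult = objSetting.GetSecurityDescriptor(objSD)
    If lngResult <> 0 Then
        WScript.Echo strFolder & " (security descriptor not read, WMI returned " & lngResult & ")"
        Exit Function
    End If

    ' For Each over a Null DACL would raise a runtime error.
    If Not IsArray(objSD.DACL) Then
        WScript.Echo strFolder & " (no DACL returned)"
        Exit Function
    End If

    For Each objAce In objSD.DACL
        If (objAce.AceFlags And INHERITED_ACE) = 0 Then
            ' Unresolvable trustees (e.g. deleted accounts) have no name;
            ' fall back to the raw SID.
            If IsNull(objAce.Trustee.Name) Then
                strName = objAce.Trustee.SIDString
            Else
                strName = objAce.Trustee.Domain & "\" & objAce.Trustee.Name
            End If

            strLine = strFolder & " " & strName & " " & ListRights(objAce.AccessMask)
            If objAce.AceType = ACE_TYPE_DENY Then
                strLine = strLine & " (Deny)"
            End If
            WScript.Echo strLine
        End If
    Next
End Function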
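' Translates an NTFS access mask into a comma-separated list of right names,
' using the table in objAccessRights (filled by AddRights).
'
' dblAccessMask - the ACE access mask, as a Long or a Double.
' Returns       - e.g. "Synchronize,Modify"; bits with no entry in the table
'                 are appended as "Other(0x...)" so they are never hidden.
'
' Differences from the original:
'   * each matching name is appended; the original assigned instead of
'     appending, so only the last matching right survived;
'   * a right matches when all of its bits are set in the mask. The original
'     compared magnitudes (mask >= right) and subtracted, which mislabels
'     masks that are not a sum of table entries (ReadPermissions + Delete was
'     reported as ReadAndExecute);
'   * the caller's variable is no longer modified (VBScript passes ByRef);
'   * leftover bits, such as generic rights, are reported instead of dropped.
'
' The table is walked in insertion order, composite rights first, and matched
' bits are cleared, so FullControl is not followed by each of its components.
Function ListRights(dblAccessMask)
    Dim lngRemaining, varRight, lngRight, strRights

    ' Bitwise And needs a 32-bit Long. A mask with the top bit set may arrive
    ' as a Double above 2^31 - 1; fold it into the signed range first.
    If dblAccessMask > 2147483647 Then
        lngRemaining = CLng(dblAccessMask - 4294967296)
    Else
        lngRemaining = CLng(dblAccessMask)
    End If

    strRights = ""
    For Each varRight In objAccessRights
        lngRight = CLng(varRight)
        If (lngRemaining And lngRight) = lngRight Then
            strRights = strRights & objAccessRights(varRight) & ","
            lngRemaining = lngRemaining And (Not lngRight)
        End If
    Next

    If lngRemaining <> 0 Then
        strRights = strRights & "Other(0x" & Hex(lngRemaining) & "),"
    End If

    ' Drop the trailing comma.
    If Len(strRights) > 1 Then
        strRights = Left(strRights, Len(strRights) - 1)
    End If
    ListRights = strRights
End Function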
' Fills objAccessRights with access-mask value -> right name pairs.
' Entries are added from the largest value down, so composite rights
' (FullControl, Modify, ...) come before the single-bit rights they contain;
' ListRights walks the table in this order.
Function AddRights()
    With objAccessRights
        ' Composite and standard rights
        .Add 2032127, "FullControl"                 ' 0x1F01FF
        .Add 1048576, "Synchronize"                 ' 0x100000
        .Add 524288, "TakeOwnership"                ' 0x080000
        .Add 262144, "ChangePermissions"            ' 0x040000
        .Add 197055, "Modify"                       ' 0x0301BF
        .Add 131241, "ReadAndExecute"               ' 0x0200A9
        .Add 131209, "Read"                         ' 0x020089
        .Add 131072, "ReadPermissions"              ' 0x020000
        .Add 65536, "Delete"                        ' 0x010000
        .Add 278, "Write"                           ' 0x000116

        ' Single-bit file and directory rights
        .Add 256, "WriteAttributes"                 ' 0x100
        .Add 128, "ReadAttributes"                  ' 0x080
        .Add 64, "DeleteSubdirectoriesAndFiles"     ' 0x040
        .Add 32, "ExecuteFile"                      ' 0x020
        .Add 16, "WriteExtendedAttributes"          ' 0x010
        .Add 8, "ReadExtendedAttributes"            ' 0x008
        .Add 4, "AppendData"                        ' 0x004
        .Add 2, "CreateFiles"                       ' 0x002
        .Add 1, "ReadData"                          ' 0x001
    End With
End Function