Many network administrators devise a highly organized permission structure based on user groups for their NTFS file systems. Over time, however, the permissions on shared files and folders can become unmanageable, especially if users frequently request temporary access to different folders within the shared folder structure. Because none of the existing groups match the access such a user needs, administrators often end up assigning permissions to the individual user account directly on the folders.
At the time, such assignments aren't a problem as long as the administrators carefully apply the permissions and keep the security and integrity of the folders intact. However, problems can arise months or years later when a major restructuring of the organization requires the administrator to audit and clean up the groups and security rights for these shared folders.
Where do you begin if, as part of a security audit, you're requested to report the files and folders to which each user and group has access? Wouldn't it be great if you could snap your fingers and get that information in an instant? Unfortunately, it's not that simple, but you can write a script to perform a security audit. To write such a script, you need to use showacls.exe and net.exe.
Showacls.exe
Showacls.exe is a useful but often overlooked command-line utility in the Microsoft Windows 2000 Server Resource Kit and Microsoft Windows NT Server 4.0 Resource Kit. This utility lets you display the access rights for files and folders on NTFS partitions, including access permissions for users. You simply follow the command syntax
showacls.exe path [/s]
where path is the full path to the file or folder for which you want to display the access rights (e.g., F:\myshare\data). If you use the optional /s switch, the utility displays the access permissions for the specified directory and all its subdirectories.
At first glance, you might think that this command alone is enough for the audit. However, showacls.exe reports the ACL on each file or folder as it's written, naming whichever users and groups appear in it; it doesn't resolve group membership, so it can't tell you which of those entries apply to a particular user through a group. To answer that question, you still need to know all the groups to which each user belongs, and then check each file or folder for entries that name that user or one of those groups. Although Showacls is helpful, the audit remains primarily a manual task. However, you can creatively use this utility to obtain useful information programmatically, as I show you later.
Net.exe
Net.exe comes with Win2K, NT, and other Windows OSs. This utility offers many commands that let you manage various network components, such as shares, sessions, services, and user accounts. Most network administrators use this utility to map and unmap drive letters to network shares. However, you can also use the utility's Net User command to obtain the groups to which a user belongs. You follow the syntax
Net User user [/domain]
where user is the user account and /domain is a switch that tells Net User to look up a domain account rather than a local account. This Net User command outputs most of the account information, including the groups to which the user belongs, for the specified user account. Note that Net User lists only the groups of which the account is a direct member; it doesn't expand nested group membership, so access that a user gains through a group nested inside another group won't be visible in this list. Before you can use the group information, you need to parse the output and extract the group names. The code in Listing 1 does just that. Because each group name in the Net User output is prefixed with an asterisk (*), the code uses the asterisk as a delimiter. The code then strips away trailing spaces and writes the groups, one on each line, to a temporary file (i.e., %Temp%\getaccess.$$$).
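The following Python script is an added example, not the article's Listing 1 or any code from its author. It performs the same parsing and shows the cases a parser of Net User output has to handle: the section label that precedes the first asterisk on a line, group lists that wrap onto continuation lines, and the *None placeholder that Net User prints for an account with no memberships. The sample output is constructed for the example; the account name alice, the group names, and the CORP domain are assumptions.

```python
"""Extract a user's group memberships from Net User output.

Added example, not the article's Listing 1. The sample output below is
constructed for the example; "alice", the group names and the "CORP" domain
are assumptions.
"""
import subprocess
from typing import Iterable, List, Optional, Set

# The two section labels exactly as English net.exe prints them.
GROUP_SECTION_LABELS = ("Local Group Memberships", "Global Group memberships")

# Constructed sample of `net user alice /domain` output (not a real capture).
SAMPLE_OUTPUT = """User name                    alice
Full Name                    Alice Example
Account active               Yes
Local Group Memberships      *Administrators       *Users
Global Group memberships     *Domain Users         *Finance
                             *Project-X
The command completed successfully.
"""


def parse_net_user_groups(output: str) -> List[str]:
    """Return the group names in Net User output, in the order printed.

    Each group name follows an asterisk and is padded with spaces to a fixed
    column width. The first token on a label line is the label itself, long
    lists wrap onto continuation lines that begin with whitespace, and an
    account with no memberships is printed as "*None".
    """
    groups: List[str] = []
    in_section = False
    for line in output.splitlines():
        if line.startswith(GROUP_SECTION_LABELS):
            in_section = True
        elif not (in_section and line[:1].isspace() and "*" in line):
            in_section = False  # any other line ends the current section
            continue
        for token in line.split("*")[1:]:  # token 0 is the label or padding
            name = token.strip()
            if name and name != "None":
                groups.append(name)
    return groups


def run_net_user(user: str, domain_account: bool = False) -> str:
    """Run `net user <user> [/domain]` and return its output (Windows only)."""
    command = ["net", "user", user] + (["/domain"] if domain_account else [])
    return subprocess.run(command, capture_output=True, text=True, check=True).stdout


def audit_principals(user: str, groups: Iterable[str], domain: Optional[str] = None) -> Set[str]:
    """Names to look for in an ACL listing: the user plus each of its groups.

    ACL listings show domain accounts as DOMAIN\\name, so when a domain is
    given, the qualified form of every name is included as well.
    """
    names = {user, *groups}
    if domain:
        names |= {f"{domain}\\{name}" for name in list(names)}
    return names


if __name__ == "__main__":
    import sys
    # With an account name on the command line, query the real account;
    # otherwise parse the constructed sample so the script runs anywhere.
    if len(sys.argv) > 1:
        text = run_net_user(sys.argv[1], domain_account=True)
    else:
        text = SAMPLE_OUTPUT
    for group in parse_net_user_groups(text):
        print(group)
```

Run it with an account name on a domain-joined Windows machine (python script.py alice) to parse live output, or with no arguments to see the sample parsed. The section labels are those of English Windows; localized builds print different text, so the labels must be adjusted for other languages. The audit_principals result is the set of names to search for in the showacls.exe output for each share.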
Kevin Chen June 24, 2003