If you are looking for a script to fetch audit permission settings on a folder, here it is:
===================================================================================================================
This is just a sample. It would require some modification to run it fully.
' Script-level setup: constants used to decode ACEs, the WMI connection, and the
' call that dumps the audit entries of one folder.

' Generic access rights, tested against an ACE's AccessMask.
Const GENERIC_READ = &H80000000, GENERIC_WRITE = &H40000000
Const GENERIC_EXECUTE = &H20000000, GENERIC_ALL = &H10000000

' Inheritance bits of AceFlags. NO_PROPAGATE_INHERIT_ACE and INHERITED_ACE are
' declared here but not referenced in the portion of the script shown.
Const OBJECT_INHERIT_ACE = 1, CONTAINER_INHERIT_ACE = 2
Const NO_PROPAGATE_INHERIT_ACE = 4, INHERIT_ONLY_ACE = 8
Const INHERITED_ACE = 16

' ACE type value the script treats as an audit entry, and the AceFlags bits
' that say whether successful and/or failed access is audited.
Const AUDIT_ACE_TYPE = &H2
Const SUCCESSFUL_ACCESS_ACE_FLAG = &H40, FAILED_ACCESS_ACE_FLAG = &H80

' oShell, sortie, ace, trustee, retVal and wmiSecurityDescriptor are declared
' but not used in the portion of the script shown.
Dim strComputer, oShell
Dim sortie, ace, trustee, retVal, wmiSecurityDescriptor

' "." targets the local computer.
strComputer = "."

' The (Security) entry in the moniker asks WMI to enable the Security privilege
' for this connection; reading a SACL depends on it, so the account running the
' script must actually hold that privilege.
Set objWMIService = GetObject( _
    "winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer _
    & "\root\cimv2")

' Created here; not referenced again in the portion of the script shown.
Set WshShell = WScript.CreateObject("WScript.Shell")

' Sample target folder; change to the folder whose audit settings you want.
getPermissions "C:\Test"
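' getPermissions: echo the audit (SACL) entries configured on a file or folder.
'
' name - full path of the file or folder, e.g. "C:\Test".
'
' For each audit ACE four lines are echoed, in this order:
'   1. what is audited: "All", "Fail", "Success" or "No"
'   2. the trustee as Domain\Name
'   3. the inheritance scope ("This Folder Only", "Subfolders only", ...)
'   4. a ";"-terminated list of the access rights being audited
'
' Relies on the script-level objWMIService connection. Reading a SACL needs the
' Security privilege requested in that connection's moniker.
' NOTE(review): if the caller does not hold that privilege the SACL is
' presumably not returned, so "doesn't have audit setting" or a failure code
' should not be read as proof that no auditing is configured - confirm by
' running from an account that is allowed to manage auditing.
'
' Not reported: whether an entry is inherited (INHERITED_ACE), the
' NO_PROPAGATE_INHERIT_ACE flag, and access-mask bits outside the list below.
Sub getPermissions (name)
    Dim objFile, objSD, objAce, rc
    Dim strAceType, strPerm

    ' NOTE(review): name is concatenated into the WMI object path without
    ' escaping, so a path containing a single quote would end the quoted key
    ' early. Harmless for the hard-coded sample path; validate or escape the
    ' value if it ever comes from user input.
    Set objFile = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & name & "'")

    ' A non-zero return means no descriptor was retrieved. Say so instead of
    ' exiting silently, which would look the same as "nothing to report".
    rc = objFile.GetSecurityDescriptor(objSD)
    If rc <> 0 Then
        Wscript.echo "GetSecurityDescriptor failed for " & name & " (return code " & rc & ")."
        Exit Sub
    End If

    If Not IsArray(objSD.SACL) Then
        Wscript.echo name & " doesn't have audit setting."
        Exit Sub
    End If

    For Each objAce In objSD.SACL
        If objAce.AceType = AUDIT_ACE_TYPE Then

            ' 1. Which outcomes are audited (success, failure, both, neither).
            If objAce.AceFlags And FAILED_ACCESS_ACE_FLAG Then
                If objAce.AceFlags And SUCCESSFUL_ACCESS_ACE_FLAG Then
                    strAceType = "All"
                Else
                    strAceType = "Fail"
                End If
            Else
                If objAce.AceFlags And SUCCESSFUL_ACCESS_ACE_FLAG Then
                    strAceType = "Success"
                Else
                    strAceType = "No"
                End If
            End If
            Wscript.echo strAceType

            ' 2. Account or group the entry applies to.
            Wscript.echo objAce.Trustee.Domain & "\" & objAce.Trustee.Name

            ' 3. Inheritance scope, derived from the object/container/inherit-only bits.
            If objAce.AceFlags And OBJECT_INHERIT_ACE Then
                If objAce.AceFlags And CONTAINER_INHERIT_ACE Then
                    If objAce.AceFlags And INHERIT_ONLY_ACE Then
                        Wscript.echo "Subfolders and Files only"
                    Else
                        Wscript.echo "This Folder, Subfolders and Files"
                    End If
                Else
                    If objAce.AceFlags And INHERIT_ONLY_ACE Then
                        Wscript.echo "Files Only"
                    Else
                        Wscript.echo "This Folder and Files"
                    End If
                End If
            Else
                If objAce.AceFlags And CONTAINER_INHERIT_ACE Then
                    If objAce.AceFlags And INHERIT_ONLY_ACE Then
                        Wscript.echo "Subfolders only"
                    Else
                        Wscript.echo "This Folder and Subfolders"
                    End If
                Else
                    Wscript.echo "This Folder Only"
                End If
            End If

            ' 4. Audited access rights, highest bit first. The decimal masks are
            '    the standard rights (&H80000 .. &H10000) followed by the
            '    file/folder-specific rights (&H100 .. &H1), then the generic rights.
            strPerm = ""
            If objAce.AccessMask And 524288 Then strPerm = strPerm & "Take Ownership;"
            If objAce.AccessMask And 262144 Then strPerm = strPerm & "Change Permissions;"
            If objAce.AccessMask And 131072 Then strPerm = strPerm & "Read Permissions;"
            If objAce.AccessMask And 65536 Then strPerm = strPerm & "Delete;"
            If objAce.AccessMask And 256 Then strPerm = strPerm & "Write Attributes;"
            If objAce.AccessMask And 128 Then strPerm = strPerm & "Read Attributes;"
            If objAce.AccessMask And 64 Then strPerm = strPerm & "Delete Subfolders and Files;"
            If objAce.AccessMask And 32 Then strPerm = strPerm & "Traverse Folder / Execute File;"
            If objAce.AccessMask And 16 Then strPerm = strPerm & "Write Extended Attributes;"
            If objAce.AccessMask And 8 Then strPerm = strPerm & "Read Extended Attributes;"
            If objAce.AccessMask And 4 Then strPerm = strPerm & "Create Folders / Append Data;"
            If objAce.AccessMask And 2 Then strPerm = strPerm & "Create Files / Write Data;"
            If objAce.AccessMask And 1 Then strPerm = strPerm & "List Folder / Read Data;"
            If objAce.AccessMask And GENERIC_ALL Then strPerm = strPerm & "Generic All;"
            If objAce.AccessMask And GENERIC_EXECUTE Then strPerm = strPerm & "Generic Execute;"
            If objAce.AccessMask And GENERIC_READ Then strPerm = strPerm & "Generic Read;"
            If objAce.AccessMask And GENERIC_WRITE Then strPerm = strPerm & "Generic Write;"
            Wscript.echo strPerm
        End If
    Next
End Sub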
================================================================================================================================
Disclaimer: The above script is for illustration purposes only. It is not recommended to run it on a production server without testing.
This is a personal weblog. The opinions expressed here represent my own and not those of my employer.