Find NTFS permissions for an account

We need to use an application that runs as a number of windows services.
Those services run under a local user account that was created when the
application was installed.

We need those accounts to be Windows 2008 Domain level accounts (the
services will be set up to access files on other servers, not the way the
application is designed, but for up-time reasons we want those files on our
fail-over file server).

We don't know what permissions were given to the accounts. We could go
through manually looking at permissions on every directory to see whether
they are there or not, and if so what permissions were assigned, but this
would take a LONG time.

There must be an application that an administrator can install on the server
and run, passing in the acount name for the local account, and having the
app come back with a list of directories they have permissions to, and what
they are.

Anyone know of such a thing?

Once we know what those permissions are we can duplicate them for the domain
level account...

I think it can be done using a script ... or check with XCACLS and filter
the results.

"Roger" <> wrote in message
news:eznFm$...
> We need to use an application that runs as a number of windows services.
> Those services run under a local user account that was created when the
> application was installed.
>
> We need those accounts to be Windows 2008 Domain level accounts (the
> services will be set up to access files on other servers, not the way the
> application is designed, but for up-time reasons we want those files on
> our fail-over file server).
>
> We don't know what permissions were given to the accounts. We could go
> through manually looking at permissions on every directory to see whether
> they are there or not, and if so what permissions were assigned, but this
> would take a LONG time.
>
> There must be an application that an administrator can install on the
> server and run, passing in the acount name for the local account, and
> having the app come back with a list of directories they have permissions
> to, and what they are.
>
> Anyone know of such a thing?
>
> Once we know what those permissions are we can duplicate them for the
> domain level account...
>
>

>"Roger" <> wrote in message
>news:eznFm$...
>> We need to use an application that runs as a number of windows services.
>> Those services run under a local user account that was created when the
>> application was installed.
>>
>> We need those accounts to be Windows 2008 Domain level accounts (the
>> services will be set up to access files on other servers, not the way the
>> application is designed, but for up-time reasons we want those files on
>> our fail-over file server).
>>
>> We don't know what permissions were given to the accounts. We could go
>> through manually looking at permissions on every directory to see whether
>> they are there or not, and if so what permissions were assigned, but this
>> would take a LONG time.
>>
>> There must be an application that an administrator can install on the
>> server and run, passing in the acount name for the local account, and
>> having the app come back with a list of directories they have permissions
>> to, and what they are.
>>
>> Anyone know of such a thing?
>>
>> Once we know what those permissions are we can duplicate them for the
>> domain level account...
>>
>>

On Tue, 4 May 2010 00:56:49 +0300, "Andrei Ungureanu"
<> wrote:

>I think it can be done using a script ... or check with XCACLS and filter
>the results.
>


I agree with XCACLS to find them.

There is also a third party product I've used in the past, called
Security Explorer, that is quite a bit more robust.

Script Logic Security Explorer
http://www.scriptlogic.com/products/security-explorer/


Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Yes, I've used it too. Security Explorer is great.

Andrei.

"Ace Fekay [MVP - Directory Services, MCT]" <>
wrote in message news:...
>>"Roger" <> wrote in message
>>news:eznFm$...
>>> We need to use an application that runs as a number of windows services.
>>> Those services run under a local user account that was created when the
>>> application was installed.
>>>
>>> We need those accounts to be Windows 2008 Domain level accounts (the
>>> services will be set up to access files on other servers, not the way
>>> the
>>> application is designed, but for up-time reasons we want those files on
>>> our fail-over file server).
>>>
>>> We don't know what permissions were given to the accounts. We could go
>>> through manually looking at permissions on every directory to see
>>> whether
>>> they are there or not, and if so what permissions were assigned, but
>>> this
>>> would take a LONG time.
>>>
>>> There must be an application that an administrator can install on the
>>> server and run, passing in the acount name for the local account, and
>>> having the app come back with a list of directories they have
>>> permissions
>>> to, and what they are.
>>>
>>> Anyone know of such a thing?
>>>
>>> Once we know what those permissions are we can duplicate them for the
>>> domain level account...
>>>
>>>
>
> On Tue, 4 May 2010 00:56:49 +0300, "Andrei Ungureanu"
> <> wrote:
>
>>I think it can be done using a script ... or check with XCACLS and filter
>>the results.
>>
>
>
> I agree with XCACLS to find them.
>
> There is also a third party product I've used in the past, called
> Security Explorer, that is quite a bit more robust.
>
> Script Logic Security Explorer
> http://www.scriptlogic.com/products/security-explorer/
>
>
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.

Try Somarsoft's DUMPACL. If you can find it. I used it five or six years
ago, but noticed it didn't work perfectly. Only caught about 95% of the
ACL's. There's another one I was thinking about using to track down and
deassign ACE's of departed employees from files on the storage devices.
Love to kill off their accounts, but I don't want to maroon files. It would
be like erasing accounts from one's chart of accounts.


On 5/3/10 5:56 PM, in article , "Andrei
Ungureanu" <> wrote:

> I think it can be done using a script ... or check with XCACLS and filter
> the results.
>
> "Roger" <> wrote in message
> news:eznFm$...
>> We need to use an application that runs as a number of windows services.
>> Those services run under a local user account that was created when the
>> application was installed.
>>
>> We need those accounts to be Windows 2008 Domain level accounts (the
>> services will be set up to access files on other servers, not the way the
>> application is designed, but for up-time reasons we want those files on
>> our fail-over file server).
>>
>> We don't know what permissions were given to the accounts. We could go
>> through manually looking at permissions on every directory to see whether
>> they are there or not, and if so what permissions were assigned, but this
>> would take a LONG time.
>>
>> There must be an application that an administrator can install on the
>> server and run, passing in the acount name for the local account, and
>> having the app come back with a list of directories they have permissions
>> to, and what they are.
>>
>> Anyone know of such a thing?
>>
>> Once we know what those permissions are we can duplicate them for the
>> domain level account...
>>
>>