Utility/report for effective NTFS rights for a single user/group?

Discussion in 'Windows Server' started by Chris, Jan 30, 2007.

  1. Chris

    Chris Guest

    Can someone point me in the way of a utility or perhaps 3rd party program
    that can determine the effective NTFS rights for a user or a group? What I
    would like is to be able to select a user or a group and see what
    folders/files that user has access to. Does something like this exist?

    Or is there another means of possibly generating some kind of report that
    shows who has access rights to each sub-folder of a higher-level folder? I
    know the Effective Permissions tab can be used for this but it's too
    simplistic in that you have to evaluate each folder individually. I'm
    thinking in the sense of like generating a report that shows who has access
    to what folders for say a SOX/HIPAA audit.
    Chris, Jan 30, 2007

  2. Chris

    Herb Martin Guest

    Technically Rights and Permissions are two distinct things in NT-class
    systems; what you are referencing are NTFS Permissions.

    The standard built-in tools are CACLS.exe or XCACLS.exe (support tools)
    or just Explorer which all show everything directly assigned or inherited by
    the object.

    But it doesn't do anything for you to figure out precisely what a user
    can do -- it just shows the ACEs (access control entries).

    In the resource kit are two utilities (Perms.exe & ShowAcls.exe) that focus
    on an individual user. Perms.exe is probably best.
    This is usually a different (type of) question. Since theoretically a user
    may have access to resources in ANY NTFS resource on any volume
    of any machine (not just servers, or even those machines with sharing
    enabled) of the domain, and even other domains in a forest or trust

    Perms can test a single machine, one volume or directory tree at a time.
    Cacls and Xcacls are probably closest since perms is buggy (I didn't know
    that until just now).

    The free SourceForge.exe "SetACL.exe" might also be used (to capture
    and even later reload permissions) but it is one of THE most complicated
    command-line tools in existence. This is because it was built to do
    'everything' by Unix/Linux folks to work on a Windows box. (Combination
    of all the worst possible switches, but it is cool when you need it.)

    Probably have to combine any of the above with a (Perl, grep etc) program
    to get exactly what you want.
    Herb Martin, Jan 30, 2007
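
The per-folder report asked about in this thread can be scripted; the following is an added example, not code from either poster, and it uses PowerShell's Get-Acl (PowerShell 3.0 or later) rather than the tools named above. The root path, identity names and output file are placeholders. Like CACLS, it lists the ACEs on each folder and does not compute effective permissions.

```powershell
# Added example: one CSV row per ACE for a folder tree, for audit review.
# All default values below are placeholders, not values from the thread.
param(
    [string]$Root = 'D:\Shares',                 # hypothetical top-level folder
    [string[]]$Identity = @(),                   # e.g. 'EXAMPLE\jsmith'; empty = every identity
    [string]$OutFile = '.\ntfs-ace-report.csv',
    [switch]$ExplicitOnly                        # omit inherited ACEs to shorten the report
)

function Get-FolderAceReport {
    param([string]$Root, [string[]]$Identity, [switch]$ExplicitOnly)

    # The root folder itself, then every sub-folder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Record folders whose ACL the auditing account cannot read,
            # so gaps in the report are visible instead of silent.
            [pscustomobject]@{ Path = $folder.FullName; Identity = '<ACL unreadable>'
                               Type = ''; Rights = ''; Inherited = ''; AppliesTo = ''; Owner = '' }
            continue
        }
        foreach ($ace in $acl.Access) {
            $name = $ace.IdentityReference.Value
            # -notcontains compares strings case-insensitively.
            if ($Identity.Count -gt 0 -and $Identity -notcontains $name) { continue }
            if ($ExplicitOnly -and $ace.IsInherited) { continue }
            [pscustomobject]@{
                Path      = $folder.FullName
                Identity  = $name
                Type      = $ace.AccessControlType        # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
                Owner     = $acl.Owner
            }
        }
    }
}

Get-FolderAceReport -Root $Root -Identity $Identity -ExplicitOnly:$ExplicitOnly |
    Export-Csv -Path $OutFile -NoTypeInformation
```

The identity filter matches only the names that appear literally in ACEs, so to answer "what can this user reach" pass the user's group names as well, and read Deny rows alongside Allow rows.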