Browse folders recursively for ACLs

Vince C.

Hi.

I'd like to check whether security groups that are defined in Active are
used in files/folders security. Are there command line tools to search
folders recursively for security attributes (ACLs)?

Thanks for any hint/suggestion.

Vince C.
 
Guest

Is this what you're looking for:

for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"

Note: The last line by the command will always give this error:
C:\>cacls "free "
The system cannot find the file specified.
 
Guest

the last command only does directories. this does directories,
subdirectories, and files:

for /f "tokens=*" %%i in ('dir /a /s /b') do cacls "%%~dpnxi"
 
Al Dunbar [MS-MVP]

Royce said:
the last command only does directories. this does directories,
subdirectories, and files:

for /f "tokens=*" %%i in ('dir /a /s /b') do cacls "%%~dpnxi"

Nice, but that does not do much that this does not do:

cacls *.* /t

... unless you search the output of each cacls command looking for a
specific trustee name...


/Al
 
Vince C.

On Saturday 12 November 2005 at 12:08 -0700, Al Dunbar [MS-MVP] wrote:
Nice, but that does not do much that this does not do:

cacls *.* /t

... unless you search the output of each cacls command looking for a
specific trustee name...

Which is exactly what I want :). Thanks Royce & Al.

Note the /t is said to *change* ACLS (cacls /?). Can it also be used to
just *list* recursively?

Vince C.
 
Guest

The /t alone will just list ACLs.

Vince C. said:
On Saturday 12 November 2005 at 12:08 -0700, Al Dunbar [MS-MVP] wrote:
Nice, but that does not do much that this does not do:

cacls *.* /t

... unless you search the output of each cacls command looking for a
specific trustee name...

Which is exactly what I want :). Thanks Royce & Al.

Note the /t is said to *change* ACLS (cacls /?). Can it also be used to
just *list* recursively?

Vince C.
 
Vince C.

Royce said:
the last command only does directories. this does directories,
subdirectories, and files:

for /f "tokens=*" %%i in ('dir /a /s /b') do cacls "%%~dpnxi"

This one is what I'm looking for. But the output of cacls is awful as it
can't be directly processed into Excel, for instance. It can't even be
treated like a space-separated list of values because spaces can occur in
file or folder names. Neither is there a common delimiter/position to each
"column".

Ok, it's more than nothing but I'd have expected an output format that is
easier to process. I think I'll have to write a custom script to transcode
to CSV.

Vince C.
 
Vince C.

Vince C. said:
Ok, it's more than nothing but I'd have expected an output format that is
easier to process. I think I'll have to write a custom script to transcode
to CSV.

... or use a Windows port of GNU utilities. I think I've got it.

Thanks again.

Vince C.
 
Jerold Schulman

This one is what I'm looking for. But the output of cacls is awful as it
can't be directly processed into Excel, for instance. It can't even be
treated like a space-separated list of values because spaces can occur in
file or folder names. Neither is there a common delimiter/position to each
"column".

Ok, it's more than nothing but I'd have expected an output format that is
easier to process. I think I'll have to write a custom script to transcode
to CSV.

Vince C.
If you use XCACLS.VBS, it is much easier to create a CSV file.
See tip 8225 » The Extended Change Access Control List tool (Xcacls.vbs) has been enhanced and replaces Xcacls.exe.
in the 'Tips & Tricks' at http://www.jsifaq.com

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
Kok Yong Lee

Hi Royce,

when I copied your command into a batch file and run the batch file, I get
the following error

C:\Lee\main_release>newest
d`) was unexpected at this time.

C:\Lee\main_release>FOR /F "skip=3 tokens=5*" d`) do cacls "j"

Any ideas what I have missed?

Thanks in advance.
 
billious

Kok Yong Lee said:
Hi Royce,

when I copied your command into a batch file and run the batch file, I get
the following error

C:\Lee\main_release>newest
d`) was unexpected at this time.

C:\Lee\main_release>FOR /F "skip=3 tokens=5*" d`) do cacls "j"

Any ideas what I have missed?

Thanks in advance.

Hmmm... now the line you are attempting to run is

FOR /F "skip=3 tokens=5*" d`) do cacls "j"

and the line in the post was

for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"


Now - is there a difference here?

HTH

....Bill
 
Kok Yong Lee

Hi Bill,

Well, that is what I am wondering as well, because in my batch file I only
have the following line
========================================
for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"
========================================
yet when I run the batch it just behaves completely differently.
 
foxidrive

Hi Bill,

Well, that is what I am wondering as well, because in my batch file I only
have the following line
========================================
for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"
========================================

double the percent signs (%=%%) in a batch file, as opposed to a command
line.
 
billious

foxidrive said:
double the percent signs (%=%%) in a batch file, as opposed to a command
line.

Very true, foxi - that will cure the immediate problem as posted.

The next problem is that "skip=3 tokens=5*" isn't universal or reliable.
It's not reliable because the last line of the "dir" report using this
structure has token5="free" which will attempt to perform CACLS on a
directory name "free ". It's not universal - I believe it assumes "am/pm"
time-format since on my system it only "hits" directorynames that contain
spaces - and then only the second-token-onwards of those (I use 24-hr
time-format.)

A far better solution would be

for /f "delims=" %%i in ('dir /b/a:d') do cacls "%%i"

The next problem in this thread is the actual requirement AIUI of the OP.
This appears to be a CSV file containing the ACL data (but no specification
as to precise format.) Leaving aside the minor change to this nebulous
requirement introduced by the "/a:d" filter for directories only, the
observation was made that the CACLS format was difficult to process and
'Neither is there a common delimiter/position to each "column" '. This last
assertion is debatable. The CACLS output is one of three forms:

1) filename[space]ACL-spec
2) [(length-of-filename+1) spaces]ACL-spec
3) [(length-of-filename+1+a few more) spaces]supplementary-ACL-spec

so to process it to a useful CSV-format, I'd expect
"filename","ACL-spec"
or
"filename","ACL-spec","supplementary-ACL-spec" (where
"supplementary-ACL-spec" may be "")

Since writing the file/directory-name to a tempfile and then executing
for %%i in (tempfilename) do set /a yLF=%%~zi-2

will set yLF to the length of the filename, producing the CSV format by
substringing the CACLS output isn't particularly hard, and I've got that
part working. The only bug I've found is where the target
file/directory-name contains a "poison character" - especially "&" which
kills off the substringing mechanism.

I've yet to find a way of removing the filename from a line such as
c:\106x\newest file with strange&characters!% hello BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

(where the "NT" in the second line is in the same column as the "B" of
"BUILTIN" in the first)

So at this point I'm stuck trying to solve someone else's problem :(

HTH

....Bill
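
Added example (not code from any poster in this thread): a Python sketch of the CSV conversion discussed above, which strips the filename by its known length instead of by tokenising, so spaces and "&" in the name do not matter. It assumes cacls was run on one known path at a time and that its output follows the three forms listed in the post; the function names and the sample output, including the trustee EXAMPLE\Finance-RW, are constructed for illustration.

```python
import csv
import io

def parse_cacls(path, output):
    """Split cacls output for one known path into (path, trustee, rights, extra) rows."""
    col = len(path) + 1                 # ACL specs start one column after the path
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        lead = len(line) - len(line.lstrip(" "))
        if line[:col].lower() == (path + " ").lower():
            spec = line[col:]           # form 1: path, one space, ACL spec
        elif lead == col:
            spec = line[col:]           # form 2: padded to the same column
        elif lead > col and rows:
            # form 3: deeper indent, supplementary detail for the previous ACE
            p, t, r, extra = rows[-1]
            rows[-1] = (p, t, r, (extra + " " + line.strip()).strip())
            continue
        else:
            raise ValueError("unexpected cacls line: %r" % line)
        # ':' is not valid in account names, so the first one ends the trustee
        trustee, _, rights = spec.strip().partition(":")
        rows.append((path, trustee, rights, ""))
    return rows

def to_csv(rows):
    """Render rows as fully quoted CSV that a spreadsheet can open."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(("path", "trustee", "rights", "supplementary"))
    writer.writerows(rows)
    return buf.getvalue()

def paths_using(rows, trustee):
    """Paths whose ACL names the given trustee (case-insensitive)."""
    return sorted({p for p, t, _, _ in rows if t.lower() == trustee.lower()})

# Constructed sample, using the awkward filename from the post above.
SAMPLE_PATH = r"c:\106x\newest file with strange&characters!% hello"
_PAD = " " * (len(SAMPLE_PATH) + 1)
SAMPLE_OUTPUT = "\n".join([
    SAMPLE_PATH + r" BUILTIN\Administrators:F",
    _PAD + r"NT AUTHORITY\SYSTEM:F",
    _PAD + r"EXAMPLE\Finance-RW:(CI)(special access:)",
    _PAD + " " * 20 + "FILE_APPEND_DATA",
])

if __name__ == "__main__":
    print(to_csv(parse_cacls(SAMPLE_PATH, SAMPLE_OUTPUT)), end="")
```

Feed it the captured output of one cacls call per path, for instance one call per name produced by dir /b.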
 
Vince C.

On Monday 14 November 2005 at 09:51 -0500, Jerold Schulman wrote:
If you use XCACLS.VBS, it is much easier to create a CSV file.
See tip 8225 » The Extended Change Access Control List tool (Xcacls.vbs) has been enhanced and replaces Xcacls.exe.
in the 'Tips & Tricks' at http://www.jsifaq.com

Thanks a lot Jerold. That's quite nice. That will surely help a lot of
people. Auditing security attributes is tedious without that tool. It
helps detecting what security groups are used and which aren't. That's
so much true when someone else was maintaining security, who's not there
anymore. For instance...

Vince C.
 