How to view all files/folders denied to a particular User?

  • Thread starter: Howard

Howard

I have a user account called Visitor on my computer (XP). I set a bunch of
files and folders to deny permission to the Visitor user account by
right-clicking and going to the properties security tab on each of them, one
by one. Is there any way to now get a complete list of the files/folders
denied to this user account so I can see all of them at once? I've searched
everywhere and not only not found a way to do it, but oddly not even found
anyone asking about it. It seems something an admin would very often want.
 
Howard said:
I have a user account called Visitor on my computer (XP). I set a bunch of
files and folders to deny permission to the Visitor user account by
right-clicking and going to the properties security tab on each of them, one
by one. Is there any way to now get a complete list of the files/folders
denied to this user account so I can see all of them at once? I've searched
everywhere and not only not found a way to do it, but oddly not even found
anyone asking about it. It seems something an admin would very often want.

This is not odd at all. What you asked is equivalent to asking "Which doors
in our town won't I be able to open with my house keys?" You can't tell
unless you try all of them. Next day someone will build another house that
you have to test too. Much better to ask the reverse: Which files and
folders ***can*** a visitor open? Presumably the ones that have the words
"everyone" and "visitor" in their security descriptor, plus the ones that
are open for groups where "visitor" is a member. This tool might help you
obtain this information: SystemTools.exe (downloadable as dumpacl.zip from
http://robot.pbwiki.com/UsefulTools).

My personal preference is to disable the "guest" account. Having it enabled
is a security risk. Much better to create a dedicated account for visitors,
with tightly defined access permissions.
 
First of all this IS a dedicated account for visitors. It is a limited user
account called Visitor, not the default Guest account. And giving it the
tightly defined access permissions is precisely what I was doing.

So I went through and by hand denied permissions to a variety of files and
folders. This account has access to most files and folders, with only some
exceptions, which I chose. Thus, it's far more efficient to get a list of the
files denied than the ones allowed, as the allowed list would be much much
bigger and would then have to be compared to a list of all files to know
which ones were denied. My reason for wanting this specific denied list is in
case I ever have to reinstall Windows so that I can go back and simply check
off the same list of files to deny the Visitor account. I would have kept a
list by hand as I did it, but just assumed there was a place I could click on
a user account and get a list of files denied. I was surprised to find out
there was no way to get this information that I could discern.

This is not like a random resident asking which houses can a key open. This
is a closed system that I administer. It is like the landlord of a complex
knowing which keys open which apartments in a system they run. All I want to
have is a list of denials I specifically have created for a particular user
all in one place, instead of having to check every file and folder by hand
one-by-one. It is a very reasonable request. And the information obviously
must be on the machine. Somewhere there has to be some list the computer
checks telling it which files and folders are secured from which accounts.

I'll check out the tool you suggested, but I'm really surprised there is
nowhere on XP itself to see which files/folders on a file system have been
denied to a particular user.
 
You can use this command, then examine c:\cacls.txt:
cacls c:\*.* /t > c:\cacls.txt
Look for the string "Visitor:N"
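
Added example, not part of the original post: a small Python parser that pulls the denied paths for one account out of a report produced by the cacls command above. It assumes the usual cacls layout (path followed by the first ACE, further ACEs on indented continuation lines, `N` for a full deny, `(DENY)` for a partial one); the sample report and the `MYPC` machine name are constructed.

```python
import re

# Constructed sample in the layout cacls prints: path, then one ACE per line,
# with continuation lines indented to the column where the first ACE started.
SAMPLE = r"""C:\Data\Payroll MYPC\Visitor:(OI)(CI)N
                BUILTIN\Administrators:(OI)(CI)F
C:\Data\Shared Files BUILTIN\Administrators:(OI)(CI)F
                     MYPC\Visitor:(DENY)(special access:)
                                  DELETE
C:\Data\readme.txt MYPC\Visitor:R
                   BUILTIN\Administrators:F
C:\Data\notes.txt BUILTIN\Users:R
                  MYPC\Visitor:N
"""

def denied_paths(report, account="Visitor"):
    """Return the paths whose ACL carries a deny entry for `account`."""
    # Optional MACHINE\ prefix, the account, then (flags) and a permission letter.
    ace = re.compile(r"(?<!\S)(?:\S+\\)?" + re.escape(account)
                     + r":((?:\([^)]*\))*)(\S*)", re.IGNORECASE)
    found, first_line = [], ""
    for line in report.splitlines():
        if line and not line[0].isspace():
            first_line = line      # a new file/folder entry starts in column 0
        m = ace.search(line)
        if not m:
            continue
        flags, perm = m.group(1).upper(), m.group(2).upper()
        if perm != "N" and "(DENY)" not in flags:
            continue               # an allow entry such as Visitor:R
        if not line[0].isspace():
            # ACE shares the line with the path: the path is everything before it.
            path = line[:m.start()].rstrip()
        else:
            # Continuation line: its indent marks where the path ended, which
            # keeps paths containing spaces intact.
            indent = len(line) - len(line.lstrip())
            path = first_line[:indent].rstrip()
        if path not in found:
            found.append(path)
    return found

if __name__ == "__main__":
    print("\n".join(denied_paths(SAMPLE)))
```

A plain search for "Visitor:N" would miss the first two entries of the sample, because the inheritance flags and the `(DENY)` marker sit between the colon and the permission.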
 
For the command cacls, it says that /t "changes ACLs of specified files in
the current directory and all its subdirectories"

Using the command you offered is only going to print out the current
settings to cacls.txt, not change them, correct?
 
If you don't add an action switch such as /g or /r then it will only list
permissions. On the other hand you should not take my word for it - you
should test the command on a small directory tree that you create for this
purpose. It will take no more than a couple of minutes . . .
 
Pegasus,

Thanks so much. The DumpSec program in the System Tools package you
recommended does allow me to get a list and sort it in Excel to get the info
I need.

I also want to try getting the info using the command prompt. However, I've
had more trouble with this method. First, it would print the info to
cacls.txt, but it would appear to go through the C: drive alphabetically
until it came to c:\hiberfile.sys and stop. So it never even got to the
folders with the most data.

Now, for some reason, every time I try it - even after rebooting - I'm
getting "The process cannot access the file because it is being used by
another process." I have tried using various names for the txt file to which
I have it write, including names I have never used before, but still get that
message.

It would be really nice to see how the info comes out using the cacls
command. Any ideas how to get it working?
 
Howard said:
Pegasus,

Thanks so much. The DumpSec program in the System Tools package you
recommended does allow me to get a list and sort it in Excel to get the info
I need.

I also want to try getting the info using the command prompt. However, I've
had more trouble with this method. First, it would print the info to
cacls.txt, but it would appear to go through the C: drive alphabetically
until it came to c:\hiberfile.sys and stop. So it never even got to the
folders with the most data.

Now, for some reason, every time I try it - even after rebooting - I'm
getting "The process cannot access the file because it is being used by
another process." I have tried using various names for the txt file to which
I have it write, including names I have never used before, but still get that
message.

It would be really nice to see how the info comes out using the cacls
command. Any ideas how to get it working?

In such cases you should ***always*** use the inbuilt help function:

cacls /?

You will immediately see that adding the /c switch allows the command to
continue when errors are found.
 