Browse folders recursively for ACLs

  • Thread starter Thread starter Vince C.
  • Start date Start date
V

Vince C.

Hi.

I'd like to check whether security groups that are defined in Active are
used in files/folders security. Are there command line tools to search
folders recursively for security attributes (ACLs)?

Thanks for any hint/suggestion.

Vicne C.
 
Is this what your looking for:

for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"

Note: The last line by the command will allways give this error:
C:\>cacls "free "
The system cannot find the file specified.
 
the last command only does directories. this does directories,
subdirectories, and files:

for /f "tokens=*" %%i in ('dir /a /s /b') do cacls "%%~dpnxi"
 
Royce said:
the last command only does directories. this does directories,
subdirectories, and files:

for /f "tokens=*" %%i in ('dir /a /s /b') do cacls "%%~dpnxi"
Click to expand...

Nice, but that does not do much that this does not do:

cacls *.* /t

.... unless you search the output of each cacls command looking for a
specific trustee name...


/Al
 
Le samedi 12 novembre 2005 à 12:08 -0700, Al Dunbar [MS-MVP] a écrit :
Nice, but that does not do much that this does not do:

cacls *.* /t

... unless you search the output of each cacls command looking for a
specific trustee name...
Click to expand...

Which is exactly what I want :-). Thanks Royce & Al.

Note the /t is said to *change* ACLS (cacls /?). Can it also be used to
just *list* recursively?

Vince C.
 
The /t alone will just list ACLs.

Vince C. said:
Le samedi 12 novembre 2005 à 12:08 -0700, Al Dunbar [MS-MVP] a écrit :
Nice, but that does not do much that this does not do:

cacls *.* /t

... unless you search the output of each cacls command looking for a
specific trustee name...
Click to expand...

Which is exactly what I want :-). Thanks Royce & Al.

Note the /t is said to *change* ACLS (cacls /?). Can it also be used to
just *list* recursively?

Vince C.
Click to expand...
 
Royce said:
the last command only does directories. this does directories,
subdirectories, and files:

for /f "tokens=*" %%i in ('dir /a /s /b') do cacls "%%~dpnxi"
Click to expand...

This one is what I'm looking for. But the output of cacls is awful as it
can't be directly processed into Excel, for instance. It can't even be
treated like a space-separated list of values because spaces can occur in
file or folder names. Neither is there a common delimiter/position to each
"column".

Ok, it's more than nothing but I'd have expected an output format that is
easier to process. I think I'll have to write a custom script to transcode
to CSV.

Vince C.
 
Vince C. said:
Ok, it's more than nothing but I'd have expected an output format that is
easier to process. I think I'll have to write a custom script to transcode
to CSV.
Click to expand...

.... or use a windows port of GNU utilities. I think I've got it.

Thanks again.

Vince C.
 
This one is what I'm looking for. But the output of cacls is awful as it
can't be directly processed into Excel, for instance. It can't even be
treated like a space-separated list of values because spaces can occur in
file or folder names. Neither is there a common delimiter/position to each
"column".

Ok, it's more than nothing but I'd have expected an output format that is
easier to process. I think I'll have to write a custom script to transcode
to CSV.

Vince C.
Click to expand...
If you use XCACLS.VBS, it is much easier to create a CSV file.
See tip 8225 » The Extended Change Access Control List tool (Xcacls.vbs) has been enhanced and replaces Xcacls.exe.
in the 'Tips & Tricks' at http://www.jsifaq.com

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
Hi Royce,

when I copied your command into a batch file and run the batch file, I get
the following error

C:\Lee\main_release>newest
d`) was unexpected at this time.

C:\Lee\main_release>FOR /F "skip=3 tokens=5*" d`) do cacls "j"

Any ideas what I have missed?

thanks in advanced.
 
Kok Yong Lee said:
Hi Royce,

when I copied your command into a batch file and run the batch file, I get
the following error

C:\Lee\main_release>newest
d`) was unexpected at this time.

C:\Lee\main_release>FOR /F "skip=3 tokens=5*" d`) do cacls "j"

Any ideas what I have missed?

thanks in advanced.
Click to expand...

Hmmm... now the line you are attempting to run is

FOR /F "skip=3 tokens=5*" d`) do cacls "j"

and the line in the post was

for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"


Now - is there a difference here?

HTH

....Bill
 
Hi Bill,

well that is what I am wondering as well, because in my batch file I only
have the folowing line
========================================
for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"
========================================
yet when I run the batch run it just behave completely different.
 
Hi Bill,

well that is what I am wondering as well, because in my batch file I only
have the folowing line
========================================
for /f "skip=3 tokens=5*" %i in ('dir /a:d') do cacls "%i %j"
========================================
Click to expand...

double the percent signs (%=%%) in a batch file, as opposed to a command
line.
 
foxidrive said:
double the percent signs (%=%%) in a batch file, as opposed to a command
line.
Click to expand...

Very true, foxi - that will cure the immediate problem as posted.

The next problem is that "skip=3 tokens=5*" isn't universal or reliable.
It's not reliable because the last line of the "dir" report using this
structure has token5="free" which will attempt to perform CACLS on a
directory name "free ". It's not universal - I believe it assumes "am/pm"
time-format since on my system it only "hits" directorynames that contain
spaces - and then only the second-token-onwards of those (I use 24-hr
time-format.)

A far better solution would be

for /f "delims=" %%i in ('dir /b/a:d') do cacls "%%i"

The next problem in this thread is the actual requirement AIUI of the OP.
This appears to be a CSV file containing the ACL data (but no specification
as to precise format.) Leaving aside the minor change to this nebulous
requirement introduced by the "/a:d" filter for directories only, the
observation was made that the CACLS format was difficult to process and
'Neither is there a common delimiter/position to each "column" '. This last
assertion is debatable. The CACLS output is one of three forms:

1) filename[space]ACL-spec
2) [(length-of-filename+1) spaces]ACL-spec
2) [(length-of-filename+1+a few more) spaces]supplementary-ACL-spec

so to process it to a useful CSV-format, I'd expect
"filename","ACL-spec"
or
"filename","ACL-spec","supplementary-ACL-spec" (where
"supplementary-ACL-spec" may be "")

Since writing the file/directory-name to a tempfile and then executing
for %%i in (tempfilename) do set /a yLF=%%~zi-2

will set yLF to the length of the filename, producing the CSV format by
substringing the CACLS output isn't particularly hard, and I've got that
part working. The only bug I've found is where the target
file/directory-name contains a "poison character" - especially "&" which
kills off the substringing mechanism.

I've yet to find a way of removing the filename from a line such as
c:\106x\newest file with strange&characters!% hello BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

(where the "NT" in the second line is in the same column as the "B" of
"BUILTIN" in the first)

So at this point I'm stuck trying to solve someone else's problem :(

HTH

....Bill
 
Le lundi 14 novembre 2005 à 09:51 -0500, Jerold Schulman a écrit :
If you use XCACLS.VBS, it is much easier to create a CSV file.
See tip 8225 » The Extended Change Access Control List tool (Xcacls.vbs) has been enhanced and replaces Xcacls.exe.
in the 'Tips & Tricks' at http://www.jsifaq.com
Click to expand...

Thanks a lot Jerold. That's quite nice. That will surely help a lot of
people. Auditing security attributes is tedious without that tool. It
helps detecting what security groups are used and which aren't. That's
so much true when someone else was maintaining security, who's not there
anymore. For instance...

Vince C.
 
Back
Top