BigFix User Group

#1 2008-07-22 11:41:21

jcsUTSW
Experienced Member
Registered: 2007-01-30
Posts: 64

Shared Folder Permissions

Would anyone happen to have a relevance / analysis that will check shared folder permissions for Everyone? If Everyone exists, then report what permissions they have.
Taking it a step further: if Everyone has rights on a shared folder, display those rights, and then display the corresponding NTFS permissions.

I've been searching the KB and here for something similar and have been unable to find anything.

Thanks in advance.


#2 2008-07-23 06:15:00

Ben Kus
Product Expert
From: California
Registered: 2006-07-18
Posts: 3500

Re: Shared Folder Permissions

I think you can do something like:

names of network shares whose (effective generic right permission of dacl of security descriptor of it)

But... I think there was a version of the agent (7.0.1 I believe) that would crash if the dacl didn't exist, so I would be very cautious about using this...

Ben


#3 2008-07-23 10:35:47

bhobbs
Member
Registered: 2006-11-09
Posts: 5

Re: Shared Folder Permissions

Here is one that will list shares in which the Everyone account is listed as a trustee:

q: names of it whose (exists (account name of trustee of entries of dacls of security descriptors of it) whose (it = "Everyone")) of network shares

This will list every share with Everyone assigned to it and their read, write, execute privileges respectively:

q: (name of it, (account name of trustee of it, read permissions of it, write permissions of it, execute permissions of it) of entries whose (account name of trustee of it = "Everyone") of dacls of security descriptors of it) of network shares

There are a lot of potential privileges that can be listed with this.

read permission of <access control entry>: boolean
list permission of <access control entry>: boolean
write permission of <access control entry>: boolean
create file permission of <access control entry>: boolean
append permission of <access control entry>: boolean
create folder permission of <access control entry>: boolean
read extended attributes permission of <access control entry>: boolean
write extended attributes permission of <access control entry>: boolean
execute permission of <access control entry>: boolean
traverse permission of <access control entry>: boolean
delete child permission of <access control entry>: boolean
read attributes permission of <access control entry>: boolean
write attributes permission of <access control entry>: boolean
query value permission of <access control entry>: boolean
set value permission of <access control entry>: boolean
create subkey permission of <access control entry>: boolean
enumerate subkeys permission of <access control entry>: boolean
change notification permission of <access control entry>: boolean
create link permission of <access control entry>: boolean
delete permission of <access control entry>: boolean
read control permission of <access control entry>: boolean
write dac permission of <access control entry>: boolean
write owner permission of <access control entry>: boolean
synchronize permission of <access control entry>: boolean
maximum allowed permission of <access control entry>: boolean
generic all permission of <access control entry>: boolean
generic execute permission of <access control entry>: boolean
generic write permission of <access control entry>: boolean
generic read permission of <access control entry>: boolean
access mode of <access control entry>: integer


#4 2008-07-24 09:37:47

jcsUTSW
Experienced Member
Registered: 2007-01-30
Posts: 64

Re: Shared Folder Permissions

That's awesome! Thank you.

How would I get the rights on the actual folder if 'Everyone' has access to read, write, or execute on the share permissions?

I'm trying to find machines that are basically wide open to "Everyone" and list where they have access.

Thank you


#5 2009-11-05 22:26:55

BrianK
Experienced Member
From: Cleveland, OH
Registered: 2009-06-30
Posts: 58

Re: Shared Folder Permissions

I hate to bring a thread back from the dead, but this question seems to be the most applicable.  I am trying to see if a particular group has access to a folder.  Everything I have seen talks about "effective permissions" and while that works in most cases, we have some folks here who have been a bit too "generous" when applying permissions.  I am trying to lock things down, but I want to make sure my new groups are in place before that.

Anyway, this is what I have so far:

account names of trustees of (entries of dacls of security descriptors of it) of folder "c:\folder"

That lists all of the users/groups that have permissions.  I need something that will return true/false based on a group name being listed AND that it has write permissions.  I have been fiddling with this tonight, but haven't been able to get it working.  Thank you in advance for taking a stab at it.


#6 2009-11-06 19:55:16

Ben Kus
Product Expert
From: California
Registered: 2006-07-18
Posts: 3500

Re: Shared Folder Permissions

See here to see if it helps:
http://forum.bigfix.com/viewtopic.php?id=963

Please heed the Big Fat Warning.

Ben


#7 2009-11-07 23:01:30

BrianK
Experienced Member
From: Cleveland, OH
Registered: 2009-06-30
Posts: 58

Re: Shared Folder Permissions

Well, I am not interested in "effective permissions."  Like I said before, we had some folks who were a bit "generous" in granting permissions.  In other words, they liked to use "Everyone".  ::sigh::  Anyway, I ALMOST have something worked out for my fixlet applicability, but it is really ghetto and doesn't quite work.

substring separated by " " whose (it as lowercase contains "group") of account names of trustees of (entries whose (write permission of it = true) of dacls of security descriptors of it) of folder "c:\folder" as lowercase != "group"

It returns "false" when the group has write permission to the folder, but if the group is not there or does not have permission, it laughs at me and says "Singular expression refers to nonexistent object."  I need it to return true in that situation and I can't figure out how to guard it so it does.

Anyway, I would really appreciate it if someone has any ideas on how to guard the code as it is, or a better way to go about doing this.  Thanks.

Offline
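
Added example, not part of any post in this thread and not BigFix's own content: one way to write the guarded true/false check asked for in post #7, followed by a query that pairs the Everyone share check from post #3 with the NTFS entries asked about in post #4. It is built from the inspectors quoted in the thread; "group" and c:\folder are the placeholders from post #7, and `path of <network share>` and the plural `folders` are assumptions that do not appear on this page.

```relevance
/* Added example. "group" and c:\folder are the placeholders from post #7. */

/* True when no DACL entry on the folder grants write permission to a trustee
   named "group". "exists" over the plural "entries" gives False for an empty
   or missing set instead of "Singular expression refers to nonexistent
   object", so the outer "not" gives True when the group is absent. */
q: not exists entries whose (write permission of it and exists (account names of trustees of it) whose (it as lowercase = "group")) of dacls of security descriptors of folder "c:\folder"

/* Shares whose share-level DACL lists Everyone, each paired with the Everyone
   entries on the NTFS DACL of the folder behind the share.
   Assumption: "path of <network share>" and plural "folders" are not shown
   on this page. */
q: (name of it, (account name of trustee of it, read permission of it, write permission of it, execute permission of it) of entries whose (exists (account names of trustees of it) whose (it = "Everyone")) of dacls of security descriptors of folders (path of it)) of network shares whose (exists entries whose (exists (account names of trustees of it) whose (it = "Everyone")) of dacls of security descriptors of it)
```

Both queries test only the trustee name and the listed permission flags on each entry; they report what is written in the DACL, not effective permissions.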

 
