How to write an audit on a folder's user permissions (Read, Write, Special)?

(imported topic written by HSLimMic91)

Hi,

I would like to ask, how do we audit the user’s access permissions, such as “read”, “write”, “full control”, “special permission”, etc.?

Example of the screenshot is:

http://img24.imageshack.us/img24/3300/accessx.jpg

I tried using:

Q: effective write permission for "Administrators" of dacls of security descriptors of folder "\\hlim31-desk\c$\WINDOWS"

A: True

T: 38.915 ms

But when I tried to check the access for “Power Users” it gives me:

Q: effective write permission for "Power Users" of dacls of security descriptors of folder "\\hlim31-desk\c$\WINDOWS"

E: Singular expression refers to nonexistent object.

Can someone please tell me which part of my fixlet is wrong?

Thank you in advance to those who reply and take a look here.

Thank you,

Regards,

(imported comment written by BenKus)

Are you trying to check the permissions of a remote share? try again with “C:\Windows”

Ben

(imported comment written by HSLimMic91)

Yes Ben, I’m trying to check on a Remote share as well.

For the above example, I can’t seem to check the other groups of users. Is that audit only available for the Administrator?

Thank you for the fast response.

(imported comment written by BenKus)

I am not sure why the power users failed, but you shouldn’t use relevance to check the permissions of a remote share. Why not just use relevance to check the permissions of the local share on the hlim31-deskop computer? If you sent this out to all your computers, it would cause all of them to check the permissions on this share (which is not what you want)… Also, it wouldn’t even work because the SYSTEM account wouldn’t have privileges…

Ben

(imported comment written by HSLimMic91)

Thanks Ben, for your reply. In fact, I tried out what you suggested earlier, but it’s also the same. I can’t seem to audit the access permission of other user groups (in this case, “Power User”); it can only check the permission for “Administrator”.

Is there any catch in this audit? Or is there any audit that I can list out all the group that have access to the file?

Eg of the following. Is there any audit that can list down there exists Administrator and Power User group in the specific directory?

Thank you very much

(imported comment written by Jeff Saxton)

Can you tell us what the following relevance expressions return when executed locally?

Q: dacls of security descriptor of folder "c:\windows"

Q: dacls of security descriptor of folder "c:"

Also, what version of the QNA Relevance Debugger or Fixlet Debugger are you using?

(imported comment written by HSLimMic91)

Hi Jeff,

Q: dacls of security descriptor of folder "c:\windows"

A: D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)

T: 0.690 ms

Q: dacls of security descriptor of folder "c:"

A: D:(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;S-1-5-21-1004336348-1383384898-1417001333-367372)

T: 3.114 ms

I’m currently using BigFix Debugger version: 8.0.627.0

How do I read the returned result? It seems encrypted?

Thanks for replying Jeff, appreciate it :)
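The strings returned above are SDDL text: each parenthesised group is one ACE in the form (type;flags;rights;object GUID;inherited object GUID;trustee). The Python below is an added example, not part of the thread or of BigFix, that decodes the two quoted DACLs into trustee and access letters. The function names, the F/R/W/X summary and the reduced alias tables are assumptions of this example, and conditional ACEs are not handled.

```python
import re

# DACL strings copied from the two answers quoted in the thread.
TI = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
WINDOWS_DACL = (f"D:PAI(A;;FA;;;{TI})(A;CIIO;GA;;;{TI})(A;;0x1301bf;;;SY)"
                "(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)"
                "(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)")
ROOT_DACL = ("D:(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)"
             "(A;OICIID;FA;;;S-1-5-21-1004336348-1383384898-1417001333-367372)")
# SDDL aliases for well-known trustees and access rights (subset only).
SIDS = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
        "BU": "BUILTIN\\Users", "PU": "BUILTIN\\Power Users", "WD": "Everyone",
        "CO": "CREATOR OWNER", TI: "NT SERVICE\\TrustedInstaller"}
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}

def rights_mask(text):
    """Turn the rights field (hex mask or two-letter codes) into an integer."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for code in re.findall("..", text):
        mask |= RIGHTS[code]
    return mask

def summarize(mask):
    """Collapse a file access mask to F (full control) or R/W/X letters."""
    if mask & RIGHTS["GA"] or (mask & RIGHTS["FA"]) == RIGHTS["FA"]:
        return "F"
    # FILE_READ_DATA / FILE_WRITE_DATA / FILE_EXECUTE bit plus its generic right.
    tests = {"R": 0x80000001, "W": 0x40000002, "X": 0x20000020}
    return "".join(c for c, bits in tests.items() if mask & bits) or "special"

def parse_dacl(sddl):
    """Return (DACL flags, list of ACE dicts) for a simple, non-conditional DACL."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl.strip())
    if not m:
        raise ValueError("not a simple SDDL DACL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        kind, flags, rights, _obj, _inh, sid = body.split(";")
        aces.append({"type": kind, "trustee": SIDS.get(sid, sid),
                     "access": summarize(rights_mask(rights)),
                     "inherit_only": "IO" in re.findall("..", flags)})
    return m.group(1), aces

def folder_access(sddl):
    """Trustee -> access for allow ACEs that apply to the folder itself."""
    return {a["trustee"]: a["access"] for a in parse_dacl(sddl)[1]
            if a["type"] == "A" and not a["inherit_only"]}
```

For the c:\windows string this gives TrustedInstaller F, SYSTEM and Administrators RWX, and Users RX; the ACEs flagged IO (inherit-only) apply to child objects rather than the folder and are left out. No ACE in that string names Power Users (alias PU).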

(imported comment written by HSLimMic91)

Does anyone have any idea how to do an access control audit?

(imported comment written by SystemAdmin)

Here is a shares and share permission analysis that you might be able to adapt to get the information you are looking for …

(name of it, path of it,
  (if (not exists entries of dacls of security descriptors of it) then "n/a" else
    ((trustee of it as string & ":"
      & (if (read permission of it) then "R" else "")
      & (if (write permission of it) then "W" else "")
      & (if (execute permission of it) then "E" else "")
      & (if (set value permission of it) then "F" else ""))
    of entries of dacls of security descriptors of it)))
of network shares whose ((name of it != "IPC$") AND (name of it != "ADMIN$") AND (name of it != "C$") AND (name of it != "D$") AND (name of it != "E$") AND (name of it != "F$") AND (name of it != "G$") AND (name of it != "H$") AND (name of it != "I$"))

Example output: , , dacl example would be: \Everyone:RWEF OR Domain\User:RE

This doesn’t go into the special dacls, but it might point you in the right direction. When you get it worked out, please post for everyone’s benefit.