Need help combining/merging two relevance queries into one analyses property

Here is what I’m trying to do. I need to combine a list of NTFS permissions with a list of Share permissions, into one analysis:

I have easily separated the queries so they work separately:

NTFS Permissions (Analysis 1):
(if (name of operating system as lowercase contains "win") then (("[NTFS]: " & name of it, path of it,(account name of trustee of it & ": " & ("//") & (
if (generic all permission of it) then "Full Control//" else (
if (generic write permission of it) then "Modify//" else (
if (generic read permission of it AND generic execute permission of it) then "Read & Execute//" else (
(if (read permission of it) then "Read/" else "")
& (if (write permission of it) then "Write/" else "")
& (if (execute permission of it) then "Execute/" else "")
& (if (delete permission of it) then "Delete/" else "")
& (if (list permission of it) then "List/" else "")
& (if (append permission of it) then "Append/" else "")
& (if (write dac permission of it) then "Modify DACL/" else "") & ("/")
)
)
)
)) of entries of dacls of security descriptors of folders (paths of it)) of network shares whose (name of it does not contain "$")) else nothings)

A1:
test, C:\test, [NTFS]: Authenticated Users: //Modify//
test, C:\test, [NTFS]: SYSTEM: //Full Control//
test, C:\test, [NTFS]: Administrators: //Full Control//
test, C:\test, [NTFS]: Users: //Read & Execute//
HP, C:\HP, [NTFS]: Authenticated Users: //Modify//
HP, C:\HP, [NTFS]: SYSTEM: //Full Control//
HP, C:\HP, [NTFS]: Administrators: //Full Control//
HP, C:\HP, [NTFS]: Users: //Read & Execute//

Share Permissions (Analysis 2):
(if (name of operating system as lowercase contains "win") then (("[SHARE]: " & name of it, (account name of trustee of it & ": " & ("//") & (
if (generic all permission of it) then "Full Control//" else (
if (generic write permission of it) then "Change//" else (
if (generic read permission of it) then "Read//" else (
(if (read permission of it) then "Read/" else "")
& (if (write permission of it) then "Write/" else "")
& (if (execute permission of it) then "Execute/" else "")
& (if (delete permission of it) then "Delete/" else "")
& (if (list permission of it) then "List/" else "")
& (if (append permission of it) then "Append/" else "")
& (if (write dac permission of it) then "Modify DACL/" else "") & ("/")
)
)
)
)) of entries of dacls of security descriptors of it) of network shares whose (name of it does not contain "$")) else nothings)

A2:
test, [SHARE]: Everyone: //Read//
HP, [SHARE]: Everyone: //Change//

I need to combine these two so a single analysis result looks like:
test, C:\test, [NTFS]: Authenticated Users: //Modify// - [SHARE]: Everyone: //Read//
test, C:\test, [NTFS]: SYSTEM: //Full Control// - [SHARE]: Everyone: //Read//
test, C:\test, [NTFS]: Administrators: //Full Control// - [SHARE]: Everyone: //Read//
test, C:\test, [NTFS]: Users: //Read & Execute// - [SHARE]: Everyone: //Read//
HP, C:\HP, [NTFS]: Authenticated Users: //Modify// - [SHARE]: Everyone: //Change//
HP, C:\HP, [NTFS]: SYSTEM: //Full Control// - [SHARE]: Everyone: //Change//
HP, C:\HP, [NTFS]: Administrators: //Full Control// - [SHARE]: Everyone: //Change//
HP, C:\HP, [NTFS]: Users: //Read & Execute// - [SHARE]: Everyone: //Change//

Try this:
(if (name of operating system as lowercase contains "win") then unique values of (item 0 of it as string & item 1 of it as string) of ((( "[NTFS]: " & name of it, path of it,(account name of trustee of it & ": " & ("//") & (if (generic all permission of it) then "Full Control//" else ( if (generic write permission of it) then "Modify//" else ( if (generic read permission of it AND generic execute permission of it) then "Read & Execute//" else ( (if (read permission of it) then "Read/" else "") & (if (write permission of it) then "Write/" else "") & (if (execute permission of it) then "Execute/" else "") & (if (delete permission of it) then "Delete/" else "") & (if (list permission of it) then "List/" else "") & (if (append permission of it) then "Append/" else "") & (if (write dac permission of it) then "Modify DACL/" else "") & ("/") ) ) ) )) of entries of dacls of security descriptors of folders (paths of it)),("[SHARE]: " & name of it, (account name of trustee of it & ": " & ("//") & (if (generic all permission of it) then "Full Control//" else ( if (generic write permission of it) then "Change//" else ( if (generic read permission of it) then "Read//" else ((if (read permission of it) then "Read/" else "") & (if (write permission of it) then "Write/" else "") & (if (execute permission of it) then "Execute/" else "") & (if (delete permission of it) then "Delete/" else "") & (if (list permission of it) then "List/" else "") & (if (append permission of it) then "Append/" else "") & (if (write dac permission of it) then "Modify DACL/" else "") & ("/") ) ) ) )) of entries of dacls of security descriptors of it)) of network shares whose (name of it does not contain "$")) else nothings)

That worked. Thanks! I updated my original as follows:

(if (name of operating system as lowercase contains "win") then unique values of (item 0 of it as string & item 1 of it as string) of ((("\" & (computer name) & "\" & name of it, "[PATH]: " & path of it,("[NTFS ACL]: " & account name of trustee of it & ": " & ("//") & (if (generic all permission of it) then "Full Control//" else ( if (generic write permission of it) then "Modify//" else ( if (generic read permission of it AND generic execute permission of it) then "Read & Execute//" else ( (if (read permission of it) then "Read/" else "") & (if (write permission of it) then "Write/" else "") & (if (execute permission of it) then "Execute/" else "") & (if (delete permission of it) then "Delete/" else "") & (if (list permission of it) then "List/" else "") & (if (append permission of it) then "Append/" else "") & (if (write dac permission of it) then "Modify DACL/" else "") & ("/") ) ) ) )) of entries of dacls of security descriptors of folders (paths of it)),((" - [SHARE ACL]: " & account name of trustee of it & ": " & ("//") & (if (generic all permission of it) then "Full Control//" else ( if (generic write permission of it) then "Change//" else ( if (generic read permission of it) then "Read//" else ((if (read permission of it) then "Read/" else "") & (if (write permission of it) then "Write/" else "") & (if (execute permission of it) then "Execute/" else "") & (if (delete permission of it) then "Delete/" else "") & (if (list permission of it) then "List/" else "") & (if (append permission of it) then "Append/" else "") & (if (write dac permission of it) then "Modify DACL/" else "") & ("/") ) ) ) )) of entries of dacls of security descriptors of it)) of network shares whose (name of it does not contain "$")) else nothings)

One last question. If I have more than one group assigned to the Share permissions, it creates two results for each NTFS permission entry. How would I have the results display unique results for the "NTFS" information, but then just list the Share permission results on one line (vs. it splitting it in two)?

Example:
\100505\HP, [PATH]: C:\HP, [NTFS ACL]: Administrators: //Full Control// - [SHARE ACL]: Everyone: //Change//
\100505\HP, [PATH]: C:\HP, [NTFS ACL]: Administrators: //Full Control// - [SHARE ACL]: Users: //Read//

Would become:
\100505\HP, [PATH]: C:\HP, [NTFS ACL]: Administrators: //Full Control// - [SHARE ACL]: Everyone: //Change//, Users: //Read//

My change to your change… I added a concatenation on the front of the Share ACL.

" - [SHARE ACL]: " & concatenation ", " of

(if (name of operating system as lowercase contains "win") then unique values of (item 0 of it as string & item 1 of it as string) of ((("\" & (computer name) & "\" & name of it, "[PATH]: " & path of it,("[NTFS ACL]: " & account name of trustee of it & ": " & ("//") & (if (generic all permission of it) then "Full Control//" else ( if (generic write permission of it) then "Modify//" else ( if (generic read permission of it AND generic execute permission of it) then "Read & Execute//" else ( (if (read permission of it) then "Read/" else "") & (if (write permission of it) then "Write/" else "") & (if (execute permission of it) then "Execute/" else "") & (if (delete permission of it) then "Delete/" else "") & (if (list permission of it) then "List/" else "") & (if (append permission of it) then "Append/" else "") & (if (write dac permission of it) then "Modify DACL/" else "") & ("/") ) ) ) )) of entries of dacls of security descriptors of folders (paths of it)),( " - [SHARE ACL]: " & concatenation ", " of ( account name of trustee of it & ": " & ("//") & (if (generic all permission of it) then "Full Control//" else ( if (generic write permission of it) then "Change//" else ( if (generic read permission of it) then "Read//" else ((if (read permission of it) then "Read/" else "") & (if (write permission of it) then "Write/" else "") & (if (execute permission of it) then "Execute/" else "") & (if (delete permission of it) then "Delete/" else "") & (if (list permission of it) then "List/" else "") & (if (append permission of it) then "Append/" else "") & (if (write dac permission of it) then "Modify DACL/" else "") & ("/") ) ) ) )) of entries of dacls of security descriptors of it)) of network shares whose (name of it does not contain "$")) else nothings)

My results…
A: \GWIN7\temp, [PATH]: C:\temp, [NTFS ACL]: Administrators: //Full Control// - [SHARE ACL]: Administrators: //Full Control//, Everyone: //Full Control//
A: \GWIN7\temp, [PATH]: C:\temp, [NTFS ACL]: SYSTEM: //Full Control// - [SHARE ACL]: Administrators: //Full Control//, Everyone: //Full Control//
A: \GWIN7\temp, [PATH]: C:\temp, [NTFS ACL]: example: //Full Control// - [SHARE ACL]: Administrators: //Full Control//, Everyone: //Full Control//

-Jgo
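
For triaging the exported results, here is an added example (not part of the thread and not BigFix code) that parses rows in the combined format above and reports shares where a broad principal can write at both layers, since access over the network is limited by whichever of the share ACL and NTFS ACL is more restrictive. The `BROAD` and `WRITE` sets, the host name and the sample rows are constructed assumptions.

```python
import re

# Assumed policy (not from the thread): principals covering most or all users,
# and labels emitted by the relevance above that allow changing content.
BROAD = {"everyone", "authenticated users", "users", "domain users"}
WRITE = {"full control", "modify", "change", "write", "append", "delete",
         "modify dacl"}

# One combined result row; the leading "A: " from the debugger is optional.
ROW = re.compile(
    r"^(?:A: )?(?P<unc>.+?), \[PATH\]: (?P<path>.+?), "
    r"\[NTFS ACL\]: (?P<ntfs>.+?) - \[SHARE ACL\]: (?P<share>.+)$"
)
# "Trustee: //Perm//" or the fine-grained form "Trustee: //Read/Write//".
ACE = re.compile(r"(?P<trustee>[^:,]+): //(?P<perm>.*?)/{1,2}(?=, |$)")


def parse_aces(text):
    """Split 'A: //X//, B: //Y//' into [(trustee, permission), ...]."""
    return [(m["trustee"].strip(), m["perm"]) for m in ACE.finditer(text)]


def is_broad_write(trustee, perm):
    """True when a broad principal holds any write-capable permission."""
    name = trustee.rsplit("\\", 1)[-1].lower()  # drop a DOMAIN\ prefix
    return name in BROAD and any(p in WRITE for p in perm.lower().split("/"))


def broadly_writable(lines):
    """Return rows where BOTH the NTFS ACE and a share ACE are broad + write."""
    findings = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # not a combined-format row
        ntfs = [a for a in parse_aces(m["ntfs"]) if is_broad_write(*a)]
        share = [a for a in parse_aces(m["share"]) if is_broad_write(*a)]
        if ntfs and share:
            findings.append((m["unc"], m["path"], ntfs[0], share))
    return findings


# Constructed sample rows in the thread's output format (hypothetical host).
SAMPLE = r"""
A: \HOST1\temp, [PATH]: C:\temp, [NTFS ACL]: Administrators: //Full Control// - [SHARE ACL]: Administrators: //Full Control//, Everyone: //Full Control//
A: \HOST1\temp, [PATH]: C:\temp, [NTFS ACL]: Authenticated Users: //Modify// - [SHARE ACL]: Administrators: //Full Control//, Everyone: //Full Control//
A: \HOST1\docs, [PATH]: C:\docs, [NTFS ACL]: Users: //Read & Execute// - [SHARE ACL]: Everyone: //Change//
A: \HOST1\drop, [PATH]: C:\drop, [NTFS ACL]: Users: //Read/Write// - [SHARE ACL]: Everyone: //Read//
""".strip().splitlines()
```

Only the second sample row is reported: the others are held back by an administrators-only NTFS entry, a read-only NTFS entry, or a read-only share ACL.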

Brilliant! Works great… Thanks