Shared Folder Permissions

(imported topic written by jcsUTSW)

Would anyone happen to have a relevance / analysis that will check shared folder permissions for Everyone? If Everyone exists, then report what permissions they have.

Taking it a step further, if Everyone has rights on a shared folder, display those rights and then display the corresponding NTFS permissions.

I’ve been searching the KB and here for something similar and have been unable to find anything.

Thanks in advance.

(imported comment written by BenKus)

I think you can do something like:

names of network shares whose (effective generic right permission of dacl of security descriptor of it)

But… I think there was a version of the agent (7.0.1 I believe) that would crash if the dacl didn’t exist, so I would be very cautious about using this…

Ben

(imported comment written by bhobbs91)

Here is one that will list shares in which the Everyone account is listed as a trustee:

q: names of it whose (exists (account name of trustee of entries of dacls of security descriptors of it) whose (it = "Everyone")) of network shares

This will list every share with Everyone assigned to it and their read, write, execute privileges respectively:

q: (name of it, (account name of trustee of it, read permissions of it, write permissions of it, execute permissions of it) of entries whose (account name of trustee of it = "Everyone") of dacls of security descriptors of it) of network shares

There are a lot of potential privileges that can be listed with this.

read permission of : boolean
list permission of : boolean
write permission of : boolean
create file permission of : boolean
append permission of : boolean
create folder permission of : boolean
read extended attributes permission of : boolean
write extended attributes permission of : boolean
execute permission of : boolean
traverse permission of : boolean
delete child permission of : boolean
read attributes permission of : boolean
write attributes permission of : boolean
query value permission of : boolean
set value permission of : boolean
create subkey permission of : boolean
enumerate subkeys permission of : boolean
change notification permission of : boolean
create link permission of : boolean
delete permission of : boolean
read control permission of : boolean
write dac permission of : boolean
write owner permission of : boolean
synchronize permission of : boolean
maximum allowed permission of : boolean
generic all permission of : boolean
generic execute permission of : boolean
generic write permission of : boolean
generic read permission of : boolean
access mode of : integer

(imported comment written by jcsUTSW)

That's awesome! Thank you.

How would I get the rights on the actual folder if ‘Everyone’ has access to read write or execute on the share permissions?

I’m trying to find machines that are basically wide open to “Everyone” and list where they have access…

Thank you
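An added relevance example, not from any poster in this thread, that extends the share query above toward the follow-up question: for every share where Everyone holds read, write or execute on the share DACL, it reports the share name, its local path, and Everyone's NTFS entries on the underlying folder. It assumes the `path of <network share>` property is available and uses the plural `folders` cast so shares without a filesystem folder (IPC$ or a path that no longer exists) simply drop out instead of raising a nonexistent-object error.

```relevance
q: (name of it, path of it, (account name of trustee of it, read permission of it, write permission of it, execute permission of it) of entries whose (account name of trustee of it = "Everyone") of dacls of security descriptors of folders (path of it)) of network shares whose (path of it != "" and exists entries whose (account name of trustee of it = "Everyone" and (read permission of it or write permission of it or execute permission of it)) of dacls of security descriptors of it)
```

Each result line pairs one share with one NTFS entry for Everyone; a share that is open at the share level but whose folder has no Everyone entry produces no line, so run the share-only query from the earlier comment alongside it to catch those.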

(imported comment written by SystemAdmin)

I hate to bring a thread back from the dead, but this question seems to be the most applicable. I am trying to see if a particular group has access to a folder. Everything I have seen talks about “effective permissions” and while that works in most cases, we have some folks here who have been a bit too “generous” when applying permissions. I am trying to lock things down, but I want to make sure my new groups are in place before that.

Anyway, this is what I have so far:

account names of trustees of (entries of dacls of security descriptors of it) of folder "c:\folder"

That lists all of the users/groups that have permissions. I need something that will return true/false based on a group name being listed AND that it has write permissions. I have been fiddling with this tonight, but haven’t been able to get it working. Thank you in advance for taking a stab at it.

(imported comment written by BenKus)

See here to see if it helps:

http://forum.bigfix.com/viewtopic.php?id=963

Please heed the Big Fat Warning.

Ben

(imported comment written by SystemAdmin)

Well, I am not interested in “effective permissions.” Like I said before, we had some folks who were a bit “generous” in granting permissions. In other words, they liked to use “Everyone”. ::sigh:: Anyway, I ALMOST have something worked out for my fixlet applicability, but it is really ghetto and doesn’t quite work.

substring separated by " " whose (it as lowercase contains "group") of account names of trustees of (entries whose (write permission of it = true) of dacls of security descriptors of it) of folder "c:\folder" as lowercase != "group"

It returns “false” when the group has write permission to the folder, but if the group is not there or does not have permission, it laughs at me and says “Singular expression refers to nonexistent object.” I need it to return true in that situation and I can’t figure out how to guard it so it does.

Anyway, I would really appreciate it if someone has any ideas on how to guard the code as it is, or a better way to go about doing this. Thanks.
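An added relevance example, not from any poster in this thread, showing the usual way to guard the expression above: `exists` over a plural chain never raises "Singular expression refers to nonexistent object", and the plural `folders` cast returns nothing (rather than erroring) when the folder is missing. `domain\somegroup` is a placeholder for the group being checked; the `contains "group"` variant mirrors the poster's own matching.

```relevance
q: not exists entries whose (write permission of it and account name of trustee of it as lowercase = "domain\somegroup") of dacls of security descriptors of folders "c:\folder"
q: not exists entries whose (write permission of it and account name of trustee of it as lowercase contains "group") of dacls of security descriptors of folders "c:\folder"
q: (account name of trustee of it, access mode of it, write permission of it) of entries of dacls of security descriptors of folders "c:\folder"
```

The first two queries return True when the folder is absent, the group is not listed, or it is listed without write permission, and False only when it has write; the third lists every entry with its `access mode`, because the DACL also contains deny entries whose `write permission` reads as true, so check that value on a test machine before treating a match as granted access.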