View folder permissions

(imported topic written by SystemAdmin)

Greetings,

How can I create a property to show me a concatenation of permissions for a directory whether it is C:\windows or C:\winnt? For example “C:\windows\test1”. Thank you.

(imported comment written by BenKus)

Hey Alfred,

You might want to reference here:

http://forum.bigfix.com/viewtopic.php?pid=3684

or

http://forum.bigfix.com/viewtopic.php?pid=3928

For instance, here is how you would see if “Administrator” had read/write access of the “C:\windows\test1”:

q: (effective read permission for "Administrator" of it, effective write permissions for "Administrator" of it) of dacl of security descriptor of folder "test1" of windows folder
A: True, True

(imported comment written by SystemAdmin)

Ben,

Thank you for the reply, but correct me if I’m reading these links incorrectly. Those appear to show me what access a certain account has (Administrator) on a specified directory, I need the flip side of that. I need BigFix to show me who has access to a specified directory. Do I need to create a script then run it through BigFix? Thank you.

(imported comment written by BenKus)

Hey Alfred,

Permissions are very strange because of all the weird rules around inheritance and groups and such… If you are interested in the explicit permissions (and not the “effective permissions”), you can do something like this:

q: (account name of trustee of it & " - " & (if (generic all permission of it) then "Full Control" else "") & (if (generic read permission of it) then "Read" else "") & (if (generic write permission of it) then "Write" else "") ) of entries whose (generic all permission of it OR generic read permission of it OR generic write permission of it) of dacl of security descriptor of windows folder
A: Users - Read
A: Power Users - ReadWrite
A: Administrators - Full Control
A: SYSTEM - Full Control
A: CREATOR OWNER - Full Control

This will list the permissions that are stored with the object (but doesn’t try to deal with inheritance or the fact that users might be in user groups that have permissions).

Let me know if that works for you,

Ben

(imported comment written by BenKus)

Hmmm… I don’t really know what the difference between “generic read permission” and “read permission” is, but it seems to affect this relevance.

Try this instead to take into account all possibilities of Read, Write, Execute:

q: (account name of trustee of it & " - " & (if (generic read permission of it OR read permission of it) then "R" else "") & (if (generic write permission of it OR write permission of it) then "W" else "") & (if (generic execute permission of it OR execute permission of it) then "E" else "")) of entries whose (exists generic read permission of it OR read permission of it OR generic write permission of it OR write permission of it OR generic execute permission of it OR execute permission of it) of dacl of security descriptor of folder "temp" of windows folder
A: Administrators - RWE
A: SYSTEM - RWE
A: Users - RE
A: Authenticated Users - RWE

Ben
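The two relevance queries above list the trustees stored in a folder's DACL but, as Ben notes, ignore inheritance, and they also do not distinguish Allow from Deny entries or entries that apply only to children. The following PowerShell function is an added example, not from this thread or from BigFix, that produces the same "Trustee - RWE" shape with Get-Acl and adds those missing columns. It decodes both the specific rights that .NET names (Read, Write, ExecuteFile, FullControl) and the raw generic bits (GENERIC_READ and friends) that some ACEs still carry, which is what the "generic read permission" versus "read permission" distinction in the relevance is about. The `-Path` parameter and the sample default folder are assumptions for the example.

```powershell
# Added example (not from the forum thread): list who has access to a folder
# in the same "Trustee - RWE" style as the relevance queries, including
# inherited, Deny and inherit-only entries that the relevance does not show.
function Get-FolderTrustees {
    param([Parameter(Mandatory)][string]$Path)   # assumed parameter

    # Generic rights bits. An ACE that still carries these (typically an
    # inherit-only entry) is displayed by Get-Acl as a bare number, because
    # FileSystemRights has no names for them.
    $GENERIC_READ    = [uint32]0x80000000
    $GENERIC_WRITE   = [uint32]0x40000000
    $GENERIC_EXECUTE = [uint32]0x20000000
    $GENERIC_ALL     = [uint32]0x10000000

    # Specific (already mapped) rights as .NET defines them for the file system.
    $READ    = [uint32][System.Security.AccessControl.FileSystemRights]::Read
    $WRITE   = [uint32][System.Security.AccessControl.FileSystemRights]::Write
    $EXECUTE = [uint32][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $FULL    = [uint32][System.Security.AccessControl.FileSystemRights]::FullControl
    $INHERIT_ONLY = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Reinterpret the signed enum value as an unsigned 32-bit mask so the
        # generic bits (the sign bit and the three below it) test cleanly.
        $raw = [uint32]([int64][int]$ace.FileSystemRights -band 0xFFFFFFFF)

        $full = (($raw -band $FULL) -eq $FULL) -or (($raw -band $GENERIC_ALL) -ne 0)
        if ($full) {
            $flags = 'F'
        } else {
            $flags = ''
            if ((($raw -band $READ) -eq $READ)   -or (($raw -band $GENERIC_READ) -ne 0))    { $flags += 'R' }
            if ((($raw -band $WRITE) -eq $WRITE) -or (($raw -band $GENERIC_WRITE) -ne 0))   { $flags += 'W' }
            if ((($raw -band $EXECUTE) -ne 0)    -or (($raw -band $GENERIC_EXECUTE) -ne 0)) { $flags += 'E' }
        }

        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType          # Allow or Deny
            Rights      = $flags                          # F, or any of R W E
            Inherited   = $ace.IsInherited                # came from a parent folder
            InheritOnly = (($ace.PropagationFlags -band $INHERIT_ONLY) -ne 0)  # applies to children only
            RawMask     = ('0x{0:X8}' -f $raw)
        }
    }
}

# Sample usage: the default folder here is only an example location.
Get-FolderTrustees -Path "$env:SystemRoot\temp" | Format-Table -AutoSize

# Equivalent of the relevance output (explicit entries only, one line per trustee):
Get-FolderTrustees -Path "$env:SystemRoot\temp" |
    Where-Object { -not $_.Inherited } |
    ForEach-Object { '{0} - {1}' -f $_.Trustee, $_.Rights }
```

The `Inherited` and `InheritOnly` columns are the two things to watch when reviewing a folder's access: an entry that is inherited is really set on a parent, and an inherit-only entry (CREATOR OWNER is the usual one) grants nothing on the folder itself. A Deny entry with `Rights` of `R` removes read access regardless of what the Allow entries say, so a list that only prints Allow entries overstates who can read. Like the relevance, this still lists trustees rather than users, so group membership has to be resolved separately to answer "which people can read this folder".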

(imported comment written by dgaynor91)

Ben Kus

Hmmm… I don’t really know what the difference between “generic read permission” and “read permission” is, but it seems to affect this relevance.

Try this instead to take into account all possibilities of Read, Write, Execute:

q: (account name of trustee of it & " - " & (if (generic read permission of it OR read permission of it) then "R" else "") & (if (generic write permission of it OR write permission of it) then "W" else "") & (if (generic execute permission of it OR execute permission of it) then "E" else "")) of entries whose (exists generic read permission of it OR read permission of it OR generic write permission of it OR write permission of it OR generic execute permission of it OR execute permission of it) of dacl of security descriptor of folder "temp" of windows folder
A: Administrators - RWE
A: SYSTEM - RWE
A: Users - RE
A: Authenticated Users - RWE

Ben

Hi. I’m trying to produce the same kind of output but for a particular folder. This is what I have but I get nothing for an answer when I query. Where am I going wrong?

Q: (account name of trustee of it & " - " & (if (generic all permission of it) then "Full Control" else "") & (if (generic read permission of it) then "Read" else "") & (if (generic write permission of it) then "Write" else "") ) of entries whose (generic all permission of it OR generic read permission of it OR generic write permission of it) of dacl of security descriptor of folder (expand environment string of "c:\program files\ca")

Thanks.

(imported comment written by jessewk)

I think you need to choose your folder differently. I believe this is what you’re looking for:

… of folder (expand environment string of "%ProgramFiles%\ca")