One of the most common tasks LAN Administrators ask how to do is to check permissions on shared resources. What is shared and who has access to it? You can buy third-party tools to accomplish this, but if your budget is tight, why not use a few utilities in the NT Resource Kit? Add a little scripting and you can build your own tool.

There is much more to many of these utilities than what is going to be covered here, but at least you'll know what to look for.

SHOWACLS

ShowACLS will display the ACL (Access Control List) for a specified file or directory.

    A    Generic All
    l    List Directory
    R    Generic Read
    d    Read Data
    W    Generic Write
    S    Synchronize
    X    Generic Execute
    r    File Read
    w    File Write
    a    File Append
    fx   File Execute
    D    Delete
    rE   Read EA
    rW   Write EA

For example, if I run SHOWACLS C:\NTRESKIT I get the following output:

    C:\ntreskit\
    BUILTIN\Administrators    Full Control [ALL]
    Everyone                  Change [RWXD]
    CREATOR OWNER             Full Control [ALL]
    NT AUTHORITY\SYSTEM       Full Control [ALL]

If I wanted, I could show the ACL for a specific user by running SHOWACLS /U:domain\jhicks

Finally, I can check the ACL for a specific file in general or use the /U switch to see what access an individual user has. The file specification must be a single file. Wildcards won't work.

    C:\ntreskit>showacls /u:req138ch perms.exe
    User: [\req138ch] has the following access to file [C:\ntreskit\perms.exe]:
    C:\ntreskit\perms.exe
    Everyone                  Change [RWXD]
    BUILTIN\Administrators    Full Control [ALL]

The account req138ch has access via Everyone and the Administrators Built-In group.

PERMS

Another handy utility is PERMS, which will show you access control for a user or group.

    PERMS [domain\|computer\]username path [/i] [/s]

    [domain\|computer\]username   Name of user whose permissions are to be checked.
    path   A file or directory, wildcards (*,?) accepted.
    /i     Assumes the specified user is logged on interactively to computer where the file/directory resides. With this switch, PERMS assumes the user is a member of the INTERACTIVE group. Without this switch, PERMS assumes the user is a member of the NETWORK group.
    /s     Check permissions on files in subdirectories.

The output access mask contains the following letters:

    R   Read
    W   Write
    X   Execute
    D   Delete
    P   Change Permissions
    O   Take Ownership
    A   General All
    -   No Access
    *   The specified user is the owner of the file or directory.
    #   A group the user is a member of owns the file or directory.
    ?   The user's access permissions can not be determined.

If I run PERMS user01 c:\ntreskit\*.doc I will get a list of permissions for all .DOC files for USER01:

    C:\ntreskit>perms user01 *.doc
    C:\ntreskit\AUTOEXNT.DOC perms: RWXD---
    C:\ntreskit\COMPREG.DOC perms: RWXD---
    C:\ntreskit\FCOPY.DOC perms: RWXD---
    C:\ntreskit\GRPCPY.DOC perms: RWXD---
    C:\ntreskit\NETTIME.DOC perms: RWXD---
    C:\ntreskit\PATHMAN.DOC perms: RWXD---
    C:\ntreskit\POSIX.DOC perms: RWXD---

I can certainly use CACLS to accomplish these same tasks, and would need to if I wanted to assign or change permissions from a command prompt. But PERMS and SHOWACLS are read-only utilities, which can provide a certain degree of reassurance that you won't mistakenly trash all the hard work that went into setting permissions in the first place.
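
The opening suggestion to add a little scripting, carried out for the PERMS output shown above: this Python script is an added example, not part of the article or the Resource Kit. It decodes each access mask with the article's legend and lists files where the user holds more than data access; the review set (P, O, A, ?), the two constructed sample lines and the trailing position of the "*" owner marker are assumptions.

```python
import re

# Letter meanings taken from the PERMS access-mask legend in the article.
LEGEND = {
    "R": "Read", "W": "Write", "X": "Execute", "D": "Delete",
    "P": "Change Permissions", "O": "Take Ownership", "A": "General All",
    "*": "user owns it", "#": "user's group owns it", "?": "undetermined",
}
# Assumption: rights that deserve a second look during a permissions review.
REVIEW = frozenset("POA?")
# "<path> perms: <mask>"; greedy path match so paths with spaces still parse.
LINE = re.compile(r"^(.+)\s+perms:\s*(\S+)$")

# First three lines match the article's session; the last two are constructed,
# and the trailing "*" owner marker position is an assumption.
SAMPLE = r"""
C:\ntreskit>perms user01 *.doc
C:\ntreskit\AUTOEXNT.DOC perms: RWXD---
C:\ntreskit\COMPREG.DOC perms: RWXD---
C:\ntreskit\My Notes.DOC perms: RWXDPO-*
C:\ntreskit\LOCKED.DOC perms: -------
"""

def parse_perms(text):
    """Return {path: set of mask letters} from captured PERMS output."""
    parsed = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # the prompt line and blank lines do not match and are skipped
            parsed[m.group(1)] = set(m.group(2)) - {"-"}  # "-" is a placeholder
    return parsed

def describe(letters):
    """Spell out a mask; an empty set means every position was '-'."""
    return [LEGEND[c] for c in "RWXDPOA*#?" if c in letters] or ["No Access"]

def flag(parsed, review=REVIEW):
    """Return {path: sorted review letters} for files holding any of them."""
    return {p: sorted(s & review) for p, s in parsed.items() if s & review}

if __name__ == "__main__":
    parsed = parse_perms(SAMPLE)
    for path, letters in parsed.items():
        print(f"{path}: {', '.join(describe(letters))}")
    for path, hits in flag(parsed).items():
        print(f"REVIEW {path}: {''.join(hits)}")
```

To use it on real data, redirect the PERMS output to a text file and pass the file's contents to parse_perms in place of SAMPLE.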

If you do want to change permissions, take a look at XCACLS in the Resource Kit. It is an enhanced and more powerful version of CACLS that needs its own article or how-to, so I won't get into it here. There is an MS Word document (XCACLS.DOC) in the Resource Kit that can explain much of what you need to know.

A couple of quick related how-tos. What if you see that the Marketing group has Full Control permissions? Who is in that group? You could open User Manager for Domains, find the group, and open it up. What if you wanted to print it out? Your solution is to use SHOWMBRS from the Resource Kit.

    C:\ntreskit>showmbrs /?
    Usage:
    showmbrs domain\group or
    showmbrs \\domain\group or
    showmbrs group

Or, if I'm troubleshooting an access problem, I may need to know what groups a specific user is a member of. For that I can use SHOWGRPS.

C:\ntreskit>showgrps...