How to list folder permissions for an Active Directory user

    Question

  • Hello,

    Is there a way for Active Directory to list the folders that a particular user has access to? As well as the specific permissions?

    I have not been able to find very much information about this on the web, only two 2004-05 web articles that say it can't be done. I'm looking for someone/thing more creditable to confirm or deny this.

    I have used Somarsoft's DumpSec, this does give me a lot of information about security on directories that I'm sure to find useful, but I am looking for permissions by user, not directory.

    I am also vaguely familiar with Dsrevoke from MS. I have yet to look further into it, but right now it sounds like this does not give me the precise information I am looking for.

    We are using Windows Server 03 R2, Std. Edition, SP2. Active Directory 5.2.3.........

    Thank you,

    Chris
    Friday, November 20, 2009 5:30 PM

Answers

  • Permissions in folders are not stored in Active Directory, so you can't query AD for that information. You have to query a specific folder, volume, or server with scripts or an application, and then you have a report of users' permissions.

    AccessEnum (from Sysinternals) is an application to make that kind of report.
    Fernando Peralta | MCITP:EA, MCTS:Windows Vista, MCSE, MCSA:Security
    Friday, November 20, 2009 6:22 PM

All replies

  • These utilities show ACLs to various degrees.

    Showacls.exe, cacls.exe, xcacls.exe, xcacls.vbs, and subinacl.exe

    showacls.exe does folders. Folders are usually all you need; you can assume files inherit permissions, and/or you should correct that if the files don't inherit permissions.

    Cacls.exe *.* shows ACLs on files as well as folders and is built in to Windows 2003, but it doesn't automatically recurse folders, so you need to write a batch file that will recurse the folders for you.

    Xcacls.exe/vbs I don't use a lot but know they exist.

    Subinacl.exe /files *.* for current folder
    Subinacl.exe /subdirectories *.* for all files in all subdirectories

    If you are moving data around and get access denied as an administrator, use Robocopy.exe with the /B switch to use the backup right and bypass security.

    Simple batch to recurse folders and run the Cacls.exe command.
    ---------------------------------------------------
    Set BatchName=%0
    REM You must specify %1 as C:\, C:\folder, etc
    REM %~1 strips any surrounding quotes so paths with spaces work.
    For /D %%a in ("%~1\*") Do Call :Loop "%%a"
    Goto End

    :Loop
    REM %1 = Parameter (%%a) passed from above.
    REM Echo %1
    REM Append to the Output file.
    Cacls.exe "%~1\*.*" >> outputfile.txt 2>&1
    REM Call the batch file again until no sub-folders exist.
    Call %BatchName% "%~1"
    Goto :EOF

    :End

     

    Friday, November 20, 2009 6:30 PM
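
As an added example (not code from any of the replies above), this PowerShell function produces the per-user view the question asks for by walking a folder tree and keeping only the ACL entries that name the given accounts. It assumes Windows PowerShell 3.0 or later; the function name, the CONTOSO domain and the D:\Shares path are hypothetical, and the caller supplies the user's group names because access is usually granted through groups.

```powershell
# Added example: list the folders under a root whose NTFS ACL names a given
# account, or any of the groups supplied alongside it.
function Get-FolderAccessForIdentity {
    param(
        [Parameter(Mandatory = $true)] [string]   $RootPath,
        # Names exactly as they appear in ACLs, e.g. 'CONTOSO\chris' plus the
        # groups that user belongs to (CONTOSO is a placeholder domain).
        [Parameter(Mandatory = $true)] [string[]] $Identity
    )

    # The root folder itself, then every sub-folder (hidden ones included).
    $folders = @(Get-Item -LiteralPath $RootPath) +
               @(Get-ChildItem -LiteralPath $RootPath -Directory -Recurse -Force `
                     -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Typically access denied; report it instead of silently skipping.
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            continue
        }

        foreach ($ace in $acl.Access) {
            # -contains compares strings case-insensitively.
            if ($Identity -contains $ace.IdentityReference.Value) {
                [PSCustomObject]@{
                    Folder    = $folder.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Example call (hypothetical names), written to CSV for review:
# Get-FolderAccessForIdentity -RootPath 'D:\Shares' `
#     -Identity 'CONTOSO\chris', 'CONTOSO\Finance' |
#     Export-Csv -Path .\chris-access.csv -NoTypeInformation
```

The output lists matching ACL entries, not effective access: Deny entries, share-level permissions and groups left out of `-Identity` all change what the user can actually do.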