DOWNLOAD THE CODE:
38942.zip
The script uses the filefolder variable to properly output the status information on screen. This information tells you whether the script is processing files and folders or just folders.
The script stores the specified username or group name and two built-in group names (i.e., Everyone and Authenticated User) in a temporary file (%temp%\getaccess.$$$). The script later uses the names in this file in conjunction with showacls.exe to determine whether the user or group specified has access to a file or folder.
As Listing 3 shows, the script uses the Net User command to determine whether the specified account is a user account or group account. If the Net User command doesn't return an error, the specified account is a user account; otherwise, the specified account is considered a group account. If the specified account is a user account, the script proceeds to Step 4. If the specified account is a group account, the script jumps to Step 5.
When the specified account is a user account, the script appends to the temporary file the groups to which the user belongs. The code in Listing 1, which I've already discussed, accomplishes this task.
The script obtains the names of files and folders (or folders only if you included the /d switch) in the specified directory. The script uses the dirflag variable it set earlier in conjunction with the For and Dir commands to obtain these names:
    For /f "tokens=*" %%i in ('Dir %dirflag% %path_to_scan%') Do Call :checkaccess "%%i"
The For command tells the script to take each line in the Dir command's output, store that line in the %i variable, and run the code in the :checkaccess module against that line.
The :checkaccess and :hasaccess modules constitute the most important part of the script because they identify the files and folders to which the user or group has access. Although the code is important, it's straightforward, as Listing 4 shows.
After the script passes the name of the file or folder to the :checkaccess module, the module stores the name in a variable named target. The :checkaccess module then loops through each account in the temporary file and runs the :hasaccess module against it. The :hasaccess module compares the Showacls command's output for the current file or folder against the current account in the temporary file by filtering the output through two Find commands.
If either Find command returns an exit code of 0, a match is present. When a match occurs, the script sends that file or folder name to the output file and the console screen.
Known Limitations
I've executed GetAccess.cmd in both Win2K and NT environments. You can download the script from Windows & .NET Magazine's Web site (http://www.winnetmag.com, InstantDoc ID 38942). To use this script, you must have showacls.exe installed in the same folder from which you launch the script or in a folder that's part of your path environment. GetAccess.cmd has certain limitations:
The script doesn't determine whether the specified account exists in your domain. The script only determines whether the specified account is a user account. If the specified account isn't a user account, the script assumes it's a group account. Thus, if you misspell a user account, the script assumes that the account is a group account. So, make sure that you enter all account names correctly on the command line.
The script works for accounts only in your domain. (Net.exe imposes this limitation.)
Depending on the naming convention in your organization, the script might mistakenly output a match if one account name is a truncated version of another account name. For example, if MyGroup21 has access to a file and you're looking for MyGroup2, the script will show MyGroup21 as a match. To get around this problem, you can use the Findstr command with the /x switch instead of the Find command. However, if you choose to replace the Find command with the FindStr command in the script, when you specify a group account name as a parameter, you must make sure that the name exactly matches (including case) the group name in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (Win2K) or in User Manager for Domains (NT).
The script can be extremely slow, especially when you audit a large folder structure against an account that belongs to many groups. The process is slow because for each account in the temporary file, the script must run showacls.exe against each folder that the Dir command returns. For example, suppose that 1000 subfolders are in the folder you're auditing and the temporary file contains five accounts (i.e., Everyone, Authenticated User, the specified user, and two additional groups to which the user belongs). The script must execute the :hasaccess module 5000 times (1000 subfolders * 5 accounts).
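The matching logic of the :checkaccess and :hasaccess modules, the truncated-name false positive, and the folders x accounts cost are easy to see in a small model. This is an added Python model, not the cmd script itself; the ACL lines and the account list are constructed for the example and do not reproduce the real output format of showacls.exe, and the exact-match variant assumes the account name is the field before the colon in those constructed lines.

```python
"""Added model of GetAccess.cmd's :checkaccess / :hasaccess matching (example
code, not the original cmd script). The ACL lines are constructed and do not
reproduce the real output format of showacls.exe."""

# Constructed stand-in for "showacls <folder>" output, one list per folder.
ACL_OUTPUT = {
    r"D:\Data\Finance": ["MyGroup21: Full Control", "Administrators: Full Control"],
    r"D:\Data\Public": ["Everyone: Read", "MyGroup2: Modify"],
    r"D:\Data\Private": ["Administrators: Full Control"],
}

# Contents of the temporary file (%temp%\getaccess.$$$) for a user "jdoe"
# who belongs to one group; constructed for this example.
TEMP_FILE_ACCOUNTS = ["jdoe", "Everyone", "Authenticated User", "MyGroup2"]


def name_in_line(line, account, exact):
    """exact=False mirrors 'find "<account>"': a substring hit anywhere in the
    line counts, so MyGroup2 also matches MyGroup21. exact=True mirrors the
    article's 'findstr /x' fix, applied (assumption) to the account-name
    field before the ':' of these constructed lines, case-sensitively."""
    if exact:
        return line.split(":", 1)[0].strip() == account
    return account in line


def has_access(acl_lines, account, exact=False):
    """The :hasaccess module: does this account appear in the ACL output?"""
    return any(name_in_line(line, account, exact) for line in acl_lines)


def check_access(folders, accounts, exact=False):
    """The :checkaccess module run over every folder the Dir command returned.
    Returns the folders in which some account from the temporary file has an
    entry, plus the number of :hasaccess invocations (folders x accounts,
    which is why the article warns that the script gets slow)."""
    matches, calls = [], 0
    for folder in folders:
        for account in accounts:
            calls += 1
            if has_access(ACL_OUTPUT[folder], account, exact) and folder not in matches:
                matches.append(folder)
    return matches, calls


if __name__ == "__main__":
    folders = sorted(ACL_OUTPUT)
    for exact in (False, True):
        found, n = check_access(folders, TEMP_FILE_ACCOUNTS, exact)
        print("exact" if exact else "substring", n, "checks ->", found)
```

With substring matching, D:\Data\Finance is reported because MyGroup21 contains MyGroup2; with exact matching only D:\Data\Public remains, and both runs cost 3 folders x 4 accounts = 12 :hasaccess calls.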
An Effortless Audit
GetAccess.cmd provides an inexpensive solution to an auditing problem that many network administrators face. Although the script has a few limitations, the alternative, manually checking the permissions of each file and folder, is a lot less desirable.