six demon bag

Wind, fire, all that kind of thing!


Auditing Windows File ACLs

Sometimes you run into a situation where you need to determine the permissions on some directory tree. Be it to document or clean up permissions on the subdirectories of a share, to troubleshoot permission issues due to deleted accounts or groups, or whatever. Manually analyzing permissions is quite tedious, even when using standard tools like cacls or xcacls. The output of XCACLS.vbs isn't any better, but since it's a script, I considered modifying it to suit my needs … until I took an actual look at the script. I abandoned the thought afterwards.

What I'd normally want is not a complete list of all permissions, but rather an overview of the directory tree with permissions listed only where they're not inherited from the parent directory. Some online research turned up ntfsacls, a nice little freeware utility, whose output is much closer to what I desire than (x)cacls. However, it's still not exactly there. For instance, I'd have to run the command twice to get the permissions on the root directory and only the non-inherited permissions below the root. I don't find SDDL all that readable, either. And when using the simplified format, I got the impression that for some items the permissions hadn't been displayed accurately. I didn't look further into that last issue, though, so my impression may have been wrong there.

Bottom line: I wasn't able to find a tool that would traverse a directory tree and display the permissions of the root folder plus all non-inherited permissions below the root folder in a format that I consider readable. Thus, after a question over at got me started, I wrote my own script for auditing ACLs on files and folders.


Version 1.1.2 (2013-02-07; added support for displaying SIDs alongside names)

Version 1.1.1 (2012-05-06; fixed a stupid bug in error handling during folder enumeration)

Version 1.1 (2011-11-13; added handling for denied access to folders and paths longer than 255 characters)

Version 1.0 (2011-09-15; initial release)

Command-line Arguments

AuditACLs.vbs [/e] [/f] [/i] [/n] [/o] [/r] [/s] PATH [PATH ...]
AuditACLs.vbs /?

  /?  Print this help and exit.
  /e  Show extended permissions (default is simple permissions).
  /f  Show security information of files as well (not only folders).
  /i  Show inherited permissions.
  /n  Show user/group names (default).
  /o  Show owner.
  /r  Recurse into subfolders.
  /s  Show SIDs. When used in combination with /n show SIDs alongside names.
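The view the post asks for (the root folder's full DACL, then only non-inherited ACEs further down, with SIDs shown alongside names as with /n plus /s) can also be produced in PowerShell. This is an added example written for this page, not the AuditACLs.vbs source; the function name, its switches and the sample path are my own and assume a Windows host.

```powershell
# Added example (not the AuditACLs.vbs source): report the root folder's full DACL, then
# walk the tree and report only ACEs that are not inherited, with each account's SID next
# to its name (like /n plus /s). Assumes Windows with PowerShell 5.1 or later.
function Get-NonInheritedAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeFiles,   # like /f: report files as well as folders
        [switch] $ShowOwner       # like /o: report the owner
    )
    # One record per ACE. The root is reported completely; everything below it
    # only for explicitly set entries, so inherited noise is left out.
    function Write-Entries([System.IO.FileSystemInfo] $Item, [bool] $OnlyExplicit) {
        try {
            $acl = Get-Acl -LiteralPath $Item.FullName -ErrorAction Stop
        } catch {
            # Denied access must not abort the audit: record it and continue.
            [pscustomobject]@{ Path = $Item.FullName; Identity = '<access denied>'
                               Sid = ''; Rights = ''; Type = ''; Owner = '' }
            return
        }
        $owner = if ($ShowOwner) { $acl.Owner } else { '' }
        $aces  = $acl.Access
        if ($OnlyExplicit) { $aces = @($aces | Where-Object { -not $_.IsInherited }) }
        foreach ($ace in $aces) {
            # Resolve the name to its SID; orphaned (deleted) accounts already
            # show up as a raw SID, which the catch branch passes through.
            $sid = $ace.IdentityReference.Value
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
            [pscustomobject]@{
                Path     = $Item.FullName
                Identity = $ace.IdentityReference.Value
                Sid      = $sid
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Owner    = $owner
            }
        }
    }

    $root = Get-Item -LiteralPath $Path -ErrorAction Stop
    Write-Entries $root $false
    # Force includes hidden items; SilentlyContinue skips folders we cannot enumerate.
    $gci = @{ LiteralPath = $Path; Recurse = $true; Force = $true; ErrorAction = 'SilentlyContinue' }
    if (-not $IncludeFiles) { $gci.Directory = $true }
    Get-ChildItem @gci | ForEach-Object { Write-Entries $_ $true }
}

# Usage: folders only, owner included, as a table (the path is a placeholder).
Get-NonInheritedAcl -Path 'D:\Shares\Projects' -ShowOwner | Format-Table -AutoSize
```

Windows PowerShell 5.1 still stops at the classic MAX_PATH limit on very deep trees, which the post's script handles explicitly; PowerShell 7 on a long-path-enabled system does not have that restriction.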


AuditACLs is distributed according to the terms of the GNU General Public License Version 2.0.

Posted 20:14