What's the best tool to dump ACLs?
Q: I was wondering if there were any tools or techniques to list existing permissions for a given group name across a Windows NT domain. Ours is a particularly large domain and we regularly review permissions using DumpACL, but I was looking for something a little more convenient than manually searching ACLs for an instance of a particular group name. A command line utility that could pipe the result to a text file would be nice.
A: There is a tool that will do exactly what you need, and it's surprisingly close at hand. By the wording of your question, I have to assume that you are using the graphical interface for DumpACL (now called DumpSec) to manually search through file access control lists (ACLs) to identify the group in question. Many are not aware that DumpSec also operates in command-line mode and can generate reports in a number of text file formats. Using DumpSec in command-line mode is as simple as calling it from a command line rather than launching it from Windows Explorer. The following example will run DumpSec in batch mode (the command shown here is line-wrapped for legibility):
C:\dumpsec> dumpsec.exe /computer=\\server1 /rpt=allsharedirs
/outfile=c:\reports\output.txt /saveas=tsv
This report will dump the permissions for all non-administrative shares on \\server1, and it assumes you already have an existing network connection to \\server1 with appropriate privileges (for example, connect to \\server1\IPC$ as Administrator). The report will show owner and permissions but not audit settings, and it is saved as the tab-separated value ("tsv") file c:\reports\output.txt. This command could easily be scripted to check a list of servers on a regular basis. Now all you have to do is findstr this output file for the group name that you are interested in, and all relevant references should pop up. For example, to find all occurrences of the "Power Users" group, you could use:
C:\dumpsec> findstr /C:"Power Users" c:\reports\output.txt
\\server1\share1\ server1\Power Users RWXD RWXD
\\server1\docs\ server1\Power Users o all all
This pulls each line of the DumpSec output that contains "Power Users," as shown. I have not added the column headers from the original DumpSec report here, but from right to left they are: shared directory/file, Account, Owner, Directory Permissions, and File Permissions. So from the findstr output, we see that for the \\server1\docs share, Power Users are the owner, and they have all permissions for the directory and files therein.
I hope this gets you started on automating the process of reviewing permissions. Don't forget that DumpSec can also probe many other aspects of Windows NT/Windows 2000 security in the same way, including users, groups, the Registry, printers, policies, rights, and services.
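As an added example (not part of the original column and not DumpSec's own code), the following Python sketch does the findstr step on the saved report but matches the Account column exactly, so a group whose name merely contains "Power Users" is not reported. It assumes the report has five tab-separated fields in the order the sample rows above show them and that "o" in the third field marks ownership; the function name, the sample data and the "Power Users Temp" group are constructed for illustration.

```python
import csv
import io

# Field order as it appears in the sample findstr rows in the text (assumed layout).
COLUMNS = ("path", "account", "owner", "dir_perms", "file_perms")


def group_entries(report_text, group):
    """Return one dict per report row whose Account column names `group`.

    The account is compared exactly (case-insensitively) after dropping the
    DOMAIN\\ or SERVER\\ prefix, so "Power Users" does not also match
    "Power Users Temp" the way a substring search would.
    """
    wanted = group.casefold()
    hits = []
    reader = csv.reader(io.StringIO(report_text), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    for row in reader:
        # Skip title, header and blank lines: data rows start with a UNC path.
        if len(row) < len(COLUMNS) or not row[0].startswith("\\\\"):
            continue
        entry = dict(zip(COLUMNS, (field.strip() for field in row)))
        name = entry["account"].rsplit("\\", 1)[-1]
        if name.casefold() == wanted:
            # "o" in the owner field marks the account as owner (as in the text).
            entry["is_owner"] = entry["owner"].lower() == "o"
            hits.append(entry)
    return hits


# Constructed sample report; real DumpSec output may carry extra header lines.
SAMPLE = (
    "shared directory/file\tAccount\tOwner\tDirectory Permissions\tFile Permissions\n"
    "\\\\server1\\share1\\\tserver1\\Power Users\t\tRWXD\tRWXD\n"
    "\\\\server1\\share1\\\tserver1\\Power Users Temp\t\tR\tR\n"
    "\\\\server1\\docs\\\tserver1\\Power Users\to\tall\tall\n"
    "\\\\server1\\docs\\\tserver1\\Administrators\t\tall\tall\n"
)

if __name__ == "__main__":
    for e in group_entries(SAMPLE, "Power Users"):
        owner = "owner" if e["is_owner"] else "-"
        print(f'{e["path"]}\t{e["dir_perms"]}\t{e["file_perms"]}\t{owner}')
```

To review a real report, pass the contents of the file written by /outfile to group_entries in place of SAMPLE.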