Tool for outputting ACLs to the individual user level?

  1. #1
    Member, Join Date: Aug 2005, Posts: 98

    Tool for outputting ACLs to the individual user level?

    Hi Everyone,

    Client areas at work are after a tool that will allow them to:
    1) Output the ACLs for a user specified drive/share/directory/file; AND
    2) If the object on the ACL is a group, recursively enumerate the members of this group until it gets down to an individual user level

    Basically the client wants to be able to audit who has access to their data and amend appropriately.

    I have found a bunch of stuff that solves one part of the problem but not both. At present we are looking to develop our own tool, as we just can't find anything matching our requirements at this stage, but I thought I would check to see if anyone at AO had seen or used such a tool.

    At this stage we are considering:
    Develop a script that outputs results to HTML - run by Admins
    Develop a tool that can be run by clients that is much more graphical.

    There are a few issues still to be solved such as:
    Who will run the tool
    What permissions they will need on AD and the ACL (which will help determine Who will run the tool)
    but what I am after is any ideas on tools that may already be out there for this purpose

    Thanks

  2. #2
    Banned, Join Date: May 2003, Posts: 1,004
    I personally really like SuperCACLS

    http://www.trustedsystems.com/scaclsintro.htm

    It'll give you nice printouts, and is quite useful in overall ACL management.

    cheers,

    catch

  3. #3
    Just Another Geek, Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,403
    Have a look at AccessEnum
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Just Another Geek, Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,403
    I assumed AccessEnum would cover 2 too.. but it doesn't..

    I was actually looking for another program but couldn't find it..

    I was looking for DumpSec.. http://www.somarsoft.com
    It still doesn't do exactly what you want.. but it can enumerate nearly everything..
    You might have more luck with Hyena (which is also in the DumpSec download)

  5. #5
    Deeboe (Senior Member), Join Date: Nov 2005, Posts: 185
    I would agree with SirDice, as I was going to mention Hyena as well. Very nice tool and it sounds more like what you would be looking for. If I'm not mistaken, DumpSec will give you an "external" enumeration of a box. Correct me if I'm wrong.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  6. #6
    Member, Join Date: Aug 2005, Posts: 98
    Dumpsec and Hyena are the closest I have found so far, tried those a couple of days ago. The problem I am having is the:

    Needs to produce output that is easily readable and understandable for non IT Savvy users - Which in our organisation means technophobes

    Probably the best option I have found so far though is DSRAZOR for Windows http://www.visualclick.com/content/productcvm.htm
    which is put out by Visual Click Software. This is pretty good, you can download a free 7 day demo (which returns limited results) but it seems really good. It is not free software, and I am not sure on the costing yet - I will be looking at that next week, but you get a quote based on # of user objects in the domain.

  7. #7
    Just Another Geek, Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,403
    If it was me I'd script something together with perl and Win32::FileSecurity and Win32API::Net..

  8. #8
    Member, Join Date: Aug 2005, Posts: 98
    "If it was me I'd script something together with perl and Win32::FileSecurity and Win32API::Net.."
    That will more likely than not be what happens, either that or a simple VBScript that outputs simple HTML

    Thanks everyone
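
The audit asked for in this thread (list the ACL, then expand each group recursively down to individual users), sketched as an added example that is not from any poster or from the tools named above. The ACL entries, group map, account names and share path are constructed sample data; a real run would read them from the file system and the directory.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): ACEs on one folder and
# a group-membership map such as a directory export would provide.
ACL = [
    ("CORP\\Finance-RW", "Allow", "Modify"),
    ("CORP\\Auditors", "Allow", "Read"),
    ("CORP\\jsmith", "Deny", "Write"),
]
GROUPS = {
    "CORP\\Finance-RW": ["CORP\\alee", "CORP\\Finance-Managers"],
    "CORP\\Finance-Managers": ["CORP\\jsmith", "CORP\\Finance-RW"],  # nesting loop
    "CORP\\Auditors": ["CORP\\bkhan", "CORP\\Finance-Managers"],
}

def expand(principal, groups, chain=()):
    """Yield (user, chain_of_groups) for every user reachable from principal."""
    if principal not in groups:          # not a group: an individual account
        yield principal, chain
        return
    if principal in chain:               # circular nesting: stop descending
        return
    for member in groups[principal]:
        yield from expand(member, groups, chain + (principal,))

def effective_access(acl, groups):
    """Map each user to a sorted list of (type, rights, via) rows."""
    report = defaultdict(set)
    for principal, ace_type, rights in acl:
        for user, chain in expand(principal, groups):
            via = " > ".join(chain) if chain else "direct"
            report[user].add((ace_type, rights, via))
    return {user: sorted(rows) for user, rows in sorted(report.items())}

def render(path, report):
    """Plain-text listing meant for non-technical data owners."""
    lines = [f"Who can access {path}"]
    for user, rows in report.items():
        for ace_type, rights, via in rows:
            lines.append(f"  {user:<14} {ace_type:<5} {rights:<7} via {via}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Hypothetical share path, used only as a report title.
    print(render(r"\\fileserver\finance", effective_access(ACL, GROUPS)))
```

The "via" column records the group chain that grants each entry, which is what a data owner needs in order to decide which membership to remove; Deny entries are listed alongside Allow entries rather than resolved against them.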
