schilbiz, posted April 25, 2008 (edited):

I have to go through an old NT file server and locate all the shares and document who has permissions and then migrate them over to a Win 2003 file server. Anyone who has done this will know how much of a hassle it can be. Anyone have a script or an idea on how this can be done other than the manual way? Thanks.

Edit: spelling

rasim, posted April 25, 2008:

This?

net share
net use

schilbiz (Author), posted April 25, 2008 (edited):

> This?
> net share
> net use

I have looked at both net share and net use. I was actually thinking more along the lines of a registry save and export. I believe it can be located at: SYSTEM\CurrentControlSet\Services\LanmanServer\Shares. I am wondering if it is as simple as saving the registry key then exporting it.

weaponx, posted April 25, 2008:

```autoit
Dim $objWMIService = ObjGet("winmgmts:\\.\root\cimv2")
; DriveType = 4 selects mapped network drives
Dim $colDrives = $objWMIService.ExecQuery("Select * From Win32_LogicalDisk Where DriveType = 4")
For $objDrive In $colDrives
    ConsoleWrite("Drive letter: " & $objDrive.DeviceID & @CRLF)
    ConsoleWrite("Network path: " & $objDrive.ProviderName & @CRLF)
Next
```

schilbiz (Author), posted April 25, 2008:

> Dim $objWMIService = ObjGet("winmgmts:\\.\root\cimv2")
> Dim $colDrives = $objWMIService.ExecQuery("Select * From Win32_LogicalDisk Where DriveType = 4")
> For $objDrive In $colDrives
>     ConsoleWrite("Drive letter: " & $objDrive.DeviceID & @CRLF)
>     ConsoleWrite("Network path: " & $objDrive.ProviderName & @CRLF)
> Next

Brilliant, it shows the drive letter and path, what about who has permissions tied to each share?

schilbiz (Author), posted April 25, 2008:

> This?
> net share
> net use

Net use shows the same information as weaponx's script, is there a way to use net use/share to show which user has permissions assigned to the share?

weaponx, posted April 25, 2008:

> Brilliant, it shows the drive letter and path, what about who has permissions tied to each share?

Are you running this on each client? My code is meant to be run on the client, running on the server probably won't return anything.

schilbiz (Author), posted April 25, 2008:

> Are you running this on each client? My code is meant to be run on the client, running on the server probably won't return anything.

Yes, I ran it on a client and it shows the network drive and the path, but nothing about which users have access to each share because it's implicit to the user who is logged on. I am actually looking for something that can be run on the old file server that will show each share and the path, and then what users have access to each share. Like if you were to access each share individually on the file server and look at who has permissions for it.

ProgAndy, posted April 25, 2008:

Does this help?

```autoit
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
$colItems = $objWMIService.ExecQuery( _
        "SELECT * FROM Win32_Share")
For $objItem In $colItems
    $x = ""
    $x &= ("-----------------------------------" & @CRLF)
    $x &= ("Win32_Share instance" & @CRLF)
    $x &= ("-----------------------------------" & @CRLF)
    $x &= ("AccessMask: " & $objItem.AccessMask & @CRLF)
    $x &= ("AllowMaximum: " & $objItem.AllowMaximum & @CRLF)
    $x &= ("Caption: " & $objItem.Caption & @CRLF)
    $x &= ("Description: " & $objItem.Description & @CRLF)
    $x &= ("InstallDate: " & $objItem.InstallDate & @CRLF)
    $x &= ("MaximumAllowed: " & $objItem.MaximumAllowed & @CRLF)
    $x &= ("Name: " & $objItem.Name & @CRLF)
    $x &= ("Path: " & $objItem.Path & @CRLF)
    $x &= ("Status: " & $objItem.Status & @CRLF)
    $x &= ("Type: " & $objItem.Type & @CRLF)
    ConsoleWrite($x & @CRLF)
    MsgBox(0, '', $x)
Next
```

schilbiz (Author), posted April 25, 2008:

Give me a little time, ProgAndy, I will test it out.

weaponx, posted April 25, 2008:

Win32_share will show you all of the shared folders but not permissions.

ptrex, posted April 25, 2008:

@all

Look for Win32_LogicalFileSecuritySetting

regards

ptrex

weaponx, posted April 25, 2008:

> @all
> Look for
> regards
> ptrex

I shared a test folder and ran a query on this table, I assigned a new user permission to the folder and the query results did not change.

schilbiz (Author), posted April 25, 2008:

This script here will tell you the selected folder security settings with access settings. But I would have to run it for each individual share. I am trying to implement it into another script that will locate each share and have this run on each share then have it save the output to a log.

```autoit
Dim $strFolderName = "C:\"

; Security descriptor control flag and ACE types
Dim $SE_DACL_PRESENT = 0x4
Dim $ACCESS_ALLOWED_ACE_TYPE = 0x0
Dim $ACCESS_DENIED_ACE_TYPE = 0x1

; Access mask values
Dim $FILE_ALL_ACCESS = 0x1f01ff
Dim $FOLDER_ADD_SUBDIRECTORY = 0x000004
Dim $FILE_DELETE = 0x010000
Dim $FILE_DELETE_CHILD = 0x000040
Dim $FOLDER_TRAVERSE = 0x000020
Dim $FILE_READ_ATTRIBUTES = 0x000080
Dim $FILE_READ_CONTROL = 0x020000
Dim $FOLDER_LIST_DIRECTORY = 0x000001
Dim $FILE_READ_EA = 0x000008
Dim $FILE_SYNCHRONIZE = 0x100000
Dim $FILE_WRITE_ATTRIBUTES = 0x000100
Dim $FILE_WRITE_DAC = 0x040000
Dim $FOLDER_ADD_FILE = 0x000002
Dim $FILE_WRITE_EA = 0x000010
Dim $FILE_WRITE_OWNER = 0x080000

; Fetch the security descriptor of the folder through WMI
Dim $objWMIService = ObjGet("winmgmts:")
Dim $objFolderSecuritySettings = $objWMIService.Get("Win32_LogicalFileSecuritySetting='" & $strFolderName & "'")
Dim $objSD
Dim $intRetVal = $objFolderSecuritySettings.GetSecurityDescriptor($objSD)

Dim $intControlFlags = $objSD.ControlFlags

If $intControlFlags And $SE_DACL_PRESENT Then
    Dim $strMsg = "", $objACE
    Dim $arrACEs = $objSD.DACL
    ; One block of output per ACE: trustee, allow/deny, then the rights
    For $objACE In $arrACEs
        $strMsg &= $objACE.Trustee.Domain & "\" & $objACE.Trustee.Name
        If $objACE.AceType = $ACCESS_ALLOWED_ACE_TYPE Then
            $strMsg &= @TAB & "Allowed:" & @CRLF
        ElseIf $objACE.AceType = $ACCESS_DENIED_ACE_TYPE Then
            $strMsg &= @TAB & "Denied:" & @CRLF
        EndIf
        If $objACE.AccessMask And $FILE_ALL_ACCESS Then $strMsg &= @TAB & @TAB & "FILE_ALL_ACCESS " & @CRLF
        If $objACE.AccessMask And $FOLDER_ADD_SUBDIRECTORY Then $strMsg &= @TAB & @TAB & "FOLDER_ADD_SUBDIRECTORY " & @CRLF
        If $objACE.AccessMask And $FILE_DELETE Then $strMsg &= @TAB & @TAB & "FILE_DELETE " & @CRLF
        If $objACE.AccessMask And $FILE_DELETE_CHILD Then $strMsg &= @TAB & @TAB & "FILE_DELETE_CHILD " & @CRLF
        If $objACE.AccessMask And $FOLDER_TRAVERSE Then $strMsg &= @TAB & @TAB & "FOLDER_TRAVERSE " & @CRLF
        If $objACE.AccessMask And $FILE_READ_ATTRIBUTES Then $strMsg &= @TAB & @TAB & "FILE_READ_ATTRIBUTES " & @CRLF
        If $objACE.AccessMask And $FILE_READ_CONTROL Then $strMsg &= @TAB & @TAB & "FILE_READ_CONTROL " & @CRLF
        If $objACE.AccessMask And $FOLDER_LIST_DIRECTORY Then $strMsg &= @TAB & @TAB & "FOLDER_LIST_DIRECTORY " & @CRLF
        If $objACE.AccessMask And $FILE_READ_EA Then $strMsg &= @TAB & @TAB & "FILE_READ_EA " & @CRLF
        If $objACE.AccessMask And $FILE_SYNCHRONIZE Then $strMsg &= @TAB & @TAB & "FILE_SYNCHRONIZE " & @CRLF
        If $objACE.AccessMask And $FILE_WRITE_ATTRIBUTES Then $strMsg &= @TAB & @TAB & "FILE_WRITE_ATTRIBUTES " & @CRLF
        If $objACE.AccessMask And $FILE_WRITE_DAC Then $strMsg &= @TAB & @TAB & "FILE_WRITE_DAC " & @CRLF
        If $objACE.AccessMask And $FOLDER_ADD_FILE Then $strMsg &= @TAB & @TAB & "FOLDER_ADD_FILE " & @CRLF
        If $objACE.AccessMask And $FILE_WRITE_EA Then $strMsg &= @TAB & @TAB & "FILE_WRITE_EA " & @CRLF
        If $objACE.AccessMask And $FILE_WRITE_OWNER Then $strMsg &= @TAB & @TAB & "FILE_WRITE_OWNER " & @CRLF
    Next
Else
    $strMsg = "No DACL present in security descriptor"
EndIf
ConsoleWrite($strMsg)
```

weaponx, posted April 25, 2008:

I found this VB script which I was able to convert:
http://www.dbforums.com/showthread.php?t=892948

With some lines from:
http://cwashington.netreach.net/depo/view.asp?Index=1115

```autoit
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colItems = $objWMIService.ExecQuery('SELECT * FROM Win32_LogicalShareSecuritySetting', "WQL", 48)

For $objItem In $colItems
    $strShareName = $objItem.name

    Dim $wmiSecurityDescriptor
    $wmiFileSecSetting = ObjGet("winmgmts:{impersonationLevel=impersonate}!//" & $strComputer & "/root/cimv2:Win32_LogicalShareSecuritySetting.Name='" & $strShareName & "'")
    $RetVal = $wmiFileSecSetting.GetSecurityDescriptor($wmiSecurityDescriptor)
    If @Error Then
        ConsoleWrite("GetSecurityDescriptor failed on " & $strShareName & @CRLF)
        ContinueLoop ; no descriptor to read for this share
    Else
        ConsoleWrite("GetSecurityDescriptor succeeded for " & $strShareName & @CRLF)
    EndIf

    ; Retrieve the DACL array of Win32_ACE objects.
    $DACL = $wmiSecurityDescriptor.DACL

    For $wmiAce In $DACL
        $strsid = "" ; reset per ACE so SID bytes do not accumulate across ACEs
        ConsoleWrite("-----------------------" & @CRLF)
        ConsoleWrite("Found ACE" & @CRLF)
        ConsoleWrite("-----------------------" & @CRLF)
        ConsoleWrite("Access Mask: " & $wmiAce.AccessMask & @CRLF)
        ConsoleWrite("ACE Type: " & $wmiAce.AceType & @CRLF)

        ; Get Win32_Trustee object from ACE
        $Trustee = $wmiAce.Trustee
        ConsoleWrite("Trustee Domain: " & $Trustee.Domain & @CRLF)
        ConsoleWrite("Trustee Name: " & $Trustee.Name & @CRLF)

        ; Get SID as array from Trustee
        $SID = $Trustee.SID
        For $i = 0 To UBound($SID) - 1
            $strsid &= $SID[$i] & ","
        Next
        ConsoleWrite("Trustee SID: {" & $strsid & "}" & @CRLF)
        ConsoleWrite(@CRLF)
    Next
Next
```

zorphnog, posted April 25, 2008:

Personally, I don't think you are going to be able to do this from the client side. The server where the share resides is where all the ACLs are maintained. I mean think about it, it would be quite a security vulnerability if any remote user was able to see user account names and ACLs for any share.

schilbiz (Author), posted April 25, 2008:

> Personally, I don't think you are going to be able to do this from the client side. The server where the share resides is where all the ACLs are maintained. I mean think about it, it would be quite a security vulnerability if any remote user was able to see user account names and ACLs for any share.

The plan is to run it from the server side once I get it working. The shares reside on the file server.

weaponx, posted April 25, 2008 (edited):

Here is a combination of my script and your script:

```autoit
Const $SE_DACL_PRESENT = 0x4
Const $ACCESS_ALLOWED_ACE_TYPE = 0x0
Const $ACCESS_DENIED_ACE_TYPE = 0x1
Const $FILE_ALL_ACCESS = 0x1f01ff
Const $FOLDER_ADD_SUBDIRECTORY = 0x000004
Const $FILE_DELETE = 0x010000
Const $FILE_DELETE_CHILD = 0x000040
Const $FOLDER_TRAVERSE = 0x000020
Const $FILE_READ_ATTRIBUTES = 0x000080
Const $FILE_READ_CONTROL = 0x020000
Const $FOLDER_LIST_DIRECTORY = 0x000001
Const $FILE_READ_EA = 0x000008
Const $FILE_SYNCHRONIZE = 0x100000
Const $FILE_WRITE_ATTRIBUTES = 0x000100
Const $FILE_WRITE_DAC = 0x040000
Const $FOLDER_ADD_FILE = 0x000002
Const $FILE_WRITE_EA = 0x000010
Const $FILE_WRITE_OWNER = 0x080000

;Retrieve shares
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colItems = $objWMIService.ExecQuery('SELECT * FROM Win32_LogicalShareSecuritySetting', "WQL", 48)

For $objItem In $colItems
    $strShareName = $objItem.name

    $wmiFileSecSetting = ObjGet("winmgmts:{impersonationLevel=impersonate}!//" & $strComputer & "/root/cimv2:Win32_LogicalShareSecuritySetting.Name='" & $strShareName & "'")

    ;Retrieve security descriptor by reference
    Dim $wmiSecurityDescriptor
    $RetVal = $wmiFileSecSetting.GetSecurityDescriptor($wmiSecurityDescriptor)
    If @Error Then
        ConsoleWrite("GetSecurityDescriptor failed on " & $strShareName & @CRLF)
        ContinueLoop ; no descriptor to read for this share
    Else
        ConsoleWrite("-----------------------" & @CRLF)
        ConsoleWrite("Share name: " & $strShareName & @CRLF)
        ConsoleWrite("-----------------------" & @CRLF)
    EndIf

    ; Retrieve the DACL array of Win32_ACE objects.
    $DACL = $wmiSecurityDescriptor.DACL

    For $wmiAce In $DACL
        $strMsg = ""
        $strMsg &= "Access Mask: " & $wmiAce.AccessMask & @CRLF
        $strMsg &= "ACE Type: " & $wmiAce.AceType & @CRLF

        ; Get Win32_Trustee object from ACE
        $Trustee = $wmiAce.Trustee
        $strMsg &= "Trustee Domain: " & $Trustee.Domain & @CRLF
        $strMsg &= "Trustee Name: " & $Trustee.Name & @CRLF

        ; Get SID as array from Trustee
        $SID = $Trustee.SID
        $strsid = ""
        For $i = 0 To UBound($SID) - 1
            $strsid &= $SID[$i] & ","
        Next

        If $wmiAce.AccessMask And $FILE_ALL_ACCESS Then $strMsg &= @TAB & "FILE_ALL_ACCESS " & @CRLF
        If $wmiAce.AccessMask And $FOLDER_ADD_SUBDIRECTORY Then $strMsg &= @TAB & "FOLDER_ADD_SUBDIRECTORY " & @CRLF
        If $wmiAce.AccessMask And $FILE_DELETE Then $strMsg &= @TAB & "FILE_DELETE " & @CRLF
        If $wmiAce.AccessMask And $FILE_DELETE_CHILD Then $strMsg &= @TAB & "FILE_DELETE_CHILD " & @CRLF
        If $wmiAce.AccessMask And $FOLDER_TRAVERSE Then $strMsg &= @TAB & "FOLDER_TRAVERSE " & @CRLF
        If $wmiAce.AccessMask And $FILE_READ_ATTRIBUTES Then $strMsg &= @TAB & "FILE_READ_ATTRIBUTES " & @CRLF
        If $wmiAce.AccessMask And $FILE_READ_CONTROL Then $strMsg &= @TAB & "FILE_READ_CONTROL " & @CRLF
        If $wmiAce.AccessMask And $FOLDER_LIST_DIRECTORY Then $strMsg &= @TAB & "FOLDER_LIST_DIRECTORY " & @CRLF
        If $wmiAce.AccessMask And $FILE_READ_EA Then $strMsg &= @TAB & "FILE_READ_EA " & @CRLF
        If $wmiAce.AccessMask And $FILE_SYNCHRONIZE Then $strMsg &= @TAB & "FILE_SYNCHRONIZE " & @CRLF
        If $wmiAce.AccessMask And $FILE_WRITE_ATTRIBUTES Then $strMsg &= @TAB & "FILE_WRITE_ATTRIBUTES " & @CRLF
        If $wmiAce.AccessMask And $FILE_WRITE_DAC Then $strMsg &= @TAB & "FILE_WRITE_DAC " & @CRLF
        If $wmiAce.AccessMask And $FOLDER_ADD_FILE Then $strMsg &= @TAB & "FOLDER_ADD_FILE " & @CRLF
        If $wmiAce.AccessMask And $FILE_WRITE_EA Then $strMsg &= @TAB & "FILE_WRITE_EA " & @CRLF
        If $wmiAce.AccessMask And $FILE_WRITE_OWNER Then $strMsg &= @TAB & "FILE_WRITE_OWNER " & @CRLF

        $strMsg &= "Trustee SID: {" & $strsid & "}" & @CRLF
        ConsoleWrite($strMsg & @CRLF)
    Next
Next
```

I'm not sure if it's just me, if a user is Read Only it shows the same thing as a user with Full Control.

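Why Read Only and Full Control look identical in the output above, as an added example (not code from any poster in this thread): AutoIt's `And` is a logical operator, so `$mask And $FILE_DELETE` is True for every non-zero mask, and individual rights have to be tested with `BitAND()`. The names `_ShareLevel`, `_RightNames` and `_AceLine` and the sample trustee are assumptions for illustration; the three sample masks are the values Windows stores for the Read, Change and Full Control share permissions.

```autoit
; Added example, not from the thread: bitwise decoding of a Win32_ACE AccessMask.
; _ShareLevel, _RightNames, _AceLine and the sample trustee are assumed names.
Const $ACE_DENIED = 0x1 ; same value as $ACCESS_DENIED_ACE_TYPE above

; Composite masks behind the three share-level permissions
Const $SHARE_FULL = 0x1F01FF   ; 2032127
Const $SHARE_CHANGE = 0x1301BF ; 1245631
Const $SHARE_READ = 0x1200A9   ; 1179817

; Individual rights, values as in the constant lists posted above
Global $aRights[14][2] = [ _
        [0x000001, "FOLDER_LIST_DIRECTORY"], [0x000002, "FOLDER_ADD_FILE"], _
        [0x000004, "FOLDER_ADD_SUBDIRECTORY"], [0x000008, "FILE_READ_EA"], _
        [0x000010, "FILE_WRITE_EA"], [0x000020, "FOLDER_TRAVERSE"], _
        [0x000040, "FILE_DELETE_CHILD"], [0x000080, "FILE_READ_ATTRIBUTES"], _
        [0x000100, "FILE_WRITE_ATTRIBUTES"], [0x010000, "FILE_DELETE"], _
        [0x020000, "FILE_READ_CONTROL"], [0x040000, "FILE_WRITE_DAC"], _
        [0x080000, "FILE_WRITE_OWNER"], [0x100000, "FILE_SYNCHRONIZE"]]

; A level matches only when every bit of its composite mask is set
Func _ShareLevel($iMask)
    If BitAND($iMask, $SHARE_FULL) = $SHARE_FULL Then Return "Full Control"
    If BitAND($iMask, $SHARE_CHANGE) = $SHARE_CHANGE Then Return "Change"
    If BitAND($iMask, $SHARE_READ) = $SHARE_READ Then Return "Read"
    Return "Custom"
EndFunc

; Names of the individual rights whose bit is set in the mask
Func _RightNames($iMask)
    Local $sOut = ""
    For $i = 0 To UBound($aRights) - 1
        If BitAND($iMask, $aRights[$i][0]) <> 0 Then $sOut &= $aRights[$i][1] & " "
    Next
    Return StringStripWS($sOut, 2) ; 2 = strip trailing whitespace
EndFunc

; One log line per ACE: trustee, allow/deny, level, individual rights
Func _AceLine($sTrustee, $iAceType, $iMask)
    Local $sType = "Allowed"
    If $iAceType = $ACE_DENIED Then $sType = "Denied"
    Return $sTrustee & @TAB & $sType & @TAB & _ShareLevel($iMask) & @TAB & _RightNames($iMask)
EndFunc

; Constructed sample: the masks of a Read, a Change and a Full Control ACE
Global $aSample[3] = [1179817, 1245631, 2032127]
For $iMask In $aSample
    ; Logical And is True for all three; BitAND separates Read from the others
    ConsoleWrite("And: " & ($iMask And 0x010000) & "  BitAND: " & (BitAND($iMask, 0x010000) <> 0) & @CRLF)
    ConsoleWrite(_AceLine("EXAMPLE\someuser", 0, $iMask) & @CRLF)
Next
```

In the combined script, the ACE loop can call `_AceLine($Trustee.Domain & "\" & $Trustee.Name, $wmiAce.AceType, $wmiAce.AccessMask)` and write the result to a log file with FileWriteLine().
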
schilbiz (Author), posted April 25, 2008:

Nice, I think I can get this to work with a little tweaking and some output added. Thanks a lot for all the help and ideas.

schilbiz (Author), posted April 25, 2008 (edited):

In Windows XP there is a user level cache that is stored for fast load times, which is different than Win 2000. You have to disable it via group policy at the local level in order to have it load the network information before the cached data loads. That is if you primarily use shared/FC on "everyone" and use NTFS security to manage your files/folders. Then sometimes you just need to reboot/log off a couple times to see share/security changes.