SysInternals – AccessCheck – Querying Folder\File Permissions

Background

Wanted to document how to use access SysInternal’s accesschk to review NTFS permissions.

 

Premise

This effort was brought to bear by a question asked by desmando on the Windows SysInternals forum.

Question

The question is here

Image

accesschk64-desmando

Textual

I’m trying to look for files and folders and I don’t have access to. To test, I created a folder on my desktop and removed all rights to it. I then ran the following command:

accesschk64.exe -nsd "domain\username" c:\Users\username\Desktop\

It came back saying “No matching objects found.”

Is this not the right tool? Am I not using it right?

Environment Provisioning

File Security Assignment

We have three files.  And, they are in E:\BAK folder.

Our file names are File1.txt, File2.txt, and File3.txt

  1. For files 1 and 2, we are the owner
  2. On File 3
    1. Unchained it from the Folder permission set
    2. And, assigned ownerships to someone else

File List

File2.txt

File2.txt – Properties

securitysettings-security-file2

 

File2.txt – Advanced Setting Properties

advancedsecuritysettings-file2

 

File3.txt

File3.txt – Properties

securitysettings-security-file3

 

File3.txt – Advanced Security Settings

securitysettings-file3-advancedsecuritysettings

 

Script

Logged On user

Code


rem **********************************************************
rem -q Omit Banner
rem -nobanner No banner
rem -v Verbose
rem **********************************************************


set _folder=E:\BAK

set _principalSelf=%USERDOMAIN%\%USERNAME%

rem List all permissions on this folder
AccessChk -nobanner -d "%_folder%"

REM User me has access
AccessChk -nobanner "%_principalSelf%" "%_folder%"

REM User me has no access ( -n )
AccessChk -nobanner -n "%_principalSelf%" "%_folder%"



Output

 

filepermissionforself-20170126-0109pm

Explanation

  1. Used %USERDOMAIN%\%USERNAME% to get current logon’s Domain and User
  2. Retrieve permissions at folder level using -d
  3. Retrieve permission for user against all files
    • Listed 3 files
    • file1.txt and file2.txt we have permissions ( RW :- Read and Write )
    • file3.txt we do not have permission ( File name still listed but without permission set )
  4. Listed files that we do not have permission ( E:\BAK\file3.txt )

 

Another User

This other user does not have access

Script


rem **********************************************************
rem -q Omit Banner
rem -nobanner No banner
rem -v Verbose
rem **********************************************************


set _folder=E:\BAK

set _principal=AD\bpolakam

rem List all permissions on this folder
AccessChk -nobanner -d "%_folder%"

REM User me has access
AccessChk -nobanner "%_principal%" "%_folder%"

REM User me has no access ( -n )
AccessChk -nobanner -n "%_principal%" "%_folder%"



Output

filepermissionforanother-20170126-0119pm

Explanation

  1. Specified full domain name using Domain\Principal syntax
  2. Retrieve permissions at folder level using -d
  3. Retrieve permission for user against all files
    • Listed 3 files
    • file1.txt, file2.txt, and file3.txt  are all listed
      • File names still listed but without permission set
  4. Listed all 3 files as user does not have permission to any of the files

 

References

  1. By Aaron Margosis and Mark E. Russinovich – Windows Sysinternals Administrator’s Reference: Security Utilities
    Link

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s