Security – Finding all files in NTFS with specific user or group in ACL

Tags: access-control-list, file-permissions, ntfs, permissions, security

Executive summary: I want to find all the directories and files a particular user or group has access to.

In more detail: I'm looking for a command-line tool to recursively search an NTFS directory for all files and directories where an ACE in the DACL contains a given user or group. If I wanted to modify permissions, I would use subinacl or SetACL. I thought I would be able to use one of these tools to search and display, too, but I'm having trouble finding a straightforward solution.

I could use SetACL like so:

   setacl -on C:\SOME_DIR -ot file -actn list -lst "f:tab;w:d;i:y;" -rec cont

and then grep for the user of interest, but I'd like a more elegant solution. I'm probably missing something here. Any ideas?

Best Answer

Thanks, "unknown". Your PowerShell script doesn't work for me, but I hacked together something that does. I'm new to it, too, but after some trial and error:

# Walk the tree and inspect the DACL of every file and directory
Get-ChildItem "C:\SOME\DIR" -recurse | 
    ForEach-Object { 
        $fname = $_.FullName
        $acl = Get-Acl $fname
        # $acl.Access holds one FileSystemAccessRule per ACE in the DACL
        foreach ($e in $acl.Access) {
            # Explicit (non-inherited) Allow entries for the group of interest only
            If ( -not $e.IsInherited -and
                 $e.AccessControlType -eq "Allow" -and 
                 $e.IdentityReference -eq "SOMEDOMAIN\Somegroup") 
            {
                Write-Host $fname
                break   # one hit per path is enough; leave the inner foreach
            }
        }
    }

Somebody with PowerShell kungfu could probably clean this up a bit. Note that I have it ignore inherited entries, because I'm only interested in knowing where the access begins.
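As an added example that is not part of the original question or answer, the same search written as a reusable PowerShell function. It goes a little beyond the accepted answer: it matches the principal by SID rather than by display name (so "DOMAIN\Group", a UPN-style name or an orphaned SID all resolve to the same identity), reports Deny entries as well as Allow entries, and emits objects instead of Write-Host text so the result can be piped to Format-Table or Export-Csv. The function name, its parameter names and the sample path and group are assumptions for illustration.

```powershell
# Added example (not code from the original post): emit one object per ACE that
# names the given identity, for every file and directory below $Path.
# Function, parameter names and the sample values are illustrative assumptions.
function Find-AceForIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,       # root directory to walk
        [Parameter(Mandatory)] [string] $Identity,   # 'DOMAIN\Name' or an 'S-1-...' SID string
        [ValidateSet('Allow', 'Deny', 'Any')]
        [string] $AccessType = 'Any',                # which ACE types to report
        [switch] $IncludeInherited                   # default: explicit ACEs only, as in the answer above
    )

    # Resolve the requested identity to a SID once, so the comparison in the loop
    # does not depend on how the ACE happens to display its principal.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $wantSid = if ($Identity -match '^S-1-') {
            New-Object System.Security.Principal.SecurityIdentifier $Identity
        } else {
            (New-Object System.Security.Principal.NTAccount $Identity).Translate($sidType)
        }
    } catch {
        throw "Cannot resolve '$Identity' to a SID: $_"
    }

    # -Force includes hidden and system entries; -LiteralPath keeps names containing
    # [ ] from being treated as wildcards. Unreadable paths are counted, not fatal.
    $errors = @()
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force `
                   -ErrorAction SilentlyContinue -ErrorVariable +errors)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            $errors += $_
            continue
        }
        foreach ($ace in $acl.Access) {
            if (-not $IncludeInherited -and $ace.IsInherited) { continue }
            if ($AccessType -ne 'Any' -and $ace.AccessControlType -ne $AccessType) { continue }
            try {
                $aceSid = $ace.IdentityReference.Translate($sidType)
            } catch {
                continue   # principal cannot be resolved, so it cannot be the one requested
            }
            if ($aceSid.Value -eq $wantSid.Value) {
                [pscustomobject]@{
                    Path        = $item.FullName
                    Type        = $ace.AccessControlType
                    Rights      = $ace.FileSystemRights
                    Inherited   = $ace.IsInherited
                    Propagation = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
                }
            }
        }
    }
    if ($errors.Count) {
        Write-Warning ("{0} path(s) could not be read; run elevated or check their ACLs." -f $errors.Count)
    }
}

# Usage (constructed values): where does this group's access begin, and is any of it a Deny?
# Find-AceForIdentity -Path 'C:\SOME\DIR' -Identity 'SOMEDOMAIN\Somegroup' | Format-Table -AutoSize
# Find-AceForIdentity -Path 'C:\SOME\DIR' -Identity 'SOMEDOMAIN\Somegroup' -AccessType Deny -IncludeInherited
```

Leaving inherited entries out by default reproduces the answer's "where the access begins" view; adding -IncludeInherited turns the same function into a full effective-ACE listing for that principal, which is the view you want when reviewing whether a Deny somewhere in the tree overrides an Allow higher up.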