NetworkCert.NET - Aids and Tools for Networking Certifications
SHOWACLS.EXE
(from Windows 2000 Resource Kit Help)
This command-line tool enumerates access rights for files, folders, and trees. It can mask the output to show only the ACEs that apply to a given user.
ShowACLs works on NTFS partitions only.
The most useful feature of ShowACLs is the ability to show the permissions that apply to a particular user. It does this by enumerating the local and global groups the user belongs to and matching the user's security identifier (SID), and the SIDs of those groups, against the SID carried in each ACE.
NTFS uses Access Control Lists (ACLs) to set permissions for users and groups on objects. An ACL is made up of Access Control Entries (ACEs), each of which controls the permissions of one user or group. Four ACE types are currently defined: Access Allowed, Access Denied, System Audit and System Alarm. The first two live in the DACL and grant or refuse access; the audit and alarm types live in the SACL. Each ACE has a common header (type, flags and size) followed by a type-specific body; the access mask and the SID of the trustee are in the body that follows the header.
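The SID-matching method described above, and the in-order evaluation of allow and deny ACEs that goes with it, as an added example. This is not code from the page or from ShowACLs; the SIDs, the ACE layout and the DACL are constructed for illustration, and the bit values are the Win32 constants from winnt.h.

```python
# Added example: a model of how a DACL is evaluated for one principal, i.e. the
# matching step the text describes (user SID plus group SIDs against each
# ACE's SID). Not code from the page or from ShowACLs.
from dataclasses import dataclass

ACCESS_ALLOWED_ACE_TYPE = 0x0   # DACL ACE types; audit/alarm ACEs live in the SACL
ACCESS_DENIED_ACE_TYPE = 0x1

OBJECT_INHERIT_ACE = 0x1        # AceFlags bits from the common ACE header
CONTAINER_INHERIT_ACE = 0x2
INHERIT_ONLY_ACE = 0x8          # template for children, not effective on this object

DELETE = 0x00010000             # winnt.h access mask constants
FILE_READ_DATA = 0x00000001
FILE_EXECUTE = 0x00000020
FILE_GENERIC_READ = 0x00120089
FILE_ALL_ACCESS = 0x001F01FF


@dataclass(frozen=True)
class Ace:
    ace_type: int   # from the common ACE header
    flags: int      # AceFlags from the common ACE header
    mask: int       # type-specific body: the access mask ...
    sid: str        # ... followed by the trustee's SID


def applies(ace, principal_sids):
    """An ACE is considered only if it is effective on this object and names a
    SID the principal holds (the user's own SID or one of its groups)."""
    return not (ace.flags & INHERIT_ONLY_ACE) and ace.sid in principal_sids


def access_check(dacl, principal_sids, requested):
    """Kernel-style check for a specific set of requested bits.

    ACEs are read in order: a matching deny that overlaps a still-unsatisfied
    bit fails the check at once; allows accumulate until every requested bit
    is granted. Order matters: a deny placed after an allow that already
    satisfied the request is never consulted, which is why a canonical DACL
    keeps explicit denies first.
    """
    granted = 0
    for ace in dacl:
        if not applies(ace, principal_sids):
            continue
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE:
            if ace.mask & requested & ~granted:
                return False
        elif ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested   # an empty DACL grants nothing


def maximum_allowed(dacl, principal_sids):
    """Everything the principal can get (MAXIMUM_ALLOWED semantics), which is
    what a per-user listing like the /u switch is after: every allowed bit
    that an earlier deny has not already refused."""
    denied = granted = 0
    for ace in dacl:
        if not applies(ace, principal_sids):
            continue
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE:
            denied |= ace.mask
        elif ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            granted |= ace.mask & ~denied
    return granted


# Constructed SIDs (not real accounts) and a canonical DACL: explicit deny first.
ALICE = "S-1-5-21-1000000000-2000000000-3000000000-1001"
CONTRACTORS = "S-1-5-21-1000000000-2000000000-3000000000-1105"
EVERYONE = "S-1-1-0"

DACL = [
    Ace(ACCESS_DENIED_ACE_TYPE, 0x0, DELETE, CONTRACTORS),
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0x0, FILE_ALL_ACCESS, ALICE),
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0x0, FILE_GENERIC_READ, EVERYONE),
    # OI | CI | IO: applies to children only, never to this object itself
    Ace(ACCESS_ALLOWED_ACE_TYPE,
        OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,
        FILE_ALL_ACCESS, EVERYONE),
]

# Alice's token: her own SID plus the groups she belongs to.
ALICE_SIDS = {ALICE, CONTRACTORS, EVERYONE}

if __name__ == "__main__":
    print(access_check(DACL, ALICE_SIDS, DELETE))                         # False: group deny wins
    print(access_check(DACL, ALICE_SIDS, FILE_READ_DATA | FILE_EXECUTE))  # True
    print(hex(maximum_allowed(DACL, ALICE_SIDS)))                         # 0x1e01ff: Full minus Delete
    print(hex(maximum_allowed(DACL, {EVERYONE})))                         # 0x120089: inherit-only ACE ignored
```

The last ACE shows the caveat a per-user listing must honour: an inherit-only ACE gives Everyone full control of everything created beneath the folder while granting nothing on the folder itself, so a tool that simply matches SIDs without checking AceFlags would over-report.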
One of the problems with a command-line tool like ShowACLs is the amount of information contained in an ACL. The first version of ShowACLs attempted to display all the data in the access mask, which was very confusing. The latest version adopts the "standard" permissions, Full, Change and Read-Only, where the mask matches one of them. If a mask does not match these predefined values, a raw dump of the mask is performed.
Syntax

showacls [/s] [/u:domain\user] [filespec]

  /s              include sub-directories
  /u:domain\user  show only the permissions that apply to domain\user
  filespec        the file, folder or tree to examine
ACE header flag values (AceFlags)

| Value | Flag | Meaning |
| 0x1 | Object Inherit ACE | Child files (non-container objects) inherit the ACE. |
| 0x2 | Container Inherit ACE | Child folders (container objects) inherit the ACE. |
| 0x4 | No Propagate Inherit ACE | The inherited copy has its inherit flags cleared, so inheritance stops one level down. |
| 0x8 | Inherit Only ACE | The ACE does not apply to the object it is attached to; it exists only to be inherited. |
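How the four flags in the table combine when an ACE is passed down to a child file or folder, as an added example that is not part of the original page or of ShowACLs. The rules follow the Windows ACE inheritance rules; INHERITED_ACE (0x10), the bit Windows sets on the inherited copy, is not in the page's table and is assumed here. The parent DACL is constructed for illustration.

```python
# Added example, not code from the page or from ShowACLs: work out what a
# child file or folder inherits from each ACE of its parent, using the
# AceFlags bits in the table above plus INHERITED_ACE (0x10).

OBJECT_INHERIT_ACE = 0x1
CONTAINER_INHERIT_ACE = 0x2
NO_PROPAGATE_INHERIT_ACE = 0x4
INHERIT_ONLY_ACE = 0x8
INHERITED_ACE = 0x10   # marks the copy a child received (not in the page's table)

FLAG_NAMES = [
    (OBJECT_INHERIT_ACE, "Object Inherit"),
    (CONTAINER_INHERIT_ACE, "Container Inherit"),
    (NO_PROPAGATE_INHERIT_ACE, "No Propagate Inherit"),
    (INHERIT_ONLY_ACE, "Inherit Only"),
    (INHERITED_ACE, "Inherited"),
]


def flag_names(flags):
    """Readable names for a set of AceFlags bits, in table order."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def inherited_flags(parent_flags, child_is_container):
    """Return the AceFlags a child receives from a parent ACE, or None when the
    ACE does not propagate to that kind of child."""
    oi = bool(parent_flags & OBJECT_INHERIT_ACE)
    ci = bool(parent_flags & CONTAINER_INHERIT_ACE)
    no_prop = bool(parent_flags & NO_PROPAGATE_INHERIT_ACE)

    if not child_is_container:
        # A file only inherits if OBJECT_INHERIT is set; it has no children of
        # its own, so every inheritance bit is dropped on the copy.
        return INHERITED_ACE if oi else None

    if ci:
        # Effective on the child folder. It keeps propagating unless the
        # parent said NO_PROPAGATE, in which case OI/CI are cleared here.
        flags = INHERITED_ACE
        if not no_prop:
            flags |= parent_flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
        return flags

    if oi:
        # OBJECT_INHERIT only: the folder does not get the right itself but
        # carries an inherit-only template so files beneath it still do,
        # unless NO_PROPAGATE stops it at this level.
        if no_prop:
            return None
        return INHERITED_ACE | INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE

    return None   # neither OI nor CI: explicit ACE, nothing inherits


def propagate(parent_dacl, child_is_container):
    """parent_dacl is a list of (flags, mask, sid); returns the ACEs a direct
    child of the given kind inherits, in parent order."""
    out = []
    for flags, mask, sid in parent_dacl:
        child_flags = inherited_flags(flags, child_is_container)
        if child_flags is not None:
            out.append((child_flags, mask, sid))
    return out


# Constructed parent DACL: (AceFlags, access mask, SID). The SIDs are the
# well-known Administrators, Authenticated Users, Everyone and Users SIDs.
PARENT = [
    (0x0, 0x001F01FF, "S-1-5-32-544"),                                      # explicit only
    (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, 0x001200A9, "S-1-5-11"),   # files and folders
    (OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE, 0x00120116, "S-1-1-0"),         # files only
    (CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE, 0x001301BF, "S-1-5-32-545"),  # this level of subfolders only
]

if __name__ == "__main__":
    for flags, mask, sid in propagate(PARENT, child_is_container=True):
        print(f"subfolder gets 0x{mask:08X} for {sid}: {flag_names(flags)}")
    for flags, mask, sid in propagate(PARENT, child_is_container=False):
        print(f"file gets      0x{mask:08X} for {sid}: {flag_names(flags)}")
```

Applying `propagate` twice shows where each ACE stops: the Users ACE marked No Propagate reaches the first level of subfolders and goes no further, while the Everyone files-only ACE is carried down every folder as an inherit-only template.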
Access mask values

| Code | Right | Meaning |
| D | Delete | Allows or denies deleting the file or folder. Even without Delete on the object itself you can still delete it if you hold Delete Subfolders and Files on the parent folder. |
| a | File Append | Append Data allows or denies adding data to the end of the file but not changing, deleting, or overwriting existing data (files only). |
| fx | File Execute | Execute File allows or denies running program files (files only). |
| r | File Read (Read Attributes) | Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS. |
| w | File Write | Write Data allows or denies making changes to the file and overwriting existing content (files only). |
| A | Generic All | Generic right that the file system maps onto every file right, the same set as Full. |
| X | Generic Execute | Generic right that the file system maps onto the specific rights needed to run a file: Execute, Read Attributes, Read Permissions and Synchronize. |
| R | Generic Read | Generic right that the file system maps onto Read Data, Read Attributes, Read EA, Read Permissions and Synchronize. |
| W | Generic Write | Generic right that the file system maps onto Write Data, Append Data, Write Attributes, Write EA, Read Permissions and Synchronize. |
| l | List Directory | List Folder allows or denies viewing file names and subfolder names within the folder (folders only). |
| d | Read Data | Allows or denies viewing data in files (files only). |
| rE | Read EA | Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary. |
| S | Synchronize | Allows or denies a thread waiting on the handle for the file or folder and synchronizing with another thread that may signal it. It matters directly only to multithreaded, multiprocess programs, but every standard permission set includes it. |
| rW | Write EA | Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary. |

The four generic rights are not single file rights: when an ACE carries one of them the file system expands it into the specific rights listed, so a mask that shows only R still grants Read Permissions and Synchronize. Read Data and List Directory are the same bit, interpreted according to whether the object is a file or a folder; the same is true of File Execute and traversing a folder.
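The mask handling the text describes (collapse a mask to Full, Change or Read-Only where it matches, otherwise dump it raw) together with the letter codes in the table, as an added example. This is not code from the page or from ShowACLs: the bit values are the Win32 constants from winnt.h, which bit each letter stands for follows the table's descriptions and is an assumption, and the exact masks treated as Full, Change and Read-Only are Explorer's definitions rather than whatever ShowACLs itself uses.

```python
# Added example, not code from the page or from ShowACLs: decode an NTFS
# access mask into the page's letter codes and names, and summarise it as one
# of the "standard" permissions when it matches exactly.

FILE_READ_DATA        = 0x00000001  # LIST_DIRECTORY on a folder
FILE_WRITE_DATA       = 0x00000002  # ADD_FILE on a folder
FILE_APPEND_DATA      = 0x00000004  # ADD_SUBDIRECTORY on a folder
FILE_READ_EA          = 0x00000008
FILE_WRITE_EA         = 0x00000010
FILE_EXECUTE          = 0x00000020  # TRAVERSE on a folder
FILE_DELETE_CHILD     = 0x00000040
FILE_READ_ATTRIBUTES  = 0x00000080
FILE_WRITE_ATTRIBUTES = 0x00000100
DELETE                = 0x00010000
READ_CONTROL          = 0x00020000
WRITE_DAC             = 0x00040000
WRITE_OWNER           = 0x00080000
SYNCHRONIZE           = 0x00100000
GENERIC_ALL           = 0x10000000
GENERIC_EXECUTE       = 0x20000000
GENERIC_WRITE         = 0x40000000
GENERIC_READ          = 0x80000000

# winnt.h combinations the file system substitutes for the generic bits
FILE_ALL_ACCESS      = 0x001F01FF
FILE_GENERIC_READ    = 0x00120089
FILE_GENERIC_WRITE   = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0

# Assumed thresholds for the page's standard permissions (Explorer's values):
STANDARD = {
    FILE_ALL_ACCESS: "Full",
    FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | DELETE: "Change",  # 0x1301BF, "Modify"
    FILE_GENERIC_READ | FILE_GENERIC_EXECUTE: "Read-Only",                             # 0x1200A9, "Read & Execute"
    FILE_GENERIC_READ: "Read-Only",                                                    # 0x120089, "Read"
}

# (bit, letter on a file, letter on a folder, name on a file, name on a folder).
# Letters are the page's codes; bits the page gives no code for get None.
BITS = [
    (FILE_READ_DATA,        "d",  "l",  "Read Data",          "List Directory"),
    (FILE_WRITE_DATA,       "w",  "w",  "File Write",         "Create Files"),
    (FILE_APPEND_DATA,      "a",  "a",  "File Append",        "Create Folders"),
    (FILE_READ_EA,          "rE", "rE", "Read EA",            "Read EA"),
    (FILE_WRITE_EA,         "rW", "rW", "Write EA",           "Write EA"),
    (FILE_EXECUTE,          "fx", "fx", "File Execute",       "Traverse Folder"),
    (FILE_DELETE_CHILD,     None, None, "Delete Child",       "Delete Subfolders and Files"),
    (FILE_READ_ATTRIBUTES,  "r",  "r",  "File Read",          "File Read"),
    (FILE_WRITE_ATTRIBUTES, None, None, "Write Attributes",   "Write Attributes"),
    (DELETE,                "D",  "D",  "Delete",             "Delete"),
    (READ_CONTROL,          None, None, "Read Permissions",   "Read Permissions"),
    (WRITE_DAC,             None, None, "Change Permissions", "Change Permissions"),
    (WRITE_OWNER,           None, None, "Take Ownership",     "Take Ownership"),
    (SYNCHRONIZE,           "S",  "S",  "Synchronize",        "Synchronize"),
    (GENERIC_ALL,           "A",  "A",  "Generic All",        "Generic All"),
    (GENERIC_EXECUTE,       "X",  "X",  "Generic Execute",    "Generic Execute"),
    (GENERIC_WRITE,         "W",  "W",  "Generic Write",      "Generic Write"),
    (GENERIC_READ,          "R",  "R",  "Generic Read",       "Generic Read"),
]
KNOWN_BITS = sum(entry[0] for entry in BITS)


def expand_generic(mask):
    """Replace each GENERIC_* bit with the specific rights it maps to, as the
    file system does before comparing a mask against an ACE."""
    for generic, specific in ((GENERIC_READ, FILE_GENERIC_READ),
                              (GENERIC_WRITE, FILE_GENERIC_WRITE),
                              (GENERIC_EXECUTE, FILE_GENERIC_EXECUTE),
                              (GENERIC_ALL, FILE_ALL_ACCESS)):
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask & 0xFFFFFFFF


def decode_mask(mask, is_dir=False):
    """Return (summary, letters, names) for an access mask.

    summary is a standard permission when the generic-expanded mask matches
    one exactly, otherwise the raw hex dump of the original mask; letters and
    names list every set bit, with file or folder wording as appropriate."""
    letter_col, name_col = (2, 4) if is_dir else (1, 3)
    letters = [e[letter_col] for e in BITS if mask & e[0] and e[letter_col]]
    names = [e[name_col] for e in BITS if mask & e[0]]
    unknown = mask & ~KNOWN_BITS & 0xFFFFFFFF
    if unknown:
        names.append(f"unknown 0x{unknown:08X}")
    summary = STANDARD.get(expand_generic(mask), f"0x{mask:08X}")
    return summary, letters, names


if __name__ == "__main__":
    for m, d in ((0x001F01FF, False), (0x001301BF, False), (0x00120089, True),
                 (GENERIC_READ | GENERIC_EXECUTE, False), (0x00010016, False)):
        print(f"0x{m:08X}: {decode_mask(m, d)}")
```

The last sample, 0x00010016, is the kind of mask the text says gets a raw dump: it is Write Data, Append Data, Write EA and Delete with no read or synchronize bits, which matches none of the standard sets, so a reader sees the hex plus the letters w, a, rW and D instead of a friendly name.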