Monday, June 27, 2011

Listing ACL of a share in Windows Server.

Sponsored Links

We usually view the Access Control List or List of permission sets attached to a folder or file, though Properties -> Security tab of the Share. But this method doesn't help to  generate a list of these permissions sets for backup purpose etc.

Microsoft utility called 'showacls' helps to list the ACL in command mode and it can be copied and saved. It is useful to compare the permissions applied to different shares or to keep a backup of current permission sets applied to a particular share.

'Showacls' utility is included in the Windows Server 2003 Resource Kit Tools provided by Microsoft.You have to download and install this Resource kit (rktools.exe) to enable 'Showascls'. If you don't have Windows Server 2003 Resource Kit Tools installed on your server, you can download and install it form Microsoft Download Center.

Once RKTools.exe is installed on the server you can start using 'Showacls' as shown in the example below:

Go Run -> CMD and type showacls \\servername\sharename and hit enter.
The output will be as shown in the below screenshot:

 

The output will display list of Groups/Users permitted to access the share along with the type of the permissions such as Full Control, Read Only etc. 

Additionally, you can list the ACLs of Shares as well as its sub-directories using /s switch, as seen in the below example:

showacls /s \\srv1\shared-resources

its output will looks like:
\\srv1\shared-resources
                BUILTIN\Administrators    Full Control [ALL]
                CREATOR OWNER             Full Control [ALL]
                TEST\CSV-USERS            Read Only [R]
                TEST\Domain Admins        Change [RWXD]
                TEST\global-mg-operators  Change [RWXD]
                NT AUTHORITY\SYSTEM       Full Control [ALL]
                TEST\VM-GROUP2            Read [RX]

\\srv1\shared-resources\test1
                BUILTIN\Administrators    Full Control [ALL]
                CREATOR OWNER             Full Control [ALL]
                TEST\CSV-USERS            Read Only [R]
                TEST\Domain Admins        Change [RWXD]
                TEST\global-mg-operators  Change [RWXD]
                NT AUTHORITY\SYSTEM       Full Control [ALL]
                TEST\VM-GROUP2            Read [RX]

\\srv1\shared-resources\test4
                BUILTIN\Administrators    Full Control [ALL]
                CREATOR OWNER             Full Control [ALL]
                TEST\CSV-USERS            Read Only [R]
                TEST\Domain Admins        Change [RWXD]
                TEST\global-mg-operators  Change [RWXD]
                NT AUTHORITY\SYSTEM       Full Control [ALL]
                TEST\VM-GROUP2            Read [RX]

 You can find the type of access indicated by the abbreviation from the below list:

A - Generic All       l - List Directory
R - Generic Read      d - Read Data
W - Generic Write     S -  Synchronize
X -  Generic Execute   r - File Read
w - File Write        a - File Append
fx - File Execute      D - Delete
rE - Read EA           rW - Write EA

Hope this helped you. If any questions, you can ask in the below comment column.

blog comments powered by Disqus
Related Posts Plugin for WordPress, Blogger...