This script uses WMI to enumerate each access control entry in an NTFS access control list, looking for explicit entries, that is, entries that are not inherited.
If SECURITY_PRINCIPAL is blank the script will return all explicit rights beneath granted from base path down. The script attempts to provide a summary for common rights.
Option Explicit
' Looks for a Trustee containing the SECURITY_PRINCIPAL string on
' the file system. Recurses from BASE_PATH down (file and folders).
' Set these values for the search.
Const BASE_PATH = "C:"
Const SECURITY_PRINCIPAL = "Chris"
Sub FSRecurse(strPath)
' Simple FS recursion
Dim objFolder, objFile, objSubFolder
Set objFolder = objFileSystem.GetFolder(strPath)
For Each objFile in objFolder.Files
CheckDescriptor objFile.Path
Next
For Each objSubFolder in objFolder.SubFolders
CheckDescriptor objSubFolder.Path
FSRecurse objSubFolder.Path
Next
Set objFolder = Nothing
End Sub
Sub CheckDescriptor(strPath)
' Look for the Trustee in the Security Descriptor and filter out
' inherited ACEs
Const ACE_FLAG_INHERITED = &H10 ' 16
Dim objSecuritySettings, objSecurityDescriptor, objACE, objTrustee
Set objSecuritySettings = objWMIService.Get("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'")
objSecuritySettings.GetSecurityDescriptor objSecurityDescriptor
For Each objACE in objSecurityDescriptor.dACL
If InStr(1, objACE.Trustee.Name, SECURITY_PRINCIPAL, VbTextCompare) > 0 Then
' ACEFlags is binary. Must perform binary comparison.
If objACE.ACEFlags And ACE_FLAG_INHERITED Then
' Problems with negation of the above.
' This is just easier.
Else
EnumAccess strPath, objACE
End If
End If
Next
End Sub
Sub EnumAccess(strPath, objACE)
' Most access mask values have matching Folder versions. These are not
' numerically different, they only differ when interpreted.
' ACE Type
Const ACCESS_ALLOWED_ACE_TYPE = &H0
Const ACCESS_DENIED_ACE_TYPE = &H1
' Base Access Mask values
Const FILE_READ_DATA = &H1
Const FILE_WRITE_DATA = &H2
Const FILE_APPEND_DATA = &H4
Const FILE_READ_EA = &H8
Const FILE_WRITE_EA = &H10
Const FILE_EXECUTE = &H20
Const FILE_DELETE_CHILD = &H40
Const FILE_READ_ATTRIBUTES = &H80
Const FILE_WRITE_ATTRIBUTES = &H100
Const FOLDER_DELETE = &H10000
Const READ_CONTROL = &H20000
Const WRITE_DAC = &H40000
Const WRITE_OWNER = &H80000
Const SYNCHRONIZE = &H100000
' Constructed Access Masks
Dim FULL_CONTROL
FULL_CONTROL = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _
FILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + FILE_DELETE_CHILD + _
FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + FOLDER_DELETE + _
READ_CONTROL + WRITE_DAC + WRITE_OWNER + SYNCHRONIZE
Dim READ_ONLY
READ_ONLY = FILE_READ_DATA + FILE_READ_EA + FILE_EXECUTE + _
FILE_READ_ATTRIBUTES + READ_CONTROL + SYNCHRONIZE
Dim MODIFY
MODIFY = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _
FILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + _
FILE_READ_ATTRIBUTES + _
FILE_WRITE_ATTRIBUTES + FOLDER_DELETE + READ_CONTROL + SYNCHRONIZE
Dim strRights
Dim intAccessMask
WScript.Echo "Path: " & strPath
WScript.Echo "Username: " & objACE.Trustee.Name
WScript.Echo "Domain: " & objACE.Trustee.Domain
WScript.Echo "ACE Flags (Decimal): " & objACE.ACEFlags
' ACE Type
If objACE.ACEType = ACCESS_ALLOWED_ACE_TYPE Then
WScript.Echo "ACE Type: Allow"
Else
WScript.Echo "ACE Type: Deny"
End If
' Attempt to generate a basic summary of access rights
strRights = ""
intAccessMask = objACE.AccessMask
If intAccessMask = FULL_CONTROL Then
strRights = " (FullControl)"
ElseIf intAccessMask = MODIFY Then
strRights = " (Modify)"
ElseIf intAccessMask = READ_ONLY Then
strRights = " (ReadOnly)"
End If
' Echo the decimal mask with any summarised rights
WScript.Echo "Access Mask (Decimal): " & intAccessMask & strRights
WScript.Echo
End Sub
'
' Main code block
'
Dim objFileSystem, objWMIService
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
' WMI Connection to the local machine
Set objWMIService = GetObject("winmgmts:\\")
FSRecurse BASE_PATH
Set objWMIService = Nothing
Set objFileSystem = Nothing