
What do you use to explore NTFS permissions?

P1X3

I have been dealing with a folder redirection setup that is having odd permission issues. The range of issues is pretty wide, starting with the owner not having permissions while another account does, inheritance on some folders not being applied, and some users not being able to take back ownership or change permissions even though they should be able to based on the permissions. Those folders are also replicated across three different servers. Anyhow, what I am after is a tool that can nicely show permissions, has some sort of filtering, and shows it all in a nice way, an NTFS permissions explorer so to speak. I have already found some, but if anyone has a favorite to vouch for, now is your time.

 

Seems I have left out the most important info.

 

Windows Server 2012 R2 with Active Directory setup.

 

 

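
The kind of report the post above asks for can be produced with nothing but built-in PowerShell. The script below is an added example, not something posted in this thread or shipped with Windows: it walks every user folder under one or more redirection roots, records owner, inheritance state, explicit (non-inherited) ACEs and Deny ACEs for every object, flags anything that does not match the usual folder-redirection layout (folder named after the user, user owns it, inheritance enabled, no explicit ACEs other than the user, Administrators and SYSTEM), and, because the roots are replicated, compares the same relative path across replicas and reports where they differ. The server names, share names, domain name and the list of allowed principals are all assumptions and need to be changed to match the environment.

```powershell
<#
Added example, not code from the thread: audit NTFS permissions under a folder-redirection root.
Works on Windows PowerShell 3.0 or later (Server 2012 R2 ships 4.0). Everything in the param block
is an assumption; edit it for your environment.
#>
param(
    # Hypothetical replica roots; each top-level folder is assumed to be named after the user's logon name
    [string[]]$Roots  = @('\\FS01\Users$', '\\FS02\Users$', '\\FS03\Users$'),
    [string]  $Domain = 'CORP',                                 # assumed NetBIOS domain name
    [string]  $CsvOut = (Join-Path $env:TEMP 'ntfs-audit.csv')
)

# Principals allowed to hold explicit (non-inherited) ACEs inside a user's folder; the user's own account
# is added per folder. Adjust this to your own top-level design.
$AllowedExplicit = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-NtfsFinding {
    param([string]$Server, [string]$RelativePath, [string]$Path, [string]$ExpectedOwner)
    $f = [ordered]@{
        Server = $Server; RelativePath = $RelativePath; Path = $Path
        Owner = $null; OwnerOK = $false; InheritanceOn = $null
        ExplicitAces = ''; UnexpectedExplicit = ''; DenyAceCount = 0; Fingerprint = ''; Error = ''
    }
    try {
        $acl      = Get-Acl -LiteralPath $Path
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        $aceText  = @($explicit | ForEach-Object {
            "$($_.AccessControlType):$($_.IdentityReference.Value):$($_.FileSystemRights)" } | Sort-Object)
        $f.Owner         = $acl.Owner
        $f.OwnerOK       = ($acl.Owner -eq $ExpectedOwner)
        $f.InheritanceOn = -not $acl.AreAccessRulesProtected
        $f.ExplicitAces  = $aceText -join '; '
        $f.UnexpectedExplicit = @($explicit | Where-Object {
            ($AllowedExplicit + $ExpectedOwner) -notcontains $_.IdentityReference.Value } |
            ForEach-Object { $_.IdentityReference.Value }) -join '; '
        $f.DenyAceCount = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        # Owner + inheritance state + explicit ACEs; if this differs between replicas, replication diverged
        $f.Fingerprint = "$($acl.Owner)|$($f.InheritanceOn)|$($aceText -join ',')"
    } catch {
        # Not being able to read the ACL is itself a finding (usually missing READ_CONTROL or a broken owner)
        $f.Error = $_.Exception.Message
    }
    [pscustomobject]$f
}

$findings = foreach ($root in $Roots) {
    $root   = $root.TrimEnd('\')
    $server = if ($root -match '^\\\\([^\\]+)') { $Matches[1] } else { $env:COMPUTERNAME }
    foreach ($home in Get-ChildItem -LiteralPath $root -Directory -Force) {
        $expectedOwner = "$Domain\$($home.Name)"
        # The user folder itself plus everything below it; -Force includes hidden and system items
        $items = @($home) + @(Get-ChildItem -LiteralPath $home.FullName -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $rel = $item.FullName.Substring($root.Length).TrimStart('\')
            Get-NtfsFinding -Server $server -RelativePath $rel -Path $item.FullName -ExpectedOwner $expectedOwner
        }
    }
}

# 1. Per-object problems: unreadable, wrong owner, inheritance blocked, Deny ACEs, stray explicit ACEs
$problems = @($findings | Where-Object {
    $_.Error -or -not $_.OwnerOK -or -not $_.InheritanceOn -or $_.DenyAceCount -gt 0 -or $_.UnexpectedExplicit })

# 2. Cross-replica drift: the same relative path seen with more than one fingerprint
$drift = @($findings | Where-Object { -not $_.Error } | Group-Object RelativePath |
    Where-Object { @($_.Group | Select-Object -ExpandProperty Fingerprint -Unique).Count -gt 1 })

$problems | Sort-Object Server, RelativePath |
    Format-Table Server, RelativePath, Owner, OwnerOK, InheritanceOn, DenyAceCount, UnexpectedExplicit, Error -AutoSize
foreach ($g in $drift) {
    Write-Output "DRIFT $($g.Name):"
    $g.Group | ForEach-Object { Write-Output "    $($_.Server): $($_.Fingerprint)" }
}
$findings | Export-Csv -LiteralPath $CsvOut -NoTypeInformation -Encoding UTF8
Write-Output ("Scanned {0} objects on {1} root(s): {2} flagged, {3} paths differ between replicas. Full report: {4}" -f `
    $findings.Count, $Roots.Count, $problems.Count, $drift.Count, $CsvOut)
```

Run it as an account that can at least read the security descriptors. Objects the account cannot read land in the Error column rather than aborting the run, and those are usually exactly the folders the thread is about (owner with no rights, or a Deny ACE on Administrators). The CSV keeps every object, so the console output can be filtered down to only the flagged ones while the full picture is still on disk for comparison after a fix.
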

What Operating System/Systems are in question? Do you have active directory setup?

- ASUS X99 Deluxe - i7 5820k - Nvidia GTX 1080ti SLi - 4x4GB EVGA SSC 2800mhz DDR4 - Samsung SM951 500 - 2x Samsung 850 EVO 512 -

- EK Supremacy EVO CPU Block - EK FC 1080 GPU Blocks - EK XRES 100 DDC - EK Coolstream XE 360 - EK Coolstream XE 240 -


Just now, TidaLWaveZ said:

What Operating System/Systems are in question? Do you have active directory setup?

Sorry, left that out by mistake. Win2012R2 server with active directory.

 

 


Can't you just use the built in computer management on the server to grant your account supreme access?


Well... Windows has one built in. Have you tried that?

Right click folder -> Properties -> Security -> Advanced


Or just get on the server and run wmimgmt.msc, then change the permissions for the account you want.


The built-in permissions manager is good, but when checking through multiple users and folders for weird cases it is very tedious, which is why I was looking for something else.

Out of everything I have tried so far, Dell Security Explorer (Trial) is perfect for my scenario. Permissions are visible when a folder/file is selected. Copying and pasting permissions is a piece of cake. Not something the built-in permissions manager will do.

 

This software is great, but it is targeted towards a bigger audience and is not free.

 


 

 


If you have correctly followed the Microsoft recommendations on permissions for folder redirection you shouldn't be getting permission problems. You will need to go to the top level folder once you are sure it is set correctly and apply the permissions to all subfolders and files. This will overwrite all permissions, so you also have to make sure the ownership of the folders and files is correct or users will lose access.

 

http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx

https://msdn.microsoft.com/en-us/library/cc736916(v=ws.10).aspx

 

Personally I use a user creator script that creates the AD accounts and folders, sets permissions, etc., so I can have slightly stronger security on the top level folder.

 

I will put a permission correction script at the end of this post which will fix the permissions and set them correctly, but there are a few things you must do first:

  • Make sure the top level folder permissions are set as per Microsoft
  • With my permissions this ACL is not required: Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
  • Most critically, read and understand what it does before running it
  • Run it over a test folder group first
  • Alter the script to put your domain name in place of <DOMAIN>

The top part of the script sets a special access mode to give you backup operator rights so you cannot be blocked from changing file permissions, no matter what. This is above standard Administrator rights and any deny ACL rules will be ignored.

 

Edit: The script is PowerShell.

 

#P/Invoke'd C# code to enable the token privileges needed to take ownership and rewrite ACLs
#when the account running the script has no NTFS rights on the target
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;

public class TokenManipulator
{
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    [DllImport("kernel32.dll", ExactSpelling = true)]
    internal static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern bool CloseHandle(IntPtr h);

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    internal struct TokPriv1Luid
    {
        public int Count;
        public long Luid;
        public int Attr;
    }
    internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
    internal const int TOKEN_QUERY = 0x00000008;
    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

    // Enables or disables one privilege on the current process token. The privilege must already be
    // present (disabled) in the token, which is the case for an elevated local Administrator; this
    // cannot grant a privilege the account does not hold.
    private static bool SetPrivilege(string privilege, int attr)
    {
        IntPtr htok = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok))
            return false;
        try
        {
            TokPriv1Luid tp;
            tp.Count = 1;
            tp.Luid = 0;
            tp.Attr = attr;
            if (!LookupPrivilegeValue(null, privilege, ref tp.Luid))
                return false;
            // AdjustTokenPrivileges returns true even when the privilege was not assigned
            // (last error ERROR_NOT_ALL_ASSIGNED), so the Win32 error has to be checked as well
            bool ok = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            return ok && Marshal.GetLastWin32Error() == 0;
        }
        finally
        {
            CloseHandle(htok);
        }
    }
    public static bool AddPrivilege(string privilege)    { return SetPrivilege(privilege, SE_PRIVILEGE_ENABLED); }
    public static bool RemovePrivilege(string privilege) { return SetPrivilege(privilege, SE_PRIVILEGE_DISABLED); }
}
"@
Add-Type -TypeDefinition $AdjustTokenPrivileges

#Activate the privileges once for this process; they stay enabled for the rest of the script.
#SeBackupPrivilege:        read any file and its security descriptor regardless of the DACL
#SeRestorePrivilege:       write any file and set the owner to an arbitrary SID (without it you can only
#                          make yourself or Administrators the owner), needed to hand folders back to users
#SeTakeOwnershipPrivilege: take ownership even when the DACL denies WRITE_OWNER
foreach ($Priv in 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege')
{
    if (-not [TokenManipulator]::AddPrivilege($Priv))
    {
        throw "Could not enable $Priv - run this from an elevated PowerShell as a local administrator"
    }
}

#Sets the owner of a file or folder. Only the owner section is written: the security object used here
#contains nothing but the owner, so the existing DACL is left alone.
Function Set-ItemOwner($Target, $User)
{
    if ($Target.PSIsContainer)
    {
        $NewOwnerACL = New-Object System.Security.AccessControl.DirectorySecurity
    }
    else
    {
        $NewOwnerACL = New-Object System.Security.AccessControl.FileSecurity
    }
    $NewOwnerACL.SetOwner((New-Object System.Security.Principal.NTAccount($User)))
    $Target.SetAccessControl($NewOwnerACL)
}

#Removes every explicit (non-inherited) ACE from a file or folder so that only inherited ones remain.
#The ACL is written back once, after all identities have been purged.
Function Remove-ExplicitAces($Target)
{
    $acl = Get-Acl -LiteralPath $Target.FullName
    $Explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    if ($Explicit.Count -gt 0)
    {
        foreach ($Ace in $Explicit)
        {
            $acl.PurgeAccessRules($Ace.IdentityReference)
        }
        Set-Acl -LiteralPath $Target.FullName -AclObject $acl
    }
}

$Path   = "C:\Temp\Home"   #root containing one folder per user
$Domain = "<DOMAIN>"       #NetBIOS domain name; each folder is named after the user's logon name

$HomeFolders = @(Get-ChildItem -LiteralPath $Path -Directory -Force)
$Count = 0
foreach ($HomeFolder in $HomeFolders)
{
    $Count++
    $User = "$Domain\$($HomeFolder.Name)"

    #1. Take ownership (to Administrators) of the whole tree and reset every ACL to inherited-only
    takeown /f $HomeFolder.FullName /a /r /d y | Out-Null
    icacls $HomeFolder.FullName /reset /t /q | Out-Null

    #2. Hand the tree back to the user and remove any explicit ACE that survived the reset
    Set-ItemOwner $HomeFolder $User
    foreach ($Item in Get-ChildItem -LiteralPath $HomeFolder.FullName -Recurse -Force)
    {
        Set-ItemOwner $Item $User
        Remove-ExplicitAces $Item
    }

    #3. Re-enable inheritance on the user folder and grant the user Full Control there, replacing (:r)
    #   any existing explicit grant for that user; (OI)(CI) makes it flow down to files and subfolders
    icacls $HomeFolder.FullName /inheritance:e /grant:r "${User}:(OI)(CI)F" /c /t /q | Out-Null

    Write-Output ("{0} of {1}: {2}" -f $Count, $HomeFolders.Count, $HomeFolder.Name)
}

 

