Fetching audit permission settings using VBScript.
If you are looking for a script to fetch audit permission settings on a folder, here it is:
===================================================================================================================
This is just a sample. It would require some modification to run it fully.
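' Access-mask and ACE constants as defined in the Win32 security headers
' (winnt.h). The GENERIC_* rights live in the top bits of an access mask;
' the *_ACE flags describe how an entry is inherited and, for audit
' entries, which outcomes (success/failure) are logged.
Const GENERIC_ALL = &H10000000
Const GENERIC_EXECUTE = &H20000000
' VBScript stores &H80000000 as a negative Long; a bitwise And against an
' access mask is unaffected by the sign.
Const GENERIC_READ = &H80000000
Const GENERIC_WRITE = &H40000000
Const OBJECT_INHERIT_ACE = 1
Const CONTAINER_INHERIT_ACE = 2
Const NO_PROPAGATE_INHERIT_ACE = 4
Const INHERIT_ONLY_ACE = 8
Const INHERITED_ACE = 16
Const AUDIT_ACE_TYPE = &H2            ' SYSTEM_AUDIT_ACE_TYPE
Const FAILED_ACCESS_ACE_FLAG = &H80
Const SUCCESSFUL_ACCESS_ACE_FLAG = &H40

Dim strComputer, objWMIService, WshShell
strComputer = "."                     ' local machine

' The (Security) token in the moniker enables SeSecurityPrivilege on the
' connection. Reading a SACL (the audit entries) requires that privilege;
' without it GetSecurityDescriptor in getPermissions fails.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' Not used by getPermissions; kept from the original sample.
Set WshShell = WScript.CreateObject("WScript.Shell")

' Sample target; change to the folder whose audit entries you want listed.
getPermissions "C:\Test"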
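' Echo every audit entry (SACL ACE) on the file or folder `name`.
' For each ACE of type AUDIT_ACE_TYPE it prints, one line each: whether the
' entry audits success, failure, both ("All") or neither ("No"); the
' trustee as DOMAIN\Name; the inheritance scope in the wording of the
' Explorer auditing dialog; and the decoded access mask as a ";"-separated
' list of rights.
' Relies on the script-level objWMIService connection, which must carry the
' (Security) privilege: reading a SACL needs SeSecurityPrivilege, and
' GetSecurityDescriptor returns a non-zero code without it. That code is
' echoed here rather than silently ignored.
' Only entries with AceType = AUDIT_ACE_TYPE (2) are listed; other audit
' ACE types (object-specific ones) are not decoded by this sample.
Sub getPermissions (name)
    Dim objFile, objSD, objAce, sdStatus

    ' `name` is spliced into a single-quoted WMI object path. A quote inside
    ' the path would end the literal early, so refuse such names instead of
    ' issuing a query for something other than the caller intended.
    If InStr(name, "'") > 0 Then
        Wscript.echo name & " contains a single quote and cannot be queried."
        Exit Sub
    End If

    Set objFile = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & name & "'")

    sdStatus = objFile.GetSecurityDescriptor(objSD)
    If sdStatus <> 0 Then
        ' Typically a privilege or access problem; surface it so an empty
        ' listing is not mistaken for "no auditing configured".
        Wscript.echo "GetSecurityDescriptor failed for " & name & " (return code " & sdStatus & ")"
        Exit Sub
    End If

    ' SACL is not an array (presumably Null) when the object carries no
    ' audit entries at all.
    If Not isArray(objSD.SACL) Then
        Wscript.echo name & " doesn't have audit setting."
        Exit Sub
    End If

    For Each objAce In objSD.SACL
        If objAce.AceType = AUDIT_ACE_TYPE Then
            Wscript.echo auditOutcome(objAce.AceFlags)
            Wscript.echo objAce.Trustee.Domain & "\" & objAce.Trustee.Name
            Wscript.echo inheritanceScope(objAce.AceFlags)
            Wscript.echo describeAccessMask(objAce.AccessMask)
        End If
    Next
End Sub

' Map an audit ACE's AceFlags to "All", "Fail", "Success" or "No" according
' to which of SUCCESSFUL_ACCESS_ACE_FLAG / FAILED_ACCESS_ACE_FLAG are set.
Function auditOutcome(aceFlags)
    Dim onSuccess, onFailure
    onSuccess = (aceFlags And SUCCESSFUL_ACCESS_ACE_FLAG) <> 0
    onFailure = (aceFlags And FAILED_ACCESS_ACE_FLAG) <> 0
    If onSuccess And onFailure Then
        auditOutcome = "All"
    ElseIf onFailure Then
        auditOutcome = "Fail"
    ElseIf onSuccess Then
        auditOutcome = "Success"
    Else
        auditOutcome = "No"
    End If
End Function

' Describe where an ACE applies, from its OBJECT_INHERIT / CONTAINER_INHERIT /
' INHERIT_ONLY flags, using the wording of the Explorer auditing dialog.
' With neither inherit flag set the entry applies to this folder only,
' regardless of INHERIT_ONLY.
Function inheritanceScope(aceFlags)
    Dim toFiles, toSubfolders, notThisFolder
    toFiles = (aceFlags And OBJECT_INHERIT_ACE) <> 0
    toSubfolders = (aceFlags And CONTAINER_INHERIT_ACE) <> 0
    notThisFolder = (aceFlags And INHERIT_ONLY_ACE) <> 0
    If toFiles And toSubfolders Then
        If notThisFolder Then
            inheritanceScope = "Subfolders and Files only"
        Else
            inheritanceScope = "This Folder, Subfolders and Files"
        End If
    ElseIf toFiles Then
        If notThisFolder Then
            inheritanceScope = "Files Only"
        Else
            inheritanceScope = "This Folder and Files"
        End If
    ElseIf toSubfolders Then
        If notThisFolder Then
            inheritanceScope = "Subfolders only"
        Else
            inheritanceScope = "This Folder and Subfolders"
        End If
    Else
        inheritanceScope = "This Folder Only"
    End If
End Function

' Decode a file access mask into the ";"-separated labels used by the
' Explorer permissions dialog, highest bit first. The literal bit values
' are the winnt.h FILE_* and standard rights named in the trailing
' comments; the generic rights use the script-level GENERIC_* constants.
' Bits not listed here (for example SYNCHRONIZE, &H100000) are ignored.
Function describeAccessMask(accessMask)
    Dim result
    result = ""
    appendRight result, accessMask, 524288, "Take Ownership"              ' WRITE_OWNER
    appendRight result, accessMask, 262144, "Change Permissions"          ' WRITE_DAC
    appendRight result, accessMask, 131072, "Read Permissions"            ' READ_CONTROL
    appendRight result, accessMask, 65536, "Delete"                       ' DELETE
    appendRight result, accessMask, 256, "Write Attributes"               ' FILE_WRITE_ATTRIBUTES
    appendRight result, accessMask, 128, "Read Attributes"                ' FILE_READ_ATTRIBUTES
    appendRight result, accessMask, 64, "Delete Subfolders and Files"     ' FILE_DELETE_CHILD
    appendRight result, accessMask, 32, "Traverse Folder / Execute File"  ' FILE_EXECUTE / FILE_TRAVERSE
    appendRight result, accessMask, 16, "Write Extended Attributes"       ' FILE_WRITE_EA
    appendRight result, accessMask, 8, "Read Extended Attributes"         ' FILE_READ_EA
    appendRight result, accessMask, 4, "Create Folders / Append Data"     ' FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY
    appendRight result, accessMask, 2, "Create Files / Write Data"        ' FILE_WRITE_DATA / FILE_ADD_FILE
    appendRight result, accessMask, 1, "List Folder / Read Data"          ' FILE_READ_DATA / FILE_LIST_DIRECTORY
    appendRight result, accessMask, GENERIC_ALL, "Generic All"
    appendRight result, accessMask, GENERIC_EXECUTE, "Generic Execute"
    appendRight result, accessMask, GENERIC_READ, "Generic Read"
    appendRight result, accessMask, GENERIC_WRITE, "Generic Write"
    describeAccessMask = result
End Function

' Append `label` plus ";" to `result` when `bit` is set in `accessMask`.
' Called without parentheses so that `result` is passed by reference.
Sub appendRight(ByRef result, accessMask, bit, label)
    If (accessMask And bit) <> 0 Then
        result = result & label & ";"
    End If
End Sub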
================================================================================================================================
Disclaimer: The script above is for illustration purposes only. It is not recommended to run it on a production server without testing.
This is a personal weblog. The opinions expressed here represent my own and not those of my employer.