Today I’m gonna talk about a piece of functionality that we’re really proud of, because, far as we know, it didn’t exist before we created it. It’s called ACL scanning.
What, ACL scanning? You mean, like making a list of the existing ACLs on my file systems? Yes, that of course — and more. Or rather, different.
Extracting file system rights has been around for, well, probably for as long as there’ve been file systems. There’s CACLS, and there’s PowerShell, and then there’s scripting. The one thing these all have in common is the conviction that this functionality is somehow best served by command line and export: a filter is constructed and the data is exported to some format or other, like Excel or txt. From there you’re on your own.
But interpreting exported ACL data, especially of larger file systems, can easily make your head spin. The only solution, really, is some sort of GUI that allows you to refine your filter after the data has been gathered. This is the GUI we have developed, but the fact that it’s something new, especially in the ACL context, poses a problem: people don’t recognize it for what it is.
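To make the difference concrete, here is the gather-first, filter-afterwards idea in plain PowerShell. This is an added example, not code from ADUC AdminPlus; the share path, the account name and the choice of filters are assumptions made for illustration.

```powershell
# Added example. $Root and EXAMPLE\jdoe are placeholders, not from the article.
$Root = '\\fileserver\share'

function Get-AclEntries {
    param([Parameter(Mandatory)][string]$Path)

    # Folders only, to keep the scan manageable; drop -Directory to include files.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Keep a row for folders we could not read instead of hiding them.
            [pscustomobject]@{ Path = $item.FullName; Identity = $null; Rights = $null
                               Type = 'UNREADABLE'; Inherited = $null }
            continue
        }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = [string]$ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited
            }
        }
    }
}

# One slow pass over the file system ...
$entries = Get-AclEntries -Path $Root

# ... then any number of cheap filters on the in-memory result.
# Explicit (non-inherited) entries: rights set directly on a folder.
$explicit = $entries | Where-Object { $_.Inherited -eq $false }

# Entries assigned directly to one account (group membership is not expanded).
$forUser = $entries | Where-Object { $_.Identity -eq 'EXAMPLE\jdoe' }

# Explicit entries that show up as a raw SID: typically a deleted account.
$orphaned = $explicit | Where-Object { $_.Identity -like 'S-1-5-21-*' }

# Deny entries and unreadable folders, for review.
$review = $entries | Where-Object { $_.Type -in 'Deny', 'UNREADABLE' }

$orphaned | Sort-Object Path | Format-Table Path, Identity, Rights -AutoSize
```

The script only reads ACLs; nothing in it changes rights on the file system.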
Some customers have been using ADUC AdminPlus for years, and still we have to point out this functionality to them. They’d seen the ‘Connect to File System for ACLs’ option but immediately dismissed it: “Ok, you can alter rights on a file system, so what?” But the funny thing is, changing ACLs is the one thing you cannot do with ADUC AdminPlus. But I’ll get back to that later.
First, here’s what you can do:
The added value, of course, is that it’s very easy to combine all these filters, and prevent yourself from drowning in the collected data. In fact, the interface offers such a flexible way of filtering that you ‘see’ things you didn’t even realise existed. You can do some serious cleaning up, while remaining confident about your file system rights (you know, be confident that end users don’t start screaming about how they can suddenly no longer reach ‘That file that I’ve been working on all week!’).
Okay, that leaves changing the actual rights with ADUC AdminPlus, which, like I said, is the one thing you cannot do. Not because it’s difficult to build, because it isn’t, but because it can potentially lay waste to your file system rights.
Under the Windows platform, ACLs are set on each individual folder and file. This means that if you change an ACL on a top-level folder, it can take a long time for all ACLs to be set (don’t we know it). If you somehow interrupt this process, you end up with a corrupt rights system. So we would have to lock ADUC AdminPlus until such a process is finished, which is something we dislike in other tools, and hate in ours.
So, unfortunately, best practice remains setting file system rights on the computer on which that file system resides, if only because that’s much faster. You can add and remove members from groups that have been granted rights on your file systems, but you cannot change the rights on that file system itself with ADUC AdminPlus.
The GUI is pretty cool, though. By no means rocket science, but pretty cool nonetheless. Oh, and by the way, you can also scan the ACLs on your Active Directory itself, with pretty much the same interface and the same options…
Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.
Developing software out of Amsterdam, The Netherlands, with installations in over 50 countries around the globe.