ACL scanning and analyzing

Posted March 3rd, 2013

Today I’m going to talk about a piece of functionality we’re really proud of because, as far as we know, it didn’t exist before we built it. It’s called ACL scanning.

What, ACL scanning? You mean, like making a list of the existing ACLs on my file systems? Yes, that of course, and more. Or rather, something different.

Extracting file system rights has been possible for about as long as there have been file systems. There’s CACLS, there’s PowerShell, and then there’s scripting. The one thing these all have in common is the conviction that this job is best served by a command line and an export: you construct a filter, the data is exported to some format or other, Excel or txt, and from there you’re on your own.

But interpreting exported ACL data, especially from larger file systems, can easily make your head spin. The only real solution is a GUI that lets you refine your filter after the data has been gathered. That is the GUI we have developed, but the fact that it is something new, especially in the ACL context, poses a problem: people don’t recognize it for what it is.

Some customers have been using ADUC AdminPlus for years, and we still have to point this functionality out to them. They had seen the ‘Connect to File System for ACLs’ option but immediately dismissed it: “OK, you can alter rights on a file system, so what?” The funny thing is that changing ACLs is the one thing you cannot do with ADUC AdminPlus. I’ll get back to that later.

First, here’s what you can do:

  1. As with any functionality in ADUC AdminPlus, you reach ACL scanning by right-clicking a computer object in your Active Directory. Choosing ‘Connect/To File System for ACL’ opens an Explorer-like interface.
  2. Next, by right-clicking a drive, share or folder, you can scan the computer’s file system up to ten levels deep. All ACL information below that point is collected. By the way, if rights are assigned more than ten levels deep you should seriously consider harassing your boss for ‘changes’, if you can still remember his name, that is. I’m pretty sure that administering such a file system doesn’t leave room for sane thoughts. But that’s a different topic altogether.
  3. Next there are five basic filter options:
  • filtering on inherited or explicit rights. Explicit rights are the ones set directly on a folder or file rather than inherited from a parent, so they are usually the ones worth reviewing first.
  • filtering on found groups and users. By selecting a particular group, you can see instantly which rights it has been assigned on which drives, folders or shares.
  • filtering on any AD user or group. Enter the name of a user or group object, and the interface shows which of the found rights apply to it. First the complete, nested group membership of the given object is calculated, and this list is compared to the users and groups found during the scan. Note that this is a membership-based view: it tells you which ACEs apply to the object, while the normal Windows rules for combining Allow and Deny entries still decide the actual access.
  • filtering on a list of users and/or groups. You can, for instance, compare fifty groups in your Active Directory against the found ACLs. Say you have a department with two hundred employees and a hundred security groups, and you want to find out which groups are no longer present in the ACLs of your file system. Select these groups in ADUC AdminPlus, export their AD names to a txt file, import them into the ACL scanning interface and check which groups are present and which are not.
  • filtering on security level. For instance, you can show all users and groups that have Full Control anywhere on the file system, or that are denied write access anywhere on the file system.

The added value, of course, is that it’s very easy to combine all these filters and keep yourself from drowning in the collected data. In fact, the interface offers such a flexible way of filtering that you ‘see’ things you didn’t even realise existed. You can do some serious cleaning up while remaining confident about your file system rights (you know, confident that end users won’t suddenly start screaming about how they can no longer reach ‘that file I’ve been working on all week!’).
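Roughly what such a scan and its filters amount to, as an added PowerShell example written for this page (it is not aducADMIN+ code and says nothing about how the product is implemented): walk a share up to ten levels deep, record every ACE on every folder with the identity resolved to a SID, and then apply the filters described above so they can be combined, including the membership-based view for one AD user. The share name \\FILESRV01\Projects, the user jdoe and the file groups.txt are placeholders. It assumes PowerShell 5.0 or later (for -Depth and HashSet), the ActiveDirectory RSAT module, and the default situation where the file server’s BUILTIN\Users group still contains Domain Users.

```powershell
#Requires -Version 5.0
#Requires -Modules ActiveDirectory
# Added example, not aducADMIN+ code. Share, user name and group list below are placeholders.

# FileSystemRights is Int32-backed. Inherited ACEs can carry generic bits the enum
# does not name (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000), so test bit masks.
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl   # 0x1F01FF
$GenericAll  = 0x10000000
$WriteBits   = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor $GenericAll

function Get-AceReport {
    # One object per ACE on the root folder and on every subfolder up to $MaxDepth levels.
    param([Parameter(Mandatory)][string]$Path, [int]$MaxDepth = 10)
    $rootDepth = ($Path.TrimEnd('\') -split '\\').Count
    $folders = @(Get-Item -LiteralPath $Path)
    if ($MaxDepth -gt 0) {
        $folders += Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth ($MaxDepth - 1) -ErrorAction SilentlyContinue
    }
    foreach ($dir in $folders) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # access denied: record nothing rather than guess
        foreach ($ace in $acl.Access) {
            # Compare by SID so renamed accounts still match and deleted ones show up as raw SIDs.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            [pscustomobject]@{
                Path      = $dir.FullName
                Depth     = ($dir.FullName -split '\\').Count - $rootDepth
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = [int]$ace.FileSystemRights
                Type      = $ace.AccessControlType      # Allow or Deny
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-EffectiveSids {
    # Every domain SID a user's token carries: the user, its primary group, all nested
    # groups (resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN) and the well-known
    # identities every domain logon gets. Local groups on the file server are not resolved.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($user.SID.Value)
    [void]$sids.Add((Get-ADGroup -Identity $user.PrimaryGroup).SID.Value)   # not listed in any 'member' attribute
    # Escape the DN for use inside an LDAP filter (RFC 4515); backslash first.
    $dn = $user.DistinguishedName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" | ForEach-Object { [void]$sids.Add($_.SID.Value) }
    # Everyone, Authenticated Users, BUILTIN\Users (assumes the server's Users group still holds Domain Users)
    foreach ($wk in 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545') { [void]$sids.Add($wk) }
    return $sids
}

function Select-Findings {
    # The post's filters, as arrays that can be combined further. UserEffective is membership-based:
    # it lists the ACEs that apply to the user; Windows' Deny-over-Allow evaluation still decides access.
    param([Parameter(Mandatory)][object[]]$Report, [System.Collections.Generic.HashSet[string]]$UserSids)
    [pscustomobject]@{
        ExplicitOnly  = @($Report | Where-Object { -not $_.Inherited })
        FullControl   = @($Report | Where-Object { $_.Type -eq 'Allow' -and
                          ((($_.Rights -band $FullControl) -eq $FullControl) -or (($_.Rights -band $GenericAll) -ne 0)) })
        DeniedWrite   = @($Report | Where-Object { $_.Type -eq 'Deny' -and (($_.Rights -band $WriteBits) -ne 0) })
        OrphanedSids  = @($Report | Where-Object { $_.Identity -like 'S-1-5-21-*' })   # account deleted, ACE left behind
        UserEffective = @(if ($UserSids) { $Report | Where-Object { $UserSids.Contains($_.Sid) } })
    }
}

function Compare-GroupList {
    # Which groups from a text file (one sAMAccountName per line) still occur in any ACE?
    param([Parameter(Mandatory)][object[]]$Report, [Parameter(Mandatory)][string]$GroupListPath)
    $present = [System.Collections.Generic.HashSet[string]]::new([string[]]$Report.Sid)
    foreach ($name in Get-Content -LiteralPath $GroupListPath | Where-Object { $_.Trim() }) {
        try   { $group = Get-ADGroup -Identity $name.Trim() -ErrorAction Stop } catch { $group = $null }
        [pscustomobject]@{ Group = $name.Trim(); InAD = [bool]$group; Found = ($group -and $present.Contains($group.SID.Value)) }
    }
}

# --- Example session (all names are placeholders) ---
# $report = Get-AceReport -Path '\\FILESRV01\Projects' -MaxDepth 10
# $find   = Select-Findings -Report $report -UserSids (Get-EffectiveSids -SamAccountName 'jdoe')
# $find.FullControl | Where-Object { -not $_.Inherited } | Format-Table Path, Identity     # two filters combined
# $find.DeniedWrite + $find.OrphanedSids | Format-Table Path, Identity, Type, Inherited
# $find.UserEffective | Sort-Object Path | Format-Table Path, Identity, Rights, Type
# Compare-GroupList -Report $report -GroupListPath .\groups.txt | Where-Object { -not $_.Found }
```

Two design choices worth noting. The report stores SIDs next to names: a renamed group still matches, and an ACE whose principal has been deleted can only be recognised by its unresolvable SID, which is exactly the leftover you want to clean up. And the scan reads folder ACLs only; explicit ACEs set on individual files are real and would need Get-ChildItem -File as well, at the cost of a much longer scan on a large share.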

Okay, that leaves changing the actual rights with ADUC AdminPlus, which, like I said, is the one thing you cannot do. Not because it is difficult to build, because it isn’t, but because it can potentially lay waste to your file system rights.

On Windows, ACLs are stored on each individual folder and file. This means that if you change an inheritable entry on a top-level folder, Windows has to rewrite the ACL of every folder and file below it, which on a large tree can take a long time (don’t we know it). If that process is interrupted, you end up with a half-propagated tree: some objects carry the new rights, others still carry the old ones. So we would have to lock ADUC AdminPlus until such a process is finished, which is something we dislike in other tools and would hate in ours.

So, unfortunately, best practice remains setting file system rights on the computer on which that file system resides, if only because that’s much faster. With ADUC AdminPlus you can add and remove members of the groups that have been assigned rights on your file systems, but you cannot change the rights on the file system itself.

The GUI is pretty cool, though. By no means rocket science, but pretty cool nonetheless. Oh, and by the way, you can also scan the ACLs on your Active Directory itself, with pretty much the same interface and the same options…