OK, So most of the day today I was trying to create a vbscript to list all the shares on a server with the access control entries on each share's ACL.
I'm not talking about the share permissions, but the actual security permissions. (The ACE's in the DACL's.)
I was trying psexec in my script and I got it to work somewhat, except the script would just randomly stop. I kept thinking to myself "There must be a built-in WMI object that can read and print out the ACE's in the DACL's!!!!"
Well a bit more poking around found me the wonderful win32_logicalFileSecuritySetting.
Before I paste the code in here, I have to admit something. I have no idea how the wmiSecurityDescriptor part of the code works. Really. It makes no sense to me. I read the documentation on MSDN and I got even more confused. If anyone can explain it to me in plain English, please do so. I'll post it on the site.
Here is the code. Run it from the command line with the server name you need to view as the argument. Make sure Cscript is your default runtime environment. Otherwise you will get a lot of popups. (Do this from the command line cscript //H:cscript) Oh, and don't put a "\\" before the server name.
strComputer = WScript.Arguments(0)
Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMI.ExecQuery("Select * from win32_share")
For Each i In colItems
strDir = i.path
WScript.Echo "Share Name: " & i.name
strDir = Replace(strDir,"\","\\")
Set colItems = objWMI.ExecQuery("Select * from win32_logicalFileSecuritySetting WHERE Path='" & strDir & "'",,48)
for each objItem in colItems
If objItem.GetSecurityDescriptor(wmiSecurityDescriptor) Then
WScript.Echo "GetSecurityDescriptor failed"
DisplayFileSecurity = False
WScript.Quit
End If
For each wmiAce in wmiSecurityDescriptor.DACL
strACE = wmiAce.Trustee.Domain & "\" & wmiAce.Trustee.Name
'If instr(strACE,".") then
wscript.echo " " & strACE
'end If
Next
Next
Next