Tip

Utility audits user access to files and directories

This tip originally appeared on SearchWinSystems.com, a sister site of SearchSMB.com.

One of the components of good security is awareness—for instance, knowing whether a given object is accessible to a given user or group. Admins typically audit accessibility through Explorer's Security tab, but it's much harder to do this for multiple objects or non-Explorer objects that have access control (such as services or registry keys).

But once again, those administrator lifesavers at Sysinternals.com, Mark Russinovich and Bryce Cogswell, have come to the rescue. Their new tool, AccessChk, is a simple but powerful command-line tool for auditing access controls against various objects, such as services, registry keys, files and folders.

An admin provides AccessChk with a user or group name and an object to audit. For instance, to audit the access that the Power Users account has to Windows services, you would use the command accesschk "power users" -c (note the use of quotes around a name that contains a space). For a Registry key, use the -k switch: accesschk "power users" -k hklm\software. Adding the -s switch to any command makes it work recursively: it processes not only the object in question, but any objects under it (subfolders, subkeys, etc.). Full documentation of all the available command-line switches is contained in the program itself.

AccessChk has a few limitations. Right now you can only audit for one user or group at a time; you can't supply a list of groups to match. You also need to be careful when you audit against filenames or pathnames that have Unicode (non-ASCII) characters in their name -- the report returned will not list them correctly unless you are using the correct locale for the console. Also, the first time you run AccessChk you'll be prompted to click through a licensing agreement. But this only happens once.
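
One way to work around the one-user-or-group-at-a-time limit is to call AccessChk once per group and collect the output in a single report. The PowerShell script below is an added example, not part of the original tip or of Sysinternals' own material. It assumes accesschk.exe is on the PATH and that the license prompt has already been accepted; the group list and report path are placeholders, and the command forms are the ones shown in the tip.

```powershell
# Added example: audit several groups in one pass by running AccessChk once per group.
# Assumptions: accesschk.exe is on PATH and its license agreement was already accepted.
# The group names and report path are placeholders; adjust them for your environment.

$groups = @('Power Users', 'Users', 'Everyone')

# Each target holds the switches that follow the group name, as written in the tip.
# Check the usage text built into your AccessChk version if a form is rejected.
$targets = @(
    @{ Label = 'Windows services';       Switches = @('-c') },
    @{ Label = 'HKLM\Software (subkeys)'; Switches = @('-k', '-s', 'hklm\software') }
)

$report = Join-Path $env:TEMP 'accesschk-report.txt'

if (-not (Get-Command accesschk.exe -ErrorAction SilentlyContinue)) {
    throw 'accesschk.exe was not found on PATH.'
}

$results = foreach ($group in $groups) {
    foreach ($target in $targets) {
        # PowerShell quotes arguments containing spaces for native commands,
        # so 'Power Users' reaches AccessChk as a single argument.
        $lines = & accesschk.exe $group $target.Switches

        [pscustomobject]@{
            Group    = $group
            Target   = $target.Label
            ExitCode = $LASTEXITCODE
            Lines    = @($lines)
        }
    }
}

# One section per group/target pair, so the results can be compared side by side.
$results | ForEach-Object {
    "=== $($_.Group) : $($_.Target) (exit code $($_.ExitCode)) ==="
    $_.Lines
    ''
} | Set-Content -Path $report -Encoding UTF8

# Flag runs that produced no output, for example a misspelled group name.
$results | Where-Object { $_.Lines.Count -eq 0 } | ForEach-Object {
    Write-Warning "No output for '$($_.Group)' on $($_.Target)"
}

Write-Host "Report written to $report"
```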

This was first published in May 2006
