Fetching audit permission settings using VBScript


If you are looking for a script to fetch audit permission settings on a folder, here it is:


===================================================================================================================


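This is just a sample; it needs some modification before it will run as-is. Reading a SACL requires the "Manage auditing and security log" right (SeSecurityPrivilege), so run it from an elevated prompt under an account that holds that right.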


' Generic access rights: the top four bits of a Windows ACCESS_MASK,
' listed here from the highest bit down.
Const GENERIC_READ = &H80000000
Const GENERIC_WRITE = &H40000000
Const GENERIC_EXECUTE = &H20000000
Const GENERIC_ALL = &H10000000


' Inheritance bits carried in an ACE's AceFlags field.
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const NO_PROPAGATE_INHERIT_ACE = &H4
Const INHERIT_ONLY_ACE = &H8
Const INHERITED_ACE = &H10


' AceType value that marks a system-audit entry (as opposed to allow/deny).
Const AUDIT_ACE_TYPE = 2


' Audit bits in AceFlags: which outcome of an access attempt gets logged.
Const SUCCESSFUL_ACCESS_ACE_FLAG = &H40
Const FAILED_ACCESS_ACE_FLAG = &H80


' Machine to query; "." addresses the local computer.
Dim strComputer
strComputer = "."


' Declared by the original sample; none of these are referenced in the code shown here.
Dim oShell, sortie, ace, trustee, retVal, wmiSecurityDescriptor


' Connect to the root\cimv2 namespace. The "(Security)" entry in the moniker
' enables SeSecurityPrivilege on the connection; without it the SACL cannot be
' read. The account running the script must actually hold that privilege
' (typically an elevated administrator).
Dim strMoniker
strMoniker = "winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)


' Shell object created by the original sample; not used by the code shown here.
Set WshShell = WScript.CreateObject("WScript.Shell")


' Report the audit settings of the sample folder.
getPermissions "C:\Test"


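' Prints the audit (SACL) entries of one file or folder.
'
' For every audit ACE it echoes four lines: what is audited (All / Fail /
' Success / No), the trustee as DOMAIN\Name, the scope the entry applies to,
' and the list of audited permissions.
'
' name - full path of the file or folder, e.g. "C:\Test".
'
' Relies on the script-level objWMIService connection, which must have been
' opened with the Security privilege for the SACL to be returned.
Sub getPermissions (name)

    Dim objFile, objSD, objAce, rc
    Dim strAceType, strScope, strPerm
    Dim auditFailure, auditSuccess
    Dim toFiles, toSubfolders, inheritOnly
    Dim maskBits, maskNames, i

    ' NOTE(review): name is concatenated straight into the WMI object path.
    ' A path containing a single quote will presumably break the lookup;
    ' confirm and escape before passing such values.
    Set objFile = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & name & "'")

    ' A non-zero return means the descriptor could not be read (for example
    ' when the caller lacks the required privilege). Report it rather than
    ' ending silently, so a failed read is not mistaken for "no auditing".
    rc = objFile.GetSecurityDescriptor(objSD)
    If rc <> 0 Then
        WScript.Echo "GetSecurityDescriptor failed for " & name & " (return code " & rc & ")"
        Exit Sub
    End If

    If Not IsArray(objSD.SACL) Then
        WScript.Echo name & " doesn't have audit setting."
        Exit Sub
    End If

    ' File/folder-specific and standard rights, in the order they are printed.
    ' SYNCHRONIZE and ACCESS_SYSTEM_SECURITY are not decoded by this sample.
    maskBits = Array(524288, 262144, 131072, 65536, 256, 128, 64, 32, 16, 8, 4, 2, 1, _
                     GENERIC_ALL, GENERIC_EXECUTE, GENERIC_READ, GENERIC_WRITE)
    maskNames = Array("Take Ownership;", "Change Permissions;", "Read Permissions;", _
                      "Delete;", "Write Attributes;", "Read Attributes;", _
                      "Delete Subfolders and Files;", "Traverse Folder / Execute File;", _
                      "Write Extended Attributes;", "Read Extended Attributes;", _
                      "Create Folders / Append Data;", "Create Files / Write Data;", _
                      "List Folder / Read Data;", _
                      "Generic All;", "Generic Execute;", "Generic Read;", "Generic Write;")

    For Each objAce In objSD.SACL

        ' Only system-audit entries are reported; other ACE types are skipped.
        If objAce.AceType = AUDIT_ACE_TYPE Then

            ' Which outcomes are logged. "No" means the entry carries neither
            ' audit flag, so it records nothing even though it is present.
            auditFailure = (objAce.AceFlags And FAILED_ACCESS_ACE_FLAG) <> 0
            auditSuccess = (objAce.AceFlags And SUCCESSFUL_ACCESS_ACE_FLAG) <> 0
            If auditFailure And auditSuccess Then
                strAceType = "All"
            ElseIf auditFailure Then
                strAceType = "Fail"
            ElseIf auditSuccess Then
                strAceType = "Success"
            Else
                strAceType = "No"
            End If

            WScript.Echo strAceType
            WScript.Echo objAce.Trustee.Domain & "\" & objAce.Trustee.Name

            ' Translate the inheritance bits into the scope wording used by
            ' the Windows security dialog.
            toFiles = (objAce.AceFlags And OBJECT_INHERIT_ACE) <> 0
            toSubfolders = (objAce.AceFlags And CONTAINER_INHERIT_ACE) <> 0
            inheritOnly = (objAce.AceFlags And INHERIT_ONLY_ACE) <> 0

            If toFiles And toSubfolders Then
                If inheritOnly Then
                    strScope = "Subfolders and Files only"
                Else
                    strScope = "This Folder, Subfolders and Files"
                End If
            ElseIf toFiles Then
                If inheritOnly Then
                    strScope = "Files Only"
                Else
                    strScope = "This Folder and Files"
                End If
            ElseIf toSubfolders Then
                If inheritOnly Then
                    strScope = "Subfolders only"
                Else
                    strScope = "This Folder and Subfolders"
                End If
            Else
                strScope = "This Folder Only"
            End If

            WScript.Echo strScope

            ' Decode the access mask: one label per bit that is set.
            strPerm = ""
            For i = 0 To UBound(maskBits)
                If (objAce.AccessMask And maskBits(i)) <> 0 Then
                    strPerm = strPerm & maskNames(i)
                End If
            Next

            WScript.Echo strPerm

        End If

    Next

End Sub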


================================================================================================================================


Disclaimer: The above script is for illustration purposes only. It is not recommended to run it on a production server without testing.


                 This is a personal weblog. The opinions expressed here represent my own and not those of my employer.


 

