Hello!
Here is a script that reads the full security descriptor of a file or folder, including its DACL and SACL.
The result is written as a text file to C:\VBSreports\SDreport.txt; if the file already exists, the new report is appended to it.
------------------------------------------------------------------------------------------------------
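'Vbscript
'#########################################################################################################
'
' FULL SECURITY DESCRIPTOR READER
'
' This script reads DACL and SACL of a file or a folder and outputs to C:\VBSreports.
'
' Flow:
'   1. ask the user for the full path of a file or folder,
'   2. read its security descriptor through WMI (Win32_LogicalFileSecuritySetting),
'   3. decode the control flags, every DACL ACE and every SACL ACE into plain text,
'   4. append the text to C:\VBSreports\SDreport.txt (the folder/file are created on first run),
'   5. offer to open the report in Notepad.
'
' Reading the SACL requires SeSecurityPrivilege; the WMI moniker below requests it.
' Generic rights (bits 28-31 of an access mask) are not decoded by this script.
'
'V 2.0 17.11.2010 Author: Michael Firsov
'#########################################################################################################
Option Explicit

Const SCRIPT_TITLE = "SecurityDescriptorFile.vbs"
Const REPORT_DIR = "c:\VBSreports"
Const REPORT_NAME = "SDreport.txt"
Const FOR_APPENDING = 8

' ----- ACE flags for DACL and SACL ----------------------------
Const OBJECT_INHERIT_ACE = 1
Const CONTAINER_INHERIT_ACE = 2
Const NO_PROPAGATE_INHERIT_ACE = 4
Const INHERIT_ONLY_ACE = 8
Const INHERITED_ACE = 16
Const VALID_INHERIT_FLAGS = 31
Const AUDIT_SUCCESSFUL_ACCESS = 64
Const AUDIT_FAILED_ACCESS = 128
' ------ Permission MASK ---------------------------------------
Const FILE_LIST_DIRECTORY = 1
Const FILE_ADD_FILE = 2
Const FILE_ADD_SUBDIRECTORY = 4
Const FILE_READ_EA = 8
Const FILE_WRITE_EA = 16
Const FILE_TRAVERSE = 32
Const FILE_DELETE_CHILD = 64
Const FILE_READ_ATTRIBUTES = 128
Const FILE_WRITE_ATTRIBUTES = 256
Const DELETE = 65536
Const READ_CONTROL = 131072
Const WRITE_DAC = 262144
Const WRITE_OWNER = 524288
Const SYNCHRONIZE = 1048576
Const ALL_ACCESS = 2032127
' -------- ACE types and SD control flags --------------------------
Const ACCESS_ALLOWED_ACE_TYPE = 0
Const ACCESS_DENIED_ACE_TYPE = 1
Const SYSTEM_AUDIT_ACE_TYPE = 2
Const SE_DACL_PRESENT = 4
Const SE_SACL_PRESENT = 16
Const SE_DACL_PROTECTED = 4096
Const SE_SACL_PROTECTED = 8192

Dim strComputer, strObject, strReport
Dim FSO, objWMIService, objFile, objSD, objACE, WshShell
Dim txtStreamOut, blnReportExists, intAnswer
Dim textOW, textCB, textD, textS, textM

strComputer = "."
strReport = REPORT_DIR & "\" & REPORT_NAME
textOW = ""
textCB = ""
textD = ""
textS = ""
textM = ""

Set FSO = CreateObject("Scripting.FileSystemObject")
If Not FSO.FolderExists(REPORT_DIR) Then FSO.CreateFolder REPORT_DIR

strObject = Trim(InputBox("Please enter the full pathname to the object to process.", "SecurityDescriptorSTD"))
If strObject = "" Then
    MsgBox "You didn't supply the object to process.", vbCritical, SCRIPT_TITLE
    WScript.Quit
End If

'--------------- Checking the accuracy of user input ----------------
If Not (FSO.FolderExists(strObject) Or FSO.FileExists(strObject)) Then
    MsgBox "The object you supplied does not exist!" & vbCrLf & vbCrLf & "Please check your spelling.", vbCritical, SCRIPT_TITLE
    WScript.Quit
End If
' The path is embedded in a single-quoted WMI object path below, so an apostrophe
' cannot be passed through safely; refuse it instead of building a broken path.
If InStr(strObject, "'") > 0 Then
    MsgBox "Paths containing an apostrophe (') cannot be processed by this script.", vbCritical, SCRIPT_TITLE
    WScript.Quit
End If
'--------------- The end of checking the accuracy of user input ----------------

MsgBox "Security descriptor report will be placed in " & REPORT_DIR & "." & vbCrLf & vbCrLf & _
       "In case the report already exists the new report will be appended to the previous one.", vbExclamation, SCRIPT_TITLE

'--------------- Reading the security descriptor through WMI -------------------------------
' (Security) asks WMI to enable SeSecurityPrivilege for this connection, which reading the
' SACL requires. NOTE(review): confirm how this behaves for a non-elevated account; the
' error checks below report a failed connection instead of raising a script error.
On Error Resume Next
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    MsgBox "Can't connect to WMI on " & strComputer & ": " & Err.Description, vbCritical, SCRIPT_TITLE
    WScript.Quit
End If
' Same single-backslash object-path form as the Microsoft samples for this class.
Set objFile = objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strObject & "'")
If Err.Number <> 0 Then
    MsgBox "Can't obtain the security setting for " & strObject & ": " & Err.Description, vbCritical, SCRIPT_TITLE
    WScript.Quit
End If
On Error GoTo 0

' GetSecurityDescriptor returns 0 on success; any other value means the SD could not be read.
If objFile.GetSecurityDescriptor(objSD) <> 0 Then
    MsgBox "Can't read a security descriptor for the object " & strObject & " !" & vbCrLf & vbCrLf & _
           "Note: you must have administrative privileges on target PC.", vbCritical, SCRIPT_TITLE
    WScript.Quit
End If

'--------------- Owner and control flags ------------------------------------------------
textOW = "Owner of the " & strObject & " is " & TrusteeText(objSD.Owner)
textM = "ControlFlags of security descriptor are: " & objSD.ControlFlags & vbCrLf
textCB = ControlFlagsText(objSD.ControlFlags)

'--------------- DACL section ------------------------------------------------------------
If IsNull(objSD.DACL) Then
    ' A missing (NULL) DACL grants full access to everyone; worth calling out explicitly.
    textD = "No DACL is present on " & strObject & " (a missing DACL grants full access to everyone)." & vbCrLf
Else
    For Each objACE In objSD.DACL
        textD = textD & vbCrLf & "DACL Ace Type for: " & TrusteeText(objACE.Trustee) & " is " & vbCrLf & vbCrLf
        textD = textD & AceTypeText(objACE.AceType) & vbCrLf
        textD = textD & vbCrLf & "DACL ACE FLAGS:" & vbCrLf & vbCrLf
        textD = textD & InheritFlagsText(objACE.AceFlags)
        textD = textD & vbCrLf & "AccessMask for Trustee " & TrusteeText(objACE.Trustee) & ":" & vbCrLf & vbCrLf
        textD = textD & AccessMaskText(objACE.AccessMask)
    Next
    If textD = "" Then textD = "DACL is present but contains no entries (nobody is granted access)." & vbCrLf
End If

'--------------- SACL section ------------------------------------------------------------
If IsNull(objSD.SACL) Then
    textS = "Audit for the " & strObject & " is not enabled!" & vbCrLf & vbCrLf
Else
    For Each objACE In objSD.SACL
        textS = textS & vbCrLf & "SACL TYPE:" & vbCrLf
        If objACE.AceType = SYSTEM_AUDIT_ACE_TYPE Then
            textS = textS & "Audit for trustee " & TrusteeText(objACE.Trustee) & " is TURNED ON" & vbCrLf
        Else
            textS = textS & "Unexpected SACL entry for trustee " & TrusteeText(objACE.Trustee) & ": " & AceTypeText(objACE.AceType) & vbCrLf
        End If
        textS = textS & vbCrLf & "SACL FLAGS for trustee: " & TrusteeText(objACE.Trustee) & vbCrLf & vbCrLf
        textS = textS & AuditFlagsText(objACE.AceFlags) & InheritFlagsText(objACE.AceFlags)
        textS = textS & vbCrLf & "AUDIT Mask of the object " & strObject & " for Trustee " & TrusteeText(objACE.Trustee) & " is:" & vbCrLf & vbCrLf
        textS = textS & AccessMaskText(objACE.AccessMask)
    Next
    If textS = "" Then textS = "SACL is present but contains no audit entries." & vbCrLf
End If

'---------- The START of File creation section -------------------------------
blnReportExists = FSO.FileExists(strReport)
On Error Resume Next
' Open for append and create the file when it is missing, so both cases share one writer.
Set txtStreamOut = FSO.OpenTextFile(strReport, FOR_APPENDING, True)
If Err.Number <> 0 Then
    MsgBox "Can't open the report file " & strReport & ": " & Err.Description, vbCritical, SCRIPT_TITLE
    WScript.Quit
End If
On Error GoTo 0
If blnReportExists Then
    txtStreamOut.WriteBlankLines 2
    txtStreamOut.WriteLine "------------------------------------------------------------------ The next report ----------------------------------------------------------------------"
    txtStreamOut.WriteBlankLines 2
End If
txtStreamOut.WriteLine "Object:" & vbTab & strObject & vbTab & "Security descriptor report generated at " & Now
txtStreamOut.WriteBlankLines 2
txtStreamOut.WriteLine textOW
txtStreamOut.WriteLine ""
txtStreamOut.WriteLine textM
txtStreamOut.WriteLine ""
txtStreamOut.WriteLine textCB
txtStreamOut.WriteLine ""
txtStreamOut.WriteLine " DACL Section:"
txtStreamOut.WriteLine ""
txtStreamOut.WriteLine textD
txtStreamOut.WriteLine ""
txtStreamOut.WriteLine " SACL Section:"
txtStreamOut.WriteLine ""
txtStreamOut.WriteLine textS
txtStreamOut.Close
'---------- The END of File creation section -------------------------------

Set objSD = Nothing
Set objFile = Nothing
Set objWMIService = Nothing
Set FSO = Nothing

intAnswer = MsgBox("The report for object " & strObject & " is ready." & vbCrLf & vbCrLf & "Would you like to read it now?", vbYesNo + vbQuestion, SCRIPT_TITLE)
If intAnswer = vbYes Then
    Set WshShell = CreateObject("WScript.Shell")
    ' Quote the report path so Run does not split it on spaces.
    WshShell.Run "%windir%\notepad.exe """ & strReport & """", 3
Else
    MsgBox "You can read the report later from the " & REPORT_DIR & " folder.", vbInformation, SCRIPT_TITLE
End If

'#########################################################################################################
' Helpers
'#########################################################################################################

' Returns "DOMAIN\Name" for a Win32_Trustee, the SID string when the name could not be
' resolved, and a placeholder when the trustee itself is missing.
Function TrusteeText(objTrustee)
    If IsNull(objTrustee) Or IsEmpty(objTrustee) Then
        TrusteeText = "<unknown trustee>"
    ElseIf IsNull(objTrustee.Name) Then
        TrusteeText = objTrustee.SIDString
    Else
        TrusteeText = objTrustee.Domain & "\" & objTrustee.Name
    End If
End Function

' Decodes the SD control flags that matter for this report (DACL/SACL present, protected).
Function ControlFlagsText(lngFlags)
    Dim s
    s = "Control Flags for Security Descriptor:" & vbCrLf & vbCrLf
    If lngFlags And SE_DACL_PRESENT Then
        s = s & "Object DACL is PRESENT" & vbCrLf
    Else
        s = s & "Object DACL is NOT PRESENT" & vbCrLf
    End If
    If lngFlags And SE_SACL_PRESENT Then
        s = s & "Object Audit is TURNED ON" & vbCrLf
    Else
        s = s & "Object Audit is TURNED OFF" & vbCrLf
    End If
    ' "Protected" means inheritance from the parent is blocked for that ACL.
    If lngFlags And SE_DACL_PROTECTED Then
        s = s & "Inheritance of DACL is TURNED OFF!!!" & vbCrLf
    Else
        s = s & "DACL can be inherited" & vbCrLf
    End If
    If lngFlags And SE_SACL_PROTECTED Then
        s = s & "Inheritance of SACL is TURNED OFF!!!" & vbCrLf
    Else
        s = s & "SACL can be inherited" & vbCrLf
    End If
    ControlFlagsText = s
End Function

' Names an ACE type; unknown values are printed numerically.
Function AceTypeText(intType)
    Select Case intType
        Case ACCESS_ALLOWED_ACE_TYPE
            AceTypeText = "ACCESS_ALLOWED_ACE_TYPE"
        Case ACCESS_DENIED_ACE_TYPE
            AceTypeText = "ACCESS_DENIED_ACE_TYPE"
        Case SYSTEM_AUDIT_ACE_TYPE
            AceTypeText = "SYSTEM_AUDIT_ACE_TYPE"
        Case Else
            AceTypeText = "ACE_TYPE is " & intType
    End Select
End Function

' One line per inheritance flag set in lngFlags (shared by DACL and SACL entries).
Function InheritFlagsText(lngFlags)
    Dim s
    s = ""
    If lngFlags And OBJECT_INHERIT_ACE Then s = s & "Child objects that are not containers inherit permissions." & vbCrLf
    If lngFlags And CONTAINER_INHERIT_ACE Then s = s & "Child objects inherit and pass on permissions." & vbCrLf
    If lngFlags And NO_PROPAGATE_INHERIT_ACE Then s = s & "Child objects inherit but do not pass on permissions." & vbCrLf
    If lngFlags And INHERIT_ONLY_ACE Then s = s & "Object is not affected by but passes on permissions." & vbCrLf
    If lngFlags And INHERITED_ACE Then s = s & "Permission have been inherited." & vbCrLf
    If (lngFlags And VALID_INHERIT_FLAGS) = 0 Then s = s & "No inheritance flags set." & vbCrLf
    InheritFlagsText = s
End Function

' Audit-specific ACE flags; only meaningful for SACL entries.
Function AuditFlagsText(lngFlags)
    Dim s
    s = ""
    If lngFlags And AUDIT_SUCCESSFUL_ACCESS Then s = s & "AUDIT_SUCCESSFUL_ACCESS (successful access is logged)" & vbCrLf
    If lngFlags And AUDIT_FAILED_ACCESS Then s = s & "AUDIT_FAILED_ACCESS (failed access is logged)" & vbCrLf
    AuditFlagsText = s
End Function

' One tab-indented line per specific/standard right in lngMask, highest bit first.
' The labels keep the file meaning of each bit (e.g. FILE_LIST_DIRECTORY is "Read" for a file).
Function AccessMaskText(lngMask)
    Dim arrBits, arrNames, i, s
    arrBits = Array(SYNCHRONIZE, WRITE_OWNER, WRITE_DAC, READ_CONTROL, DELETE, _
                    FILE_WRITE_ATTRIBUTES, FILE_READ_ATTRIBUTES, FILE_DELETE_CHILD, FILE_TRAVERSE, _
                    FILE_WRITE_EA, FILE_READ_EA, FILE_ADD_SUBDIRECTORY, FILE_ADD_FILE, FILE_LIST_DIRECTORY)
    arrNames = Array("Synchronize", "Write owner", "Write ACL", "Read security", "Delete", _
                     "Write attributes", "Read attributes", "Delete dir", "Execute", _
                     "Write extended attributes", "Read extended attributes", "Append", "Write", "Read")
    s = ""
    If lngMask = ALL_ACCESS Then s = vbTab & "FULL CONTROL (all rights below)" & vbCrLf
    For i = 0 To UBound(arrBits)
        If lngMask And arrBits(i) Then s = s & vbTab & arrNames(i) & vbCrLf
    Next
    If s = "" Then s = vbTab & "(no rights in mask)" & vbCrLf
    AccessMaskText = s
End Function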