
GET ACL NTFS reports including folders with no access

I need to generate an ACL Report for NAS Shares, even for folders where the local administrators group has been removed from those files.

Some applications can use the privilege to bypass traverse checking and/or bypass NTFS permissions, similar to what robocopy does.

TreeSize is a tool I used, but it does not work in the way I need: it only gets the NTFS ACLs correctly for the first level of the folder where I do not have access, but if there are other subfolders, it fails to obtain the information.

SubInACL seems to work fine, but here is my question: does anyone have an idea how to manipulate the data so this can be accomplished using this tool? The report does not show the permissions directly; instead it shows hex codes representing the actual permissions.

I read that PowerShell might also be able to do this, but I have no idea how and could not find any code related to this.

If you have a good reason to see those permissions, hopefully someone with access can help, or at least grant you the "Read permissions" permission.

Parsing the text from subinacl will take work, as you've noticed. (Scroll down to the permission element for translations of those codes you're asking about.) I've never used ShareEnum from Sysinternals, but maybe that's a step in the right direction.

PowerShell's Get-Acl returns objects, maybe easier to report from. But before Get-Acl will see those subfolders, you might need to change object ownership. PowerShell can do that, depending on the context, but the admins might prefer a friendly knock before you start picking locks, if you catch my drift. Here is some guidance from Server Fault.
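
For the hex codes mentioned in the question, here is an added example (not part of the original posts) that turns an NTFS access mask into readable rights with the .NET `FileSystemRights` enum, including the generic bits that the enum does not name. It assumes the hex masks have already been pulled out of the report; `ConvertFrom-AccessMask` and the sample masks are made up for illustration.

```powershell
# Added example: decode NTFS access-mask hex values into readable rights.
# Generic rights (top four bits) are not FileSystemRights members, so map them
# to the file-specific rights Windows substitutes for them on files and folders.
$GenericRights = @(
    @{ Name = 'GENERIC_READ';    Bit = [Convert]::ToInt64('80000000', 16); Maps = 0x120089 }
    @{ Name = 'GENERIC_WRITE';   Bit = [long]0x40000000;                   Maps = 0x120116 }
    @{ Name = 'GENERIC_EXECUTE'; Bit = [long]0x20000000;                   Maps = 0x1200A0 }
    @{ Name = 'GENERIC_ALL';     Bit = [long]0x10000000;                   Maps = 0x1F01FF }
)
$AllFileBits = [long]0x1F01FF   # FullControl: every bit FileSystemRights defines

function ConvertFrom-AccessMask {
    param([Parameter(Mandatory)][string]$HexMask)

    # Parse as Int64 so a mask with the top bit set does not become negative.
    $mask = [Convert]::ToInt64(($HexMask -replace '^0x', ''), 16)

    # Replace each generic bit with the specific rights it stands for.
    $generic = @()
    foreach ($g in $GenericRights) {
        if ($mask -band $g.Bit) {
            $generic += $g.Name
            $mask = ($mask -band (-bnot $g.Bit)) -bor $g.Maps
        }
    }

    # Only cast bits the enum defines; report anything else separately.
    $known   = [int]($mask -band $AllFileBits)
    $unknown = $mask -band (-bnot $AllFileBits)

    [pscustomobject]@{
        Mask        = $HexMask
        Generic     = $generic -join ', '
        Rights      = [System.Security.AccessControl.FileSystemRights]$known
        UnknownBits = '0x{0:X}' -f $unknown
    }
}

# Constructed sample masks, not taken from a real report.
'0x1F01FF', '0x1200A9', '0x1301BF', '0x10000000', '0xA0000000' |
    ForEach-Object { ConvertFrom-AccessMask $_ } |
    Format-Table -AutoSize
```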
