Scott,

Thanks for the info. I did originally write a nested FOR loop which also worked well. I guess I've certainly learned the power of PowerShell having squashed this down to a line or two.
I'll look into the links you've provided but may have to resurrect the FOR loops :(

On 10 Sep 2010, at 17:47, Scott Webster <[email protected]> wrote:

> Jason,
>
> You have a difficult road ahead of you.
>
> Take a look at this:
> http://gallery.technet.microsoft.com/ScriptCenter/en-us/a7f4694d-c71b-4b47-a781-4c4f832e87d7
>
> and use this to make the changes to look for the specific ACE you have.
>
> http://msdn.microsoft.com/en-us/library/aa394063(VS.85).aspx
>
> Also pay attention to the ACEType, there you will find your Denied entries.
>
> You may want to consider using one of the tools mentioned before combined
> with psexec with the -c switch to copy the exe to the remote computer.
>
> OR just use CACLS to enumerate the ACE's. You could even take text output
> and parse it. It may be easier than writing the WMI/WMIC code.
>
> Good luck,
>
> Scott
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Jason Jarvis
> Sent: Friday, September 10, 2010 8:39 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] WMIC guru's - come in!
>
> Sorry I should have said, in true Ed style I want to be able to use built in
> tools.
>
> On 10 Sep 2010, at 16:32, Bugbear <[email protected]> wrote:
>
>> oldie but goodie
>>
>> DumpSec, its free, will allow you to filter for specific user or
>> group, and only dump sub folders/files that differ from root folder
>>
>> http://www.systemtools.com/download/dumpacl.zip
>>
>> On Fri, Sep 10, 2010 at 10:01 AM, Pommerening, Jeremy
>> <[email protected]> wrote:
>>> Take a look at accessenum and shareenum and see if they'll do what you
>>> want. They're part of the sysinternals tool suite.
>>>
>>> http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
>>>
>>> Jeremy Pommerening
>>> MGR, Information Security
>>> Symbion, Inc.
>>> GIAC - GCFA GPEN GAWN GCFW
>>> GIAC Advisory Board Member
>>> MCSE Win2K, MCSE NT4,
>>> CompTia SERVER+, HP APS
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of k41zen Me
>>> Sent: Friday, September 10, 2010 5:10 AM
>>> To: PaulDotCom Security Weekly Mailing List
>>> Subject: [Pauldotcom] WMIC guru's - come in!
>>>
>>> I need to conduct folder permissions audit on folders with specific names
>>> and then check to make sure that a specific group is explicitly denied.
>>>
>>> I produced some powershell code to do that and was fairly happy:
>>>
>>> Get-Childitem -path S: -recurse -include *classified*,*sensitive*,restricted* -exclude *notsensitive* |
>>>     where { $_.PSIsContainer } |
>>>     Get-Acl |
>>>     where { $_.AccessToString -notmatch "DOMAIN\\GROUP" } |
>>>     select PSPath, AccessToString |
>>>     export-csv outputfilename.csv
>>>
>>> This works a treat until I realised that there are 140 remote locations
>>> where I don't have powershell installed. Considering the time to get this
>>> deployed and the latest Dave Kennedy/Josh Kelly work, this may not be the
>>> ideal solution. I do have WMI to hand though.
>>>
>>> Before I begin to fry my brain with working out how to do this, has
>>> anyone done something similar in WMIC? I know some of the commandlinekungfu
>>> kings are on this list.
>>>
>>> Grateful for any help.
>>>
>>> k41zen
>>>
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
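
An added example, not code from any of the posters: the audit described in the thread, done over WMI from a single workstation that has PowerShell, using Win32_Directory to find the folders and the AceType field of Win32_LogicalFileSecuritySetting's security descriptor to look for the Deny entry. REMOTEHOST is a placeholder; the script assumes S: is a local drive on the remote machine and that "explicitly denied" means a non-inherited Deny ACE.

```powershell
# Added example. REMOTEHOST is a placeholder; drive, group and name patterns are the thread's.
param(
    [string]$Computer = 'REMOTEHOST',
    [string]$Drive    = 'S:',
    [string]$Group    = 'DOMAIN\GROUP'
)

$ACCESS_DENIED = 1      # Win32_ACE.AceType: 0 = allow, 1 = deny, 2 = audit
$INHERITED_ACE = 0x10   # Win32_ACE.AceFlags bit that marks an inherited entry

# Pre-filter on the remote side. Win32_Directory.FileName is the folder name
# without any ".ext" part, so names containing dots need a wider filter.
$filter = "Drive='$Drive' AND (FileName LIKE '%classified%' " +
          "OR FileName LIKE '%sensitive%' OR FileName LIKE 'restricted%')"

Get-WmiObject -ComputerName $Computer -Class Win32_Directory -Filter $filter |
    Where-Object { $_.FileName -notlike '*notsensitive*' } |
    ForEach-Object {
        $path = $_.Name
        # WQL string literals need backslashes and single quotes escaped.
        $wqlPath = $path.Replace('\', '\\').Replace("'", "\'")
        $sec = Get-WmiObject -ComputerName $Computer `
                   -Class Win32_LogicalFileSecuritySetting -Filter "Path='$wqlPath'"
        $result = $sec.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "Could not read the security descriptor of $path"
            return
        }
        # Assumption: "explicitly denied" means a Deny ACE set on the folder itself,
        # so inherited entries are ignored. Drop the AceFlags test to count them too.
        $deny = @($result.Descriptor.DACL | Where-Object {
            $_.AceType -eq $ACCESS_DENIED -and
            -not ($_.AceFlags -band $INHERITED_ACE) -and
            "$($_.Trustee.Domain)\$($_.Trustee.Name)" -eq $Group
        })
        if ($deny.Count -eq 0) {
            # Report only the folders that lack the Deny entry.
            New-Object PSObject -Property @{ Computer = $Computer; Path = $path }
        }
    } | Export-Csv -NoTypeInformation outputfilename.csv
```

Unlike a text match on the group name, this reports a folder where the group appears only in an Allow entry, because the test is on the ACE type rather than on the trustee being mentioned at all.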
