
NT4.0 Migration to Windows 2003: Using PERMS.EXE

Posted on 2015-5-4 09:20:34
PERMS.EXE  

1.1         Perms.exe: User File Permissions

User File Permissions (Perms) is a command-line tool that displays user access permissions for a file or directory on an NTFS file system volume.  Perms queries the permissions associated with a specific access control entry (ACE), displaying only those permissions granted by that particular ACE.
Access control entry (ACE): An entry in an object's discretionary access control list (DACL) that grants permissions to a user or group.  An ACE is also an entry in an object's system access control list (SACL) that specifies the security events to be audited for a user or group.

1.1.1              Corresponding Operating System Features

  You can also use Windows Explorer to view effective permissions on files and folders.
To view permissions with Windows Explorer:
1.      Right-click the file or folder, and then click Properties.  
2.      Click Security.  
3.      Click Advanced to view the Advanced Security Settings dialog box.  
4.      Click Effective Permissions.  
5.      Click Select to open the Select User or Group dialog box.  
6.      Type the user name or group name for which you would like to view permissions, and then click OK.  

1.1.2              Concepts

The ability of an operating system to access files on a volume depends on the file system with which the volume was formatted.  The major types of formatting are File Allocation Table (FAT)16, FAT32, and NTFS.
The file allocation table in the FAT file system is located at the beginning of a logical volume.  FAT was designed for small disks and simple folder structures.  Two copies of the file allocation table are stored in the volume.  In the event that one copy of the file allocation table is corrupt, the other file allocation table is used.
The NTFS file system provides performance, reliability, and functionality not found in FAT.  Some of the new features are Active Directory directory service and the storage features based on reparse points.  NTFS also includes security features required for file servers and high-end personal computers in a corporate environment, and data access control and ownership privileges important for data integrity.

1.2        System Requirements

There is one system requirement for this tool: Windows Server 2003
Permissions:
·         Membership in the Administrators group for the domain or computer where the account of the user is defined.  
·         Backup files and folders privileges on the computer where the files are stored.  

1.3        File Required

·         Perms.exe
For more information on file systems, see File Systems in Microsoft Windows 2000 Server Operations Guide in the Microsoft Windows 2000 Server Resource Kit (or see "File Systems"(http://go.microsoft.com/fwlink/?LinkID=12636) at http://www.microsoft.com/reskit).  

1.4        Perms Remarks

1.4.1              Setting Permissions

NTFS is the primary Windows Server 2003 file system.  Partitions formatted with NTFS can have their files and folders secured using NTFS permissions.  You can set file permissions on files and folders that specify which groups and users have access to them, and what level of access is permitted.  NTFS file and folder permissions apply both to users working at the computer where the file is stored and to users accessing the file over the network where the file is in a shared folder.  You can also use file attributes (read-only, hidden, system) to limit file access.
Yet another feature for managing security is the use of inheritable permissions.  The Security dialog box offers the option to Allow inheritable permissions from parent to propagate to this file object and it is enabled by default.  This feature significantly reduces the time and input and output work required to change the permissions of many files and subfolders.  For example, suppose a user wants to change the permissions on a tree consisting of several thousand files.  With Windows NT 4.0, each file and folder needs to be individually changed.  However, with subsequent releases of Windows, if the folders and files inherit permissions, they only need to be set for the top-level folder.
Note: The FAT16 and FAT32 file systems are not recommended for most purposes because they lack the permissions feature.  
To configure NTFS permissions on a file, folder, or NTFS volume, you must be a member of the Administrators group, have Full Control permission, or be the owner of the file, folder, or volume.  NTFS permissions must be explicitly applied to a file or folder to grant a user access to it.  If a file has no permissions specified for a particular user or for the groups to which the user belongs, the user does not have access to the file.
When you assign permissions to an existing folder, all subfolders and files within the parent folder inherit, by default, the permissions assigned to the parent.  When you create a new file or folder on an NTFS volume, the new file or folder automatically inherits the permissions assigned to its parent folder.  If you assign a user or group permission on a folder, the user or group is granted, by default, Read and Execute, List Folder Contents, and Read permissions for the folder.  You can then change these permissions to whatever kind of access you want the user or group to have.  Similarly, if you assign a user or group permission on a file, the user or group is granted, by default, two permissions for the file: Read and Execute, and Read.  You can change these permissions to whatever kind of access you want the user or group to have.  When you assign a particular NTFS permission to a file or folder, you can either explicitly allow the permission to grant the user or group access to the object, or you can explicitly deny the permission to prevent the user or group from accessing it.  For more information on permissions, see "File Systems" in Microsoft Windows 2000 Server Operations Guide in the Microsoft Windows 2000 Server Resource Kit (or see "File Systems" (http://go.microsoft.com/fwlink/?LinkID=12636) on the Web at http://www.microsoft.com/reskit).

1.4.2              Interpreting Access Masks in Perms Output

The following masks are used in Perms output:


Access Mask    Description
R              Read.  Allows or denies the viewing of attributes of a file or folder, such as read-only and hidden.  Attributes are defined by NTFS.
W              Write.  Allows or denies changes to attributes of a file or folder, such as read-only or hidden.  Attributes are defined by NTFS.
X              Execute.  Allows or denies the running of program files (applies to files only).
D              Delete.  Allows or denies deletion of a file or folder.  If you do not have Delete permission on a file or folder, you can still delete it if you have been granted the Delete Subfolders and Files permission on the parent folder.
P              Change Permissions.  Allows or denies changes to permissions for the file or folder, such as Full Control, Read, and Write.
O              Take Ownership.  Allows or denies the taking of ownership of the file or folder.  The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
A              General All.
-              No Access.
*              The specified user is the owner of the file or directory.
#              A group the user is a member of owns the file or directory.
?              The access permissions of the user cannot be determined.

1.5        Perms Syntax

Perms uses the following syntax:
·         perms [Domain\|Computer\]UserName [Path\]FileName [/i] [/s] [/?]

Parameters

[Domain\|Computer\]UserName
Specifies the name of the user whose permissions are to be checked, in the Domain\UserName, Computer\UserName, or local UserName format.  
[Path\]FileName
Specifies the path and name of a file or folder in any legal format, including Universal Naming Convention (UNC) names (\\).  You can use the * or ? wildcard characters.  
/i
Indicates that the specified user is logged on interactively to the computer where the file or folder resides.  If the /i parameter is omitted, Perms assumes that the user is logged on over the network and is a member of the Network security group.  
/s
Checks permissions on files in subdirectories.  
/?
Displays command-line usage.  

1.6        Perms Examples

1.6.1          Example: View Permissions for a File

  To view the permissions granted by the ACE to rkt-harndom\administrator, type the following at the command line:
  perms rkt-harndom\administrator "C:\Program Files\Windows Server 2003 Resource Kit\tmp"
  Press ENTER.  The following output is displayed:
C:\Program Files\Windows Server 2003 Resource Kit\tmp\         perms: #-------
  This output means that a group of which rkt-harndom\administrator is a member owns the file, but that rkt-harndom\administrator does not have access to the file.
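
The following is an added example, not part of the original post or the Resource Kit: a Python parser that decodes Perms output lines with the access-mask legend above and lists the paths where the checked user holds Change Permissions, Take Ownership or General All, or where access could not be determined. The line layout (path, whitespace, "perms:", mask characters) is an assumption inferred from the single sample line above, and every sample line except the first is constructed.

```python
import re

# Legend taken from the access-mask table above.
MASKS = {
    "R": "Read", "W": "Write", "X": "Execute", "D": "Delete",
    "P": "Change Permissions", "O": "Take Ownership", "A": "General All",
}
OWNERSHIP = {"*": "user is owner", "#": "a group of the user is owner"}
# Rights that let the user rewrite the DACL or seize the object.
CONTROL_RIGHTS = {"P", "O", "A"}

# Assumed layout, inferred from the single sample line on the page:
#   <path><whitespace>perms: <mask characters>
LINE_RE = re.compile(r"^(?P<path>.+?)\s+perms:\s*(?P<mask>\S+)\s*$")

def parse_perms_line(line):
    """Decode one Perms output line; return None if it is not a result line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mask = m.group("mask")
    unknown = sorted(set(mask) - set(MASKS) - set(OWNERSHIP) - {"-", "?"})
    if unknown:
        raise ValueError(f"unexpected mask characters {unknown} in {line!r}")
    return {
        "path": m.group("path"),
        "rights": [name for c, name in MASKS.items() if c in mask],
        "owner": next((v for c, v in OWNERSHIP.items() if c in mask), None),
        "undetermined": "?" in mask,
        "control": sorted(CONTROL_RIGHTS & set(mask)),
    }

def review(lines):
    """Return paths where the user holds control rights or access is unknown."""
    findings = []
    for line in lines:
        entry = parse_perms_line(line)
        if entry and (entry["control"] or entry["undetermined"]):
            findings.append(entry["path"])
    return findings

# Constructed sample input; only the first line is the output shown on the page.
SAMPLE = [
    r"C:\Program Files\Windows Server 2003 Resource Kit\tmp\         perms: #-------",
    r"D:\Shares\Finance\budget.xls         perms: *RWXDPO-",
    r"D:\Shares\Finance\readme.txt         perms: R-X-----",
    r"D:\Shares\HR\locked.doc         perms: ?",
]
```

Running review(SAMPLE) returns the two constructed paths that need attention before migration; the page's own sample line decodes to group ownership with no rights granted.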
