EnCase EnScript to list and resolve all the file permissions on a drive
I recently had a need to create a list of users who had data on a disk. One of the solutions I came up with was to go through every file on the disk and look at the owner permission. Once I had the owner's SID, I wanted to get the corresponding username so I used the PsGetSid utility from Sysinternals.
To automate this, I created an EnScript wrapper to recurse through all the files on a disk, get a list of unique SIDs, then pass the SID to the PsGetSid utility, then create an Excel spreadsheet with the SID, username, total number of files that user has and the total number of bytes those files occupy.
The first time you run the EnScript it will ask where the PsGetSid executable is and then remember that for the future. The command line options are in case you are running this EnScript on a non-domain machine, but want to resolve domain SIDs. You can then specify a domain machine to query against by specifying a \\computername -u username -p password option as articulated in the psgetsid syntax help:
Usage: psgetsid [\\computer[,computer2[,...] | @file] [-u Username [-p Password]]] [account | SID]
     -u         Specifies optional user name for login to
                remote computer.
     -p         Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
     account    PsGetSid will report the SID for the specified user account
                rather than the computer.
     SID        PsGetSid will report the account for the specified SID.
     computer   Direct PsGetSid to perform the command on the remote
                computer or computers specified. If you omit the computer
                name PsGetSid runs the command on the local system,
                and if you specify a wildcard (\\*), PsGetSid runs the
                command on all computers in the current domain.
     @file      PsGetSid will execute the command on each of the computers listed
                in the file.
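The per-SID roll-up and the PsGetSid argument list described above, sketched in Python as an added example (this is not the EnScript itself). The function names, sample SIDs, account names and the dictionary used in place of a real PsGetSid call are all constructed for illustration.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"S-1-\d+(-\d+)+")  # common decimal string form of a SID

def psgetsid_argv(exe, sid, computer=None, user=None, password=None):
    """Build the argument list in the order given by the usage text above."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID: %r" % sid)
    argv = [exe]
    if computer:
        argv.append("\\\\" + computer.lstrip("\\"))
        if user:
            argv += ["-u", user]
            if password:  # when omitted, PsGetSid prompts for a hidden password
                argv += ["-p", password]
    argv.append(sid)
    return argv  # hand this list to subprocess.run as-is; no shell is involved

def summarize(entries, resolve):
    """entries: (owner_sid, size_in_bytes) pairs; resolve: SID -> name or None.
    Each unique SID is resolved once, however many files it owns."""
    totals = defaultdict(lambda: [0, 0])
    for sid, size in entries:
        totals[sid][0] += 1
        totals[sid][1] += size
    rows = []
    for sid in sorted(totals):
        files, size = totals[sid]
        rows.append((sid, resolve(sid) or "(unresolved)", files, size))
    return rows

def to_tsv(rows):
    """Tab-delimited text that can be pasted straight into Excel."""
    lines = ["SID\tUsername\tFiles\tBytes"]
    lines += ["\t".join(str(v) for v in row) for row in rows]
    return "\n".join(lines)

# Constructed sample data: owner SID and size of each file.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
GONE = "S-1-5-21-1111111111-2222222222-3333333333-1007"
ENTRIES = [(USER, 4096), ("S-1-5-18", 512), (USER, 1000), (GONE, 20)]
# Stand-in resolver with constructed names; a real one would run psgetsid_argv().
NAMES = {USER: "EXAMPLE\\alice", "S-1-5-18": "NT AUTHORITY\\SYSTEM"}

if __name__ == "__main__":
    print(to_tsv(summarize(ENTRIES, NAMES.get)))
    print(psgetsid_argv("psgetsid.exe", USER, computer="dc01", user="EXAMPLE\\analyst"))
```

A SID that no longer resolves, such as one belonging to a deleted account, stays in the report under its raw SID, so its files are still counted.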
To run:
Select (blue check) the files you want to process, then run. Once completed, the output will be in the console tab and it can then be selected and pasted into Excel (it's tab delimited). It will look similar to this: