3 Replies Latest reply on Mar 20, 2017 12:46 PM by Bill Robinson

    Audit Windows permissions

    Nick Chard

      Hi,

       

      Can anyone offer some advice on snapshot and auditing Windows permissions?

       

      I want to snapshot the permissions on a Windows folder, then create an audit job to run against other servers that contain the same folder. If the permissions are different I want to Sync With Master and use the same permission on the folder from the snapshot.

       

      I've created a snapshot job, and selected my folder in the Server Objects tabs. In the snapshot/audit options I have selected:

       

      Directory Inherit Auditing ACL (Windows NTFS) (Windows) true

      Directory Inherit Permission ACL (Windows NTFS) (Windows) true

      Directory Permission ACL (Windows NTFS) (Windows) true

       

      nothing else is selected. In the includes/excludes section I have left Recurse subfolders unticked.

       

      I have created an audit job with exactly the same settings. When I run the audit job, it shows the differences in ACLs and it also shows the differences in the contents of the folder I am auditing. If I run a SyncWithMaster, the package that is created adds/removes the permissions, but it also adds/removes the contents of the folder to make it the same as the master.

       

      How can I prevent the contents from being synced? For the purposes of this audit I only want the permissions on the folder to be the same. The folder contents are expected to be different, so I want them to be ignored.

        • 1. Re: Audit Windows permissions
          Justan Suss

          This is my exact experience as well. I'm using BSA 8.7, any info is appreciated.

          • 2. Re: Audit Windows permissions
            Justan Suss

            Hey Nick,

             

            Not sure where you're at with this. For now I seem to be having success with simply doing a *.* in the EXCLUDES of the affected parts in my component template I'm using for the audit job.

             

            I don't know if this is something I can do for files with no extension, in that I don't know if BSA can tell the difference between a Windows file and a Windows folder / directory, but this has got me through my immediate task.

             

            I would prefer a filter to be applicable to the REMEDIATION job. That'd let me use 1 template for simple drift reporting AND for remediation, but I don't see anything that gives me that flexibility... hoping I'm wrong though.

            • 3. Re: Audit Windows permissions
              Bill Robinson

              The same template can be used for compliance and change tracking - just enable each operation on the part.