6 Replies Latest reply on Sep 10, 2012 3:00 PM by Bill Robinson

    Compliance on FileSystem permissions in Windows

      Hi,

      I need to check FS permissions on Windows with a Compliance Job.

      How to define a rule?

      I'm not getting the properties associated to a Windows folder that can help me set these permissions.

      For example, I need to verify that only Administrators have read, write and execute permissions on filesystem C:.

       

      Regards,

      Stefano

        • 1. Re: Compliance on FileSystem permissions in Windows
          Ashitosh Wagh

          Hi Stefano,

           

          Easy way to do this create NSH script like below  and create NSH JOB and execute on targets.

           

           

          #!/bin/nsh

          host=$NSH_RUNCMD_HOST

           

          Drive=C:\

          filename=C:\temp

          echo "Checking $filename permission on $host"

           

              nexec $host cacls "C:\temp" | grep  Administrators

           

          ## Here I am just checking Administrator has permission or not

          ## For other condition like other than administrator has permission then retrun non zero value 

          ##  & check that value in if condition in short modify above command as per ur requirement.

           

              if [ $? -eq 0 ];then

              echo " Administrator user has Permission on $filename On Machine: $host"

              exit 0

              else

              echo " Administrator is not having Permissions on $filename On Machine: $host"

              exit 1

              fi

           

          Import this NSH script in depot and create NSH job and execute.

           

          Mark the answer as Correct if it solves your Problem.

           

          Thanks

          Ashitosh

          1 of 1 people found this helpful
          • 2. Re: Compliance on FileSystem permissions in Windows
            Ashitosh Wagh

            Hi Stefano,

             

            If you want to Use Compliance Job for this, you need to use Extended Object.

            Add NSH script as Extended Object, Create Rule using that extended Object.

            Discover Coponents and create Compliance Job and execute it.

             

            Mark the answer as Correct if it solves your Problem.

             

            Thanks

            Ashitosh

            • 3. Re: Compliance on FileSystem permissions in Windows

              NSH is a way, but I don't like how it outputs the result.

              Is it possible to create compliance rules on template?

              • 4. Re: Compliance on FileSystem permissions in Windows
                Ashitosh Wagh

                Hi Stefano,

                 

                You can create Compliance Rule on Template.

                Open template in which you want to add Compliance Rule.

                Go to Parts Tab on Template and Click on + sign to add part. Traverse to any added Server -> Filesystem->temp

                Directory and add that part to template.(Select dir on which you want to check permission..I selected temp)

                 

                After adding double click on Part and enable it for Compliance,Browse etc.

                Then, Click on Compliance tab on Template ...Part just added is listed there.

                Now, Add rule  for this Part with following condition.

                 

                "Directory:/C/temp"."ACL Owner (Windows NTFS) (Windows)" = "BUILTIN\Administrators"

                 

                save Rule and template.

                 

                Create Compliance Job and execute on number of targets  you want to execute.

                 

                There are different permission options available while adding Rule ...you need to choose as per your requirement and compare with valid condition.

                 

                As per your requirement modify condition.

                 

                Thanks

                Ashitosh

                • 5. Re: Compliance on FileSystem permissions in Windows

                  Ok Ashitosh, thanks.

                  I hoped there was another way to check that..

                  Regards,

                  Stefano

                  • 6. Re: Compliance on FileSystem permissions in Windows
                    Bill Robinson

                    what other way were you looking for?  or how else did you envision this working ?