ACL Viewer

 

Overview
ACLViewer provides a quick and simple way to browse the Windows file permissions that have been assigned to a folder structure. It can also be used to determine whether a user has access to a specified folder structure.  ACLViewer makes use of the Windows User Rights\Privileges to enable the browsing and viewing of the permissions set on the file system.  The folder structure can be browsed irrespective of the permissions that have been assigned on the file system, as long as the user is a member of the local Administrators group with the Backup user right assigned.

Features

        • Can be used to view local or remote folder structures
        • Familiar Windows Explorer style interface
        • Provides a graphical representation of the permissions inheritance in the file structure
        • Provides a graphical representation of the folders that a selected trustee can access
        • Perform recursive searches of a folder structure to identify any sub folders that do not inherit permissions
        • Two modes of use - Permissions Mode and Trustee Mode

Interface
The picture below shows the elements of the user interface

If the program is run without administrator rights or the user context does not have the Backup user right, the following error message is displayed on the status bar at the bottom of the screen when the program starts.

Mode of Use
When using ACLViewer the program must be run with Run As Administrator permissions or some of the folders and ACLs may be inaccessible.
Enter the path in the Path field (this can be a local drive or a network share) and click Go. The directory structure is then displayed in the Directory pane.  Clicking on a folder displays the permissions assigned to that folder in the ACL pane.  Clicking on one of the individual ACEs in the ACL pane displays the rights assigned to that ACE in the ACE pane.

Context Menu
The directory pane has a context menu that provides several additional options.

Copy Path - copies the path of the current selected folder to the clipboard
Display Blocked Inheritance - this option is only available in Permissions Mode.  When selected, it enumerates all subfolders of the selected folder, then expands and displays any folders that don't inherit permissions from the parent folder.  This feature is useful for finding subfolders that will not inherit permission changes made to a folder higher up the tree.
Properties - Display the Windows Explorer file properties dialog for the currently selected folder
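
The same kind of check as Display Blocked Inheritance can be scripted for reporting. The following is an added example, not ACLViewer's own code; Find-BlockedInheritance is a hypothetical function name and the UNC path in the usage comment is a placeholder.

```powershell
# Added example, not part of ACLViewer. Find-BlockedInheritance is a hypothetical name.
function Find-BlockedInheritance {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable listErrors |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                # Folders whose ACL cannot be read are reported, not silently dropped.
                Write-Warning "ACL not readable: $($dir.FullName)"
                return
            }
            # AreAccessRulesProtected is true when the DACL does not inherit from the parent.
            if ($acl.AreAccessRulesProtected) {
                $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
                [pscustomobject]@{
                    Path         = $dir.FullName
                    Owner        = $acl.Owner
                    ExplicitAces = $explicit.Count
                    Trustees     = ($explicit.IdentityReference.Value | Sort-Object -Unique) -join '; '
                }
            }
        }

    # Folders that could not be enumerated at all (for example, access denied).
    foreach ($e in $listErrors) { Write-Warning "Not enumerated: $($e.Exception.Message)" }
}

# Usage (placeholder path):
# Find-BlockedInheritance -Root '\\server\share\dept' | Format-Table -AutoSize
```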

Permissions Mode (PM)
Permissions Mode allows you to view which permissions are assigned and inherited down the file structure. Permissions Mode is selected by default when the program is started. Enter the path and click Go; the Directory pane displays the specified folder and you can browse the directory structure.  If there is an issue accessing the specified path, the corresponding error is displayed in the bottom status bar. The inheritance of permissions down the folder structure is represented by the icons used in the Directory pane; see the Icons section for their meanings.

While Permissions Mode is used to browse folder structures, it can also be used to view the permissions on individual files. However, you cannot browse to files; you have to specify the full path of the file in the Path field.

Trustee Mode (TM)
Trustee Mode allows you to select a trustee (user, group, or computer), and the Directory pane then indicates whether the selected trustee has permissions assigned on each folder.  Trustee Mode may not be 100% representative of the trustee’s access rights, as the trustee may receive more or different rights based on how the trustee accesses the folder. The permissions on a share may also block the trustee’s access.

ACLViewer doesn't use the user's account to check whether access is available. Instead, it builds an access token containing the list of groups that the trustee is a member of, and then uses this generated access token to check whether the folder has any ACEs assigned that are relevant to the trustee.  The list of groups in the generated access token is derived by querying AD for the trustee's TokenGroups attribute, which contains all the trustee's AD group memberships.  Based on the configuration options selected, the well-known SIDs are also added to the generated access token.  ACLViewer then queries the local groups of the selected computer to determine whether the trustee is a member of any local groups, and these are added to the generated access token.

You can view the SIDs in the generated access token by double clicking on the trustee name displayed next to the Trustee button.

To select Trustee Mode, click on the Trustee button and the following dialog will be displayed:

The Computer section provides the ability to select the local computer or a remote computer. If the remote computer option is selected, the local groups on the selected computer will be used to determine the trustee's group membership.

The Trustee section lets you select the user, group, or computer to be used. If the domain is not specified, the current domain of the machine running ACLViewer is used.

The Configuration section lets you select the method the user will use to access the specified path. This defines which additional well-known SIDs will be added to the trustee's generated access token.  The Connection Type has the following options:
            Network
            Terminal Server (RDP)
            Interactive
            Batch
            Service
            Dialup

When the directory structure is browsed, the trustee's generated access token is used to check whether one of the entries provides the trustee with access to the folder.  The icon of the folder signifies whether the ACL of the folder has an ACE associated with the trustee; see the Icons section for details on their meanings.  The icon only represents whether the user has rights. It doesn't differentiate what access the user has (i.e. read, write or full control); you need to check the permissions assigned to the folder to determine the level of access the user has.

When the ACL is displayed, any ACEs that match an entry in the trustee's list of groups are shown with an icon that has a green tick. You can then review which permissions the trustee will be granted or denied on the folder.
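
The SID-set matching described above can be sketched as follows. This is an added example, not ACLViewer's code: the function names are hypothetical, the pairing of Connection Type options with well-known SIDs and the always-included Everyone and Authenticated Users SIDs are assumptions, and local group membership on the target computer is left out.

```powershell
# Added example, not ACLViewer's code; function names are hypothetical.
# The SIDs are documented Windows well-known SIDs; their pairing with the
# dialog's Connection Type options is an assumption.
$ConnectionSid = @{
    'Network' = 'S-1-5-2'; 'Terminal Server (RDP)' = 'S-1-5-14'; 'Interactive' = 'S-1-5-4'
    'Batch'   = 'S-1-5-3'; 'Service' = 'S-1-5-6';                'Dialup'      = 'S-1-5-1'
}

function Get-TrusteeSidSet {
    param([Parameter(Mandatory)][string]$DistinguishedName,   # trustee's AD DN
          [Parameter(Mandatory)][string]$ConnectionType)
    if (-not $ConnectionSid.ContainsKey($ConnectionType)) { throw "Unknown connection type: $ConnectionType" }
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # tokenGroups is a constructed attribute and must be requested explicitly.
    $entry.psbase.RefreshCache([string[]]@('objectSid', 'tokenGroups'))
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($attr in 'objectSid', 'tokenGroups') {
        foreach ($bytes in $entry.psbase.Properties[$attr]) {
            [void]$sids.Add([System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0).Value)
        }
    }
    # Assumption: Everyone and Authenticated Users are always part of the set.
    foreach ($s in 'S-1-1-0', 'S-1-5-11', $ConnectionSid[$ConnectionType]) { [void]$sids.Add($s) }
    return ,$sids
}

function Get-MatchingAce {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl,
          [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$SidSet)
    # Request identities as SIDs so no name translation is needed.
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $SidSet.Contains($_.IdentityReference.Value) } |
        Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                      AccessControlType, FileSystemRights, IsInherited
}

# Constructed demo (no AD needed): a DACL that denies NETWORK and allows
# Authenticated Users read and execute, matched against a constructed SID set.
$demo = [System.Security.AccessControl.DirectorySecurity]::new()
$demo.SetSecurityDescriptorSddlForm('D:(D;OICI;FA;;;NU)(A;OICI;0x1200a9;;;AU)')
$set = [System.Collections.Generic.HashSet[string]]::new([string[]]@('S-1-1-0', 'S-1-5-11', 'S-1-5-2'))
Get-MatchingAce -Acl $demo -SidSet $set    # both ACEs match; the Deny applies to network access

# With AD (placeholder DN and path):
# Get-MatchingAce -Acl (Get-Acl -LiteralPath 'D:\Data') -SidSet (Get-TrusteeSidSet 'CN=...' 'Network')
```

As with the folder icons, a match only shows that an ACE is relevant to the trustee; the Allow and Deny entries and their rights still have to be read to work out the resulting access.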

To return to Permissions Mode, click on the Clear button. 

This is a screenshot of the Trustee Mode:

Icons
The table below shows the meaning of the icons that are used in ACLViewer. PM and TM signify the mode in which each icon is used.

ACL - Icons