Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
Table 10.22 lists the authorization troubleshooting and administration tools that are shipped with Windows Server 2003 or as part of the Windows Server 2003 resource kit or the Windows Server 2003 support tools.
Tool | Explanation |
---|---|
Windows Server 2003 | |
cacls | A command-line tool to view and update file system ACLs. |
Whoami | Can be used to look at the content of a user’s access token (use the /all switch). |
Resource Kit Tools | |
Showpriv | A command-line tool that displays the privileges granted to users and groups. |
ntrights | A command-line tool that can be used to grant or revoke Windows 2000 rights for a user or group. |
permcopy | A command-line tool that copies share permissions and file ACLs from one share to another. |
showacls | A command-line tool that enumerates access rights for files, folders, and trees. |
subinacl | A command-line tool to transfer security information from user to user, from local or global group to group, and from domain to domain. |
showmbrs | A command-line tool that shows the user names of members of a given group. |
Support Tools | |
Acldiag | A command-line tool that helps diagnose and troubleshoot problems with permissions on Active Directory objects. |
ADSIEdit | Very useful tool to administer the permissions on AD objects. |
Dsacls | A command-line tool to manage the ACLs of AD objects. |
Ldp | A GUI-based tool that can display the raw content of an AD object’s security descriptor (in the SDDL format). |
Sidwalker | Sidwalker consists of three separate programs. Two of these, Showaccs and Sidwalk, are command-line tools for examining and changing ACEs. The third, Security Migration Editor, is an MMC snap-in for editing the mapping between old and new SIDs. |
Sdcheck | A command-line tool that displays the security descriptor for any AD object. |
xcacls | A command-line tool that can be used to set all file-system security options accessible in Windows Explorer from the command line. |
More Information on Managing Windows Authorization Settings Using Scripting and WMI

It is possible to automate the security descriptor configuration with scripts instead of using the ACL Editor. Leveraging WMI Scripting by Alain Lissoir (Digital Press, 2003) demonstrates how this can be achieved for the registry, the file system (files and folders), the WMI CIM repository, Active Directory, and Exchange 200x mailboxes. The 210 pages of WMI and ADSI security scripting techniques are dedicated to helping administrators understand and automate this complex configuration. More information can be found at http://www.lissware.net.