I want to make a list of access denied files/folders for a given account. I'm aware "icacls" handles making lists of files/folders given an account name.

e.g. This command lists access denied per folder on screen:

`icacls c:\*. /findsid "User" /T /C /L /Q > c:\results.txt`

...but it doesn't list the access denied folders in the results file.

How can I do this?

DavidPostill
whatever1234566

1 Answer

Never mind, I figured it out. The issue was that there are two ways to output:

  1. Through "STDOUT"

  2. Through "STDERR"

https://support.microsoft.com/en-us/kb/110930#/en-us/kb/110930

So, I can just execute something like so:

`icacls c:*. /findsid "User" /T /C /L /Q 2> c:\resultsFolders.txt`

`icacls c:*.* /findsid "User" /T /C /L /Q 2> c:\resultsFiles.txt`

whatever1234566
  • Wouldn't that be `icacls c:*.* /findsid "User" /T /C /L /Q > c:\updatedFiles.txt 2> c:\accessDeniedFiles.txt`..? Another thought is that using `c:*.` and `c:*.*` is not 100% accurate. You will get better (i.e., more accurate) results if you use a `for (dir /AD)` statement.. – kodybrown Dec 19 '15 at 15:20
  • How's using wildcards any different? – whatever1234566 Dec 20 '15 at 01:54
  • Just that `*.` can pick up files and folders without an extension, just like `*.*` can pick up both files and folders with an extension. – kodybrown Dec 20 '15 at 03:33
  • Using `dir /ad` will only list directories and `dir /a-d` will only list files. Using them in a 'for' loop would look like this: `for /f %G in ('"dir /ad /b"') do @echo %G`.. (When using the for loop inside a batch file, be sure to use `%%G` instead of `%G`.) – kodybrown Dec 20 '15 at 03:48
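
One way to combine the answer's STDERR redirection with the `dir /ad` and `dir /a-d` split suggested in the comments, as an added example that is not part of the original posts. `ROOT`, `ACCOUNT`, the `OUT` folder and the four result file names are placeholders chosen for illustration, and the script assumes `icacls` reports access-denied errors on STDERR as the answer describes.

```batch
@echo off
rem Added example, not from the original posts.
rem Assumptions: ROOT, ACCOUNT, OUT and the result file names are placeholders.
setlocal
set "ROOT=C:\Data"
set "ACCOUNT=User"
set "OUT=%TEMP%\acl-audit"
if not exist "%OUT%" mkdir "%OUT%"

rem Truncate the result files so a rerun does not append to old data.
for %%F in (dirs-found dirs-denied files-found files-denied) do (
    type nul > "%OUT%\%%F.txt"
)

rem Directories only (dir /ad). dir /s does the recursion, so icacls runs
rem without /T. "delims=" keeps paths that contain spaces in one piece, and
rem %%G is the batch-file form of %G.
for /f "delims=" %%G in ('dir /ad /b /s "%ROOT%" 2^>nul') do (
    icacls "%%G" /findsid "%ACCOUNT%" /C /L /Q >> "%OUT%\dirs-found.txt" 2>> "%OUT%\dirs-denied.txt"
)

rem Files only (dir /a-d). STDOUT and STDERR again go to separate files.
for /f "delims=" %%G in ('dir /a-d /b /s "%ROOT%" 2^>nul') do (
    icacls "%%G" /findsid "%ACCOUNT%" /C /L /Q >> "%OUT%\files-found.txt" 2>> "%OUT%\files-denied.txt"
)

echo Results written to "%OUT%"
endlocal
```

`dir` cannot enumerate folders the current user is not allowed to list, so the contents of those folders are not visited by either loop.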