Q: I periodically need to assess which files a user has access to. Is there any way to get a report of all the files and folders a specified user has access to on a given server?
A: Check out the AccessChk tool (formerly a Sysinternals tool) from Microsoft at http://www.microsoft.com/technet/sysinternals/Security/AccessChk.mspx. AccessChk is a simple command-line tool that requires no installation. Just download it, open a command prompt, and run AccessChk with the appropriate parameters to control which objects’ ACLs it analyzes and for which user. For example, to check mdemarco's permissions to a file server that has one volume (E) where all shared files are stored, open a command prompt and run the following command:
accesschk –s –d mdemarco e:\*.*
This command will return a report of every folder to which mdemarco has any type of access assigned either to his user account or to any group that he belongs to. The -s switch causes AccessChk to recurse the entire volume to analyze each subfolder, and the -d switch tells AccessChk to limit its scan to folders. If you want to include individual files in the report, just omit the -d switch. AccessChk uses R for read access and W for write access to report which permissions the user has for each object. As you can see in Figure 1, mdemarco has no access to E:\files\awyatt but has read and write access to everything else. You can use the -w switch to limit the report to only objects to which the user has write access. You can also use AccessChk to report permissions for other types of objects, including registry keys, services, and processes. Just run the command
accesschk /?
for more information.