This tip originally appeared on SearchWinSystems.com, a sister site of SearchSMB.com.
One of the components of good security is awareness—for instance, knowing whether or not a given object is indeed accessible or inaccessible to a given user or group. Admins typically audit accessibility through Explorer's Security tab, but it's much harder to do this for multiple objects or non-Explorer objects that have access control (such as services or registry keys).
But once again, those administrator lifesavers at Sysinternals.com, Mark Russinovich and Bryce Cogswell, have come to the rescue. Their new tool, AccessChk, is a simple but powerful command-line tool for auditing access controls against various objects, such as services, registry keys, files and folders.
An admin provides AccessChk with a user or group name and an object to audit. For instance, to audit all the services that the Power Users account has to Windows Services, you would use the command accesschk "power users" –c (note the use of quotes to demarcate an object with a space in the name). For a Registry key, use the –k switch: accesschk "power users" -k hklm\software. Adding the -s switch to any command makes it work recursively: It processes not only the object in question, but any objects under it (subfolders, subkeys, etc.). Full documentation of all the available command-line switches is contained in the program itself.
AccessChk has a few limitations. Right now you can only audit for one user or group at a time; you can't supply a list of groups to match. You also need to be careful when you audit against filenames or pathnames that have Unicode (non-ASCII) characters in their name -- the report returned will not list them correctly unless you are using the correct locale for the console. Also, the first time you run AccessChk you'll be prompted to click through a licensing agreement. But this only happens once.
More information from SearchWinSystems.com
