Obtain reason for AccessCheck failure

  • Question

  • As a specific user on a specific file object, requesting file read and read security permissions on said file results in an access check failure. I wish to dive in to the actual reason why the access check failed.

    Is there a script or cmdlet out there that performs AccessCheck on a SE_FILE_OBJECT so that I may figure out the specific reason for the failure? Like, is there an ACE that denies access? If so, what's the ACE? Does the ACL not contain any SID for the user or any group the user is in? If so, what are the SIDs of the user and the user's groups? Et cetera.

    I'm quite versed in PowerShell and can read scripts. I'd love a PowerShell answer, if there is one. I know AccessCheck is a complex function and asking for a PowerShell equivalent is a stretch, but we need to figure out why we can't access certain directories.

    Background for those interested in the whole story:

    I work at a backup company and occasionally we try to back up files and directories with nonstandard permissions. When this happens, we can no longer access the files or directories in question, even with backup semantics, SE_BACKUP_NAME and SE_RESTORE_NAME. In our status and state files we have the security descriptor of the files and directories in question, in SDDL form. We lack the full information required to perform the AccessCheck by hand, and would like a script to help us out.

    • Moved by Bill_Stewart Wednesday, June 25, 2014 4:13 PM Question outside forum scope
    Monday, January 20, 2014 11:13 PM
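As an added example (not posted in this thread), the following PowerShell walks a DACL from an SDDL string the way AccessCheck walks it, so the "which ACE denied, or which SIDs are simply absent" question can be answered from the security descriptors the asker already has. It assumes the caller supplies the SDDL plus the user's SID and group SIDs (the token membership that AccessCheck would have); it models ACE ordering, INHERIT_ONLY skipping and generic-to-file right mapping, but not owner-implicit READ_CONTROL, object ACEs, or the SE_BACKUP_NAME bypass.

```powershell
function ConvertTo-FileSpecificMask([int]$Mask) {
    # Map generic rights (GA/GR/GW/GX in SDDL) onto file-object rights, as AccessCheck does
    # through the file GENERIC_MAPPING; constants are the Win32 FILE_GENERIC_* values.
    $specific = $Mask -band 0x0FFFFFFF
    if ($Mask -band 0x10000000) { $specific = $specific -bor 0x001F01FF }   # GA -> FILE_ALL_ACCESS
    if ($Mask -band 0x80000000) { $specific = $specific -bor 0x00120089 }   # GR -> FILE_GENERIC_READ
    if ($Mask -band 0x40000000) { $specific = $specific -bor 0x00120116 }   # GW -> FILE_GENERIC_WRITE
    if ($Mask -band 0x20000000) { $specific = $specific -bor 0x001200A0 }   # GX -> FILE_GENERIC_EXECUTE
    return $specific
}

function Test-SddlAccess {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string[]]$TokenSids,   # user SID plus every group SID in the token
        [System.Security.AccessControl.FileSystemRights]$Desired = 'Read, ReadPermissions'
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if ($null -eq $sd.DiscretionaryAcl) { return 'ALLOWED: null DACL, no restrictions at all' }
    $remaining = [int]$Desired                         # rights still unsatisfied; shrinks as allows match
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }   # object/callback ACEs not modelled
        if ([int]$ace.AceFlags -band 0x8) { continue }                            # INHERIT_ONLY never applies here
        $sid = $ace.SecurityIdentifier.Value
        if ($TokenSids -notcontains $sid) { continue }                            # ACE is for someone else
        $mask = ConvertTo-FileSpecificMask $ace.AccessMask
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            # A deny wins as soon as it overlaps any right not yet granted by an earlier allow
            if ($mask -band $remaining) {
                return "DENIED by deny ACE for $sid (mask 0x$($mask.ToString('X8')))"
            }
        } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $remaining = $remaining -band (-bnot $mask)
            if ($remaining -eq 0) { return "ALLOWED: last needed right granted by allow ACE for $sid" }
        }
    }
    # No deny hit, but allows never covered everything: report what is missing and how many
    # ACEs even mention a SID from the token (zero means the DACL simply does not know this user).
    $named = @($sd.DiscretionaryAcl | Where-Object { $TokenSids -contains $_.SecurityIdentifier.Value }).Count
    return "DENIED: no ACE grants remaining rights 0x$($remaining.ToString('X8')); " +
           "$named of $($sd.DiscretionaryAcl.Count) ACEs name a token SID"
}

# Constructed sample: a deny-read ACE for a group the user belongs to precedes a full-access
# allow for the user, so the check reports the deny ACE rather than the later allow.
$sampleSddl = 'O:BAG:BAD:(D;;FR;;;S-1-5-21-1-2-3-1001)(A;;FA;;;S-1-5-21-1-2-3-500)'
Test-SddlAccess -Sddl $sampleSddl -TokenSids 'S-1-5-21-1-2-3-500', 'S-1-5-21-1-2-3-1001', 'S-1-1-0'
```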

All replies

  • These are all fundamental Windows file system questions and really have nothing to do with scripting.  You need to spend time learning how Windows file access security is designed.

    On the GUI file security wizard there is a tab that lets you test effective access rights.

    Note that any "deny" ACE supersedes any "allow" ACE if that helps.


    Monday, January 20, 2014 11:24 PM
  • You can also look into SubInAcls to test access at a prompt.

    There is no script that does what you ask.  Your requirement is very custom to your situation. You are free to write one.  I doubt that anyone here has one like you are asking for.


    Monday, January 20, 2014 11:26 PM
  • Peter - this, again, is a case where you are asking a question that gets lost because you are using technical terms that you are not sure of.

    I still recommend hiring a consultant or a full time MCSE to assist with getting your systems configured and working.  You will not easily or correctly guess your way through this.


    Monday, January 20, 2014 11:30 PM
  • Here is a commandline version to the wizard.

    Again - this is not a scripting issue.


    Monday, January 20, 2014 11:50 PM