AccessChk is a small, but powerful, security utility available for free from Sysinternals. It is a command line utility designed to allow administrators to see exactly what rights a particular group has to a specific resource. This type of functionality may not seem all that helpful. After all, you can look at an Access Control List and tell instantly what permissions a user or group has been assigned. However, AccessChk gives you much more granular results.
For example, suppose for a moment that I wanted to see what rights the Users group had over my server's C:\ folder. To do so, I could use the AccessChk command along with a couple of parameters that specify the group and the location for which I want to check the permissions. The actual syntax would look something like this:
AccessChk "Users" c:\
And the result is similar to what's shown in Figure A. As you can see in the figure, AccessChk lists every file and folder in the location specified and tells what rights the specified group has. One thing worth mentioning is that the AccessChk command is case sensitive. If I had used a lowercase U when I typed Users, the command would not have worked.
AccessChk lists the rights associated with every file and directory in the location specified.
Being able to look at granular file permissions is a good start, but AccessChk is not a one-trick pony. AccessChk is actually very flexible. You can use it to check what rights a particular user or group has to any file, folder, Registry key or service.
In the previous example, I showed you how to use AccessChk to see what rights the Users group has over the C:\ folder. You could easily change the command, however, to see what permissions the Users group has over the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Registry key. The syntax looks like this:
AccessChk –k "Users" hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The command's output looks something like what you see in Figure B.
AccessChk allows you to check rights to Registry keys.
Now that I have shown you a couple of examples of what you can do with AccessChk, let's look at the syntax. The syntax is as follows:
AccessChk [-q] [-s] [-r] [-w] [-n] [-v] [-k] [-c]
-Q Quiet mode, no banner is displayed
-S Recursive mode
-R Show only objects that have read access
-W Show only objects that have write access
-N Show only objects that have no access
-V Verbose output
-K The specified resource is a registry key
-C The specified name is a Windows Service (you can also omit the name to display all services.
What I like best about it (other than the price) is that it is such a light-weight utility. The executable file is only about 49 KB in size (the download is a 20 KB zip file). Unlike most of the more powerful commands, like utilities, this one is actually easy to use. It has a limited set of options, which prevents the utility's syntax from being overly complex. However, the utility does not sacrifice power or flexibility in the name of simplicity. In short, if you have to verify permissions on your network, you can't go wrong with AccessChk.
For more information:
- Local permissions
- NTFS permissions
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.