Check domain users access to sharedrive.

[Crayfish]

I have search all forum to see if there a good way to check if a domain users have access to share drive but no luck.

Can anyone help out.

I have tried mapping but windows will maps the share drive even though users had no access.

I want to trigger ERROR_ACCESS_DENIED and return 1 for true.

Please help.

#include

;Map drives as needed:

DriveMapAdd("K:", "contosoLA")

If @error = 1 Then
MsgBox(16, "", "Undefined / Other error.")
ElseIf @error = 2 Then
MsgBox(16, "", "Access to the remote share was denied")
ElseIf @error = 3 Then
MsgBox(16, "", "The device is already assigned.")
ElseIf @error = 4 Then
MsgBox(16, "", "Invalid device name.")
ElseIf @error = 5 Then
MsgBox(16, "", "Invalid remote share.")
ElseIf @error = 6 Then
MsgBox(16, "", "Invalid password.")
Else
MsgBox(64, "", "Good!", 1)
EndIf

#include <WinAPIex.au3>

If FileExists("contosoLA") Then
MsgBox(4096, "C: Dir ", "Exists")
Else
If @extended Then
MsgBox(64, "Test", _WinAPI_GetErrorMessage(@extended))
EndIf
EndIf

#include <UDFsWinAPIEx.au3>

Global Const $SFGAO_SHARE = 0x00020000
Global Const $SHGFI_ATTRIBUTES = 0x00000800
$sFolder = "contosoLA"
$tSHFILEINFO = DllStructCreate($tagSHFILEINFO)
_WinAPI_ShellGetFileInfo($sFolder, $SHGFI_ATTRIBUTES, 0, $tSHFILEINFO)
$iAttributes = DllStructGetData($tSHFILEINFO, "Attributes")
If BitAND($iAttributes, $SFGAO_SHARE) Then
$memo = ("Attributes = 0x" & Hex($iAttributes) & "; Shared!" & @LF)
Else
$memo = ("Attributes = 0x" & Hex($iAttributes) & "; NOT Shared!" & @LF)
EndIf

Edited October 14, 2012 by Crayfish

[Crayfish]

I still haven't figure out, can someone lend a hand?

[jazzyjeff]

Is this script for an end user to run, or is it for the Administrator's benefit?

Is the share drive hosted on a Windows machine or another OS platform? If it's a Windows OS, could you not just look at the share permissions on that machine?

[Crayfish]

Script ran by domain users to check if they have access to a share drive under same UO.

Pretty much I'm just looking for a way to tell if user have read/write access or not.

Run script > Current user do not have access to specific share drive.

> Current user have read/write access to specific share drive.

[Varian]

If this script will not harm your security, you can just try "_FileCreate" and "_TempFile" to create a file on the share. If it succeeds, immediately delete the file and continue accordingly. You can read @error for success/failure with _FileCreate

#include <File.au3>
Local $Sharename, $Tempfile
$Sharename = "ServerShare"
If Not FileExists($Sharename) Then Exit MsgBox(262208, 'Error', $Sharename & " does not exist")
$Tempfile = _TempFile($Sharename)

If _FileCreate($Tempfile) Then
  MsgBox(262208, 'Success', $Tempfile & " has been created")
  FileDelete($Tempfile)
Else
  MsgBox(262208, 'Error', $Tempfile & " was not created" & @LF & "Error code was " & @error)
EndIf

Edited October 16, 2012 by Varian

[water]

If you know which AD security groups can access the shared drive then you could use my Active Directory UDF to get the members of the groups.

[Crayfish]

Varian:

It would be my last resource and even then I wouldn't want to implement that way. I am looking of more none intrusive way to check valid of access.

water:

Love all your UDF!

So if I get you correctly, when script ran it fetch the whole list of users with access from AD and compare current user name with the list. If match found, user has access.

If no match, user doesn't have access.

Sound great. I have to read through your AD UDF to see how to go about doing so. I haven't got a clue how to start out other than logic. orz.

Edited October 16, 2012 by Crayfish

[water]

What I mean is the following:

In AD you create a security group and assign members (user accounts) to this group. All members have the same permissions granted by this group. Unfortunately AD doesn't hold the information on which system which permission is granted.

On the fileserver the admin clicks on a folder, assings one/multiple AD groups to the folder and sets the folder permissions.

To get the whole picture (who can access which folder) you have to query AD and the fileserver.

If you know the foldername and the AD groups assigned to the folder and the permissions then you can go to AD using my AD and get the list of members for this group(s) and combine everything.