
World: r3wp

[Parse] Discussion of PARSE dialect

Pekr
5-Jun-2009
[3821]
I am trying to create a primitive script which investigates user/group/system
rights on our filesystem (no Identity Management system here). The
trouble is that MS programmers probably have some weak days too
:-) They forgot to add one stupid newline to the output of ICACLS,
so I get the following kind of output:

L:\Sprava\Personalni usek WALMARK\RUR:(OI)(CI)(F)
L:\Sprava\Personalni usek (OI)(CI)(F)
L:\Sprava\Personalni usek NT AUTHORITY\RUR:(OI)(CI)(F)
L:\Sprava\Personalni usek BUILTIN\RUR:(OI)(CI)(F)


I need to come up with rules which will allow me to filter out the path
from the first user/group/rights info. The problem is that space
is a regular character in a path. So how to easily create a rule for the above
cases? The path is - "L:\Sprava\Personalni usek"
BrianH
5-Jun-2009
[3822]
If you know the path ahead of time you can skip past its length plus 
one, then start parsing.
Pekr
5-Jun-2009
[3823x2]
no, I have a few megabytes, done from one call to the ICACLS command line
.... but never mind - ICACLS is not a good tool. I just wanted to use
REBOL here. I will have to start using VBScript for such stuff ...
The programmer who did the output has to be pretty much an idiot though
...
BrianH
5-Jun-2009
[3825]
Agreed. I mean, each line starts with a path - is it the same path 
every time, or a different one?
Pekr
5-Jun-2009
[3826x3]
different one ...
I don't want to put output here, as this group is web public ...
ICACLS L:\my-path\*. /T > result.txt ...... /T means recursion ... 
so it was easy job at first sight ...
Ladislav
5-Jun-2009
[3829]
but, how do you *know* where the path ends, then?
Pekr
5-Jun-2009
[3830]
exactly :-) That is why I can see it as a bug on programmer's side. 
OK, here's one example:

L:\Some-path\Some subidr name here WALMARK\RUR:(OI)(CI)(F)
                          BUILTIN\Administrators:(OI)(CI)(F)
                          WALMARK\User1:(CI)(RX)
                          WALMARK\Some group:(OI)(CI)(M)
BrianH
5-Jun-2009
[3831]
What info do you need, the path or what comes after it? If the data 
after it is only a limited set of possible answers, you can try to 
skip to those in turn.
Pekr
5-Jun-2009
[3832]
So I start from the right, making a longer rule as
[rights-section | domain-section user-section rights-section]
Ladislav
5-Jun-2009
[3833]
...makes no sense to define a rule, if you don't actually know where 
the path ends, as I see it
Pekr
5-Jun-2009
[3834]
There is one exception - "NT AUTHORITY" ... I would break both hands 
of the designer, which allowed this one exception - space in domain 
name is not normally allowed :-)
BrianH
5-Jun-2009
[3835]
parse/all/case line [[to "WALMARK" | to "BUILTIN"] a: (do something)]
Ladislav
5-Jun-2009
[3836]
aha, so you actually know where the path ends? You didn't tell
BrianH
5-Jun-2009
[3837]
Or to "NT AUTHORITY"
Pekr
5-Jun-2009
[3838x2]
But you can define the following rule:

domain-chars: charset [#"A" - #"Z" "-"]
domain-rule: [
    "NT AUTHORITY\" (domain: "NT AUTHORITY")
    |
     copy domain some domain-chars "\"  
]


domain-user-rights: [rights-rule | domain-rule user-rule rights-rule]
So except for NT AUTHORITY, there can't be any space. So I filtered
out the case when there are only rights on the first line (OI)(CI) etc.
and the second case - DOMAIN\USER-GROUP:(RIGHTS)
BrianH
5-Jun-2009
[3840]
If you know the names of all the domains in your network, you can 
treat them as keywords. Just add "BUILTIN" and "NT AUTHORITY" to 
the list of keywords and you are set. No need to deal with character 
sets.
Pekr
5-Jun-2009
[3841]
The rest should/could be spaces or PATH
Paul
5-Jun-2009
[3842]
copy/part path find/reverse find/reverse find path "(" " " " "
Pekr
5-Jun-2009
[3843]
BrianH: yes, but that would hardly be a challenge then :-) I wanted 
to have it flexible, hence being able to identify any domain ...
BrianH
5-Jun-2009
[3844]
Flexibility is overrated :)
Pekr
5-Jun-2009
[3845]
Paul - good one - I thought about reversing the string from reaching 
the newline too ...
BrianH
5-Jun-2009
[3846]
Also, seriously, consider switching utilities to one that gives you 
better output.
Pekr
5-Jun-2009
[3847x3]
there's no other utility in the default console :-)
but - I could also not do it all with one ICACLS call, but instead
do REBOL level recursion and use a separate CALL to ICACLS for each
dir separately ...
But that ICACLS output ran for > 3 hours, so I don't want to repeat
it :-)
BrianH
5-Jun-2009
[3850x2]
Since this is a one-off for a known network, flexibility is *really* 
overrated here. Go with the known domains method this time, then 
you'll have time to come up with a general solution for the next 
run.
You first asked this question > 3 hours ago, anyways :)
Pekr
5-Jun-2009
[3852]
NO :-)
BrianH
5-Jun-2009
[3853]
Well, I don't have an NT server running locally here, so I can't 
generate test data or even check its command line options.
Pekr
5-Jun-2009
[3854]
don't worry. I am mostly done. It can be "almost" done, but nevertheless 
we will switch to VBScript ....
Ladislav
5-Jun-2009
[3855]
do I understand correctly, that it can be done in VBScript?
BrianH
5-Jun-2009
[3856x2]
You would use VBScript as a replacement for the command line tool.
It's either that or powershell.
Pekr
5-Jun-2009
[3858]
Well, I saw some examples and although I don't fully understand them, 
there might not be the place for REBOL. You can do everything in 
VB script, and that is what I don't like :-)
BrianH
5-Jun-2009
[3859]
Or other languages with ActiveX support, and there are many.
Pekr
5-Jun-2009
[3860x2]
But - the easiest way probably was to use a mixture of REBOL and ICACLS
CALLS - traversing directories recursively and querying ICACLS. That
way I would always know the path, so it would be easy to strip it
from the output. Now as CALL is fixed and no longer opens black console
windows, REBOL is a good tool.
R3 with ActiveX support, yes, can't wait for it :-)
BrianH
5-Jun-2009
[3862]
What question does icacls ask about the access control lists? I don't 
have the tool locally.
Pekr
5-Jun-2009
[3863]
http://www.mydigitallife.info/2007/04/30/icacls-vista-command-prompt-tool-to-manage-acls/
BrianH
5-Jun-2009
[3864]
Looks like AccessChk: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
Pekr
5-Jun-2009
[3865x2]
It does not even have a parameter to distinguish directory and file
- what a lame tool. You have to use a trick - icacls c:\some-dir\sub-dir-or-file*.
, which is a relic of 8.3 naming, so actually it will match both dir
and file, not having a suffix ....
What would lame MS do without buying Sysinternals guys escapes my 
mind ...
BrianH
5-Jun-2009
[3867]
This is how they get their tech.
Pekr
5-Jun-2009
[3868]
WTF :-) No I am upset about myself, as I use other SysInternal tools
often, but dunno why I haven't looked for that tool myself :-)
BrianH
5-Jun-2009
[3869x2]
Haven't used it yet either.
ICACLS has a /save option - what does that output? It's supposed 
to be machine readable, unlike its stdout output.