VERSION 7 Getting Started Guide - GlobalSoft

ScriptLogic® Security Explorer®

VERSION 7 Getting Started Guide

SECURITY EXPLORER® II

UPDATED 17 MARCH 2010

© 2010 by ScriptLogic Corporation All rights reserved. This publication is protected by copyright and all rights are reserved by ScriptLogic Corporation. It may not, in whole or part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine‐readable form without prior consent, in writing, from ScriptLogic Corporation. This publication supports Security Explorer 7.x. It is possible that it may contain technical or typographical errors. ScriptLogic Corporation provides this publication “as is,” without warranty of any kind, either expressed or implied. ScriptLogic Corporation 6000 Broken Sound Parkway NW Boca Raton, Florida 33487‐2742 1.561.886.2400 www.scriptlogic.com Trademark Acknowledgements: ScriptLogic and Security Explorer are trademarks and registered trademarks of ScriptLogic Corporation. Quest and Quest Software are trademarks and registered trademarks of Quest Software, Inc. All other trademarks are property of their respective owners.

http://www.scriptlogic.com/

SECURITY EXPLORER® III


DOCUMENTATION CONVENTIONS

Typeface Conventions

Bold Indicates a button, menu selection, tab, dialog box title, text to type, selections from drop-down lists, or prompts on a dialog box.

CONTACTING SCRIPTLOGIC

ScriptLogic may be contacted about any questions, problems or concerns you might have at:

ScriptLogic Corporation 6000 Broken Sound Parkway NW Boca Raton, Florida 33487-2742

561.886.2400 Sales and General Inquiries 561.886.2450 Technical Support

561.886.2499 Fax

www.scriptlogic.com

SCRIPTLOGIC ON THE WEB

ScriptLogic can be found on the web at www.scriptlogic.com. Our web site offers customers a variety of information:

Download product updates, patches and/or evaluation products.

Locate product information and technical details.

Find out about Product Pricing.

Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers.

Search Frequently Asked Questions, for the answers to the most common non‐technical issues.

Participate in Discussion Forums to discuss problems or ideas with other users and ScriptLogic representatives.



SECURITY EXPLORER® IV


Contents INTRODUCTION............................................................................................................................................................1 INSTALLING SECURITY EXPLORER..............................................................................................................................7 MINIMUM SYSTEM REQUIREMENTS..........................................................................................................................7 Supported Versions of SharePoint for Security Explorer ........................................................................................7 Supported Versions of SQL Server for Security Explorer .......................................................................................8 Supported Versions of Microsoft Exchange for Security Explorer ..........................................................................8 User Privilege Requirements .................................................................................................................................12 Permission Requirements to Manage Microsoft Exchange in Security Explorer .................................................12 BEFORE YOU BEGIN ................................................................................................................................................14 Install Microsoft .NET Framework 3.5 .................................................................................................................14 RUNNING THE SETUP WIZARD...............................................................................................................................14 STARTING SECURITY EXPLORER FOR THE FIRST TIME............................................................................................18 Applying a License File .........................................................................................................................................18 Evaluating the Product..........................................................................................................................................19 VIEWING LICENSES .................................................................................................................................................20 Viewing License Details ........................................................................................................................................21 Removing a Server.................................................................................................................................................21 MANAGING NETWORK DRIVES..............................................................................................................................22 Mapping a Network Drive ....................................................................................................................................22 Disconnecting a Network Drive............................................................................................................................22

QUICK START.............................................................................................................................................................23 EXAMINING THE MAIN WINDOW ..........................................................................................................................23 Selecting Explorer Modules...................................................................................................................................24 Selecting Actions ...................................................................................................................................................25 MANAGING PERMISSIONS ......................................................................................................................................26 Creating Test Folders and Files .............................................................................................................................26 Granting Permissions............................................................................................................................................31 Copying Permissions .............................................................................................................................................34 Modifying Permissions..........................................................................................................................................36 Propagating Permissions.......................................................................................................................................38 Searching for Permissions .....................................................................................................................................39 Revoking Permissions............................................................................................................................................43 BACKING UP SECURITY...........................................................................................................................................46 MANAGING SERVICES.............................................................................................................................................47 MANAGING TASKS..................................................................................................................................................49 SUMMARY................................................................................................................................................................50

TROUBLESHOOTING ..................................................................................................................................................51 USING LOG FILES ....................................................................................................................................................51

INDEX..........................................................................................................................................................................52

SECURITY EXPLORER® 7 1


Introduction Security Explorer ™ is a powerful and intuitive solution that searches for and modifies Windows 2000/XP/2003/Vista and Windows Server 2008 security on NTFS drives, file shares, the registry, printers, services, tasks, groups and users, SharePoint servers, SQL servers, and Exchange servers. Security Explorer’s graphical interface increases administrator productivity and provides centralized control, simplifying and standardizing the management of the security of Windows server resources.

Security Explorer overcomes the difficulties encountered when using Explorer or command line tools to manage file security, services, and tasks. Comprehensive backup, restore, search, grant, revoke, clone and export functions take management of permissions to new levels. Tasks that were previously either impossible or extremely difficult are now as simple as Point, Click, Done!



Manage Permissions

Instant Access to Security and Permissions No more navigating through files, folders and registry keys selecting Properties and trying to find the Advanced button to see a complete security list! Security Explorerʹs interface allows for easy navigation of files, folders, registry keys, shares, printers, services, tasks, SQL servers, SharePoint servers, and Exchange servers, and instantly shows both assigned and inherited permissions.

Comprehensive Security Management Security Explorer lists the current security settings, and allows full granting, revoking and modifying of permissions on NTFS volumes, the registry, file shares and printers, as well as cloning permissions between accounts for domain.

Automated Clean‐up and Repair of Permissions Tighten security and eliminate orphaned permissions with automatic removal for unknown or deleted accounts. Update file and folder permissions with new SIDs and re‐assign orphaned permissions following migrations between domains or servers.

Search

Find security weaknesses and over‐privileged users as Security Explorer lets administrators search NTFS volumes for specific assignments to all types of user and group, including permissions received through group memberships and inheritance, or where a user or group does not have a specific permission.

Locate services and tasks on computers across your network.



Manage Security

Backup and Restore Permissions Recovery from accidental changes to security settings has never been easier! Security Explorer can backup complete sets of permissions for files and folders, without having to backup the data they contain. Security Explorer can also capture permissions for registry keys, shares and printers. Administrators can then select any combination of files, folders, registry keys, printers and shares to recover those permissions, without affecting the underlying data or resources.

Export Security Settings in Multiple Formats Security Explorer can export a database or spreadsheet listing the permissions on files or folders anywhere in the directory tree.

Manage Objects

Administrative Override No more ʺAccess Deniedʺ when setting permissions! Security Explorer can instantly modify the security settings of file and folders that administrators would normally have to change to go through multiple steps to access.

Assign Ownership Administrators can use Security Explorer to assign ownership to files and folders without the need for the Take Ownership right.

Command Line Management Security Explorer has a full command line interface so you can script and schedule permission management.

Integrated with Windows Explorer Many Security Explorer functions are integrated into the right‐click menu in Windows Explorer. Additionally, more Windows Explorer functions are now available within Security Explorer, which means much less switching between windows!



Manage Services and Tasks With the Service Security and Task Management modules, you can manage services and tasks across your network.

Manage Groups and Users With the Groups and Users Management module, you can create, modify, and delete groups and users. You also can change user passwords.



Manage SharePoint Servers With the SharePoint Server Security module, you can manage your SharePoint servers.

Manage SQL Servers With the SQL Server Security module, you can manage permissions on SQL databases, modify logins, and add logins to Server Roles.



Manage Exchange Servers With the Exchange Server module, you can manage permissions on Exchange servers.

Manager Quest® Access Manager Servers You can manage permissions on Quest Access Manager Servers using basic NTFS Security module functionality and a Permission Wizard unique to Access Manager.



Installing Security Explorer Security Explorer is provided in a Windows Installer package format, which allows for robust, self‐repairing of application files, and ease of installation and software distribution. The Windows Installer service is included with Windows 2000 and later.

MINIMUM SYSTEM REQUIREMENTS

Important: The minimum system requirements listed are for the computer on which Security Explorer is installed. Security Explorer can be used to manage permissions on other computers that have Windows NT or Windows 2000 as an operating system.

Processor: Pentium 600MHz or faster

Operating Systems:

Windows XP

Windows Vista

Windows 7

Windows Server 2003

Windows Server 2008

Microsoft .NET Framework 3.5 SP1

Disk Space: 50 MB

Memory: 256 MB

Screen resolution: 1024 x 769

Supported Versions of SharePoint for Security Explorer

Microsoft Office SharePoint Server 2007

Microsoft Office SharePoint (MOSS)

Windows SharePoint Server (WSS)



Supported Versions of SQL Server for Security Explorer

SQL Server 2000

SQL Server 2005

SQL Server Express 2005

SQL Server 2008

Microsoft SQL Server Desktop Engine (MSDE)

Supported Versions of Microsoft Exchange for Security Explorer

Exchange 2000/2003

Client Type Prerequisites

32 Bit OS: Windows Vista 32 bit Windows XP 32 bit; Windows 2003 Server 32 bit Windows 2000 Server Windows 2000 Professional

MAPI Installer is included with Security Explorer 7, but can be installed from ExchangeMapiCdo.MSI.

CDOXEM Can be installed with Microsoft Exchange 2003 Management Tool, which comes from Microsoft Exchange Server 2003 distributive or from Microsoft Exchange Server 2003 Service Pack 2 (http://www.microsoft.com/downloads/details.aspx?FamilyID=535bef85-3096-45f8-aa43-60f1f58b3c40&DisplayLang=en) For Vista: http://www.microsoft.com/downloads/details.aspx?familyid=3403d74e-8942-421b-8738-b3664559e46f&displaylang=en To install Microsoft Exchange 2003 Management Tool, IIS and Windows Administrative Tools Pack are required, so to install CDOEXM the following are needed:

Microsoft Exchange 2003 Management Tool

IIS

Windows Administrative Tools Pack

Windows 2008 server 32 bit Not supported. Please see Exchange System Manager for Windows Vista - Release Notes.doc

64 Bit OS: Windows XP 64 bit Windows Vista 64 bit Windows 2003 Server 64 bit Windows 2008 Server 64 bit

Security Explorer cannot manage Exchange 2003 if Security Explorer is installed on a 64 bit operating system. There is no CDOEXM version for a 64 bit operating system and Security Explorer requires CDOEXM.

http://www.microsoft.com/downloads/details.aspx?FamilyID=535bef85-3096-45f8-aa43-60f1f58b3c40&DisplayLang=en


http://www.microsoft.com/downloads/details.aspx?familyid=3403d74e-8942-421b-8738-b3664559e46f&displaylang=en




Exchange 2007


Windows XP 32 bit Windows XP 64 bit Windows Server 2003 32 bit Windows Server 2003 64 bit

MAPI Installer is included with Security Explorer 7, but can be installed from ExchangeMapiCdo.MSI.

Exchange 2007 Management Tools

32 bit version can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=6be38633-7248-4532-929b-76e9c677e802&displaylang=en#AffinityDownloads

64 bit version comes from Microsoft Exchange Server 2007

To install Exchange 2007 Management Tools, the following must be installed:

IIS

.NET Framework 3.5 SP1

Microsoft Management Console (MMC) 3.0 http://www.microsoft.com/downloads/details.aspx?familyid=61FC1C66-06F2-463C-82A2-CF20902FFAE0&displaylang=en

Windows PowerShell http://www.microsoft.com/downloads/details.aspx?familyid=6CCB7E0D-8F1D-4B97-A397-47BCC8BA3806&displaylang=en

Windows Vista 32 bit Windows Vista 64 bit Windows 2008 Server 32 bit Windows 2008 Server 64 bit

MAPI Installer included with Security Explorer 7, but can be installed from ExchangeMapiCdo.MSI.

Exchange 2007 Management Tools SP1



Before installing Exchange 2007 Management Tools, the following must be installed:

IIS (IIS 6 Management Console, IIS 6 Metabase and IIS 6 configuration compatibility are mandatory)


To manage Exchange 2007 if SXP is installed on 32 bit or 64 bit Vista (with or without SP1) then the SP1 Exchange 2007 tools must be installed. Security Explorer cannot manage Exchange 2007 from Vista if a previous version of the tools is installed. See http://support.microsoft.com/kb/931903

http://www.microsoft.com/downloads/details.aspx?familyid=6be38633-7248-4532-929b-76e9c677e802&displaylang=en#AffinityDownloads



http://www.microsoft.com/downloads/details.aspx?familyid=61FC1C66-06F2-463C-82A2-CF20902FFAE0&displaylang=en


http://www.microsoft.com/downloads/details.aspx?familyid=6CCB7E0D-8F1D-4B97-A397-47BCC8BA3806&displaylang=en







http://support.microsoft.com/kb/931903



Exchange2003 – Exchange2007 (Mixed Mode)


32 bit OS: Windows XP32 bit Windows Server 2003 32 bit

MAPI Installer included with Security Explorer 7, but can be installed from ExchangeMapiCdo.MSI.

Exchange 2007 Management Tools



CDOXEM Can be installed with Microsoft Exchange 2003 Management Tool, which comes from Microsoft Exchange Server 2003 distributive or from Microsoft Exchange Server 2003 Service Pack 2 (http://www.microsoft.com/downloads/details.aspx?FamilyID=535bef85-3096-45f8-aa43-60f1f58b3c40&DisplayLang=en)

Important: Exchange 2007 Management Tools should be installed before Exchange 2003 Management Tools. Order is important.


IIS

.NET Framework 3.5 SP1

Microsoft Management Console (MMC) 3.0 http://www.microsoft.com/downloads/details.aspx?familyid=61FC1C66-06F2-463C-82A2-CF20902FFAE0&displaylang=en


To install Microsoft Exchange 2003 Management Tool, IIS and Windows Administrative Tool Pack are required, so to install CDOEXM the following are needed:


IIS














Win Vista 32 bit MAPI Installer included with Security Explorer 7, but can be installed from ExchangeMapiCdo.MSI.

Exchange 2007 Management Tools SP1



CDOEXM Can be installed with Microsoft Exchange 2003 Management Tool. http://www.microsoft.com/downloads/details.aspx?familyid=3403d74e-8942-421b-8738-b3664559e46f&displaylang=en (see also Exchange System Manager for Windows Vista - Release Notes.doc. There are some restrictions.)

Important: Exchange 2007 Management Tools should be installed before Exchange 2003 Management Tools. Order is important.


IIS 6 (II6Management Compatibility: IIS 6 Metabase Compatibility and IIS 6 Management Console are mandatory

Windows PowerShell

To install Microsoft Exchange 2003 Management Tool, IIS and Windows Administrative Tool Pack are required, so to install CDOEXM the following are needed:


IIS


Note: Exchange 2007 Management Tools SP1 must be installed. Security Explorer cannot manage Exchange 2007 from Vista of a previous version of the tools is installed.

Win 2008 server 32 bit Not supported There is no CDOEXM version. Please see Exchange System Manager for Windows Vista - Release Notes.doc

64bit OS: Windows XP 64 bit Windows Vista 64 bit Windows 2003 Server 64 bit Windows 2008 Server 64 bit

Not supported There is no CDOEXM version for a 64 bit operating system and Security Explorer requires CDOEXM if there is Exchange Server 2003 in Organization..








User Privilege Requirements

To start Security Explorer, a user must be a member of the local Administrators, otherwise errors messages display.

Permission Requirements to Manage Microsoft Exchange in Security Explorer

To connect to an Exchange Server, a user must be a domain user, have mailbox on one of the Exchange Servers, and be an Exchange Administrator.

To connect to an Exchange 2003 Organization, a user must be a domain user, have a mailbox on one of the Exchange 2003 Servers, and have been delegated Exchange Full Administrator rights on Exchange Organization level.

To connect to an Exchange 2007 Organization or Exchange 2003‐2007 Organization (Mixed Mode), a user must be a domain user, have a mailbox on one of the Exchange Servers, and be a member of the Exchange Organization group.

Only a user who is a Domain Administrator and Exchange admin has no restrictions for mailbox management in Security Explorer. There are possible restrictions in Security Explorer for mailbox management.

Note: In Exchange 2007, the Exchange Organization Administrator is also a Domain Administrator.

If a user uses Run As to start Security Explorer and that user does not have enough privileges and enters valid Alternative Credentials (Domain User, Exchange Administrator, Local Administrator, or Has Mailbox), there are some restrictions with mailbox management in Security Explorer.

Exchange 2000/2003 Privileges for user entered in Run as window

Privileges used to connect to Exchange Server

Possible actions in Security Explorer

Windows Authentication No restrictions Domain Administrator Full Exchange Administrator Valid Alternative Credential* Cannot create and delete

mailboxes

Windows Authentication Domain User Full Exchange Administrator

Valid Alternative Credential

Can enumerate mailboxes Can manage client permissions Cannot manage Active Directory permissions (View only mode) Cannot create and delete mailboxes

Windows Authentication Cannot connect to Exchange

Domain User Valid Alternative Credential

Can enumerate mailboxes Can manage client permissions Cannot manage Active Directory permissions (View only mode) Cannot create and delete mailboxes



Exchange 2007 Privileges for user entered in Run as window



Windows Authentication Domain Administrator Exchange Organization Administrator Valid Alternative Credential

No restrictions

Windows Authentication Domain User Exchange Organization Administrator Valid Alternative Credential

No restrictions



Can enumerate mailboxes Can manage client permissions Cannot view Active Directory permissions Cannot create and delete mailboxes

Mixed mode (Exchange 2003 + 2007) Privileges for user entered in Run as window



Windows Authentication No restrictions Domain Administrator Exchange Organization Admin (2007) Valid Alternative Credential Cannot create and delete mailboxes

on Exchange 2003

Windows Authentication No restrictions Domain User Exchange Organization Admin (2007) Valid Alternative Credential Cannot create and delete mailboxes

on Exchange 2003



Can enumerate mailboxes Can manage client permissions Cannot view Active Directory permissions for Exchange 2007 mailboxes Cannot manage Active Directory permissions (View only mode) for Exchange 2003 mailboxes Cannot create and delete mailboxes

Using Microsoft Outlook

If Security Explorer is installed on computer where Outlook 2003 or Outlook 2007 is present, you do not need to install MAPI. Outlook’s MAPI is used. In this scenario, if a user uses Run As to start Security Explorer, Exchange 2007 mailboxes and public folders are inaccessible.

If Outlook is present, configure Default Gateway in TCP/IP properties. If it is not configured, Outlook cannot create a profile for Security Explorer.



BEFORE YOU BEGIN

Download the latest version of Security Explorer from the ScriptLogic Web site:

http://www.scriptlogic.com/support

Install Microsoft .NET Framework 3.5

If you do not have Microsoft .NET Framework 3.5 on the computer where you want to install Security Explorer, the Security Explorer installation process provides an opportunity to download and install Microsoft .NET Framework 3.5.

You must restart the install process once Microsoft .NET Framework 3.5 is installed, so to avoid this you might want to install it before you begin the installation of Security Explorer.

RUNNING THE SETUP WIZARD

Important: If you are running Active Administrator on the same computer as Security Explorer, exit Active Administrator and stop all Active Administrator services before upgrading to Security Explorer.

1. After downloading Security Explorer, double‐click the .msi file. The Welcome box appears.




2. Click Next. The License Agreement box appears.

3. Select I accept the terms in the license agreement, and then click Next. The Customer

Information box appears.



4. If necessary, change the default values in the User Name and Organization boxes. Also choose whether to permit access to all users or just yourself. Click Next. The Destination Folder box displays the default installation path.

To change the installation path, click Change, and then select a new path.

5. Click Next. The Ready to Install box appears.



6. Click Install. A progress bar displays the installation process.

When the installation is complete, the final box appears.

7. Click Finish.



STARTING SECURITY EXPLORER FOR THE FIRST TIME

Depending on your system, choose one of these ways to start Security Explorer:

Click Start, point to All Programs > ScriptLogic Corporation > Security Explorer 7, and then select Security Explorer 7.

Click Start, and then click

Each time you run the program you are greeted by the splash screen, which displays program version and copyright information. To view more detail about the version of Security Explorer in use, choose About from the Help menu.

Applying a License File

The first time you start Security Explorer after installation, you see the New Installation box, which allows you to choose whether to apply a license file for full functionality, or evaluate the full product.



Security Explorer requires a valid license file in order to function properly. If you have a company license file or were provided with an evaluation or temporary license file, you must enter the location and filename in the License File box.

The license file is approximately 1KB in size and has a .lic file extension. Your Sales account executive or License Team specialist should have emailed this file to you as an attachment.

Click to locate the license file, and then click Apply License File.

Evaluating the Product

Note: The full and evaluation versions of are identical. The license file is the sole determinant of program functionality. In the File and Print Management modules (NTFS Security, Share Security, and Printer Security) you are limited to two servers and 2,500 files, folders, printers, or shares. In all other modules, you have unlimited searching with no changes. Extended evaluations with more functionality are available upon request.

If you are evaluating the software and would like to use the preset values for the number of licenses, objects, and evaluation days, click Begin Evaluation.

The evaluation countdown displays at the bottom of the box. The countdown begins on the day you click Begin Evaluation. You can apply a license at any time by choosing Help View License Dashboard.



VIEWING LICENSES

When Security Explorer opens, the License Dashboard displays which modules are enabled or disabled, the license or evaluation expiration date, the number of licenses used and available, and any restrictions on the license or evaluation.

Note: To see the complete list of restrictions on a license or evaluation, click . See Viewing License Details.

Show this dialog when Security Explorer first starts

By default, the License Dashboard displays each time you start Security Explorer. To suppress the display, clear the check box. To display the License Dashboard, select View License Dashboard from the Help menu.

Button Description

Run a disabled module in evaluation mode. Unavailable if no modules are disabled.

View details about a license or remove a server from the license. See Viewing License Details or Removing a Server.

Apply a new license file (*.lic)



Button Description

Export the selected license file to a text file (*.txt)

Open the Transaction Product Agreement (*.rtf)

Viewing License Details

In the Server list, select the server, and then click . The Other license restrictions area details the restrictions on the license or evaluation.

Removing a Server

1. Send an email to the Support Team at ScriptLogic ([email protected]) with the name of the server and the reason for the removal.

2. Select View License Dashboard from the Help menu.

3. In the Server list, select the server, and then click .

4. In the Authorization Code box, type the code that you obtained from the Support Team.

5. Click .

mailto:[email protected]



MANAGING NETWORK DRIVES

Security Explorer lets you access Windows functionality to help you manage your network drives easily.

Note: The Mapping Network Drive function is available only in the NTFS Security and Share Security modules, or All Management Targets.

Mapping a Network Drive

1. Click . Alternatively, choose Map Network Drives from the Tools menu. The Windows Map Network Drive wizard appears.

2. Map the drive, and then click Finish.

Disconnecting a Network Drive

1. Click . Alternatively, choose Disconnect Network Drives from the Tools menu. The Windows Disconnect Network Drive window appears.

2. Select the drive to disconnect, and then click OK.



Quick Start In this section you are taken step‐by‐step through managing permissions, services, and tasks.

Important: This tutorial assumes that you completed the installation process.

EXAMINING THE MAIN WINDOW 1. If you haven’t already done so, start Security Explorer.

The main window is organized into three panes where you can select and view information.

The Navigation pane contains the tree for the selected module. You can browse the tree and select an object to display in the Objects pane.

The Objects pane displays the folders, files, and objects for the selected item in the Navigation pane. You also can type a path in the Path box to view the contents of a folder, or the services and tasks on a computer.



The Permissions pane displays the permissions for the selected object. The Task Management module does not have a Permissions pane.

Other components of the main window are optional and can be hidden from view. The Menu Bar and Tool Bar provide options and icons to perform functions in Security Explorer and to adjust to the selected explorer module. The Loading Progress Bar displays the progress of loading permissions and allows you to stop the load if necessary. The Status Bar displays messages and the count of the selected objects and permissions.

Selecting Explorer Modules

Security Explorer is organized around explorer modules: NTFS Security, Share Security, Registry Security, Printer Security, Service Security, Task Management, Group and User Management, SharePoint Security, SQL Server Security, and Exchange Security. Each explorer is represented by a button in the Navigation pane.

By default, All Management Targets is selected. To change to a different explorer module, click the corresponding button in the Navigation pane.

1. Open the Share Security module. Notice the change in titles for the Navigation and Objects pane. The menus, Tool Bar icons, Control Buttons, and shortcut menus change for each module.

For this exercise, you will be working in the NTFS module.

2. Open the NTFS Security module.



Selecting Actions

The main window offers many choices for ease of use. Depending on your preference, select options from the menus, click icons on the Tool Bar, click Control Buttons, use keyboard shortcuts, or right‐click to access shortcut menus.

1. Pass the cursor over the Tool Bar icons to view the ToolTips.

2. Examine the menus.

3. Right‐click an item in the Navigation pane to view a shortcut menu.

Now that you’ve looked around the main window, you will use the NTFS Security module to grant, copy, modify, search for, and revoke permissions.



MANAGING PERMISSIONS

So that you can explore Security Explorer without affecting your system, you will create test folders and files. Next, you will grant permissions to that folder, copy a permission to another folder, modify that permission, search for a user’s permission, and then revoke a permission.

Creating Test Folders and Files

1. From the Help menu, choose Create Test Folders and Files. The Create Test Folders and Files box appears.

2. In the Starting Folder box, type a path to where you want to place the test folder, or click

to designate a location.

3. Click Create Evaluation Folders and Files. A message box appears asking if you want to apply a standard set of permissions to the folders and files.

4. Click Yes to apply the permissions.



5. To make it easier to see the directory tree in the Navigation pane, click and drag the split bar down to minimize the module buttons.



6. In the Navigation pane, locate and click the securityexplorer.try folder. The Objects pane displays the contents and the Permissions pane displays the permissions assigned to the currently selected item.

Because Securityexplorer.try is the parent folder, the permissions are in full color. The Show Permissions check box is selected so the permissions display. If you are browsing around the network, you might want to uncheck this box to speed up loading objects.

Note: If you see in the tree in the Navigation pane, the item was loaded from the cache, which is also indicated by CACHE in the status bar.



7. In the Navigation pane, click to expand the securityexplorer.try folder, and then expand the dir01.try folder. Notice that the contents of the Objects and Permissions panes do not change focus until you select an object.



8. In the Objects pane, click the dir01.try folder. Notice the Allow inheritable permissions from parent to propagate to this object check box is now selected. The BUILTIN\Administrators group and Everyone user permissions are inherited from the parent folder as indicated by the gray color and the (I) in the Type column.

Next, you will grant a permission to this folder.



Granting Permissions

You need to grant permission to the dir01.try folder to a new user. For this folder, the user will have full control.

1. On the Tool Bar, click . The Grant Folder Permissions dialog box displays the path, and the associated groups and users for the current object.

2. Click Advanced User Selection. The Select Users, Computers, or Groups box displays.

3. Select a user, perhaps yourself. You can add other users and groups, but only one name is needed for this exercise.

4. Click OK. The user displays in the Group/User box. The default permission is Full Control, which is acceptable for this exercise.



5. Click Add to add the user to the List of users and groups to grant list. At this stage, you could continue to add more groups and users to the list.

6. To grant the permission to the folder, click OK. When the grant process completes, the

Grant Completed box indicates how many objects were changed, the length of time for the process to complete, and any errors that occurred.



7. Click Close. The user is added to the list of permissions. Since the user does not have permissions to the parent folder, securityexplorer.try, the icon is full color.

8. In the Navigation pane, click the subdir01.try subfolder. Notice the user permission is

now inherited.

You also want to grant this user permission to the dir02.try folder. Instead of repeating the Grant process, you will copy the permission.



Copying Permissions

You decide now that you want this user to have the same permissions in the dir02.try folder. To save time, you can copy and paste permissions.

1. In the Permissions pane, right‐click the user, and then choose Copy Permission.

2. In the Navigation pane, select dir02.try, right‐click in the Permissions pane, and then

choose Paste Permission.



The Grant Folder Permissions dialog box opens showing the pasted permission in the List of users and groups to grant list.

3. Click OK. When the grant process completes, the Grant Completed box indicates how

many objects were changed, the length of time for the process to complete, and any errors that occurred.

9. Click Close. The pasted permission displays in the Permissions pane. Again, since the user does not have permission granted to the parent folder, securityexplorer.try, the permission is not inherited.

You decide that the user shouldn’t have Full Control to this folder, so you will modify this permission.



Modifying Permissions

You have decided that the user should have only Read permission to the dir02.try folder.

1. In the Permissions pane, select the user, and then click . The Modify Permission dialog box displays the current permission settings.

2. From the Permissions lists, select the Deny box for Full control (All), and then click the

Allow box for Read. The associated permissions are checked as well.



3. Click OK.

4. When the Modify process is complete, click Close. The Permissions pane reflects the changes made to the user’s permissions. The Deny permission type is considered a Special permission.

If you want to see what the abbreviations represent, double‐click the permission to open the Modify box. If the permission is inherited, the box will be Read‐Only as you cannot modify an inherited permission.



Propagating Permissions

You want to propagate the permission for the user down the files in the dir02.try folder.

1. In the Objects pane, click file01.try. Notice that the user does not have permission to the file01.try file even though you gave them permission to the folder that contains the file.

2. Select the Allow inheritable permissions from parent to propagate to this object check

box. A message box appears to show you the permissions that will be inherited.

3. Click Yes.



4. Click Close. The inherited permissions are added to the list.

You could repeat the process for each file in the folder, or select all the files and propagate to them all at the same time. Before you do that, you should check the files’ permissions to make sure existing permissions are not affected.

Searching for Permissions

Now that you’ve granted permissions, you want to search the network to see all the permissions for this user.

1. In the Navigation pane, select securityexplorer.try, and then click . The Search tab opens showing securityexplorer.try in the Search Scope area. The Search Scope is the path that will be searched.



2. Click Advanced User Selection. The Select Users, Computers, or Groups box appears. In the top box, select the user you granted permission to in the previous sections, and then click Add to add the user to the bottom box.

3. Click OK. The user displays in the Group/User box.

You can choose to include other groups and users in the search as indicated by the check boxes. For this exercise, you will just search for the one permission.



4. Open the Permission Search Criteria tab. By default, the Discretionary Access Control List (DACL) is searched for any allow or deny permissions. Inherited and explicit permissions are included.

5. If necessary, click to scroll right. Open the Folder and File Search Criteria tab. Here you can decide whether to search for folder and/or file permissions, how far down the tree to apply the search, and to use a wildcard. The settings are fine, so you can proceed with the search.



6. Click Start Search. The results and any errors that occur display in the Search Results area. The status bar displays the number of objects searched and permissions/services/tasks found.

Within the Search Results area when searching for permissions, you can use the buttons along the bottom, the toolbar icons, or the menus to grant, revoke, clone, modify, delete, or print the permissions.

7. Click in the Title Bar to close the Search window.



Revoking Permissions

You need to remove the Everyone permission from the dir05.try folder.

1. In the Navigation pane, select dir05.try, and then click .

The Revoke Folder Permissions dialog box displays the path to dir05.try, and the associated groups and users.



2. Select the Everyone group. The user displays in the Group/User box.

3. To add the user to the List of users and groups to revoke list, click Add.

4. Click OK. When the revoke process completes, the Revoke Completed box indicates

how many objects were changed, the length of time for the process to complete, and any errors that occurred.



5. Click Close. The Everyone group permission is removed from the dir05.try folder.



BACKING UP SECURITY

Before modifying any security permissions, make a backup in case you need to restore the permissions to their original state. You also can back up permissions on files for which you donʹt have access. As long as you are an administrator, or have the Backup files and directories user right, you can back up and restore permissions on all files, which is helpful when backing up and restoring a userʹs home directories.

1. From the Navigation pane, select the securityexplorer.try folder, and then click .

2. In the Backup File Name box, click to locate a path and name the backup file.

3. Click Backup Security. At the end of the backup process, the Backup Completed box

displays the errors, objects changed, and elapsed time.



MANAGING SERVICES

In addition to managing permissions on services, you can pause, stop, start, or restart a service using the Service Security module.

1. Open the Service Security module. Notice the icons in the Tool Bar that allow you to manage services.

2. In the Navigation pane, select your local computer. In the Objects pane, select a service. The permissions for the service display in the Permissions pane.

If you want to change the startup type of a service, you can do it directly from Security Explorer.



3. Click to open the Properties for the service. Take a few moments to examine the tabs.

4. Click Cancel.

Next, we’ll take a look at the Task Management module.



MANAGING TASKS

Using the Task Management module, you can run a task, create a new task, schedule a task, copy a task, or remove a task.

1. Open the Task Management module.

2. In the Navigation pane, select your local computer. The tasks for the computer display in the Objects pane.



3. Select a task in the Objects pane, and then click . The Properties window for the selected object appears. Take a few moments to examine the tabs. Here is where you can schedule a task

4. Click Cancel.

SUMMARY

In this Quick Start you managed permissions, services, and tasks. To learn more about Security Explorer, please consult online help or the User Guide.



Troubleshooting In its Knowledge Base, ScriptLogic Corporation has a library of articles that may provide an answer to a problem you are experiencing. Before calling technical support, check to see if your problem is documented here. You might also browse the Discussion Forums to see if anyone else is experiencing the same issue.


USING LOG FILES

By default, there is one log file written to the Security Explorer installation directory. To get more log information run Security Explorer.exe with /d key to write two log files to the installation directory. C:\Program Files\ScriptLogic Corporation\Security Explorer 7 \SecurityExplorer.exe /d

For the Exchange Security module, the ExchangeAccess log files contain Exchange module log data.




Index .

.log, 51

.NET Framework 3.5, 14

A adding

search scope, 39 authorization code, 21

B backing up

security, 46 buttons

modules, 24

C cache

disable/enable, 28 copying

permissions, 34

D disabling

cache, 28 disconnecting

network drives, 22

E enabling

cache, 28

G granting

permissions, 31

L license, 18 licenses

viewing, 20 loading progress bar, 24 log files, 51

M main window, 23 managing

tasks, 49 managing services, 47 mapping

network drives, 22 menu bar, 24 modifying

permissions, 36 modules

buttons, 24 icons, 24

N Navigation pane, 23 network drives

disconnecting, 22 mapping, 22

O Objects pane, 23 opening

Security Explorer, 23

P panes

Navigation, 23 Objects, 23 Permissions, 24

pasting permissions, 34

permissions backing up, 46 copying, 34 granting, 31 modifying, 36 pasting, 34 revoking, 43

Permissions pane, 24 privledges

user, 12

R removing servers, 21



revoking permissions, 43

S search scope

adding, 39 searching

adding a scope, 39 security

backing up, 46 Security Explorer

starting, 23 servers

licenses, 20 removing, 21

service

managing, 47 shorcut menus, 25 starting

Security Explorer, 23 status bar, 24

T tasks

managing, 49 tool bar, 24

V viewing

licenses, 20

Documents

VERSION 7 Getting Started Guide - GlobalSoft