Wednesday, January 19, 2011

File System Rights -- Part 1

A common request I receive is "Who has rights to this?". To answer it, we need to know the access rights and access masks for the securable object. The access mask is a 32-bit value from which we can determine the access rights. To obtain this information in PowerShell, we use the Get-Acl cmdlet to retrieve the security information of the file system object. In the code below, we use Get-Acl, query the access rules, and perform bitwise AND operations to obtain the masks for each identity. This is a good first step toward answering "Who has rights to this?", but the output might not be easily digestible for the typical user. In a future post, I will supply a function that returns exactly what appears in the advanced permissions tab of a file or folder -- a little more English than tech-speak.
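Function Get-Permissions($fileSystemRights) {
    <#
    .SYNOPSIS
        Expands a file system access mask into the names of the rights it contains.
    .DESCRIPTION
        Takes the 32-bit access mask of an ACE (for example $ace.FileSystemRights
        as returned through Get-Acl) and returns the winnt.h-style names whose
        bits are all present in the mask.

        Composite masks (FILE_ALL_ACCESS, STANDARD_RIGHTS_ALL, FILE_GENERIC_READ,
        ...) are reported only when EVERY bit of the composite is set. Testing
        them with a plain "-band" would report a read-only entry as
        FILE_ALL_ACCESS, which is exactly the wrong answer to "who has rights
        to this?".
    .PARAMETER fileSystemRights
        The access mask: an integer or a
        [System.Security.AccessControl.FileSystemRights] value. $null is treated
        as 0 (no rights).
    .OUTPUTS
        [string[]] Right names, in the fixed order of the table below. Names that
        share one bit value (DELETE/FILE_DELETE, FILE_EXECUTE/FILE_TRAVERSE, the
        three STANDARD_RIGHTS_* that equal READ_CONTROL, ...) are all reported.
        A mask with no recognised bits returns nothing.
    #>

    # Mask -> name table. The order of the entries is the output order.
    $rightsTable = @(
        # Generic rights (top nibble). Windows maps these onto the specific
        # rights below when the ACE is applied.
        @{ Mask = 0x80000000; Name = 'GENERIC_READ' },
        @{ Mask = 0x40000000; Name = 'GENERIC_WRITE' },
        @{ Mask = 0x20000000; Name = 'GENERIC_EXECUTE' },
        @{ Mask = 0x10000000; Name = 'GENERIC_ALL' },
        @{ Mask = 0x8000000;  Name = 'RESERVED_1' },
        @{ Mask = 0x4000000;  Name = 'RESERVED_2' },
        @{ Mask = 0x2000000;  Name = 'MAXIMUM_ALLOWED' },
        @{ Mask = 0x1000000;  Name = 'ACCESS_SYSTEM_SECURITY' },
        # Bits 21-23 carry no defined meaning for file objects.
        @{ Mask = 0x800000;   Name = 'UNKNOWN' },
        @{ Mask = 0x400000;   Name = 'UNKNOWN' },
        @{ Mask = 0x200000;   Name = 'UNKNOWN' },

        # Composite masks. Essentially Full Control:
        @{ Mask = 0x1F01FF;   Name = 'FILE_ALL_ACCESS' },
        # DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER and SYNCHRONIZE:
        @{ Mask = 0x1F0000;   Name = 'STANDARD_RIGHTS_ALL' },
        # DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER:
        @{ Mask = 0xF0000;    Name = 'STANDARD_RIGHTS_REQUIRED' },
        @{ Mask = 0x120089;   Name = 'FILE_GENERIC_READ' },
        @{ Mask = 0x12010E;   Name = 'FILE_GENERIC_WRITE' },
        @{ Mask = 0x1200A0;   Name = 'FILE_GENERIC_EXECUTE' },
        # STANDARD_RIGHTS_READ/WRITE/EXECUTE are all currently defined as
        # READ_CONTROL, so all three appear whenever that bit is set.
        @{ Mask = 0x20000;    Name = 'STANDARD_RIGHTS_READ' },
        @{ Mask = 0x20000;    Name = 'STANDARD_RIGHTS_WRITE' },
        @{ Mask = 0x20000;    Name = 'STANDARD_RIGHTS_EXECUTE' },
        @{ Mask = 0xFFFF;     Name = 'SPECIFIC_RIGHTS_ALL' },

        # Standard rights (bits 16-20).
        # SYNCHRONIZE is not displayed in the Windows permissions UI; it travels
        # with read and write access.
        @{ Mask = 0x100000;   Name = 'SYNCHRONIZE' },
        @{ Mask = 0x80000;    Name = 'WRITE_OWNER' },            # Take Ownership
        @{ Mask = 0x40000;    Name = 'WRITE_DAC' },              # Change Permissions
        @{ Mask = 0x20000;    Name = 'READ_CONTROL' },           # Read Permissions
        @{ Mask = 0x10000;    Name = 'DELETE' },                 # Delete
        @{ Mask = 0x10000;    Name = 'FILE_DELETE' },

        # File/directory specific rights (bits 0-8). The trailing comment is
        # the name shown in the Windows advanced permissions UI.
        @{ Mask = 0x100;      Name = 'FILE_WRITE_ATTRIBUTES' },  # Write Attributes
        @{ Mask = 0x80;       Name = 'FILE_READ_ATTRIBUTES' },   # Read Attributes
        @{ Mask = 0x40;       Name = 'FILE_DELETE_CHILD' },      # Delete Subfolders and Files
        @{ Mask = 0x20;       Name = 'FILE_EXECUTE' },           # Traverse Folder / Execute File
        @{ Mask = 0x20;       Name = 'FILE_TRAVERSE' },
        @{ Mask = 0x10;       Name = 'FILE_WRITE_EA' },          # Write Extended Attributes
        @{ Mask = 0x8;        Name = 'FILE_READ_EA' },           # Read Extended Attributes
        @{ Mask = 0x4;        Name = 'FILE_APPEND_DATA' },       # Create Folders / Append Data
        @{ Mask = 0x4;        Name = 'FILE_ADD_SUBDIRECTORY' },
        @{ Mask = 0x2;        Name = 'FILE_WRITE_DATA' },        # Create Files / Write Data
        @{ Mask = 0x2;        Name = 'FILE_ADD_FILE' },
        @{ Mask = 0x1;        Name = 'FILE_READ_DATA' },         # List Folder / Read Data
        @{ Mask = 0x1;        Name = 'FILE_LIST_DIRECTORY' }
    )

    # Work on a plain integer so an enum value and a raw mask behave the same;
    # [int]$null is 0, i.e. "no rights".
    $rights = [int]$fileSystemRights

    $permissions = @()
    foreach ($entry in $rightsTable) {
        # Every bit of the entry's mask must be present, not merely any bit.
        if (($rights -band $entry.Mask) -eq $entry.Mask) {
            $permissions += $entry.Name
        }
    }

    return $permissions
}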

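$uncPath = "\\server.ad.mycompany.local\share\directory"
#$uncPath = "\\server.ad.mycompany.local\share\directory\file.txt"

# -LiteralPath: a share or file name containing '[' or ']' would otherwise be
# treated as a wildcard and silently match nothing.
if (Test-Path -LiteralPath $uncPath) {
    Write-Host $uncPath -ForegroundColor Yellow

    # Get-Acl writes a non-terminating error (and returns nothing) when the
    # caller may not read the security descriptor; -ErrorAction Stop turns that
    # into an exception instead of a later method call on $null.
    # (Get-Acl -Path also expands wildcards; use -LiteralPath on PowerShell 3.0+.)
    $acl = $null
    try {
        $acl = Get-Acl -Path $uncPath -ErrorAction Stop
    } catch {
        Write-Host "Unable to read the ACL of ${uncPath}: $_" -ForegroundColor Red
    }

    if ($acl) {
        # Explicit and inherited entries, identities resolved to NTAccount names.
        $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($ace in $aces) {
            $identityReference = $ace.IdentityReference.Value
            # Print the ACE type: a Deny entry carries the same mask as an Allow
            # entry, and without this label it reads as rights that are granted.
            $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            Write-Host "$identityReference  [$($ace.AccessControlType), $source]" -ForegroundColor Green
            $permissions = Get-Permissions $ace.FileSystemRights
            foreach ($permission in $permissions) {
                Write-Host "`t$permission"
            }
            Write-Host ("-" * 70)
        }
    }
} else {
    # Say so rather than end silently: "not found" and "not reachable" both land here.
    Write-Host "Path not found or not accessible: $uncPath" -ForegroundColor Red
}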
