Wednesday, January 19, 2011

File System Rights -- Part 1

A common request I receive is "Who has rights to this?". To answer it, we need to know the access rights and access masks of the securable object. The access mask is a 32-bit value from which the access rights can be determined. To obtain this information in PowerShell, we use the Get-Acl cmdlet to retrieve the security descriptor of the file system object. In the code below, we use Get-Acl, query the access rules, and perform bitwise AND operations to obtain the masks for each identity. This is a good first step toward answering "Who has rights to this?", but the output may not be easily digestible for the typical user. In a future post, I will supply a function that returns exactly what appears in the advanced permissions tab of a file or folder -- a little more English than techish.

Function Get-Permissions($fileSystemRights)
{
    $permissions = @()

    # FileSystemRights is an int-backed enum; work on the raw 32-bit mask so that
    # the generic bits (bit 31 downwards) compare correctly with -band.
    $rights = [int]$fileSystemRights

    # Read access
    if($rights -band 0x80000000) { $permissions += "GENERIC_READ" }
    # Write access
    if($rights -band 0x40000000) { $permissions += "GENERIC_WRITE" }
    # Execute access
    if($rights -band 0x20000000) { $permissions += "GENERIC_EXECUTE" }
    # Read, write, and execute access
    if($rights -band 0x10000000) { $permissions += "GENERIC_ALL" }
    if($rights -band 0x8000000)  { $permissions += "RESERVED_1" }
    if($rights -band 0x4000000)  { $permissions += "RESERVED_2" }
    if($rights -band 0x2000000)  { $permissions += "MAXIMUM_ALLOWED" }
    if($rights -band 0x1000000)  { $permissions += "ACCESS_SYSTEM_SECURITY" }
    if($rights -band 0x800000)   { $permissions += "UNKNOWN" }
    if($rights -band 0x400000)   { $permissions += "UNKNOWN" }
    if($rights -band 0x200000)   { $permissions += "UNKNOWN" }

    # The masks below combine several bits. A plain -band is true as soon as ANY
    # of those bits is set, so compare the masked value with the mask itself to
    # report the combined right only when EVERY bit is present.

    # Essentially Full Control
    if(($rights -band 0x1F01FF) -eq 0x1F01FF) { $permissions += "FILE_ALL_ACCESS" }
    # Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
    if(($rights -band 0x1F0000) -eq 0x1F0000) { $permissions += "STANDARD_RIGHTS_ALL" }
    # Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
    if(($rights -band 0xF0000) -eq 0xF0000)   { $permissions += "STANDARD_RIGHTS_REQUIRED" }
    # Read
    if(($rights -band 0x120089) -eq 0x120089) { $permissions += "FILE_GENERIC_READ" }
    if(($rights -band 0x12010E) -eq 0x12010E) { $permissions += "FILE_GENERIC_WRITE" }
    if(($rights -band 0x1200A0) -eq 0x1200A0) { $permissions += "FILE_GENERIC_EXECUTE" }

    # Currently defined to equal READ_CONTROL.
    if($rights -band 0x20000) { $permissions += "STANDARD_RIGHTS_READ" }
    # Currently defined to equal READ_CONTROL.
    if($rights -band 0x20000) { $permissions += "STANDARD_RIGHTS_WRITE" }
    # Currently defined to equal READ_CONTROL.
    if($rights -band 0x20000) { $permissions += "STANDARD_RIGHTS_EXECUTE" }

    if(($rights -band 0xFFFF) -eq 0xFFFF) { $permissions += "SPECIFIC_RIGHTS_ALL" }

    # permission to synchronize
    # bit indicating permission to perform synchronize operation, used sometimes during file access
    # this permission is automatically granted with read and write access and revoked when read or write access is denied.
    # it is not displayed in the list of permissions in Windows UI
    if($rights -band 0x100000) { $permissions += "SYNCHRONIZE" }
    # permission to assign owner
    # corresponds to Take Ownership permissions in Windows UI
    if($rights -band 0x80000) { $permissions += "WRITE_OWNER" }
    # permission to change discretionary ACL
    # corresponds to Change Permissions permissions in Windows UI
    if($rights -band 0x40000) { $permissions += "WRITE_DAC" }
    # permission to read security descriptor
    # corresponds to Read Permissions permissions in Windows UI
    if($rights -band 0x20000) { $permissions += "READ_CONTROL" }
    # permission to delete file or folder
    # corresponds to Delete permissions in Windows UI
    if($rights -band 0x10000) { $permissions += "DELETE" }
    if($rights -band 0x10000) { $permissions += "FILE_DELETE" }
    # permission to change file or folder attributes
    # corresponds to Write Attributes permissions in Windows UI
    if($rights -band 0x100) { $permissions += "FILE_WRITE_ATTRIBUTES" }
    # permission to read file or folder attributes
    # corresponds to Read Attributes permissions in Windows UI
    if($rights -band 0x80) { $permissions += "FILE_READ_ATTRIBUTES" }
    # permission to delete directory and all files it contains
    # corresponds to Delete Subfolders and Files permissions in Windows UI
    if($rights -band 0x40) { $permissions += "FILE_DELETE_CHILD" }
    # permission to execute file or traverse directory
    # corresponds to Traverse Folder / Execute File permissions in Windows UI
    if($rights -band 0x20) { $permissions += "FILE_EXECUTE" }
    if($rights -band 0x20) { $permissions += "FILE_TRAVERSE" }
    # permission to write extended attributes
    # corresponds to Write Extended Attributes permissions in Windows UI
    if($rights -band 0x10) { $permissions += "FILE_WRITE_EA" }
    # permission to read extended attributes
    # corresponds to Read Extended Attributes permissions in Windows UI
    if($rights -band 0x8) { $permissions += "FILE_READ_EA" }
    # permission to append data to file or to create subdirectory
    # corresponds to Create Folders / Append Data permissions in Windows UI
    if($rights -band 0x4) { $permissions += "FILE_APPEND_DATA" }
    if($rights -band 0x4) { $permissions += "FILE_ADD_SUBDIRECTORY" }
    # permission to write data to file or create file in directory
    # corresponds to Create Files / Write Data permissions in Windows UI
    if($rights -band 0x2) { $permissions += "FILE_WRITE_DATA" }
    if($rights -band 0x2) { $permissions += "FILE_ADD_FILE" }
    # permission to read data from file or list contents of directory
    # corresponds to List Folder / Read Data permissions in Windows UI
    if($rights -band 0x1) { $permissions += "FILE_READ_DATA" }
    if($rights -band 0x1) { $permissions += "FILE_LIST_DIRECTORY" }

    return $permissions
}

$uncPath = "\\server.ad.mycompany.local\share\directory"
#$uncPath = "\\server.ad.mycompany.local\share\directory\file.txt"

if(Test-Path -path $uncPath)
{
    Write-Host $uncPath -foregroundColor Yellow
    $acl = Get-Acl -path $uncPath
    # Include explicit and inherited rules, resolved to account names
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach($ace in $aces)
    {
        $identityReference = $ace.IdentityReference.Value
        Write-Host $identityReference -foregroundColor Green
        $permissions = Get-Permissions $ace.FileSystemRights
        foreach($permission in $permissions)
        {
            Write-Host "`t$permission"
        }
        Write-Host ("-" * 70)
    }
}
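As an added example (this is not the post's own code), the script below decodes the same 32-bit access mask but keeps single-bit and composite rights in two lookup tables, compares composite masks with -eq so that a read-only ACE is never reported as FILE_GENERIC_WRITE, and then uses the decoder to answer the more pointed audit question "which broad groups can change this?". The function names ConvertFrom-AccessMask and Find-BroadWriteAccess, the list of "broad" principals and the write-class threshold are this example's own assumptions; the bit values are the standard Win32 ACCESS_MASK layout already used in the post.

```powershell
# Added example, not from the original post. Decodes a FileSystemRights mask and
# flags Allow ACEs that grant write-class rights to broad well-known groups.

# Single-bit rights from the Win32 ACCESS_MASK layout. PowerShell parses
# 0x80000000 as the Int32 -2147483648, which is exactly what -band needs
# against the int-backed FileSystemRights enum.
$script:SingleBits = [ordered]@{
    FILE_READ_DATA         = 0x1
    FILE_WRITE_DATA        = 0x2
    FILE_APPEND_DATA       = 0x4
    FILE_READ_EA           = 0x8
    FILE_WRITE_EA          = 0x10
    FILE_EXECUTE           = 0x20
    FILE_DELETE_CHILD      = 0x40
    FILE_READ_ATTRIBUTES   = 0x80
    FILE_WRITE_ATTRIBUTES  = 0x100
    DELETE                 = 0x10000
    READ_CONTROL           = 0x20000
    WRITE_DAC              = 0x40000
    WRITE_OWNER            = 0x80000
    SYNCHRONIZE            = 0x100000
    ACCESS_SYSTEM_SECURITY = 0x1000000
    MAXIMUM_ALLOWED        = 0x2000000
    GENERIC_ALL            = 0x10000000
    GENERIC_EXECUTE        = 0x20000000
    GENERIC_WRITE          = 0x40000000
    GENERIC_READ           = 0x80000000
}

# Composite rights: a mask "has" one of these only when every bit is present.
$script:CompositeMasks = [ordered]@{
    FILE_GENERIC_READ    = 0x120089
    FILE_GENERIC_WRITE   = 0x12010E
    FILE_GENERIC_EXECUTE = 0x1200A0
    FILE_ALL_ACCESS      = 0x1F01FF
}

function ConvertFrom-AccessMask {
    param([Parameter(Mandatory)][int]$Mask)
    $names = @(foreach ($e in $script:SingleBits.GetEnumerator()) {
        if (($Mask -band $e.Value) -ne 0) { $e.Key }
    })
    foreach ($e in $script:CompositeMasks.GetEnumerator()) {
        # ($Mask -band X) alone is true whenever ANY bit of X is set; comparing
        # the result to X requires ALL of X's bits.
        if (($Mask -band $e.Value) -eq $e.Value) { $names += $e.Key }
    }
    return $names
}

function Find-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that let the holder change content, delete, or alter the ACL/owner
    # (assumed threshold for this example).
    $writeClass = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
    # Constructed list of principals that effectively mean "anyone".
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$ace.FileSystemRights
        if (($broad -contains $ace.IdentityReference.Value) -and (($mask -band $writeClass) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
                Rights    = (ConvertFrom-AccessMask -Mask $mask) -join ', '
            }
        }
    }
}

# Offline check with a constructed mask: 0x1200A9 is the ReadAndExecute mask.
# It contains every bit of FILE_GENERIC_READ (0x120089) and FILE_GENERIC_EXECUTE
# (0x1200A0) but lacks the 0x100 bit of FILE_GENERIC_WRITE, so a correct decoder
# must not report FILE_GENERIC_WRITE here even though the masks overlap.
$decoded = ConvertFrom-AccessMask -Mask 0x1200A9
"0x1200A9 -> $($decoded -join ', ')"
if ($decoded -contains 'FILE_GENERIC_WRITE') { throw 'composite check is wrong' }

# Live use (point at a real path):
# Find-BroadWriteAccess -Path 'C:\inetpub\wwwroot' | Format-Table -AutoSize
```

Find-BroadWriteAccess emits one object per matching ACE, so it pipes naturally into Export-Csv for a periodic share review; combine it with Get-ChildItem -Directory -Recurse to walk a tree, and treat hits where Inherited is $false with more suspicion, since those are permissions someone set explicitly on that object.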
Labels:
Bitwise Operations,
File System,
PowerShell