Thursday, February 10, 2011

File System Rights -- Part 2

In this code example, I expand upon the NTFS rights exercise in my blog post, "File System Rights -- Part 1". We use the same bitwise AND operation to determine rights. This version, however, reports the same information found on the Advanced tab of the Security dialog for an "allow" entry. I will demonstrate in later posts how to determine whether a "deny" is selected. This script produces a much more readable report for the non-technical user than the output recorded in Part 1.

Now that you have this information regarding NTFS permissions for a file system object, you can do some interesting things. You can monitor for changes, alter permissions based on logic derived from the results returned, clone permissions between objects, or consolidate permissions into defined access groups to reduce access bloat and speed up access checks -- I find this bloat on non-Windows-based NAS devices all the time. I will provide examples of all of these topics in future blog posts.
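Function Get-AdvancedPermissions($fileSystemRights) {
 <#
 .SYNOPSIS
  Expands an ACE access mask into the permission names shown on the Advanced
  tab of the Windows Security dialog.
 .PARAMETER fileSystemRights
  The access mask of a single access rule, e.g. the FileSystemRights property of
  a FileSystemAccessRule. Any value castable to [int64] is accepted (the
  FileSystemRights enum or a plain integer).
 .OUTPUTS
  The matching permission names as strings, composite rights first
  ("Full Control", "Modify", ...) followed by the individual rights, each name
  at most once. Nothing is returned for a mask of 0.
 .NOTES
  The function only sees the mask; whether the rule is Allow or Deny must be
  read from the rule itself by the caller.
 #>
 # Work on a plain integer so the bit tests below do not depend on enum conversion rules.
 [int64]$rights = [int64]$fileSystemRights

 # GENERIC_ALL (0x10000000) stands for every specific file right. Expanding it here
 # lets the table below handle it like any other mask, without emitting duplicate names.
 if ($rights -band 0x10000000) {
  $rights = $rights -bor 0x1F01FF
 }

 # Display order matches the Advanced tab: composite rights first, then individual bits.
 # Composite masks are the FileSystemRights enum values; Synchronize (0x100000) is part
 # of FullControl but not of Modify.
 # "Read & Execute" and "List Folder Contents" share one mask; the Security dialog tells
 # them apart by the rule's inheritance flags, which this function does not receive, so
 # both names are reported when the mask matches.
 $table = @(
  @{ Name = "Full Control";                   Mask = 0x1F01FF },
  @{ Name = "Modify";                         Mask = 0x301BF },
  @{ Name = "Read & Execute";                 Mask = 0x200A9 },
  @{ Name = "List Folder Contents";           Mask = 0x200A9 },
  @{ Name = "Read";                           Mask = 0x20089 },
  @{ Name = "Write";                          Mask = 0x116 },
  @{ Name = "Traverse Folder / Execute File"; Mask = 0x20 },
  @{ Name = "List Folder / Read Data";        Mask = 0x1 },
  @{ Name = "Read Attributes";                Mask = 0x80 },
  @{ Name = "Read Extended Attributes";       Mask = 0x8 },
  @{ Name = "Create Files / Write Data";      Mask = 0x2 },
  @{ Name = "Create Folders / Append Data";   Mask = 0x4 },
  @{ Name = "Write Attributes";               Mask = 0x100 },
  @{ Name = "Write Extended Attributes";      Mask = 0x10 },
  @{ Name = "Delete Subfolders and Files";    Mask = 0x40 },
  @{ Name = "Delete";                         Mask = 0x10000 },
  @{ Name = "Read Permissions";               Mask = 0x20000 },
  @{ Name = "Change Permissions";             Mask = 0x40000 },
  @{ Name = "Take Ownership";                 Mask = 0x80000 }
 )

 $permissions = @()
 foreach ($entry in $table) {
  # A right is present only when EVERY bit of its mask is set. Testing `-band`
  # alone for truth would report "Read" (0x20089) for a rule that grants nothing
  # but Read Attributes (0x80), over-stating the access in the report.
  if (($rights -band $entry.Mask) -eq $entry.Mask) {
   $permissions += $entry.Name
  }
 }

 return $permissions
}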

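# Target to report on. Swap in the file path below to report on a single file.
$uncPath = "\\server.ad.mycompany.local\share\directory"
#$uncPath = "\\server.ad.mycompany.local\share\directory\file.txt"
if(Test-Path -path $uncPath) {
 Write-Host $uncPath -foregroundColor Yellow
 $acl = Get-Acl -path $uncPath
 # $true, $true: include both explicit and inherited rules; NTAccount resolves SIDs to DOMAIN\name.
 $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
 foreach($ace in $aces) {
  $identityReference = $ace.IdentityReference.Value
  # A Deny rule carries the same right names as an Allow rule but removes access, so
  # the report must label the rule type or it over-states what the identity can do.
  $aceType = $ace.AccessControlType
  $color = if ($aceType -eq 'Deny') { 'Red' } else { 'Green' }
  Write-Host "$identityReference ($aceType)" -foregroundColor $color
  $permissions = Get-AdvancedPermissions $ace.FileSystemRights
  foreach($permission in $permissions) {
   Write-Host "`t$permission"
  }
  Write-Host ("-" * 70)
 }
} else {
 # Silently printing nothing would look like "no permissions"; say why the report is empty.
 Write-Warning "Path not found or not accessible: $uncPath"
}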
