Showing posts with label Bitwise Operations. Show all posts

Thursday, February 10, 2011

File System Rights -- Part 2

In this code example, I expand upon the NTFS rights exercise in my blog post "File System Rights -- Part 1". We use the same bitwise AND operation to determine rights. This version, however, reports the same information found in the Advanced tab of the Security dialog for an "allow" entry. I will demonstrate in later posts how to determine whether a "deny" is selected. This script returns a much better report to hand to a non-technical user than the information recorded in Part 1.

Now that you have this information about the NTFS permissions of a file system object, you can do some interesting things: monitor for changes; alter permissions based on logic derived from the returned results; clone permissions between objects; consolidate permissions into defined access groups to reduce access bloat and speed up access (I find this on non-Windows NAS devices all the time). I will provide examples of all of these topics in future blog posts.
# A composite right is present only when EVERY bit of its mask is set.
# A bare "-band $mask" test is true as soon as any single bit overlaps,
# so composites are checked with an equality test instead.
Function Test-AllBits($rights, $mask) { return (($rights -band $mask) -eq $mask) }

Function Get-AdvancedPermissions($fileSystemRights) {
 $permissions = @()

 # Full Control = FILE_ALL_ACCESS (0x1F01FF)
 if (Test-AllBits $fileSystemRights 0x1F01FF) { $permissions += "Full Control" }

 # Modify (0x301BF) together with SYNCHRONIZE (0x100000), which allow entries normally carry
 if (Test-AllBits $fileSystemRights 0x1301BF) { $permissions += "Modify" }

 # Read & Execute (0x200A9)
 if (Test-AllBits $fileSystemRights 0x200A9) { $permissions += "Read & Execute" }

 # List Folder Contents: List Folder, Read Extended Attributes, Traverse and Read Permissions (0x20029)
 if (Test-AllBits $fileSystemRights 0x20029) { $permissions += "List Folder Contents" }

 # Read (0x20089) and Write (0x116)
 if (Test-AllBits $fileSystemRights 0x20089) { $permissions += "Read" }
 if (Test-AllBits $fileSystemRights 0x116) { $permissions += "Write" }

 # Single-bit rights: a plain -band is sufficient here
 if ($fileSystemRights -band 0x20) { $permissions += "Traverse Folder / Execute File" }
 if ($fileSystemRights -band 0x1) { $permissions += "List Folder / Read Data" }
 if ($fileSystemRights -band 0x80) { $permissions += "Read Attributes" }
 if ($fileSystemRights -band 0x8) { $permissions += "Read Extended Attributes" }
 if ($fileSystemRights -band 0x2) { $permissions += "Create Files / Write Data" }
 if ($fileSystemRights -band 0x4) { $permissions += "Create Folders / Append Data" }
 if ($fileSystemRights -band 0x100) { $permissions += "Write Attributes" }
 if ($fileSystemRights -band 0x10) { $permissions += "Write Extended Attributes" }
 if ($fileSystemRights -band 0x40) { $permissions += "Delete Subfolders and Files" }
 if ($fileSystemRights -band 0x10000) { $permissions += "Delete" }
 if ($fileSystemRights -band 0x20000) { $permissions += "Read Permissions" }
 if ($fileSystemRights -band 0x40000) { $permissions += "Change Permissions" }
 if ($fileSystemRights -band 0x80000) { $permissions += "Take Ownership" }

 # GENERIC_ALL (0x10000000) in the high nibble grants everything;
 # the Advanced tab shows every box checked
 if ($fileSystemRights -band 0x10000000) {
  $permissions += @(
   "Full Control", "Modify", "Read & Execute", "List Folder Contents", "Read", "Write",
   "Traverse Folder / Execute File", "List Folder / Read Data", "Read Attributes",
   "Read Extended Attributes", "Create Files / Write Data", "Create Folders / Append Data",
   "Write Attributes", "Write Extended Attributes", "Delete Subfolders and Files",
   "Delete", "Read Permissions", "Change Permissions", "Take Ownership"
  )
 }

 return $permissions
}

$uncPath = "\\server.ad.mycompany.local\share\directory"
#$uncPath = "\\server.ad.mycompany.local\share\directory\file.txt"
if(Test-Path -path $uncPath) {
 Write-Host $uncPath -foregroundColor Yellow
 $acl = Get-Acl -path $uncPath
 $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
 foreach($ace in $aces) {
  $identityReference = $ace.IdentityReference.Value
  Write-Host $identityReference -foregroundColor Green
  $permissions = Get-AdvancedPermissions $ace.FileSystemRights
  foreach($permission in $permissions) {
   Write-Host "`t$permission"
  }
  Write-Host ("-" * 70)
 }
}

Wednesday, January 19, 2011

File System Rights -- Part 1

A common request I receive is "Who has rights to this?". To answer it, we need to know the access rights and access masks of the securable object. The access mask is a 32-bit value from which we can determine the access rights. To obtain this information in PowerShell, we use the Get-Acl cmdlet to read the security descriptor of the file system object. In the code below, we use Get-Acl, query the access rules, and perform bitwise AND operations to obtain the masks for each identity. This is a good first step towards answering "Who has rights to this?", but the output might not be easily digestible for the typical user. In a future post, I will supply a function that returns exactly what appears in the Advanced permissions tab of a file or folder -- a little more English than techish.
# A composite mask is present only when EVERY bit of it is set; a bare
# "-band $mask" test is true as soon as any single bit overlaps.
Function Test-AllBits($rights, $mask) { return (($rights -band $mask) -eq $mask) }

Function Get-Permissions($fileSystemRights) {

 $permissions = @()

# Read access
 if($fileSystemRights -band 0x80000000) { $permissions += "GENERIC_READ" }
 
# Write access
 if($fileSystemRights -band 0x40000000) { $permissions += "GENERIC_WRITE" }
 
# Execute access
 if($fileSystemRights -band 0x20000000) { $permissions += "GENERIC_EXECUTE" }
 
# Read, write, and execute access
 if($fileSystemRights -band 0x10000000) { $permissions += "GENERIC_ALL" }

 if($fileSystemRights -band 0x8000000) { $permissions += "RESERVED_1" }
 if($fileSystemRights -band 0x4000000) { $permissions += "RESERVED_2" }
 if($fileSystemRights -band 0x2000000) { $permissions += "MAXIMUM_ALLOWED" }
 if($fileSystemRights -band 0x1000000) { $permissions += "ACCESS_SYSTEM_SECURITY" }
 if($fileSystemRights -band 0x800000) { $permissions += "UNKNOWN" }
 if($fileSystemRights -band 0x400000) { $permissions += "UNKNOWN" }
 if($fileSystemRights -band 0x200000) { $permissions += "UNKNOWN" }
 
# Essentially Full Control
 if(Test-AllBits $fileSystemRights 0x1F01FF) { $permissions += "FILE_ALL_ACCESS" }
 
# Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
 if(Test-AllBits $fileSystemRights 0x1F0000) { $permissions += "STANDARD_RIGHTS_ALL" }

# Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access. 
 if(Test-AllBits $fileSystemRights 0xF0000) { $permissions += "STANDARD_RIGHTS_REQUIRED" }

# Generic file rights as winnt.h maps them onto specific rights (each includes SYNCHRONIZE)
 if(Test-AllBits $fileSystemRights 0x120089) { $permissions += "FILE_GENERIC_READ" }
# FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
#                     | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE = 0x120116
 if(Test-AllBits $fileSystemRights 0x120116) { $permissions += "FILE_GENERIC_WRITE" }
 if(Test-AllBits $fileSystemRights 0x1200A0) { $permissions += "FILE_GENERIC_EXECUTE" }
 
# Currently defined to equal READ_CONTROL.
 if($fileSystemRights -band 0x20000) { $permissions += "STANDARD_RIGHTS_READ" }
 
# Currently defined to equal READ_CONTROL.
 if($fileSystemRights -band 0x20000) { $permissions += "STANDARD_RIGHTS_WRITE" }
 
# Currently defined to equal READ_CONTROL.
 if($fileSystemRights -band 0x20000) { $permissions += "STANDARD_RIGHTS_EXECUTE" }
# 0xFFFF spans the whole object-specific range; a file only uses 0x1FF of it,
# so report it when any object-specific right is present
 if($fileSystemRights -band 0xFFFF) { $permissions += "SPECIFIC_RIGHTS_ALL" }

#  permission to synchronize
#  bit indicating permission to perform synchronize operation, used sometimes during file access
#  this permission is automatically granted with read and write access and revoked when read or write access is denied. 
#  it is not displayed in the list of permissions in Windows UI
 if($fileSystemRights -band 0x100000) { $permissions += "SYNCHRONIZE" }
 
#  permission to assign owner
#  corresponds to Take Ownership permissions in Windows UI
 if($fileSystemRights -band 0x80000) { $permissions += "WRITE_OWNER" }
 
#  permission to change discretionary ACL
#  corresponds to Change Permissions permissions in Windows UI
 if($fileSystemRights -band 0x40000) { $permissions += "WRITE_DAC" }
 
#  permission to read security descriptor
#  corresponds to Read Permissions permissions in Windows UI
 if($fileSystemRights -band 0x20000) { $permissions += "READ_CONTROL" }
 
#  permission to delete file or folder
#  corresponds to Delete permissions in Windows UI
 if($fileSystemRights -band 0x10000) { $permissions += "DELETE" }
 if($fileSystemRights -band 0x10000) { $permissions += "FILE_DELETE" }
 
#  permission to change file or folder attributes
#  corresponds to Write Attributes permissions in Windows UI
 if($fileSystemRights -band 0x100) { $permissions += "FILE_WRITE_ATTRIBUTES" }
 
#  permission to read file or folder attributes
#  corresponds to Read Attributes permissions in Windows UI
 if($fileSystemRights -band 0x80) { $permissions += "FILE_READ_ATTRIBUTES" }
 
#  permission to delete directory and all files it contains
#  corresponds to Delete Subfolders and Files permissions in Windows UI
 if($fileSystemRights -band 0x40) { $permissions += "FILE_DELETE_CHILD" }

#  permission to execute file or traverse directory
#  corresponds to Traverse Folder / Execute File permissions in Windows UI
 if($fileSystemRights -band 0x20) { $permissions += "FILE_EXECUTE" }
 if($fileSystemRights -band 0x20) { $permissions += "FILE_TRAVERSE" }
 
#  permission to write extended attributes
#  corresponds to Write Extended Attributes permissions in Windows UI
 if($fileSystemRights -band 0x10) { $permissions += "FILE_WRITE_EA" }
 
#  permission to read extended attributes
#  corresponds to Read Extended Attributes permissions in Windows UI
 if($fileSystemRights -band 0x8) { $permissions += "FILE_READ_EA" }

#  permission to append data to file or to create subdirectory
#  corresponds to Create Folders / Append Data permissions in Windows UI
 if($fileSystemRights -band 0x4) { $permissions += "FILE_APPEND_DATA" }
 if($fileSystemRights -band 0x4) { $permissions += "FILE_ADD_SUBDIRECTORY" }
 
#  permission to write data to file or create file in directory
#  corresponds to Create Files / Write Data permissions in Windows UI
 if($fileSystemRights -band 0x2) { $permissions += "FILE_WRITE_DATA" }
 if($fileSystemRights -band 0x2) { $permissions += "FILE_ADD_FILE" }
 
#  permission to read data from file or list contents of directory
#  corresponds to List Folder / Read Data permissions in Windows UI
 if($fileSystemRights -band 0x1) { $permissions += "FILE_READ_DATA" }
 if($fileSystemRights -band 0x1) { $permissions += "FILE_LIST_DIRECTORY" }

 return $permissions
}

$uncPath = "\\server.ad.mycompany.local\share\directory"
#$uncPath = "\\server.ad.mycompany.local\share\directory\file.txt"
if(Test-Path -path $uncPath) {
 Write-Host $uncPath -foregroundColor Yellow
 $acl = Get-Acl -path $uncPath 
 $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
 foreach($ace in $aces) {
  $identityReference = $ace.IdentityReference.Value
  Write-Host $identityReference -foregroundColor Green
  $permissions = Get-Permissions $ace.FileSystemRights
  foreach($permission in $permissions) {
   Write-Host "`t$permission"
  }
  Write-Host ("-" * 70)
 }
}
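As an added example that is not part of either post above, the following script decodes constructed FileSystemRights values offline (no Get-Acl, no share) and contrasts the bare -band test with an all-bits test for the composite masks both posts rely on. The composite values are the .NET FileSystemRights enum values; Modify is tested together with Synchronize, as the Part 2 script does.

```powershell
# Added example: decode NTFS access masks without touching the file system and
# show why a composite mask must be tested with "all bits set", not a bare -band.

# Advanced-tab composites (.NET FileSystemRights values; Modify carries Synchronize)
$composite = [ordered]@{
    'Full Control'   = 0x1F01FF
    'Modify'         = 0x1301BF
    'Read & Execute' = 0x200A9
    'Read'           = 0x20089
    'Write'          = 0x116
}

function Test-AllBits([int]$rights, [int]$mask) {
    # True only when every bit of $mask is present in $rights
    return (($rights -band $mask) -eq $mask)
}

function Get-CompositeRights([int]$rights) {
    # GENERIC_ALL (0x10000000) in the high nibble means every right is granted
    if ($rights -band 0x10000000) { return @($composite.Keys) }
    return @($composite.GetEnumerator() |
        Where-Object { Test-AllBits $rights $_.Value } |
        ForEach-Object { $_.Key })
}

# Constructed sample ACE masks, shaped like $ace.FileSystemRights from Get-Acl
$samples = @(
    [int][System.Security.AccessControl.FileSystemRights]'Modify, Synchronize',
    [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize',
    [int][System.Security.AccessControl.FileSystemRights]'ReadAttributes'   # 0x80 only
)

foreach ($rights in $samples) {
    # Show the 32-bit access mask so the generic/standard/specific ranges are visible
    $binary = [Convert]::ToString($rights, 2).PadLeft(32, '0')
    Write-Host ("{0,-10} {1}" -f ('0x{0:X}' -f $rights), $binary)
    Write-Host "  all-bits test: $((Get-CompositeRights $rights) -join ', ')"
    # The bare -band test used in the original scripts fires on ANY overlapping bit,
    # so a lone ReadAttributes (0x80) would be reported as Full Control, Modify, ...
    $anyBit = @($composite.GetEnumerator() |
        Where-Object { $rights -band $_.Value } |
        ForEach-Object { $_.Key })
    Write-Host "  any-bit test : $($anyBit -join ', ')"
}
```

The third sample is the instructive one: it holds a single bit, so the all-bits test reports no composite right while the any-bit test claims four of them.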