Question about PowerShell GET-ACL cmdlet

  • Question

  • I am trying to find out who has what kind of access to shares on my system (and later on to servers in the domain).

    When I do a GET-ACL for a share on my laptop, I get something like the following display:

    PS C:\PowerShell> GET-ACL \\MYCOMPUTER\test-share0 |format-list

    Path   : Microsoft.PowerShell.Core\FileSystem::\\MYCOMPUTER\test-share0
    Owner  : BH\MyUserID
    Group  : BH\Domain Users
    Access : BUILTIN\Administrators Allow  FullControl
             MyDomain\MyUserID Allow  FullControl
             CREATOR OWNER Allow  FullControl
             NT AUTHORITY\SYSTEM Allow  FullControl
             BUILTIN\Users Allow  ReadAndExecute, Synchronize
    Audit  :
    Sddl   : O:S-1-5-21-1234567890-1234567890-1234567890-96197G:DUD:AI(A;OICIID;FA;;;BA)(A;ID;FA;;;S-1-5-21-1234567890-823518204-1234567890-96197)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)

    When I want to get the group information, I get the following:

    PS C:\PowerShell> GET-ACL \\MYCOMPUTER\test-share0 |format-list -property Group

    Group : MyDomain\Domain Users

    But, when I want to find out who has access to the share, I get the following:

    PS C:\PowerShell> GET-ACL \\MYCOMPUTER\test-share0 |format-list -property Access

    Access : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule...}

    Monday, April 6, 2009 6:09 PM

Answers

  • This is what I would do

    This function takes Server as a parameter

    function Get-SharePermission
    {
        Param($Server = $env:ComputerName)

        # Share-level security descriptors (not the NTFS ACL of the folder); needs admin rights on $Server
        $ShareSecurity = Get-WMIObject Win32_LogicalShareSecuritySetting -ComputerName $Server

        foreach($Share in $ShareSecurity)
        {
            $ShareName = $Share.Name
            $Result = $Share.GetSecurityDescriptor()
            if ($Result.ReturnValue -ne 0)
            {
                # Non-zero means the descriptor could not be read (typically access denied); skip rather than crash
                Write-Warning "$ShareName : GetSecurityDescriptor returned $($Result.ReturnValue)"
                continue
            }
            $ACLS = $Result.Descriptor.DACL
            foreach($ACL in $ACLS)
            {
                # Name is empty for SIDs that no longer resolve (deleted accounts); keep the SID instead
                $User = $ACL.Trustee.Name
                if (-not $User) { $User = $ACL.Trustee.SIDString }
                # Reset per ACE, otherwise an unrecognised mask would inherit the previous ACE's label
                $Perm = "Custom (0x{0:X})" -f $ACL.AccessMask
                switch ($ACL.AccessMask)
                {
                    2032127   {$Perm = "Full Control"}   # 0x1F01FF
                    1245631   {$Perm = "Change"}         # 0x1301BF
                    1179817   {$Perm = "Read"}           # 0x1200A9
                }
                # AceType 1 is an access-denied ACE; without this a Deny would be listed like a grant
                if ($ACL.AceType -eq 1) { $Perm = "Deny: $Perm" }
                $myobj = "" |Select-Object ShareName,User,Permission
                $myobj.ShareName = $ShareName
                $myobj.User = $User
                $myobj.Permission = $Perm
                $myobj
            }
        }
    }

    Brandon Shell [MVP]
    • Proposed as answer by BSonPosh Wednesday, April 8, 2009 2:23 PM
    • Marked as answer by AECanapa Thursday, April 9, 2009 11:26 AM
    Wednesday, April 8, 2009 2:23 PM

All replies

  • What you want is this

    GET-ACL \\$env:Computername\c$ | %{$_.Access}

    but beware... IIRC this is only NTFS permission and does not take into account share folder permissions.
    Brandon Shell [MVP]
    Monday, April 6, 2009 6:46 PM
  • Hello Brandon,

    Could you please recommend something to get share folder permissions?

    I tried using WMI and invoking the GetAccessMask method from the Win32_Share WMI class and failed...
    I used the call
    (Get-WmiObject -Class Win32_Share -ComputerName . -Filter "Name='NetworkShareName'").InvokeMethod("GetAccessMask", $null)
    
    
    It returned an integer value. Could you please suggest how do I get the value decrypted so that I could understand the network share ACL?

    Second, if I use the following call

    (Get-WmiObject -List -ComputerName . | Where-Object -FilterScript {$_.Name -eq "Win32_Share"}).InvokeMethod("GetAccessMask",(???))
    
    
    how do I pass the share name to the GetAccessMask method?

    Thank you.
    Wednesday, April 8, 2009 1:45 PM
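The following is an added example, not code from the thread or from Brandon's answer. It covers two things raised above: enumerating share-level DACLs via Win32_LogicalShareSecuritySetting (the approach of the accepted answer), and decoding the raw integer access mask (the question about the value GetAccessMask returns). Assumptions: it runs in Windows PowerShell, where Get-WmiObject exists; the caller is an administrator on $Server and WMI/DCOM is reachable; share-level masks use the same bit layout as NTFS rights, which is why a [FileSystemRights] cast names masks beyond the three usual values. The ReviewFlag column, the SID list and the function names are mine.

```powershell
function ConvertTo-ShareRightName
{
    # Decodes a share access mask. The three values below are what the share GUI calls
    # Full Control / Change / Read; anything else is named through the FileSystemRights enum.
    Param([Parameter(Mandatory=$true)][uint32]$Mask)
    switch ($Mask)
    {
        2032127 { return 'Full Control' }   # 0x1F01FF
        1245631 { return 'Change' }         # 0x1301BF
        1179817 { return 'Read' }           # 0x1200A9
    }
    try   { $Names = [System.Security.AccessControl.FileSystemRights]$Mask }
    catch { $Names = 'unmapped' }           # e.g. generic bits above Int32 range
    return ('Custom: {0} (0x{1:X})' -f $Names, $Mask)
}

function Get-ShareAclReport
{
    Param([string]$Server = $env:ComputerName)

    # SIDs that mean "anyone who can reach the server" (Everyone, Authenticated Users, BUILTIN\Users).
    # Write access for these at share level is worth a look before a migration.
    $BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

    $Settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Server
    foreach ($Setting in $Settings)
    {
        $Result = $Setting.GetSecurityDescriptor()
        if ($Result.ReturnValue -ne 0)
        {
            # Non-zero: descriptor not readable (usually access denied); report and move on
            Write-Warning ('{0}\{1}: GetSecurityDescriptor returned {2}' -f $Server, $Setting.Name, $Result.ReturnValue)
            continue
        }
        foreach ($Ace in $Result.Descriptor.DACL)
        {
            $Trustee = $Ace.Trustee
            # Unresolvable SIDs (deleted accounts, foreign domains) have an empty Name; keep the SID string
            if ($Trustee.Name)
            {
                $Who = if ($Trustee.Domain) { '{0}\{1}' -f $Trustee.Domain, $Trustee.Name } else { $Trustee.Name }
            }
            else
            {
                $Who = $Trustee.SIDString
            }
            $Type     = if ($Ace.AceType -eq 1) { 'Deny' } else { 'Allow' }   # ACCESS_DENIED_ACE_TYPE = 1
            $CanWrite = ($Ace.AccessMask -band 2) -ne 0                       # FILE_WRITE_DATA bit

            New-Object PSObject -Property @{
                Server     = $Server
                Share      = $Setting.Name
                Trustee    = $Who
                Type       = $Type
                Permission = ConvertTo-ShareRightName -Mask $Ace.AccessMask
                # Allow + write bit + broad principal: the combination to review first
                ReviewFlag = ($Type -eq 'Allow' -and $CanWrite -and ($BroadSids -contains $Trustee.SIDString))
            }
        }
    }
}

# Usage (server name is a placeholder):
#   Get-ShareAclReport -Server FILESRV01 | Format-Table Share,Trustee,Type,Permission,ReviewFlag -AutoSize
# Decoding the integer from the InvokeMethod call quoted in the thread (share name from the question):
#   ConvertTo-ShareRightName -Mask ((Get-WmiObject -Class Win32_Share -Filter "Name='test-share0'").InvokeMethod('GetAccessMask', $null))
```

GetAccessMask is an instance method, so it is invoked on the Win32_Share object returned by -Filter for that share, as in the first call quoted above; the class-level object from -List has no share to act on. On PowerShell 7 the WMI cmdlets are gone and Get-CimInstance / Invoke-CimMethod would replace them.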
  • Thank you, Brandon.

    But what about doing that for network share permissions? Could you please advise on that? Could you please recommend something? Still can't get the right direction working with the Win32_Share class.
    Friday, April 10, 2009 11:10 AM
  • For a network share you just need to target the device hosting the share.


    Brandon Shell [MVP]
    Friday, April 10, 2009 5:17 PM
  • Brandon,

    I know this post has been here a while, but I am trying to get your script to run and just don't know how.

    I want to run this against a server on the network and output both the share and ACL information before a migration. Is there a way to set this up as a ps1 file and run it against another computer?

    forgive me if this is a basic question. Very new to ps scripting.

    Thank you in advance.
    Wednesday, September 16, 2009 5:57 PM
  • 1) Copy into a .ps1 file
    2) . source the file (. filepath\filename.ps1)
    3) Then just call the function
    Get-SharePermission <machineName>
    Brandon Shell [MVP]
    Wednesday, September 16, 2009 6:47 PM
  • How would this script look like if you wanted only NTFS permission of the network shares?

    Tuesday, March 23, 2010 12:37 PM
  • Sorry for bringing to life an answered thread, but I simply wanted to see how to add something to this code.

    How would you go about using GCI -recurse to list all permissions for sub-directories. Also, is there an easy way to get the DACL for NTFS share permissions as well?

    Thanks!


    Posting to you from Windows 7!
    Friday, April 30, 2010 5:07 PM
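An added example for the recursive request above and for the `%{$_.Access}` expansion Brandon gave earlier (this is not code from the thread). It walks a folder tree with Get-ChildItem -Recurse, expands each ACL's Access collection into one row per ACE, and by default reports only explicit ACEs plus folders where inheritance was broken, since inherited entries just repeat the parent. Assumptions: the caller can read the ACLs; for another server's share the path would be the share's UNC path or its admin-share path (the examples in the usage comments are placeholders); the function name and column names are mine. Share-level permissions are not included here; this is the NTFS layer only.

```powershell
function Get-NtfsAclReport
{
    Param(
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$IncludeInherited   # default: explicit ACEs only; inherited ones repeat the parent
    )
    # Root folder first, then every sub-folder. Files are skipped: their ACEs are almost always
    # inherited, and listing them multiplies the output without adding information.
    $Folders = @(Get-Item -Path $Path)
    $Folders += @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })

    foreach ($Folder in $Folders)
    {
        # Get-Acl raises a non-terminating error on access denied; Stop turns it into a catchable one
        try   { $Acl = Get-Acl -Path $Folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($Folder.FullName): $_"; continue }

        foreach ($Ace in $Acl.Access)
        {
            if ($Ace.IsInherited -and -not $IncludeInherited) { continue }
            New-Object PSObject -Property @{
                Path      = $Folder.FullName
                Owner     = $Acl.Owner
                Identity  = $Ace.IdentityReference.Value
                Type      = $Ace.AccessControlType          # Allow or Deny
                # Inherit-only ACEs (e.g. CREATOR OWNER) carry generic rights and print as a number
                # such as 268435456 (GENERIC_ALL); that is the ACE itself, not a decoding error
                Rights    = $Ace.FileSystemRights
                Inherited = $Ace.IsInherited
                # True where "include inheritable permissions from parent" was switched off on this folder
                InheritanceBroken = $Acl.AreAccessRulesProtected
            }
        }
    }
}

# Usage (paths are placeholders):
#   Get-NtfsAclReport -Path '\\MYCOMPUTER\test-share0' | Format-Table Path,Identity,Type,Rights,InheritanceBroken -AutoSize
#   Get-NtfsAclReport -Path '\\FILESRV01\D$\Shares\Data' -IncludeInherited | Export-Csv .\ntfs-before-migration.csv -NoTypeInformation
```

Deny entries and folders with InheritanceBroken set are the rows to read first when comparing a tree before and after a migration, because they are the places where the effective access differs from what the parent suggests.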
  • To:Brandon

    Great Stuff!  Really Helped Me Out!


    Thursday, June 2, 2011 8:27 PM