get-acl for a particular user

    Question

  • I thought about creating a script to search a drive for All files that have write or execute permissions for a particular user.

    My theory:

    1.  get-childitem c:\ -recurse

    2.  get-acl

    3.  where object user -eq a particular user

    4.  Where object permission -eq write or execute

    5.  Display path, permission in table

    Any ideas? Am I on the right track? Any help would be greatly appreciated.

    Friday, September 2, 2011 9:37 AM

Answers

  • # "UserName" is a placeholder for the account to look for.
    # 131241 = FileSystemRights.ReadAndExecute, 278 = FileSystemRights.Write.
    # -band is non-zero when any bit of the mask is set, so an ACE granting only
    # Read also passes the first test; Allow and Deny ACEs are not distinguished.
    $filteracl = {$_.IdentityReference -match "UserName" -and ($_.FileSystemRights -band 131241 -or $_.FileSystemRights -band 278)}
    $objects = Get-ChildItem C:\ -Recurse -Force -ErrorAction SilentlyContinue   # skip access-denied directories
    foreach ($i in $objects)
    {
        $i.GetAccessControl().Access | Where $filteracl | Select `
            @{n="Path";e={$i.fullname}},
            @{n="User";e={$_.IdentityReference}},
            @{n="Permission";e={$_.FileSystemRights}}
    }




    Friday, September 2, 2011 10:14 AM

All replies

  • If it's a large data structure you can speed that up by doing a couple of things:

    1. Use the legacy dir to get the file paths. It's substantially faster than a recursive gci, especially for large directory structures.

    2. Start by doing a -match on the SDDL using the user's SID as the match pattern. This will tell you if there are any ACEs for that user on the file, using a simple string match without having to resolve the user names of all the ACEs.

    # <path> and <user SID> are placeholders; /a-d lists files only, /s recurses, /b gives bare paths
    cmd /c dir <path> /b /s /a-d |
    foreach {
        get-acl $_ |
            where {$_.sddl -match "<user SID>"}
    }

    Then get the access list of the ones that match and check for the permissions you're looking for.


    Friday, September 2, 2011 10:54 AM
  • That worked a treat; however, just to make things harder for myself I want to incorporate these results and another set into the same table.

    What I have for the other command is

    get-childitem c:\ -filter *.exe -recurse|convert-path|test-applockerpolicy c:\temp\applocker.xml -User Everyone|select-object PolicyDecision,FilePath,MatchingRule

    Essentially I want to list in the same table the results for a specific user for get-acl and test-applockerpolicy.

    Not too sure if it's possible?

    Friday, September 2, 2011 11:33 AM
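An added example, not code posted in this thread, that combines what the accepted answer and the follow-up ask for: an audit of files on which a named identity holds an Allow ACE with any write bit or the ExecuteFile bit, joined in one table with the AppLocker decision for those same paths. It assumes PowerShell 3.0 or later, the AppLocker module for the optional join, and that $User, $Root and $AppLockerXml are placeholders you replace; it also checks the Allow/Deny type and the exact flag bits rather than the numeric masks in the answer.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+; $User, $Root and
# $AppLockerXml are placeholders. Lists files where the identity holds an Allow
# ACE with any write bit or ExecuteFile, then optionally appends the AppLocker
# decision for the same paths so both results appear in one table.
param(
    [string]$User         = 'DOMAIN\someuser',   # placeholder, as it appears in the ACL
    [string]$Root         = 'C:\',
    [string]$AppLockerXml = ''                    # placeholder, e.g. C:\temp\applocker.xml
)

$FSR       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$FSR::Write        # WriteData, AppendData, WriteExtendedAttributes, WriteAttributes
$execMask  = [int]$FSR::ExecuteFile
# Only ACEs naming the identity directly are inspected; rights obtained through
# group membership are not expanded, so this is a lower bound on effective access.
$files = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue

$hits = foreach ($f in $files) {
    $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }       # skip Deny ACEs
        if ($ace.IdentityReference.Value -ne $User) { continue }
        $canWrite = (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
        $canExec  = (([int]$ace.FileSystemRights -band $execMask)  -ne 0)
        if ($canWrite -or $canExec) {
            [pscustomobject]@{
                FilePath = $f.FullName
                User     = $ace.IdentityReference.Value
                Write    = $canWrite
                Execute  = $canExec
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($AppLockerXml -and $hits) {
    # Evaluate the AppLocker policy once for all flagged paths and index by FilePath.
    $decision = @{}
    $paths = $hits | Select-Object -ExpandProperty FilePath
    Test-AppLockerPolicy -XmlPolicy $AppLockerXml -Path $paths -User $User |
        ForEach-Object { $decision[$_.FilePath] = $_ }
    $hits = $hits | Select-Object *,
        @{n = 'PolicyDecision'; e = { $decision[$_.FilePath].PolicyDecision }},
        @{n = 'MatchingRule';   e = { $decision[$_.FilePath].MatchingRule }}
}

$hits | Sort-Object FilePath
```

Pipe the output to Format-Table or Export-Csv as needed; a path that appears with Write set and an AppLocker decision of Allowed is the combination worth reviewing first.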