How to check if a user has permissions on a file

  • Question

  • Hi,

    I need to create a PowerShell script to grant full control to a given file. Ideally I'd be able to check if the user has permissions first before assigning them.

    For example, how can I check if a group called Admins SQL has full control of a file?

    I think I'll be able to create what I need but I just need help on this specific bit.

    Thanks in advance.

    Wednesday, November 16, 2011 1:26 PM

Answers

  • Hi,

    Try something like this:

    # Identity to check, as DOMAIN\user or DOMAIN\group
    $user = "domain\user"
    $Acl = Get-Acl "p:\test.TXT"
    # Add a rule only if no ACE in the DACL already names this identity
    # (this tests for the account's presence, not for the rights its ACE grants)
    if(-not (($Acl.Access | select -ExpandProperty IdentityReference) -contains $user))
    {
      $Ar = New-Object system.security.accesscontrol.filesystemaccessrule($user,"FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      $Acl | Set-Acl -path "p:\test.TXT"
    }
    

     

    • Marked as answer by Chris_cs Wednesday, November 16, 2011 2:50 PM
    Wednesday, November 16, 2011 2:02 PM

All replies

    $acl = Get-Acl FilePath
    # Regex match on the rendered trustee name; true if any ACE names the group
    $isExists = $acl.Access | Where {$_.IdentityReference -match "Admins SQL"}
    if (!$isExists)
    {
        # Constructor arguments: identity, rights, Allow/Deny
        $Allow = "UserName","FullControl","Allow"
        $AccessRule = New-Object Security.AccessControl.FileSystemAccessRule $Allow
        $ACL.SetAccessRule($AccessRule)
        $ACL | Set-Acl FilePath
    }
    


    • Edited by Kazun Wednesday, November 16, 2011 2:06 PM
    Wednesday, November 16, 2011 2:00 PM
  • Brilliant, thanks for the suggestions.

    I'll give them a go.

    Wednesday, November 16, 2011 2:17 PM
  • If you're checking a lot of files, you may be able to speed up the search by checking the sddl instead of the access list.  To do this you'll need the SID of the group you're testing for.

    # Resolve the group to its SID once; SDDL stores ACE trustees as SIDs, not names
    $sid = (get-adgroup "<groupname>").sid.value

    # Match an explicit Allow ACE granting FA (full access) to that SID
    $regex = "\(A;;FA;;;$sid\)"

    get-childitem |
    where {(get-acl $_.FullName).sddl -match $regex}
    

    The sddl is the string representation of the native format the ACEs are stored in.  This saves you the overhead of having to do the name resolutions on the ACEs from SID to CN, and the entire ACL is checked in one match operation.

    Wednesday, November 16, 2011 2:20 PM
  • To take this a bit further, I want to go through each .mdf file in a directory and add the permissions if they don't exist. This is what I have so far:

    $user = "domain\user"

    $fc = new-object -com scripting.filesystemobject
    $path = "D:\Scripts\"
    $folder = $fc.GetFolder($path)

    foreach ($f in $folder.files) {
      # this line is where the error comes from: two values on one line, not a joined path
      $file = $path  $f
      $Acl = Get-Acl $file
      if(-not (($Acl.Access | select -ExpandProperty IdentityReference) -contains $user))
      {
        $Ar = New-Object system.security.accesscontrol.filesystemaccessrule($user,"FullControl","Allow")
        $Acl.SetAccessRule($Ar)
        $Acl | Set-Acl -path $file
      }
    }

    This is giving me an error which I think has something to do with the way I'm trying to reference each individual file. The script above doesn't restrict the files to .mdf files only but I'd also like to see how I could do this.

    Thanks again
     

    Wednesday, November 16, 2011 3:31 PM
  • Think I may have this working now:

    $user = "LIBERTY\dbadmin.sn"

    # Recurse through D:\Scripts and add the rule to every matching file that has no ACE for $user
    get-childitem D:\Scripts -include *.ps1 -recurse | ForEach-Object {
      $Acl = Get-Acl $_.fullname
      if(-not (($Acl.Access | select -ExpandProperty IdentityReference) -contains $user))
      {
        $Ar = New-Object system.security.accesscontrol.filesystemaccessrule($user,"FullControl","Allow")
        $Acl.SetAccessRule($Ar)
        $Acl | Set-Acl -path $_.fullname
      }
    }

     

    Wednesday, November 16, 2011 3:37 PM
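  • As an added example (not code from the thread), the check from the accepted answer and the recursive loop from the last post combined into a version that tests the rights actually granted rather than only whether the account appears in the ACL: it compares on SID so the display name does not matter, treats a Deny ACE covering the requested bits as "not granted", and merges the new rule instead of replacing existing ones. Test-FileRight and Grant-FileRight are hypothetical helper names; the path and group name at the bottom are placeholders.

```powershell
# Added example (not code from the thread). Test-FileRight and Grant-FileRight are
# hypothetical helper names; the path and group name at the bottom are placeholders.

function Test-FileRight {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'FullControl'
    )
    $acl = Get-Acl -LiteralPath $Path
    # Compare on SID so the result does not depend on how the trustee is rendered
    # (DOMAIN\name, name@domain, or an unresolvable SID on an orphaned ACE).
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # Explicit and inherited rules, with trustees returned as SIDs
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }
    $want = [int]$Rights
    # A Deny ACE overlapping the requested bits wins over any Allow ACE.
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and (([int]$r.FileSystemRights -band $want) -ne 0)) {
            return $false
        }
    }
    # OR together every Allow ACE and require all requested bits to be present.
    $have = 0
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow') { $have = $have -bor [int]$r.FileSystemRights }
    }
    return (($have -band $want) -eq $want)
}

function Grant-FileRight {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'FullControl'
    )
    if (Test-FileRight -Path $Path -Identity $Identity -Rights $Rights) { return }
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'Allow')
    # AddAccessRule merges with existing rules; SetAccessRule would replace them.
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Apply to every .mdf file under the directory from the follow-up post
Get-ChildItem -LiteralPath 'D:\Scripts' -Filter *.mdf -Recurse -File |
    ForEach-Object { Grant-FileRight -Path $_.FullName -Identity 'DOMAIN\Admins SQL' }
```

    Run it from an account that can read and write the files' DACLs; the SDDL regex from the earlier reply matches only explicit ACEs with empty flags, while this version also counts inherited ones.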