
November 27, 2017 at 8:26 pm

Hello everyone, I need your help regarding a script I'm building that prints the same ACL the Windows GUI shows in the Security tab.
The thing is, I have a scenario where the script doesn't show the "Inherited from" directory.
I have found an example where a child directory has an "Apply to" of "This folder and subfolders", but its parent has "This folder, subfolders and files". And that's why I get no "Inherited from".
But the Windows GUI Security tab does show the "Inherited from".
Here is the example, and below it the script.

I will appreciate any help, because I've read a lot and tried everything to find a solution but I haven't found it yet.
Example:
Parent directory: c:\temp
Child directory: c:\temp\carpeta3\subCarpeta3 (which inherits from c:\temp)

Here is my script (sorry about my English):


function get-FindInheritedLocal {

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][String]$directory,
        [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemAccessRule]$user
    )

    BEGIN {
        # Get, only once, the ACE of the parent of $directory that matches the ACE given as $user
        $acc = (Get-Acl -Path (Split-Path -Path $directory -Parent)).Access | Where-Object {
            $_.IdentityReference -eq $user.IdentityReference -and
            $_.AccessControlType -eq $user.AccessControlType -and
            $_.InheritanceFlags  -eq $user.InheritanceFlags  -and
            $_.FileSystemRights  -eq $user.FileSystemRights  -and
            $_.PropagationFlags  -eq $user.PropagationFlags
        }
    }

    PROCESS {
        # While the ACE is inherited and the folder still has a parent
        while ($acc.IsInherited -eq $true -and (Split-Path -Path $directory -Parent)) {

            # Move $directory up to its parent directory
            $directory = Split-Path -Path $directory -Parent

            # Get the matching ACE of the parent
            $acc = (Get-Acl -Path $directory).Access | Where-Object {
                $_.IdentityReference -eq $user.IdentityReference -and
                $_.AccessControlType -eq $user.AccessControlType -and
                $_.InheritanceFlags  -eq $user.InheritanceFlags  -and
                $_.FileSystemRights  -eq $user.FileSystemRights  -and
                $_.PropagationFlags  -eq $user.PropagationFlags
            }

            # If it is not inherited, this is the parent it was inherited from
            if ($a = $acc | Where-Object { $_.IsInherited -eq $false }) {
                $prop = @{
                    Path       = $directory
                    Permission = $a.FileSystemRights
                    Identity   = $a.IdentityReference
                }
                $entity = New-Object -TypeName psobject -Property $prop
                return $entity
            }
        }
    }

    END {}

}

November 28, 2017 at 6:15 am

Looks like you've done a bit of work here, but do you know there is a module to help with this sort of thing?

Find-Module -Name '*ntfs*' | Format-Table -Autosize

Version Name                    Repository Description
------- ----                    ---------- -----------
4.2.3   NTFSSecurity            PSGallery  Windows PowerShell Module for managing file and folder security on NTFS volumes
1.3.0   cNtfsAccessControl      PSGallery  The cNtfsAccessControl module contains DSC resources for NTFS access control management.
1.0     NTFSPermissionMigration PSGallery  This module is used as a wrapper to the popular icacls utility to save permissions to a file and then resto...

See these two articles:

Weekend Scripter: Use PowerShell to Get, Add, and Remove NTFS Permissions
This post introduces the NTFSSecurity module, which provides a bunch of cmdlets for managing permissions on NTFS drives.
'blogs.technet.microsoft.com/heyscriptingguy/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions'

Weekend Scripter: Manage NTFS Inheritance and Use Privileges
Determine inheritance settings
To determine if a file or folder inherits from its parent, use the Get-NTFSAccessInheritance cmdlet (there is also a Get-NTFSAuditInheritance cmdlet). There are two ways to specify the file or folder: You can use the Path parameter or pipe the file or folder object to Get-NTFSAccessInheritance:
'blogs.technet.microsoft.com/heyscriptingguy/2014/11/23/weekend-scripter-manage-ntfs-inheritance-and-use-privileges'

November 28, 2017 at 1:52 pm

Thanks mate. I've found it before, but I want to create mine so I can then make changes and modify the output.
I think I'm very close, but maybe I am wrong in the way I search for the parent it is inheriting from.
Is there a way to view the source code of Get-NTFSAccessInheritance? Maybe looking in there will give me a clue to solve it.

November 28, 2017 at 2:23 pm

Debugging the script, I've found the problem:
When I walk backwards from child to parent, "subCarpeta3 -> carpeta3 -> temp -> c:\", in the while loop, when it reaches the "temp" folder,

while ($acc.IsInherited -eq $true -and (Split-Path -Path $directory -Parent)) {

    $directory = Split-Path -Path $directory -Parent

    $acc = (Get-Acl -Path $directory).Access | Where-Object {
        $_.IdentityReference -eq $user.IdentityReference -and
        $_.AccessControlType -eq $user.AccessControlType -and
        $_.InheritanceFlags  -eq $user.InheritanceFlags  -and
        $_.FileSystemRights  -eq $user.FileSystemRights  -and
        $_.PropagationFlags  -eq $user.PropagationFlags
    }

which is supposed to be the parent from which subCarpeta3 inherits (as is shown in the image), the $acc variable is supposed to store the ACE.

But $acc doesn't find anything, and I think the KEY is here:
$acc doesn't store anything because the parent folder "c:\temp" has the ACE "This folder, subfolders and files"

and the inherited child "subCarpeta3" has the ACE "This folder and subfolders".
So it will never find the parent the child inherits from.

But I don't have any clue about how to solve this.
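The failure described in the post above comes from comparing InheritanceFlags and PropagationFlags exactly while walking up the tree. The following is an added example, not code from the original poster: a walker that matches the ancestor's explicit ACE on identity, access type and rights, and only requires that the ACE can propagate to subfolders (ContainerInherit), which is what the Security tab's "Inherited from" column effectively reports. The function name Find-InheritanceSource and the demo folder tree under %TEMP% (carpeta3\subCarpeta3, named after the post) are assumptions made for the example; the demo sets one ACE on a throw-away directory and removes the directory at the end.

```powershell
# Added example (not from the original post): find the ancestor an inherited
# ACE comes from, matching identity, type and rights but NOT requiring the
# same InheritanceFlags/PropagationFlags. A parent ACE set to "This folder,
# subfolders and files" (ContainerInherit, ObjectInherit) or to "Subfolders
# and files only" (same flags plus PropagationFlags InheritOnly) is therefore
# still found as the source of the child's "This folder and subfolders" ACE.
function Find-InheritanceSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.AccessControl.FileSystemAccessRule]$Ace
    )

    if (-not $Ace.IsInherited) {
        # The ACE is explicit on this object, so there is nothing to look up
        return [pscustomobject]@{ Path = $Path; Identity = $Ace.IdentityReference;
                                  Rights = $Ace.FileSystemRights; InheritedFrom = $null }
    }

    $containerInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $current = $Path
    # Split-Path -Parent returns '' at the volume root, which ends the loop
    while ($parent = Split-Path -LiteralPath $current -Parent) {
        $current = $parent
        $explicit = (Get-Acl -LiteralPath $current).Access | Where-Object {
            (-not $_.IsInherited) -and
            $_.IdentityReference -eq $Ace.IdentityReference -and
            $_.AccessControlType -eq $Ace.AccessControlType -and
            $_.FileSystemRights  -eq $Ace.FileSystemRights -and
            $_.InheritanceFlags.HasFlag($containerInherit)
        }
        if ($explicit) {
            return [pscustomobject]@{ Path = $Path; Identity = $Ace.IdentityReference;
                                      Rights = $Ace.FileSystemRights; InheritedFrom = $current }
        }
    }
    # Reached the root without a match, e.g. the source ACE was removed while
    # inheritance on the children was left in place
    return $null
}

# Demo on a constructed tree under %TEMP% (Windows/NTFS only); removed at the end.
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$leaf = Join-Path $root 'carpeta3\subCarpeta3'
$null = New-Item -ItemType Directory -Path $leaf -Force
try {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # "This folder, subfolders and files" = ContainerInherit + ObjectInherit, PropagationFlags None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $root
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $root -AclObject $acl

    # Take the inherited copy of that ACE on the leaf and trace it back up
    $inherited = (Get-Acl -LiteralPath $leaf).Access | Where-Object {
        $_.IsInherited -and $_.IdentityReference.Value -eq $me -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    }
    foreach ($ace in $inherited) {
        Find-InheritanceSource -Path $leaf -Ace $ace   # InheritedFrom is $root
    }
}
finally {
    Remove-Item -LiteralPath $root -Recurse -Force
}
```

Two caveats for real trees: rights set with generic access masks (the default CREATOR OWNER entry shows up as the number 268435456 rather than a named right) still compare equal because the mask is copied unchanged to the child, and an ACE that is inherited but has no surviving explicit source anywhere up the tree makes the function return $null, which is the case to surface in a report rather than hide.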

November 29, 2017 at 12:22 am

As for...
'Is there a way to view the source code of Get-NTFSAccessInheritance?'
As long as it is not obfuscated, sure.

For example, to view some of the default PowerShell functions, in the PowerShell ISE you could do this:

${function:Clear-Host} | Out-String | Out-GridView

Or

${function:Clear-Host} | clip # to paste into the ISE, VSCode or your editor of choice to review

For a full source decompile, you are looking at leveraging things like the following:

Net Reflector
'red-gate.com/products/dotnet-development/reflector'
Example: 'nivot.org/post/2008/10/30/ATrickToJumpDirectlyToACmdletsImplementationInReflector'

ILSpy
'wiki.sharpdevelop.net/ILSpy.ashx'

dotPeek
'jetbrains.com/decompiler'

JustDecompile
'telerik.com/products/decompiler.aspx'

DisSharper
'netdecompiler.com'

Mono Cecil
'mono-project.com/Cecil'

Kaliro
'sites.google.com/site/kalirosupport/home'

Dotnet IL Editor (DILE)
'sourceforge.net/projects/dile'

Common Compiler Infrastructure
'cciast.codeplex.com'
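The ${function:...} trick above only works for commands that are PowerShell functions; a binary cmdlet has no script body, and what you need instead is the assembly to load into one of the decompilers listed. The following is an added example, not code from the reply above: a helper (the name Get-CommandSource is an assumption for this example) that follows aliases, returns the script of a function, and for a compiled cmdlet returns the implementing type and the DLL path to open in ILSpy or dotPeek.

```powershell
# Added example (not from the original reply): tell a script function from a
# compiled cmdlet and report where its source can be read.
function Get-CommandSource {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Name)

    $cmd = Get-Command -Name $Name -ErrorAction Stop
    # Follow an alias to the command it resolves to
    while ($cmd.CommandType -eq 'Alias') { $cmd = $cmd.ResolvedCommand }

    switch ($cmd.CommandType) {
        'Function' {
            # Script function: the source is the scriptblock itself
            [pscustomobject]@{
                Name     = $cmd.Name
                Kind     = 'Function'
                Location = $cmd.ScriptBlock.File   # $null for functions defined in memory
                Source   = $cmd.ScriptBlock.ToString()
            }
        }
        'Cmdlet' {
            # Compiled cmdlet: point at the assembly for a decompiler
            $type = $cmd.ImplementingType
            [pscustomobject]@{
                Name     = $cmd.Name
                Kind     = 'Cmdlet'
                Location = $type.Assembly.Location
                Source   = "compiled in $($type.FullName); decompile the assembly at Location"
            }
        }
        default {
            [pscustomobject]@{
                Name     = $cmd.Name
                Kind     = $cmd.CommandType
                Location = $cmd.Source
                Source   = $null
            }
        }
    }
}

# Clear-Host ships as a function; Get-Acl is a compiled cmdlet.
Get-CommandSource -Name Clear-Host | Format-List Name, Kind, Location
Get-CommandSource -Name Get-Acl    | Format-List Name, Kind, Location, Source
```

Run it against Get-NTFSAccessInheritance once the NTFSSecurity module is imported and it reports Kind = Cmdlet with the module's DLL as Location, which is why the source reads as C# in ILSpy.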

November 29, 2017 at 12:40 am

I guess an option is just to check which folders do or do not have inheritance enabled and extrapolate from there.

I just remembered where the sources were...
'github.com/raandree/NTFSSecurity'

Specifically...
'github.com/raandree/NTFSSecurity/tree/master/NTFSSecurity'

One more item:
'github.com/Jackbennett/powershell'

Specifically...
'github.com/Jackbennett/powershell/tree/master/NTFSSecurity'

Might be worth a look as well.

November 29, 2017 at 3:18 pm

Thanks Postanote for the tools.
I've used .NET Reflector, but I have seen ILSpy is better, and also it's free!!! (thanks for that).

November 29, 2017 at 3:23 pm

Hello postanote, I've read the source in ILSpy, but it's in C#.
I was hoping I could do it with a PowerShell script, and I think I'm so close.