Can't get "inherited from" folder name

This topic contains 7 replies, has 2 voices, and was last updated by  Octavio 2 weeks ago.

  • #85024

    Octavio
    Participant

    Hello everyone, I need your help with a script I'm building that prints the same ACL that the Windows GUI shows in the Security tab.
    The thing is that I have a scenario where the script doesn't show the "inherited from" directory.
    I have found an example where a child directory has an applyTo of "This folder and subfolders", but its parent has "This folder, subfolders and files". And that's why I get no "inherited from".
    But the Windows GUI Security tab shows the "inherited from".
    Here is the example, and below the script.

    I will appreciate any help, because I've read a lot and tried everything to find a solution, but I haven't found it yet.
    Example:
    Parent Directory : c:\temp
    Child Directory: c:\temp\carpeta3\subCarpeta3 (that inherits from c:\temp)

    Here is my script (sorry about my English)

    
    function get-FindInheritedLocal{
    
        [CmdLetBinding()]
        param(
            [Parameter(Mandatory=$true)][String]$directory,
            [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemAccessRule]$user   
            
        )
    
        BEGIN{
            
            ## I get for only the first time the acl of the user i give as parameter and the directory
            $acc=(get-acl (split-path -Path $directory -Parent)).Access | ? {$_.IdentityReference -eq $user.IdentityReference`
            -and $_.AccessControlType -eq $user.AccessControlType -and $_.InheritanceFlags`
            -eq $user.InheritanceFlags -and $_.FileSystemRights -eq $user.FileSystemRights`
            -and $_.PropagationFlags -eq $user.PropagationFlags}
    
        }
    
        PROCESS{
    
            # While is inherited and it has a parent folder
            while ($acc.IsInherited -eq $true -and (Split-Path -Path $directory -Parent)){
                
                # I assign to $directory, the parent directory
                $directory=Split-Path -Path $directory -Parent
    
                ## Brings the acl of the user  
                $acc=(get-acl -Path $directory).Access | ? {$_.IdentityReference -eq $user.IdentityReference`
                -and $_.AccessControlType -eq $user.AccessControlType -and $_.InheritanceFlags`
                -eq $user.InheritanceFlags -and $_.FileSystemRights -eq $user.FileSystemRights`
                -and $_.PropagationFlags -eq $user.PropagationFlags}
                
                
               
               # If it is not inherited, it found the parent where it inherited from
                
               if($a=$acc | ? {$_.isinherited -eq $false}){
    
                    $prop = @{  Path=$directory
                                Permission=$a.FileSystemRights
                                Identity=$a.IdentityReference
                    }
                    $entity = New-Object -TypeName psobject -Property $prop
                    return $entity
                }
               
                 
            } 
    
    
        }
    
        END{}
    
    }
    
  • #85034

    postanote
    Participant

    Looks like you've done a bit of work here, but you do know, there is a module to help with this sort of thing.

    Find-Module -Name '*ntfs*' | Format-Table -Autosize

    Version Name                    Repository Description
    ------- ----                    ---------- -----------
    4.2.3   NTFSSecurity            PSGallery  Windows PowerShell Module for managing file and folder security on NTFS volumes
    1.3.0   cNtfsAccessControl      PSGallery  The cNtfsAccessControl module contains DSC resources for NTFS access control management.
    1.0     NTFSPermissionMigration PSGallery  This module is used as a wrapper to the popular icacls utility to save permissions to a file and then resto...

    See these two articles:

    Weekend Scripter: Use PowerShell to Get, Add, and Remove NTFS Permissions
    This post introduces the NTFSSecurity module, which provides a bunch of cmdlets for managing permissions on NTFS drives.
    'blogs.technet.microsoft.com/heyscriptingguy/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions'

    Weekend Scripter: Manage NTFS Inheritance and Use Privileges
    Determine inheritance settings
    To determine if a file or folder inherits from its parent, use the Get-NTFSAccessInheritance cmdlet (there is also a Get-NTFSAuditInheritance cmdlet). There are two ways to specify the file or folder: You can use the Path parameter or pipe the file or folder object to Get-NTFSAccessInheritance:
    'blogs.technet.microsoft.com/heyscriptingguy/2014/11/23/weekend-scripter-manage-ntfs-inheritance-and-use-privileges'

    • #85055

      Octavio
      Participant

      Thanks mate. I've found it before, but I want to create mine so I can then make changes and modify the output.
      I think I'm very close, but maybe I am wrong in the way I search for which parent it is inheriting from.
      Is there a way to view the source code of Get-NTFSAccessInheritance? Maybe looking in there will give me a clue to solve it.

    • #85120

      postanote
      Participant

      As for...
      'Is there a way to view the source code of Get-NTFSAccessInheritance?.'
      As long as it is not obfuscated, sure.

      For example to view say some of the default PowerShell functions. In the PowerShell_ISE, you could do this:

      ${function:Clear-Host} | Out-String | Out-GridView

      Or

      ${function:Clear-Host} | clip # to paste into the ISE, VSCode or your editor of choice to review

      For full source decompile, then you are looking at leveraging things like the following:

      Net Reflector
      'red-gate.com/products/dotnet-development/reflector'
      Example: 'nivot.org/post/2008/10/30/ATrickToJumpDirectlyToACmdletsImplementationInReflector'

      ILSpy
      'wiki.sharpdevelop.net/ILSpy.ashx'

      dotPeek
      'jetbrains.com/decompiler'

      JustDecompile
      'telerik.com/products/decompiler.aspx'

      DisSharper
      'netdecompiler.com'

      Mono Cecil
      'mono-project.com/Cecil'

      Kaliro
      'sites.google.com/site/kalirosupport/home'

      Dotnet IL Editor (DILE)
      'sourceforge.net/projects/dile'

      Common Compiler Infrastructure
      'cciast.codeplex.com'

    • #85159

      Octavio
      Participant

      Thanks Postanote for the tools.
      I've used 'Net Reflector', but I have seen ILSpy is better, and also, it's free !!! (thanks for that).

  • #85058

    Octavio
    Participant

    Debugging the script, I've found the problem:
    When I walk backwards from child to parent: "Subcarpeta3 -> Carpeta3 -> Temp -> c:\" in the while loop, when it reaches the "temp" folder,

    while ($acc.IsInherited -eq $true -and (Split-Path -Path $directory -Parent)){
                
                $directory=Split-Path -Path $directory -Parent
     
                $acc=(get-acl -Path $directory).Access | ? {$_.IdentityReference -eq $user.IdentityReference`
                -and $_.AccessControlType -eq $user.AccessControlType -and $_.InheritanceFlags`
                -eq $user.InheritanceFlags -and $_.FileSystemRights -eq $user.FileSystemRights`
                -and $_.PropagationFlags -eq $user.PropagationFlags}
    

    Which is supposed to be the parent from which subcarpeta3 inherits (as shown in the image), the $acc variable is supposed to store the ACE.

    But $acc doesn't find anything, and I think the KEY is here:
    $acc doesn't store anything because the parent folder "c:\temp" has the ACE "this folder, subfolders and files"

    And the inherited child "subCarpeta3" has the ACE "this folder and subfolders"
    So, it will never find the parent where the child inherits from.

    But I have no clue about how to solve this.

  • #85123

    postanote
    Participant

    I guess an option is just to check to see which folders do or do not have inheritance enabled and extrapolate from there.

    I just remembered where the sources were...
    'github.com/raandree/NTFSSecurity'

    Specifically...
    'github.com/raandree/NTFSSecurity/tree/master/NTFSSecurity'

    One more item:
    'github.com/Jackbennett/powershell'

    Specifically...
    'github.com/Jackbennett/powershell/tree/master/NTFSSecurity'

    Might be worth a look as well.

    • #85162

      Octavio
      Participant

      Hello postanote, I've read the source in ILSpy, but it's in C#.
      I was hoping I could do it with a PowerShell script, and I think I'm so close.
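
The mismatch described in #85058 comes from comparing `InheritanceFlags` and `PropagationFlags` for equality while walking up the tree. The following is an added example, not code from any participant in the thread or from the NTFSSecurity module: at each ancestor it looks for an explicit ACE that is inheritable by subfolders instead of requiring identical flags. The function name `Find-AceInheritanceSource` is hypothetical, and it assumes identity, access type and rights are the same on the source ACE and on the inherited copy.

```powershell
# Added example (hypothetical function name); PowerShell only, no extra modules.
function Find-AceInheritanceSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Directory,
        [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemAccessRule]$Ace
    )

    # An explicit ACE is defined on $Directory itself, so there is nothing to trace.
    if (-not $Ace.IsInherited) { return }

    $ci      = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $noProp  = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    $current = $Directory
    $depth   = 0

    # Split-Path returns an empty string at the drive root, which ends the loop.
    while ($parent = Split-Path -Path $current -Parent) {
        $depth++
        $acl = Get-Acl -LiteralPath $parent

        # Candidate source: an explicit ACE for the same identity, type and rights that
        # subfolders can inherit (ContainerInherit). ObjectInherit and InheritOnly are
        # ignored on purpose, because the child's copy may carry different flags.
        # NoPropagateInherit reaches direct children only, so skip it beyond depth 1.
        $source = $acl.Access | Where-Object {
            (-not $_.IsInherited) -and
            ($_.IdentityReference.Value -eq $Ace.IdentityReference.Value) -and
            ($_.AccessControlType -eq $Ace.AccessControlType) -and
            ($_.FileSystemRights -eq $Ace.FileSystemRights) -and
            $_.InheritanceFlags.HasFlag($ci) -and
            ($depth -eq 1 -or -not $_.PropagationFlags.HasFlag($noProp))
        } | Select-Object -First 1

        if ($source) {
            return [pscustomobject]@{
                InheritedFrom = $parent
                Identity      = $source.IdentityReference
                Permission    = $source.FileSystemRights
                SourceFlags   = $source.InheritanceFlags
            }
        }

        # A folder with inheritance disabled receives nothing from above: stop here.
        if ($acl.AreAccessRulesProtected) { return }
        $current = $parent
    }
}
```

With the thread's example path, `(Get-Acl -LiteralPath 'C:\temp\carpeta3\subCarpeta3').Access | Where-Object IsInherited | ForEach-Object { Find-AceInheritanceSource -Directory 'C:\temp\carpeta3\subCarpeta3' -Ace $_ }` returns one object per inherited ACE whose source folder was found.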
