June 3, 2016 at 2:33 am

Hi All

I am stuck with what I thought was going to be an easy task: I am trying to get a list of all NTFS permissions for shares. It started out pretty easy; I use $ACL = (Get-Acl -Path $Share).Access, where $Share is a valid share on the computer. I can Write-Output $ACL and all looks great, no problem; however, if I try to manipulate $ACL, all I get back is

System.Security.AccessControl.FileSystemAccessRule over and over again.

I have tried all the string manipulation tricks that I can think of; however, the results are the same.

Question is, is there any way to prevent this from happening and just get the proper data, or is this not possible with PowerShell?

Thanks in advance
Tim

June 3, 2016 at 4:21 am

Hi Tim,
Something like

$share = '\\myserver\share'
$acl = (Get-acl -path $share).access
$acl | select-object -property IdentityReference, FileSystemRights

Will give you a table like

IdentityReference    FileSystemRights
-----------------    ----------------
mydom\Administrator  FullControl
NT AUTHORITY\System  FullControl

Is this the sort of thing you're looking for, or something else? Obviously you can enumerate the list of shares and run them through a foreach to go through them all.

Cheers
Liam

June 3, 2016 at 6:08 am

Hi Liam

Thanks for the help, I appreciate it.

With your code I still get the same error. It seems that $acl is valid, but if you try to manipulate it in any way you get System.Security.AccessControl.FileSystemAccessRule returned.

$Total="These are the ACLs " +$acl
and
$Total="These are the ACLs +$acl"

Both return the System.Security.AccessControl.FileSystemAccessRule

Also it seems that if I write it to a file, I get the same results.

I am using Windows 10 with PowerShell 5; is this perhaps a bug in PowerShell?

I found a module, NTFSSecurity, that has no issues doing this; however, I would prefer to do this manually.

Thanks again
Tim

June 3, 2016 at 9:31 am

$acl is an object, not a nicely formatted string!
And you are trying to 'manipulate' the object by concatenating it with a string, to get a string representation of the object.

Compare: write-output $acl and write-host $acl.
The first uses some technique to get the object properties, and the second just does $acl.ToString(), just like you 🙂

Try, for example, 'total ' + $acl.FileSystemRights and you get what you expect – the string that contains the concatenation of all FileSystemRights.

That happens because the FileSystemAccessRule class doesn't have its own .ToString() conversion method; it is just inherited from the Object class.

https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule(v=vs.110).aspx

If you want to get the total count of $acl records, use $acl.Count
If you want to get all the involved security objects, use $acl.IdentityReference.Value
If you want to get the representation that you saw on screen as a string, try 'total' + ($acl | out-string)

and so on...

  • This reply was modified 2 years, 4 months ago by  Max Kozlov.
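
Added example, not part of any post in this thread: one way to combine the suggestions above (loop over the shares, read properties instead of concatenating the rule objects) into a permissions report that can be reviewed or compared between runs. It assumes Windows 8 / Server 2012 or later for Get-SmbShare and an elevated session; the function name Get-ShareNtfsAccess and the CSV file name are made up for illustration.

```powershell
# Added example; not code from the thread.
# Assumptions: Get-SmbShare is available and the session can read each ACL.
function Get-ShareNtfsAccess {
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )
    foreach ($p in $Path) {
        try {
            $rules = (Get-Acl -Path $p -ErrorAction Stop).Access
        }
        catch {
            Write-Warning "Could not read ACL for ${p}: $($_.Exception.Message)"
            continue
        }
        foreach ($rule in $rules) {
            # One flat object per access rule. Every property is a string or bool,
            # so it survives concatenation, Out-File and Export-Csv unchanged.
            [pscustomobject]@{
                Path        = $p
                Identity    = $rule.IdentityReference.Value
                Rights      = $rule.FileSystemRights.ToString()
                Type        = $rule.AccessControlType.ToString()
                Inherited   = $rule.IsInherited
                Inheritance = $rule.InheritanceFlags.ToString()
            }
        }
    }
}

# Local file shares, skipping special shares (ADMIN$, C$, IPC$) and shares without a path
$paths = Get-SmbShare -Special $false | Where-Object Path | Select-Object -ExpandProperty Path

$report = Get-ShareNtfsAccess -Path $paths

# Text for a message or log: build each line from properties, not from the rule object,
# which would only yield its type name via the inherited ToString().
$lines = $report | ForEach-Object {
    '{0}: {1} {2} {3}' -f $_.Path, $_.Type, $_.Identity, $_.Rights
}
$Total = "These are the ACLs:`n" + ($lines -join "`n")
$Total

# Structured copy for review; rows with Inherited = False are the explicit grants
$report | Export-Csv -Path .\share-acl-report.csv -NoTypeInformation
```

This reads the NTFS ACL of each share's folder only; share-level permissions are a separate list and are not covered here.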

June 3, 2016 at 3:36 pm

Hi Max

Thanks for the help, you nailed it with that one. I don't know exactly why I was having the issues; I will delve more into this this weekend for sure. The main thing is that I am over this hurdle and can continue on with this script.

Many thanks to all

Tim