Help with Get-ACL

This topic contains 4 replies, has 3 voices, and was last updated by Profile photo of TeeStar TeeStar 6 months, 1 week ago.

  • Author
    Posts
  • #41587
    Profile photo of TeeStar
    TeeStar
    Participant

    Hi All

    I am stuck with what I thought was going to be an easy task, I am trying to get a list of all NTFS permissions for shares. It started out pretty easy, I use $ACL = (Get-Acl -Path $Share).Access where $Share is a valid share on the computer. I can write-output $ACL and all looks great, no problem, however if I try to manipulate $ACL all I get back is

    System.Security.AccessControl.FileSystemAccessRule over and over again.

    I have tried all string manipulation tricks that I can think of, however the results are the same.

    Question is, is there anyway to prevent this from happening and just get the proper data or is this not possible with PowerShell?

    Thanks in advance
    Tim

  • #41594
    Profile photo of Liam Kemp
    Liam Kemp
    Participant

    Hi Tim,
    Something like

    $share = '\\myserver\share'
    $acl = (Get-acl -path $share).access
    $acl | select-object -property IdentityReference, FileSystemRights

    Will give you a table like
    IdentityReference FileSystemRights
    ————————– ————————-
    mydom\Administrator FullControl
    NT AUTHORITY\System FullControl

    Is this the sort of thing you're looking for, or something else? Obviously you can enumerate the list of shares and run them through a foreach to go through them all.

    Cheers
    Liam

  • #41609
    Profile photo of TeeStar
    TeeStar
    Participant

    Hi Liam

    Thanks for the help I appreciate it.

    With your code I still get the same error, it seems that $acl is valid, but if you try and manipulate it in any way you get System.Security.AccessControl.FileSystemAccessRule returned

    $Total="These are the ACLs " +$acl
    and
    $Total="These are the ACLs +$acl"

    Both return the System.Security.AccessControl.FileSystemAccessRule

    Also it seems that if I write it to a file, I get the same results.

    I am using Windows 10 with PowerShell 5, is this perhaps a bug in PowerShell?

    I found a module NTFSSecurity that has no issues doing this, however I would prefer to do this manually

    Thanks again
    Tim

  • #41619
    Profile photo of Max Kozlov
    Max Kozlov
    Participant

    $acl is an object but not a fine formatted string!
    and you try to 'manipulate' with object concatenating it with string to get a string object representation.

    compare: write-output $acl and write-host $acl
    the first use some technique to get object properties and the second just doing $acl.ToString() just like you 🙂

    Try for example 'total ' + $acl.FileSystemRights and you get what you expect – the string that contains concatenation of all FileSystemRights.

    that happen because FileSystemAccessRule class doesn't have it own .ToString() conversion method. it just inherited from object class

    https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule(v=vs.110).aspx

    if you want to get total count of $acl records – use $acl.Count
    if you want to get all involved security objects – use $acl.IdentityReference.Value
    if you want to get that representation which you seen on screen in string try 'total'+ ($acl | out-string)

    and so on...

    • This reply was modified 6 months, 1 week ago by Profile photo of Max Kozlov Max Kozlov.
  • #41659
    Profile photo of TeeStar
    TeeStar
    Participant

    Hi Max

    Thanks for help, you nailed it with that one. I don't know exactly why it I was having the issues, I will delve more into this weekend for sure. The main thing is that I am over this hurdle and continue on with this script

    Many thanks to all

    Tim

You must be logged in to reply to this topic.