List individual Access Permissions

This topic contains 3 replies, has 2 voices, and was last updated by Rohn Edwards 2 years, 4 months ago.

  • #25626

    ertuu85
    Participant

    Hello,

    I'm trying to find a way to list the folder's individual access permissions such as

    Traverse Folders/execute files
    Read attributes

    etc... instead of the output I get from doing a Get-Acl and getting its filesystem rights listed as something like: Readandexecute.

    Is it possible to use get-acl to list the actual folder 'advanced security' options?

  • #25673

    Rohn Edwards
    Participant

    Get-Acl is giving you the same information as the advanced tab, it's just presented in a different way. You can take the access mask it's returning (the FileSystemRights property) and translate it into anything you want. Here's some quick and dirty proof of concept code that won't show any "combined" rights (it omits FullControl, Modify, ReadAndExecute, etc. and shows you all of the basic rights):

    # First, build a dictionary. To use the example code I'm using later, you'll want one
    # with [int] keys and string values. You can build this yourself so that the translated
    # rights show up how you want them, or you can do it using the FSR enumeration like
    # this:
    
    $Enum = [System.Security.AccessControl.FileSystemRights]
    $RightsDictionary = @{}
    
    foreach ($RightName in [enum]::GetNames($Enum)) {
        $NumericValue = $RightName -as $Enum -as [int]
    
        if ($NumericValue -band ($NumericValue -1)) {
            # This means $NumericValue isn't a power of 2, so it's a combination of rights,
            # and I'm assuming you want to ignore that
            continue
        }
    
        if (-not $RightsDictionary.ContainsKey($NumericValue)) {
            $RightsDictionary[$NumericValue] = @()
        }
    
        $RightsDictionary[$NumericValue] += $RightName
    }
    $SortedRights = $RightsDictionary.GetEnumerator() | sort Name -Descending
    
    # This is a script block that can be used by Add-Member:
    $DetailedRightsSb = {
        # This depends on $SortedRights
    
        $RemainingAccessMask = [int] $this.FileSystemRights
        $DetailedRights = @()
        foreach ($RightEntry in $SortedRights) {
            if ($RemainingAccessMask -eq 0) { break }  # Done looking up rights
    
            if ($RemainingAccessMask -band $RightEntry.Name) {
                $DetailedRights += $RightEntry.Value -join "/"
                $RemainingAccessMask = $RemainingAccessMask -bxor $RightEntry.Name
            }
        }
    
        if ($RemainingAccessMask -ne 0) { $DetailedRights += "Unknown ($RemainingAccessMask)" }
    
        [array]::Reverse($DetailedRights)
        $DetailedRights -join ", "
    }
    
    # Finally, you can use all of that above like this, and each of your ACEs will have an
    # extra 'DetailedRights' property:
    Get-Acl C:\folder | 
        select Path -ExpandProperty Access | 
        Add-Member -MemberType ScriptProperty -Name DetailedRights -Value $DetailedRightsSb -PassThru
    
    

    If that does what you're looking for, you might also try this module: https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83. If you get version 4.0, you can run this command to do pretty much the same thing as the code above:

    Get-PacAccessControlEntry C:\folder -DisplayOptions ShowDetailedRights
    

    If you have any questions about the code above, or if you were trying to do something else, please let me know.
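
Added example, not part of the post above and not code from the PowerShellAccessControl module: the same access-mask decomposition, extended to the generic-rights bits (values such as 268435456 or -1610612736) that Get-Acl can report and that an enum-based dictionary would list as "Unknown". The function name `Expand-FileSystemRights` and the sample masks are constructed for illustration; the labels follow the Advanced Security dialog, and the generic-to-specific mappings are the Windows SDK `FILE_GENERIC_*` / `FILE_ALL_ACCESS` values.

```powershell
# Added example, not code from the thread. Labels follow the Advanced Security dialog.
$BasicRights = [ordered]@{
    'Traverse folder / execute file' = 0x000020
    'List folder / read data'        = 0x000001
    'Read attributes'                = 0x000080
    'Read extended attributes'       = 0x000008
    'Create files / write data'      = 0x000002
    'Create folders / append data'   = 0x000004
    'Write attributes'               = 0x000100
    'Write extended attributes'      = 0x000010
    'Delete subfolders and files'    = 0x000040
    'Delete'                         = 0x010000
    'Read permissions'               = 0x020000
    'Change permissions'             = 0x040000
    'Take ownership'                 = 0x080000
    'Synchronize'                    = 0x100000   # not shown in the dialog
}

# Generic bit -> file-specific rights it stands for (Windows SDK values).
$GenericMap = @{
    2147483648 = 0x120089   # GENERIC_READ    -> FILE_GENERIC_READ
    1073741824 = 0x120116   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    536870912  = 0x1200A0   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    268435456  = 0x1F01FF   # GENERIC_ALL     -> FILE_ALL_ACCESS
}

function Expand-FileSystemRights {
    param([Parameter(Mandatory)][long] $AccessMask)
    # Work on the unsigned 32-bit value; GENERIC_READ makes the [int] negative.
    $Mask = $AccessMask -band 4294967295
    foreach ($Generic in $GenericMap.GetEnumerator()) {
        if ($Mask -band $Generic.Key) {
            # Clear the generic bit and set the specific rights it maps to.
            $Mask = ($Mask -bxor $Generic.Key) -bor $Generic.Value
        }
    }
    $Names = @(foreach ($Right in $BasicRights.GetEnumerator()) {
        if ($Mask -band $Right.Value) {
            $Right.Key
            $Mask = $Mask -bxor $Right.Value
        }
    })
    if ($Mask -ne 0) { $Names += 'Unknown (0x{0:X})' -f $Mask }
    $Names -join ', '
}

# Constructed sample masks: ReadAndExecute+Synchronize, GENERIC_ALL, GENERIC_READ|GENERIC_EXECUTE
@(1179817, 268435456, -1610612736) | ForEach-Object {
    [pscustomobject]@{ Mask = $_; DetailedRights = Expand-FileSystemRights $_ }
} | Format-List
```

Against a real folder, pipe `(Get-Acl C:\folder).Access` through `ForEach-Object { Expand-FileSystemRights $_.FileSystemRights }`; review the result together with each ACE's inheritance and propagation flags, since generic-rights ACEs are often inherit-only.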

  • #25687

    ertuu85
    Participant

    Hey, thanks! That really looks pretty good and with some slight modification will do just what I needed. Thanks again

  • #25690

    Rohn Edwards
    Participant

    You're welcome!
