Author Posts

May 26, 2015 at 8:29 am

Hello,

I'm trying to find a way to list the folders individual access permissions such as

Traverse Folders/execute files
Read attributes

etc...instead of the output I get from doing a get-acl and getting it's filesystem rights listed as something like: Readandexecute.

Is it possible to use get-acl to list the actual folder 'advanced security' options?

May 27, 2015 at 7:52 am

Get-Acl is giving you the same information as the advanced tab, it's just presented in a different way. You can take the access mask it's returning (the FileSystemRights property) and translate it into anything you want. Here's some quick and dirty proof of concept code that won't show any "combined" rights (it omits FullControl, Modify, ReadAndExecute, etc and shows you all of the basic rights):

# First, build a dictionary. To use the example code I'm using later, you'll want one
# with [int] keys and string values. You can build this yourself so that the translated
# rights show up how you want them, or you can do it using the FSR enumeration like
# this:

$Enum = [System.Security.AccessControl.FileSystemRights]
$RightsDictionary = @{}

foreach ($RightName in [enum]::GetNames($Enum)) {
    $NumericValue = $RightName -as $Enum -as [int]

    if ($NumericValue -band ($NumericValue -1)) {
        # This means $NumericValue isn't a power of 2, so it's a combination of rights,
        # and I'm assuming you want to ignore that
        continue
    }

    if (-not $RightsDictionary.ContainsKey($NumericValue)) {
        $RightsDictionary[$NumericValue] = @()
    }

    $RightsDictionary[$NumericValue] += $RightName
}
$SortedRights = $RightsDictionary.GetEnumerator() | sort Name -Descending

# This is a script block that can be used by Add-Member:
$DetailedRightsSb = {
    # This depends on $SortedRights

    $RemainingAccessMask = [int] $this.FileSystemRights
    $DetailedRights = @()
    foreach ($RightEntry in $SortedRights) {
        if ($RemainingAccessMask -eq 0) { break }  # Done looking up rights

        if ($RemainingAccessMask -band $RightEntry.Name) {
            $DetailedRights += $RightEntry.Value -join "/"
            $RemainingAccessMask = $RemainingAccessMask -bxor $RightEntry.Name
        }
    }

    if ($RemainingAccessMask -ne 0) { $DetailedRights += "Unknown ($RemainingAccessMask)" }

    [array]::Reverse($DetailedRights)
    $DetailedRights -join ", "
}

# Finally, you can use all of that above like this, and each of your ACEs will have an
# extra 'DetailedRights' property:
Get-Acl C:\folder | 
    select Path -ExpandProperty Access | 
    Add-Member -MemberType ScriptProperty -Name DetailedRights -Value $DetailedRightsSb -PassThru

If that does what you're looking for, you might also try this module: https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83. If you get version 4.0, you can run this command to do pretty much the same thing as the code above:

Get-PacAccessControlEntry C:\folder -DisplayOptions ShowDetailedRights

If you have any questions about the code above, or if you were trying to do something else, please let me know.

May 27, 2015 at 11:50 am

Hey, thanks! That really looks pretty good and with some slight modification will do just what I needed. Thanks again

May 27, 2015 at 12:20 pm

You're welcome!