Hey, Scripting Guy! Can I Determine a Folder's Access Rights and Who Has Them?

re: Hey, Scripting Guy! Can I Determine a Folder's Access Rights and Who Has Them?

jrv — Fri, 28 Sep 2012 02:52:25 GMT

@SISI - wow! great idea. Can you post your solution?

Of course you realize that this is a four year old blog post. I don't really think it is relevant anymore. You?

The forum for this blog is here: social.technet.microsoft.com/.../threads

Start a question. I am sure some people will remember those old issues from the last century, decade, millenium.

re: Hey, Scripting Guy! Can I Determine a Folder's Access Rights and Who Has Them?

SiSi — Fri, 28 Sep 2012 02:23:55 GMT

This is great! - now how would we exclude certain groups based on 'contains this string' to filter out admin groups say that we dont care about, then go further to list the usernames of each group with what access they have listed next to each user?

re: Hey, Scripting Guy! Can I Determine a Folder's Access Rights and Who Has Them?

Cjwdev — Tue, 28 Jun 2011 18:36:08 GMT

The link in my last comment doesn't seem to have pasted properly, here it is again: cjwdev.wordpress.com/.../permissions-not-included-in-net-accessrule-filesystemrights-enum

Hopefully that worked...

re: Hey, Scripting Guy! Can I Determine a Folder's Access Rights and Who Has Them?

Cjwdev — Tue, 28 Jun 2011 18:34:07 GMT

The numbers that you see instead of permission descriptions are from files/folders that have had "generic" permissions applied to them. For some reason the .NET team didn't think to handle this scenario when getting the FileSystemRights property of an AccessRule (which seems odd as a lot of the default folders in a fresh Windows build have these generic permissions applied so it is not as if it is uncommon). I've explained how you can work out what these permissions actually are in my blog post here: permissions-not-included-in-net-accessrule-filesystemrights-enum

re: Hey, Scripting Guy! Can I Determine a Folder's Access Rights and Who Has Them?

David Homer — Sat, 23 Apr 2011 13:10:38 GMT

Hi,

Yes we are also seeing negative numbers this shows as "Special" in the UI -536805376

Which when you open includes most permissions set to allow however obviously a bitwise AND doesn't return that this as having any allowed permissions.

Very strange, this occurs both using the .NET methods and also using WMI

Thanks,

David

CENTREL Solutions

centrel-solutions.com/xiaconfiguration

re: Hey, Scripting Guy! Can I Determine a Folder's Access Rights and Who Has Them?

Chris_Eaton — Tue, 08 Mar 2011 23:09:30 GMT

Excellent useful script thankyou....does anyone know how to get this to work for recursive paths so I can query an entire logical drive for NTFS permissions (folders only). Im pretty new to powershell and attempted the following

$Folders = Get-ChildItem c:\scripts\test123 -recurse | where-object {$_.PsIsContainer}

foreach ($folder in $folders) {

$acl = get-acl $folder

$acl.Access | select fileSystemRights, IsInherited, IdentityReference | where {$_.IdentityReference -eq 'BUILTIN\users'} |

select Filesystemrights, IsInherited, IdentityReference

}

This is the output you get....seems to replace certain permissions with numbers ?

FileSystemRights IsInherited IdentityReference

---------------- ----------- -----------------

-1610612736 BUILTIN\Users

ReadAndExecute, Synchronize False BUILTIN\Users