发表新帖
发表新帖

Retrieving security descriptor and getting number for FileSystemRights

前端 未结
关注
2 681
一整个雨季
一整个雨季 2021-01-05 02:36

Using Get-Acl I am trying to get the access rights on a folder. The thing is, for some groups I get a number instead of a access type. Example below:
相关标签:
2条回答
  • 终归单人心
    2021-01-05 02:55

    The value of the FileSystemRights property is an unsigned 32-bit integer, where each bit represents a particular access permission. Most of the permissions are listed in the Win32_ACE class documentation, except for the "generic" permissions (bits 28-31) and the right to access SACLs (bit 23). More details can be found here and here.

    If you want to break down an ACE access mask into its specific access rights (vulgo "extended permissions") you could do something like this:

    $accessMask = [ordered]@{
  [uint32]'0x80000000' = 'GenericRead'
  [uint32]'0x40000000' = 'GenericWrite'
  [uint32]'0x20000000' = 'GenericExecute'
  [uint32]'0x10000000' = 'GenericAll'
  [uint32]'0x02000000' = 'MaximumAllowed'
  [uint32]'0x01000000' = 'AccessSystemSecurity'
  [uint32]'0x00100000' = 'Synchronize'
  [uint32]'0x00080000' = 'WriteOwner'
  [uint32]'0x00040000' = 'WriteDAC'
  [uint32]'0x00020000' = 'ReadControl'
  [uint32]'0x00010000' = 'Delete'
  [uint32]'0x00000100' = 'WriteAttributes'
  [uint32]'0x00000080' = 'ReadAttributes'
  [uint32]'0x00000040' = 'DeleteChild'
  [uint32]'0x00000020' = 'Execute/Traverse'
  [uint32]'0x00000010' = 'WriteExtendedAttributes'
  [uint32]'0x00000008' = 'ReadExtendedAttributes'
  [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
  [uint32]'0x00000002' = 'WriteData/AddFile'
  [uint32]'0x00000001' = 'ReadData/ListDirectory'
}

$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
                    Select-Object -Expand Access |
                    Select-Object -Expand FileSystemRights -First 1

$permissions = $accessMask.Keys |
               Where-Object { $fileSystemRights.value__ -band $_ } |
               ForEach-Object { $accessMask[$_] }

    The simple permissions FullControl, Modify, ReadAndExecute etc. are just specific combinations of these extended permissions. ReadAndExecute for instance is a combination of the following extended permissions:

    • ReadData/ListDirectory
    • Execute/Traverse
    • ReadAttributes
    • ReadExtendedAttributes
    • ReadControl

    so the access mask for ReadAndExecute would have the value 131241.

    If you want the result to be a combination of simple permission and the remaining extended permissions, you could do something like this:

    $accessMask = [ordered]@{
  ...
}

$simplePermissions = [ordered]@{
  [uint32]'0x1f01ff' = 'FullControl'
  [uint32]'0x0301bf' = 'Modify'
  [uint32]'0x0200a9' = 'ReadAndExecute'
  [uint32]'0x02019f' = 'ReadAndWrite'
  [uint32]'0x020089' = 'Read'
  [uint32]'0x000116' = 'Write'
}

$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
                    Select-Object -Expand Access |
                    Select-Object -Expand FileSystemRights -First 1

$fsr = $fileSystemRights.value__

$permissions = @()

# get simple permission
$permissions += $simplePermissions.Keys | ForEach-Object {
                  if (($fsr -band $_) -eq $_) {
                    $simplePermissions[$_]
                    $fsr = $fsr -band (-bnot $_)
                  }
                }

# get remaining extended permissions
$permissions += $accessMask.Keys |
                Where-Object { $fsr -band $_ } |
                ForEach-Object { $accessMask[$_] }
    0 讨论(0)
  • 醉话见心
    2021-01-05 02:58

    Quick and dirty tanslation:

    268435456 - FullControl

    -536805376 - Modify, Synchronize

    -1610612736 - ReadAndExecute, Synchronize

    If you want to learn about the translation process this was the best i could find at the moment: Link

    0 讨论(0)
 看不清?
提交回复
热议问题