
PowerShell convert shared folder permissions SDDL to readable format

While working with shared folder permissions, I wanted to document folder access and permissions in a readable format, in an automated way with PowerShell. You can see the permissions of a folder with the command below. The access and permissions come back in SDDL format, which is not user friendly to read: it contains SIDs and permissions in short form.

The Security Descriptor Definition Language (SDDL) is a format that represents a security descriptor as a text string in Windows. It also defines the string elements used to describe the data contained in the components of a security descriptor (owner, primary group, DACL and SACL).

$acl = Get-Acl -Path C:\Windows

$acl.Sddl
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1301bf;;;BA)(A;OICIIO;GXGR;;;BU)(A;;0x1200a9;;;BU)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)

To convert this SDDL to a readable format, use the command below.

ConvertFrom-SddlString -Sddl $acl.Sddl

Owner            : NT SERVICE\TrustedInstaller
Group            : NT SERVICE\TrustedInstaller
DiscretionaryAcl : {NT AUTHORITY\SYSTEM: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute,
                   GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes,
                   ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey),
                   BUILTIN\Administrators: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute,
                   GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes,
                   ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey),
                   BUILTIN\Users: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData,
                   ReadExtendedAttributes, ReadPermissions, Synchronize), NT SERVICE\TrustedInstaller: AccessAllowed
                   (AppendData, ChangePermissions, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, ExecuteKey,
                   FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite,
                   Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions,
                   Synchronize, TakeOwnership, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)…}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

Although all the readable information is stored in the DiscretionaryAcl property, it is still not very readable. To make it readable I am using the command below, which prints one ACE at a time separated by a line of dashes.

(ConvertFrom-SddlString -Sddl $acl.Sddl).DiscretionaryAcl | foreach {$_ ; '-'*40}

NT AUTHORITY\SYSTEM: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute, GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
----------------------------------------
BUILTIN\Administrators: AccessAllowed (AppendData, Delete, ExecuteFile, ExecuteKey, GenericExecute, GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
----------------------------------------
BUILTIN\Users: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize)
----------------------------------------
NT SERVICE\TrustedInstaller: AccessAllowed (AppendData, ChangePermissions, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, ExecuteKey, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, Modify, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
----------------------------------------
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize)
----------------------------------------
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES: AccessAllowed (ExecuteFile, GenericWrite, Read, ReadAndExecute, ReadAttributes, ReadData, ReadExtendedAttributes, ReadPermissions, Synchronize)
----------------------------------------
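The one-ACE-per-line output above is fine on screen, but for documenting a whole share it helps to turn each DiscretionaryAcl string into an object that can be filtered and exported. The function below is an added example, not code from the original post: it parses the strings ConvertFrom-SddlString returns, emits one object per ACE, and flags entries where a broad principal (Everyone, BUILTIN\Users, Authenticated Users) is allowed write-class rights, which are the entries a permissions review should look at first. The function name, the Review flag and the \\fileserver\share path are my own; the share path is a placeholder.

```powershell
# Added example (not from the original post): flatten the DiscretionaryAcl strings
# that ConvertFrom-SddlString returns into one object per ACE, so a folder tree's
# permissions can be exported to CSV and filtered for risky entries.
function Get-SddlAceReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Sddl,
        [string] $Path = ''     # label only: the folder the SDDL was read from
    )
    process {
        # -Type FileSystemRights keeps the mapping to file-system right names
        # (without it, registry-style names such as ExecuteKey are mixed in)
        $parsed = ConvertFrom-SddlString -Sddl $Sddl -Type FileSystemRights

        # Each entry looks like "BUILTIN\Users: AccessAllowed (ReadAndExecute, Synchronize, ...)"
        $acePattern = '^(?<Identity>.+?): (?<AccessType>\w+) \((?<Rights>.*)\)$'
        foreach ($entry in $parsed.DiscretionaryAcl) {
            if ($entry -match $acePattern) {
                # Copy the groups out before any further -match overwrites $Matches
                $identity   = $Matches.Identity
                $accessType = $Matches.AccessType
                $rights     = $Matches.Rights -split ',\s*'

                # Broad principals holding write-class rights are the entries to review first
                $broad    = $identity -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
                $canWrite = @('Write', 'Modify', 'FullControl', 'GenericAll', 'ChangePermissions', 'TakeOwnership') |
                    Where-Object { $rights -contains $_ }

                [pscustomobject]@{
                    Path       = $Path
                    Owner      = $parsed.Owner
                    Identity   = $identity
                    AccessType = $accessType
                    Rights     = ($rights -join ', ')
                    Review     = ($accessType -eq 'AccessAllowed') -and $broad -and [bool]$canWrite
                }
            }
        }
    }
}

# Usage: the local C:\Windows example from the post ...
(Get-Acl -Path C:\Windows).Sddl | Get-SddlAceReport -Path C:\Windows | Format-Table -AutoSize

# ... or a whole share (\\fileserver\share is a placeholder) exported for documentation
# Get-ChildItem -Path '\\fileserver\share' -Directory -Recurse |
#     ForEach-Object { Get-SddlAceReport -Sddl (Get-Acl -Path $_.FullName).Sddl -Path $_.FullName } |
#     Export-Csv -Path .\share-permissions.csv -NoTypeInformation
```

The CSV can then be filtered on the Review column to list only the folders where broad groups can write, which is usually the short list worth discussing with the share owner.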

Another way is to use the .NET object API from PowerShell to read the security descriptor information. In the example below I am reading a Security event (ID 4907, auditing settings on an object were changed) from Event Viewer and converting its SDDL to a readable format.

PS C:\Users> $eventSDDL = (Get-WinEvent -FilterHashtable @{LogName='Security';Id='4907'})[0].Properties[-3].Value
PS C:\Users>
PS C:\Users> $sddlObj = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
PS C:\Users>
PS C:\Users> $sddlObj.SetSecurityDescriptorSddlForm($eventSDDL) # the reverse direction is $sddlObj.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::All), which returns the SDDL string
PS C:\Users> $sddlObj.Access
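Once the descriptor is loaded into a DirectorySecurity object, the rules it exposes are typed objects rather than strings, which makes it possible to compare two descriptors ACE by ACE. The block below is an added example, not code from the original post: it reads both the DACL (GetAccessRules) and the SACL (GetAuditRules) keyed by SID so unresolvable SIDs do not throw, and diffs an old and a new descriptor so that a change such as an Everyone:FullControl entry appearing on a share stands out. The two SDDL strings are constructed for the demo; the function names are mine, and the use of Properties[-4] as the old descriptor of a 4907 event is an assumption to check against the event's message text.

```powershell
# Added example (not from the original post): read an SDDL string through the .NET
# DirectorySecurity class and diff two descriptors ACE by ACE.

function New-AceRow {
    param(
        [Parameter(Mandatory)] [string] $Kind,   # 'Access' (DACL) or 'Audit' (SACL)
        [Parameter(Mandatory)] $Rule,            # FileSystemAccessRule or FileSystemAuditRule
        [Parameter(Mandatory)] [string] $Type    # AccessControlType or AuditFlags, as text
    )
    $sid = $Rule.IdentityReference
    # Translate the SID when this machine can resolve it; unknown SIDs keep their S-1-... form
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }
    [pscustomobject]@{
        Kind        = $Kind
        Identity    = $name
        Sid         = $sid.Value
        Type        = $Type
        Rights      = $Rule.FileSystemRights
        Inheritance = $Rule.InheritanceFlags
        Propagation = $Rule.PropagationFlags
        IsInherited = $Rule.IsInherited
        # One string per ACE so Compare-Object can match rows between two descriptors
        Key         = '{0}|{1}|{2}|{3}|{4}|{5}' -f $Kind, $sid.Value, $Type,
                      [int]$Rule.FileSystemRights, $Rule.InheritanceFlags, $Rule.PropagationFlags
    }
}

function ConvertFrom-SddlToAceRows {
    param([Parameter(Mandatory)] [string] $Sddl)
    $sd = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($r in $sd.GetAccessRules($true, $true, $sidType)) { New-AceRow -Kind 'Access' -Rule $r -Type $r.AccessControlType }
    foreach ($r in $sd.GetAuditRules($true, $true, $sidType))  { New-AceRow -Kind 'Audit'  -Rule $r -Type $r.AuditFlags }
}

function Compare-SddlAces {
    param([Parameter(Mandatory)] [string] $OldSddl, [Parameter(Mandatory)] [string] $NewSddl)
    $old = @(ConvertFrom-SddlToAceRows -Sddl $OldSddl)
    $new = @(ConvertFrom-SddlToAceRows -Sddl $NewSddl)
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Key -PassThru |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Kind, Identity, Type, Rights, Inheritance
}

# Constructed sample descriptors (not taken from a real system): the second one replaces the
# read-only entry for BUILTIN\Users with Modify and adds Everyone (WD) with Full Control.
$before = 'O:BAG:BAD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)S:(AU;SAFA;0x1301bf;;;WD)'
$after  = 'O:BAG:BAD:(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)(A;OICI;FA;;;WD)S:(AU;SAFA;0x1301bf;;;WD)'
Compare-SddlAces -OldSddl $before -NewSddl $after | Format-Table -AutoSize

# Same comparison on a live 4907 event; the index of the old descriptor is an assumption,
# verify it against the OldSd / NewSd fields shown in the event's message.
# $evt = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4907 })[0]
# Compare-SddlAces -OldSddl $evt.Properties[-4].Value -NewSddl $evt.Properties[-3].Value
```

Because the 4907 event records auditing (SACL) changes, the Audit rows are the ones that usually differ there; on Get-Acl output from a share the Access rows are the ones to watch.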
