Retrieving security descriptor and getting number for FileSystemRights
Using Get-Acl I am trying to get the access rights on a folder. The thing is, for some groups I get a number instead of a access type. Example below:
get-acl "C:\TestFolder" | % {$_.access}
FileSystemRights : -536805376
AccessControlType : Allow
IdentityReference : TestDomain\Support
IsInherited : False
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly
Is there any way to translate this number back to its name?
Answer
The value of the FileSystemRights property is an unsigned 32-bit integer, where each bit represents a particular access permission. Most of the permissions are listed in the Win32_ACE class documentation, except for the "generic" permissions (bits 28-31) and the right to access SACLs (bit 23). More details can be found here and here.
If you want to break down an ACE access mask into its specific access rights (vulgo "extended permissions") you could do something like this:
$accessMask = [ordered]@{
[uint32]'0x80000000' = 'GenericRead'
[uint32]'0x40000000' = 'GenericWrite'
[uint32]'0x20000000' = 'GenericExecute'
[uint32]'0x10000000' = 'GenericAll'
[uint32]'0x02000000' = 'MaximumAllowed'
[uint32]'0x01000000' = 'AccessSystemSecurity'
[uint32]'0x00100000' = 'Synchronize'
[uint32]'0x00080000' = 'WriteOwner'
[uint32]'0x00040000' = 'WriteDAC'
[uint32]'0x00020000' = 'ReadControl'
[uint32]'0x00010000' = 'Delete'
[uint32]'0x00000100' = 'WriteAttributes'
[uint32]'0x00000080' = 'ReadAttributes'
[uint32]'0x00000040' = 'DeleteChild'
[uint32]'0x00000020' = 'Execute/Traverse'
[uint32]'0x00000010' = 'WriteExtendedAttributes'
[uint32]'0x00000008' = 'ReadExtendedAttributes'
[uint32]'0x00000004' = 'AppendData/AddSubdirectory'
[uint32]'0x00000002' = 'WriteData/AddFile'
[uint32]'0x00000001' = 'ReadData/ListDirectory'
}
$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
Select-Object -Expand Access |
Select-Object -Expand FileSystemRights -First 1
$permissions = $accessMask.Keys |
Where-Object { $fileSystemRights.value__ -band $_ } |
ForEach-Object { $accessMask[$_] }
The simple permissions FullControl, Modify, ReadAndExecute etc. are just specific combinations of these extended permissions. ReadAndExecute for instance is a combination of the following extended permissions:
ReadData/ListDirectoryExecute/TraverseReadAttributesReadExtendedAttributesReadControl
so the access mask for ReadAndExecute would have the value 131241.
If you want the result to be a combination of simple permission and the remaining extended permissions, you could do something like this:
$accessMask = [ordered]@{
...
}
$simplePermissions = [ordered]@{
[uint32]'0x1f01ff' = 'FullControl'
[uint32]'0x0301bf' = 'Modify'
[uint32]'0x0200a9' = 'ReadAndExecute'
[uint32]'0x02019f' = 'ReadAndWrite'
[uint32]'0x020089' = 'Read'
[uint32]'0x000116' = 'Write'
}
$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
Select-Object -Expand Access |
Select-Object -Expand FileSystemRights -First 1
$fsr = $fileSystemRights.value__
$permissions = @()
# get simple permission
$permissions += $simplePermissions.Keys | ForEach-Object {
if (($fsr -band $_) -eq $_) {
$simplePermissions[$_]
$fsr = $fsr -band (-bnot $_)
}
}
# get remaining extended permissions
$permissions += $accessMask.Keys |
Where-Object { $fsr -band $_ } |
ForEach-Object { $accessMask[$_] }