Question

I want to report user permissions on folder objects (not files). I'm trying to use the Get-Acl PowerShell cmdlet to accomplish this; however, I've run into an issue where I'm noticing that my code isn't correctly getting all of the permissions. I also have it set up so that I go down one level when checking user permissions, and I want to get exceptions where user permissions may change one folder down.

if ($ComputerName -eq '.'){
$Path = $Folder
}

else {
$Path = "\\$ComputerName\$Folder"
}

if ($OutputFile){
gci c:\|%{if($_.PSIsContainer){GCI $_.FullName|get-acl};$_|get-acl}| Select-Object @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},@{Name="Type";Expression={$_.GetType()}},Owner -ExpandProperty Access | sort PSParentPath|Export-CSV $OutputFile -NoType
}

else{
gci c:\|%{if($_.PSIsContainer){GCI $_.FullName|get-acl};$_|get-acl}| Select-Object @{Name="Path";Expression={$_.PSPath.Substring($_.PSPath.IndexOf(":")+2) }},@{Name="Type";Expression={$_.GetType()}},Owner -ExpandProperty Access | sort PSParentPath|FT -Auto
}

Random folders are reporting numbers rather than giving me the FileSystemRights. Is there something wrong in my code?

Solution

I'll differ from ManyRootsofAllEvil here... you do not want to just filter them out. The numeric results are due to specific rights being applied in an ACE instead of grouped rights such as Read, Write, or Full Control. Please read the MSDN FileSystemRights Enumeration page for all of the details, but that number represents a culmination of all specific rights assigned. For example, the general Read access group shows as follows:

Specifies the right to open and copy folders or files as read-only. This right includes the ReadData right, ReadExtendedAttributes right, ReadAttributes right, and ReadPermissions right.

Yes, if somebody has full control then drilling down to specific rights may not matter, but it may very well matter as those may be the rights that are propagated to sub-folders and files.

So if somebody has Read access you will see Read. If somebody has only ReadData, ReadExtendedAttributes, and ReadAttributes (but not ReadPermissions) it will result in a numeric response.

How bitwise flags work (example only, not actual values!):

0 - None
1 - ReadData
2 - ReadExtendedAttributes
5 - ReadAttributes
9 - ReadPermissions

You figure out what they have, add the numbers associated with it, and that is the bitwise response. So if they have ReadData (1) and ReadPermissions (9) the response is 10 (1+9). If they have ReadData (1), ReadExtendedAttributes (2), and ReadAttributes (5) you get 8 (1+2+5). Numbers get big quickly because no single item can have a number that is any combination of previous items added together; that way any number of items will create a unique number when added together.

What you are going to end up having to do is look at inheritance and propagation types to see where they start to differ as to where exceptions are.

Other tips

There is nothing wrong with your script

Have a look at this link for an explanation.

In short:

BUILTIN\Administrators Allow FullControl

BUILTIN\Administrators Allow 268435456

You should be able to just filter them out
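Added example, not part of the original posts: PowerShell code that decodes raw values such as the 268435456 quoted above instead of filtering them out, and reports folder ACEs together with the inheritance and propagation flags that both answers point to. The function names and the `C:\Data` path are hypothetical; the generic-bit constants and their file mappings are the standard Windows (winnt.h) definitions, not something stated on this page.

```powershell
# Added example (not from the original posts). Function names are hypothetical.
$FsRights = [System.Security.AccessControl.FileSystemRights]

# Generic access bits (winnt.h) and the file-specific rights Windows maps them to.
$GenericMap = @(
    @{ Name = 'GENERIC_READ';    Bit = 2147483648; MapsTo = 0x120089 }  # Read + Synchronize
    @{ Name = 'GENERIC_WRITE';   Bit = 1073741824; MapsTo = 0x120116 }  # Write + ReadPermissions + Synchronize
    @{ Name = 'GENERIC_EXECUTE'; Bit = 536870912;  MapsTo = 0x1200A0 }  # ExecuteFile + ReadAttributes + ReadPermissions + Synchronize
    @{ Name = 'GENERIC_ALL';     Bit = 268435456;  MapsTo = 0x1F01FF }  # FullControl
)

function Expand-FileSystemRights {
    param([Parameter(Mandatory)][long]$Value)
    # Some masks print as negative Int32; reduce to the unsigned 32-bit access mask.
    $mask     = $Value -band [long][uint32]::MaxValue
    $specific = $mask -band 0x001F01FF   # bits that the FileSystemRights enum defines
    $generic  = @()
    foreach ($g in $GenericMap) {
        if ($mask -band $g.Bit) {
            $generic += $g.Name
            $specific = $specific -bor $g.MapsTo
        }
    }
    [pscustomobject]@{
        Raw       = $Value
        Generic   = $generic -join ', '
        Effective = [Enum]::ToObject($FsRights, [int]$specific).ToString()
    }
}

function Get-FolderAclReport {
    param([Parameter(Mandatory)][string]$Path)
    # The folder itself plus one level of subfolders (directories only, no files).
    $folders = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Directory)
    foreach ($f in $folders) {
        foreach ($ace in (Get-Acl -LiteralPath $f.FullName).Access) {
            $r = Expand-FileSystemRights ([int]$ace.FileSystemRights)
            [pscustomobject]@{
                Path = $f.FullName; Identity = $ace.IdentityReference
                Type = $ace.AccessControlType; Rights = $r.Effective; Generic = $r.Generic
                IsInherited = $ace.IsInherited; Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

# 268435456 is the value quoted above; -1610612736 is a constructed sample value.
268435456, -1610612736 | ForEach-Object { Expand-FileSystemRights $_ }
# Explicit (non-inherited) ACEs mark where permissions change; C:\Data is a placeholder.
# Get-FolderAclReport -Path 'C:\Data' | Where-Object { -not $_.IsInherited }
```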

License: CC-BY-SA with attribution
Not affiliated with StackOverflow