Working with Access Rules in PowerShell

Yesterday I posted a function to create a summary report of ACL information using Windows PowerShell. I posted this in response to a question in the Ask Don and Jeff forum at PowerShell.com. I received an appreciative follow-up. The next step for this IT Pro, it seems, is to get a detailed list of the user-based access control entries. Here is some of my response.

What you are experiencing is both the pleasure and pain of PowerShell. You can get to some amazing information, but sometimes it is buried deeply and takes a little work to unwind. Assuming you have my function loaded in your shell, try this on a small test folder.


# Walk C:\Work recursively, keep only folders, summarize each folder's ACL,
# then drill into the non-system access rules of folders that have any
dir c:\work -recurse | Where {$_.PSIsContainer} |
    get-aclinfo | Where {$_.UserAcl -gt 0} |
    ForEach {
        # save the folder path before $_ is rebound to each access rule below
        $path=$_.Path
        $_ | select -expand accessrules |
            where {$_.identityreference -notmatch "BUILTIN|NT AUTHORITY|EVERYONE|CREATOR OWNER"} |
            Select @{Name="Path";Expression={$Path}},IdentityReference,FileSystemRights
    }

The first command, DIR, goes through C:\Work recursively. These objects are piped to Where-Object, which only keeps containers, i.e. folders. These folder objects are then piped to my Get-ACLInfo function. Its results are then piped to another Where-Object to filter out anything that doesn’t have a UserACL value greater than 0.

Now it gets a little trickier. I want to display both the file path and get at the underlying, nested access rules. So I’ll pipe each of my aclinfo objects to ForEach-Object. The first thing I do is save the path property from the incoming object. Then I pipe the object to Select-Object, expanding the Accessrules property. Remember, this is a collection of accessrule objects.

These in turn are filtered again to weed out the system accounts. You could also modify the filter to match say on a domain name or specific username. Finally, the filtered results are piped to Select-Object which shows the username, their rights, and a custom property that uses the saved Path variable.

Here’s what the end result looks like:


Path IdentityReference FileSystemRights
---- ----------------- ----------------
C:\work\foo SERENITY\fooby FullControl
C:\work\foo\test SERENITY\fooby FullControl
C:\work\foo\test1 SERENITY\fooby FullControl
C:\work\foo\test2 SERENITY\fooby FullControl
C:\work\foo\test1\foo SERENITY\fooby FullControl
C:\work\foo\test1\foo2 SERENITY\fooby FullControl
C:\work\foo\test1\foo3 SERENITY\fooby FullControl
C:\work\foo\test2\bar SERENITY\fooby FullControl
C:\work\foo\test2\bar2 SERENITY\fooby FullControl

In reality though, you could probably skip my function altogether since all you want are the underlying access rules. Here’s a variation that uses Get-ACL.


dir c:\work -recurse | Where {$_.PSIsContainer} | get-acl |
    ForEach {
        # $_.Path from Get-Acl carries the provider prefix
        # (Microsoft.PowerShell.Core\FileSystem::C:\...); match from the drive letter on.
        # .+ rather than \S+ so folder names containing spaces are not truncated
        [regex]$regex="\w:\\.+"
        $path=$regex.match($_.Path).Value
        $_ | select -expand access |
            where {$_.identityreference -notmatch "BUILTIN|NT AUTHORITY|EVERYONE|CREATOR OWNER"} |
            Select @{Name="Path";Expression={$Path}},IdentityReference,FileSystemRights
    }

The logic is essentially the same except I threw in my regex code to make the folder path easier to read. Otherwise you get a path value like Microsoft.PowerShell.Core\FileSystem::C:\scripts\. I’ll admit this is a bit much to get your head around, especially for people just starting out in PowerShell. But I hope my logical explanation helps.
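The two pipelines above answer "who has rights on which folder". For an audit, the next thing you usually want to know is which of those entries are explicit (set on that folder rather than inherited from a parent) and which of them grant broad rights, because those are the entries someone deliberately added. The following function is an added example written for this post, not the author's Get-ACLInfo function or any code from PowerShell.com. It assumes PowerShell 3.0 or later (for Get-ChildItem -Directory and [pscustomobject]), and the root path, the exclusion pattern and the list of "broad" rights are placeholders to adapt to your environment.

```powershell
# Added example (not from the original post): report explicit, non-inherited
# access control entries on folders, flagging those that grant broad rights
# to principals other than the usual system accounts.
function Get-ExplicitFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Well-known principals that are noise in most audits (placeholder pattern)
        [string]$ExcludePattern = 'BUILTIN|NT AUTHORITY|EVERYONE|CREATOR OWNER',

        # Rights treated as "broad" for reporting purposes (placeholder list)
        [string[]]$BroadRights = @('FullControl', 'Modify', 'Write')
    )

    Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_.FullName
            try {
                $acl = Get-Acl -Path $folder -ErrorAction Stop
            } catch {
                # Folders you cannot read are worth knowing about too
                Write-Warning "Cannot read ACL on ${folder}: $($_.Exception.Message)"
                return
            }

            foreach ($ace in $acl.Access) {
                # Inherited entries are reported once, at the folder that defines them
                if ($ace.IsInherited) { continue }
                if ($ace.IdentityReference.Value -match $ExcludePattern) { continue }

                # FileSystemRights is a flags enum; ToString gives e.g. "Modify, Synchronize"
                $rights  = $ace.FileSystemRights.ToString()
                $isBroad = $false
                foreach ($r in $BroadRights) {
                    if ($rights -match "\b$r\b") { $isBroad = $true; break }
                }

                [pscustomobject]@{
                    Path        = $folder
                    Identity    = $ace.IdentityReference.Value
                    Type        = $ace.AccessControlType      # Allow or Deny
                    Rights      = $rights
                    Inheritance = $ace.InheritanceFlags
                    Propagation = $ace.PropagationFlags
                    BroadRights = $isBroad
                    Owner       = $acl.Owner
                }
            }
        }
}

# Usage: show only explicit Allow entries that grant broad rights
Get-ExplicitFolderAccess -Path 'C:\work' |
    Where-Object { $_.Type -eq 'Allow' -and $_.BroadRights } |
    Sort-Object Path, Identity |
    Format-Table Path, Identity, Rights, Inheritance -AutoSize

# Or keep everything as a baseline you can diff against later:
# Get-ExplicitFolderAccess -Path 'C:\work' | Export-Csv -Path .\acl-baseline.csv -NoTypeInformation
```

Using $_.FullName from Get-ChildItem and then calling Get-Acl on it sidesteps the provider-prefix problem entirely, so no regex is needed. Keeping the Owner and the inheritance flags in the output matters when you read the report: an explicit FullControl entry with ContainerInherit and ObjectInherit propagates to everything created beneath that folder, which is a very different risk from a single-folder entry.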

Architecting the Right Solution for Strong Authentication

My first project with RealTime Publishers is now available. I wrote a short three-part series on strong authentication: Architecting the Right Solution for Strong Authentication, sponsored by Imprivata.

Synopsis

“Insufficient security is a hidden problem that many businesses are not fully aware of until it is too late. Weak authentication, silos of compliance reporting, a multitude of management tools, and poor security practices contribute to data breaches and compromised systems and leave organizations vulnerable to other pervasive threats. Fortunately, strong authentication systems can address these issues. A combination of consolidated identity management, single sign-on services, and comprehensive compliance reporting can reduce compliance costs, improve security, and remove significant drag on innovation. The Essentials Series: Architecting the Right Solution for Strong Authentication examines ways in which weak authentication hampers business operations, criteria for selecting a strong authentication system, and tips on how to deploy and manage strong authentication systems to control risks and improve the efficiency of business operations.”


You can download the chapters individually or as a zip file.  I hope you’ll take a look.

Waynes World of Tips

I’ve blogged in the past about Wayne Martin and his outstanding list of command line tips. These are one-line commands, some complex, some simple, that you can use to accomplish a wide range of tasks. The overall number of tips is up to 425, and Wayne recently reorganized them into 7 categories to make it easier for people to digest. There’s very little scripting with any of these commands. Most use native or freely available command line tools. But because they are executed from a command line you could incorporate them into a script. I encourage you to check them out.

The single list:

http://waynes-world-it.blogspot.com/2008/09/useful-command-lines.html

The same commands split into categories:

http://waynes-world-it.blogspot.com/2008/09/useful-active-directory-command-line.html

http://waynes-world-it.blogspot.com/2008/09/useful-dns-dhcp-and-wins-command-line.html

http://waynes-world-it.blogspot.com/2008/09/useful-general-command-line-operations.html

http://waynes-world-it.blogspot.com/2008/09/useful-vmware-esx-and-vc-command-line.html

http://waynes-world-it.blogspot.com/2008/09/useful-windows-mscs-cluster-command.html

http://waynes-world-it.blogspot.com/2008/09/useful-windows-printer-command-line.html

http://waynes-world-it.blogspot.com/2008/09/useful-ntfs-and-security-command-line.html