Vista - how to list out ntfs permissions

11-15-2007

Hi,

I would like to write a script to list out ntfs permissions. I tried with:

(get-acl -path \\testserver\d$\testdir).accesstostring

I get:

BUILTIN\Administrators Allow FullControl
REDMOND\testuser Allow Write, ReadAndExecute, Synchronize
S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute,
Synchronize
BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl

When I do this from the gui, the
"S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute"
resolves correctly but now from PS. Doe anyone know how I can get around
this?

Thanks in advance,

11-15-2007

Frank wrote:

Quote:

> Hi,
>
> I would like to write a script to list out ntfs permissions. I tried with:
>
> (get-acl -path \\testserver\d$\testdir).accesstostring
>
> I get:
>
> BUILTIN\Administrators Allow FullControl
> REDMOND\testuser Allow Write, ReadAndExecute, Synchronize
> S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute,
> Synchronize
> BUILTIN\Administrators Allow FullControl
> NT AUTHORITY\SYSTEM Allow FullControl
>
> When I do this from the gui, the
> "S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute"
> resolves correctly but now from PS. Doe anyone know how I can get around
> this?
>
> Thanks in advance,
>
>

http://www.comptechdoc.org/os/window...rmissions.html

A bit of an assumption here... Since Read and Write each come with the
synchronize permission, it would seem 'Read and Execute' would also have
synchronize (since Read is there).

Synchronize seems to be a hidden permission so PowerShell is actually
more accurate.

You could likely drop the Synchronize when applying the permissions
elsewhere.

Marco

--
Microsoft MVP - Windows PowerShell
http://www.microsoft.com/mvp

PowerGadgets MVP
http://www.powergadgets.com/mvp

Blog:
http://marcoshaw.blogspot.com

11-16-2007

On Nov 15, 2:14 pm, Frank <Fr...@xxxxxx> wrote:

Quote:

> Hi,
>
> I would like to write a script to list out ntfs permissions. I tried with:
>
> (get-acl -path \\testserver\d$\testdir).accesstostring
>
> I get:
>
> BUILTIN\Administrators Allow FullControl
> REDMOND\testuser Allow Write, ReadAndExecute, Synchronize
> S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute,
> Synchronize
> BUILTIN\Administrators Allow FullControl
> NT AUTHORITY\SYSTEM Allow FullControl
>
> When I do this from the gui, the
> "S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute"
> resolves correctly but now from PS. Doe anyone know how I can get around
> this?
>
> Thanks in advance,

Hi Frank,

I presume you're talking about the SID not resolving to a domain
\username pair. Just for kicks, try explicitly resolving it in
Powershell:

PS> $sid = new-object security.principal.securityidentifier `
"S-1-5-21-2146773085-903363285-719344707-241418"
PS> $securityidentifier.translate( [security.principal.ntaccount] )

For more on this kind of thing, check out:

http://www.nivot.org/2007/08/20/Conv...owerShell.aspx

Hope this helps,

- Oisin / x0n

p.s. security tip: try to keep your actual SIDs secret in future ;-)

11-16-2007

Quote:

>> When I do this from the gui, the
>> "S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute"
>> resolves correctly but now from PS. Doe anyone know how I can get
>> around this?
>> Thanks in advance,

Oops! I read this too quickly. Oisin has the answer...

Marco

11-15-2007	#1 (permalink)
Frank n/a posts	how to list out ntfs permissions Hi, I would like to write a script to list out ntfs permissions. I tried with: (get-acl -path \\testserver\d$\testdir).accesstostring I get: BUILTIN\Administrators Allow FullControl REDMOND\testuser Allow Write, ReadAndExecute, Synchronize S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute, Synchronize BUILTIN\Administrators Allow FullControl NT AUTHORITY\SYSTEM Allow FullControl When I do this from the gui, the "S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute" resolves correctly but now from PS. Doe anyone know how I can get around this? Thanks in advance,
My System Specs

11-15-2007	#2 (permalink)
Marco Shaw [MVP] n/a posts	Re: how to list out ntfs permissions Frank wrote: Quote: > Hi, > > I would like to write a script to list out ntfs permissions. I tried with: > > (get-acl -path \\testserver\d$\testdir).accesstostring > > I get: > > BUILTIN\Administrators Allow FullControl > REDMOND\testuser Allow Write, ReadAndExecute, Synchronize > S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute, > Synchronize > BUILTIN\Administrators Allow FullControl > NT AUTHORITY\SYSTEM Allow FullControl > > When I do this from the gui, the > "S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute" > resolves correctly but now from PS. Doe anyone know how I can get around > this? > > Thanks in advance, > > http://www.comptechdoc.org/os/window...rmissions.html A bit of an assumption here... Since Read and Write each come with the synchronize permission, it would seem 'Read and Execute' would also have synchronize (since Read is there). Synchronize seems to be a hidden permission so PowerShell is actually more accurate. You could likely drop the Synchronize when applying the permissions elsewhere. Marco -- Microsoft MVP - Windows PowerShell http://www.microsoft.com/mvp PowerGadgets MVP http://www.powergadgets.com/mvp Blog: http://marcoshaw.blogspot.com
My System Specs

11-16-2007	#3 (permalink)
Oisin Grehan n/a posts	Re: how to list out ntfs permissions On Nov 15, 2:14 pm, Frank <Fr...@xxxxxx> wrote: Quote: > Hi, > > I would like to write a script to list out ntfs permissions. I tried with: > > (get-acl -path \\testserver\d$\testdir).accesstostring > > I get: > > BUILTIN\Administrators Allow FullControl > REDMOND\testuser Allow Write, ReadAndExecute, Synchronize > S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute, > Synchronize > BUILTIN\Administrators Allow FullControl > NT AUTHORITY\SYSTEM Allow FullControl > > When I do this from the gui, the > "S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute" > resolves correctly but now from PS. Doe anyone know how I can get around > this? > > Thanks in advance, Hi Frank, I presume you're talking about the SID not resolving to a domain \username pair. Just for kicks, try explicitly resolving it in Powershell: PS> $sid = new-object security.principal.securityidentifier ` "S-1-5-21-2146773085-903363285-719344707-241418" PS> $securityidentifier.translate( [security.principal.ntaccount] ) For more on this kind of thing, check out: http://www.nivot.org/2007/08/20/Conv...owerShell.aspx Hope this helps, - Oisin / x0n p.s. security tip: try to keep your actual SIDs secret in future ;-)
My System Specs

11-16-2007	#4 (permalink)
Marco Shaw [MVP] n/a posts	Re: how to list out ntfs permissions Quote: Quote: >> When I do this from the gui, the >> "S-1-5-21-2146773085-903363285-719344707-241418 Allow ReadAndExecute" >> resolves correctly but now from PS. Doe anyone know how I can get >> around this? >> Thanks in advance, Oops! I read this too quickly. Oisin has the answer... Marco
My System Specs

Similar Threads
Thread	Forum
Default NTFS Permissions in Vista	Vista security
Help with permissions (ntfs)	Vista security
copy ntfs permissions	VB Script
NTFS Permissions via VBScripting	VB Script
Copy NTFS permissions	PowerShell