Reputation: 3
I have trouble getting the access list for shared folders (not NTFS permissions!) through PowerShell in Windows 7. I shared a folder for a list of users, but for one of them (us10151) I denied access through the File-Sharing dialog and allowed access through the NTFS Permissions dialog window. The user can't open this folder, which is OK. But when I tried to read the permissions for this folder, I didn't find any records with deny access. So, look at this (I have a screenshot too, but can't add it):
**icacls.exe \\pc00001\intel**
```
\\pc00001\intel NT AUTHORITY\SYSTEM:(OI)(CI)(F)
tstdmn\us00001:(OI)(CI)(RX)
tstdmn\Domain Users:(OI)(CI)(M)
tstdmn\us10151:(OI)(CI)(RX)
tstdmn\us00002:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
```
**cacls.exe \\pc00001\intel**
```
c:\Intel NT AUTHORITY\SYSTEM:(OI)(CI)F
tstdmn\us00001:(OI)(CI)R
tstdmn\Domain Users:(OI)(CI)C
tstdmn\us10151:(OI)(CI)R
tstdmn\us00002:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
```
**Get-Acl \\pc00001\intel**
```
Path : Microsoft.PowerShell.Core\FileSystem::\\pc00001\intel
Owner : BUILTIN\Administrators
Group : pc00001\None
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
tstdmn\Domain Users Allow Modify, Synchronize
tstdmn\us00001 Allow ReadAndExecute, Synchronize
tstdmn\us10151 Allow ReadAndExecute, Synchronize
tstdmn\us00002 Allow FullControl
Audit :
Sddl : <...>
```
What's wrong?
Upvotes: 0
Views: 567
Reputation: 200483
Share ACLs are defined on the share, not on the folder. `icacls`, `cacls` and `Get-Acl` return permissions on the latter. Use WMI for enumerating share permissions:
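```powershell
# Access masks used by the standard share permission levels
$permissions = @{
    2032127 = 'F'    # Full Control
    1245631 = 'M'    # Change (Modify)
    1179817 = 'RX'   # Read
}
# ACE types as stored in the share's DACL
$type = @{
    0 = 'Allow'
    1 = 'Deny'
    2 = 'Audit'
}
# Type=0 selects ordinary disk shares
gwmi Win32_Share -Filter 'Type=0' | % {
    "{0}:`t{1}" -f $_.Name, $_.Path
    # The share's own security descriptor, separate from the folder's NTFS ACL
    gwmi Win32_LogicalShareSecuritySetting -Filter "Name='$($_.Name)'" | % {
        $_.GetSecurityDescriptor().Descriptor.DACL | % {
            "`t{0} {1} {2}" -f $_.Trustee.Name, $type[[int]$_.AceType],
                $permissions[[int]$_.AccessMask]
        }
    }
}
```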
The filter `Type=0` suppresses administrative shares.
Upvotes: 1
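An added example (not part of either answer) that extends the WMI approach above: it lists the share-level ACEs and the NTFS ACEs of one share side by side and then reports trustees that NTFS allows but the share ACL denies, which is the case from the question. The helper name `Get-ShareVsNtfsAcl` is hypothetical, and the script assumes it is run elevated on the machine that hosts the share.

```powershell
# Added example; Get-ShareVsNtfsAcl is a hypothetical helper name.
# Assumption: run elevated on the machine hosting the share, since Get-Acl
# is pointed at the share's local path (Win32_Share.Path).
function Get-ShareVsNtfsAcl {
    param([Parameter(Mandatory = $true)][string]$ShareName)

    $share = Get-WmiObject Win32_Share -Filter "Name='$ShareName'"
    if (-not $share) { throw "Share '$ShareName' not found" }
    $sec  = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $kind = @{ 0 = 'Allow'; 1 = 'Deny'; 2 = 'Audit' }
    $rows = @()

    # Share-level DACL: what the File Sharing dialog edits.
    $dacl = @()
    if ($sec) { $dacl = @($sec.GetSecurityDescriptor().Descriptor.DACL | Where-Object { $_ }) }
    foreach ($ace in $dacl) {
        # Decode the mask as flags; fall back to hex for non-standard masks.
        $rights = $ace.AccessMask -as [System.Security.AccessControl.FileSystemRights]
        if ($null -eq $rights) { $rights = '0x{0:X}' -f $ace.AccessMask }
        $name = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $name = '{0}\{1}' -f $ace.Trustee.Domain, $name }
        $rows += New-Object PSObject -Property @{
            Layer = 'Share'; Trustee = $name
            Type = $kind[[int]$ace.AceType]; Rights = $rights
        }
    }

    # NTFS DACL: what icacls, cacls and Get-Acl report.
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        $rows += New-Object PSObject -Property @{
            Layer = 'NTFS'; Trustee = $ace.IdentityReference.Value
            Type = "$($ace.AccessControlType)"; Rights = $ace.FileSystemRights
        }
    }
    $rows
}

$acl = Get-ShareVsNtfsAcl -ShareName 'intel'   # share name from the question
$acl | Sort-Object Trustee, Layer | Format-Table Layer, Trustee, Type, Rights -AutoSize

# Trustees that NTFS allows but the share ACL denies.
$denied = @($acl | Where-Object { $_.Layer -eq 'Share' -and $_.Type -eq 'Deny' } |
    ForEach-Object { $_.Trustee })
$acl | Where-Object { $_.Layer -eq 'NTFS' -and $_.Type -eq 'Allow' -and $denied -contains $_.Trustee } |
    Format-Table Trustee, Rights -AutoSize
```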
Reputation: 11222
All three commands show you the NTFS permissions of the file location the share points to; you need a tool to show you the ACL of the share itself.
SubinACL is one such tool.
```
.\subinacl.exe /share \\pc00001\intel /display
```
Upvotes: 0