Reputation: 929
This is a simple question yet I could not find an answer on Google or here yet:
Using PowerShell or cmd (no third-party stuff), how can I retrieve folder permissions in a way that allows me to distinguish between "List Folder Contents" and "ReadAndExecute"?
Right now, when I execute Get-Acl on a folder, it returns the same permission level whether a group grants only list access or read and execute. If I right-click and go to the Security tab, one group has "List folder contents" checked and another has "Read & Execute" checked, but both return "ReadAndExecute" with Get-Acl.
Pictures below:
PowerShell just returns "ReadAndExecute" for both:
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : group1
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : group2
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
Upvotes: 3
Views: 7304
Reputation: 929
I was able to find a viable solution to this by myself after a while.
Even though PowerShell (or CMD or C#) always returns "ReadAndExecute" for both ListDirectory and actual ReadAndExecute permissions, the "InheritanceFlag" will always be "ContainerInherit" only when the permission is "ListDirectory". As such, by checking this flag you can find out which group grants only list permissions instead of read and execute.
I have implemented this check in PowerShell, and it is working for all test cases so far:
foreach ($access in (Get-Acl 'C:\test').Access) {
    $filerights     = $access.FileSystemRights.ToString()
    $inheritanceFlg = $access.InheritanceFlags.ToString()
    # A rule that applies only to subfolders (ContainerInherit, no ObjectInherit)
    # is what the Security tab shows as "List folder contents"
    if ($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.Replace('ReadAndExecute', 'ListDirectory')
    }
    $output = $access.IdentityReference.ToString() + ';' + $filerights
    $output
}
Upvotes: 3
Reputation: 21
Your answer is great but has just a little mistake. You're getting the wrong parameter in the $inheritanceFlags variable on line 3. The below is correct:
foreach ($access in (Get-Acl 'C:\Test').Access) {
    $filerights     = $access.FileSystemRights.ToString()
    $inheritanceFlg = $access.InheritanceFlags.ToString()
    if ($inheritanceFlg -eq 'ContainerInherit') {
        $filerights = $filerights.Replace('ReadAndExecute', 'ListDirectory')
    }
    $output = $access.IdentityReference.ToString() + ';' + $filerights
    $output
}
Upvotes: 2
Reputation: 99
(Get-Acl 'C:\Temp').Access returns a collection of System.Security.AccessControl.FileSystemAccessRule objects.
Each has a FileSystemRights property of type System.Security.AccessControl.FileSystemRights. This is a flags enumeration, so it can be checked for individual rights. For example (checking the first access rule below):
((Get-Acl 'C:\Temp').Access[0].FileSystemRights -band
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -eq
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile
ListDirectory, ExecuteFile and Read are what you may check to catch the difference in permissions.
Upvotes: 1
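The two answers above rely on the same observation from different angles: the rights mask of a "List folder contents" ACE is identical to that of a "Read & execute" ACE, and the Security tab tells them apart only by the inheritance flags (ContainerInherit alone versus ContainerInherit plus ObjectInherit). The script below is an added example, not code from either poster, that combines the flag check from the first answer with the enum -band checks from the last one, so it keeps working when a rule carries extra flags or rights. It classifies constructed in-memory rules that mirror the question's output (the group names and the folder path 'C:\test' are assumptions), and the same function can be applied to a real folder with Get-FolderRightsReport.

```powershell
# Added example (not from the original post). Mirrors the labeling the Security tab
# applies: an ACE granting ReadAndExecute that propagates only to subfolders is shown
# as "List folder contents"; the same rights propagating to files and subfolders is
# shown as "Read & execute". The path and group names below are illustrative only.
using namespace System.Security.AccessControl

function Get-BasicPermissionLabel {
    param([Parameter(Mandatory)][FileSystemAccessRule]$Rule)

    $rights = $Rule.FileSystemRights
    $flags  = $Rule.InheritanceFlags

    # Flag tests on the enum values rather than on ToString() output, so an ACE that
    # also carries e.g. Synchronize or Delete still classifies correctly.
    $hasReadExecute = ($rights -band [FileSystemRights]::ReadAndExecute) -eq [FileSystemRights]::ReadAndExecute
    $toSubfoldersOnly = (($flags -band [InheritanceFlags]::ContainerInherit) -ne 0) -and
                        (($flags -band [InheritanceFlags]::ObjectInherit) -eq 0)

    if ($hasReadExecute -and $toSubfoldersOnly) { return 'ListFolderContents' }
    if ($hasReadExecute)                        { return 'ReadAndExecute' }
    return $rights.ToString()
}

function Get-FolderRightsReport {
    param([Parameter(Mandatory)][string]$Path)

    # One row per ACE, with the GUI-style label next to the raw mask and flags.
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity         = $_.IdentityReference.ToString()
            Type             = $_.AccessControlType
            FileSystemRights = $_.FileSystemRights
            InheritanceFlags = $_.InheritanceFlags
            Label            = Get-BasicPermissionLabel -Rule $_
        }
    }
}

# Constructed sample rules reproducing the question's Get-Acl output (hypothetical
# groups), so the classification can be exercised without touching a real folder.
$sampleRules = @(
    [FileSystemAccessRule]::new('group1', [FileSystemRights]'ReadAndExecute, Synchronize',
        [InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::None, [AccessControlType]::Allow),
    [FileSystemAccessRule]::new('group2', [FileSystemRights]'ReadAndExecute, Synchronize',
        [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None, [AccessControlType]::Allow)
)
foreach ($rule in $sampleRules) {
    '{0};{1}' -f $rule.IdentityReference, (Get-BasicPermissionLabel -Rule $rule)
}
# group1;ReadAndExecute
# group2;ListFolderContents

# Against a real folder (assumed path):
# Get-FolderRightsReport -Path 'C:\test' | Format-Table -AutoSize
```

One caveat worth keeping in mind when auditing with this: the label is purely a presentation convention. On the folder itself both ACEs grant exactly the same access mask (ReadData on a directory is ListDirectory, plus ExecuteFile, which on a directory is Traverse), so a "List folder contents" group can still read files it inherits rights to through other ACEs; the only difference is that the ACE is not propagated to child files. Deny rules are classified the same way as Allow rules, which matches how the Security tab displays them.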