GET-ACL and “ReadandExecute” versus List

I find it a lot easier to do virtually all of my work via the keyboard.  Using PS ISE I can essentially make a log of everything I work on during the day. There are a few things where I have to resort to using a GUI but I’m learning how to get around more and more of those.

One of the areas I learned a while back was using GET-ACL in order to find the NTFS security on a shared folder in order to be able to see what AD group a person would need to be in for access. In case you haven’t used that it’s essentially something like this

get-acl $fldrpath | fl AccessToString

It works great – until you hit a situation where the real permission is List. Then it’s confusing:

Everyone Allow ReadAndExecute, Synchronize

Looks just like Read-only access.

After a little searching around I was able to find that there is a way with PowerShell to get the correct List entry – the inheritanceflags on List and Read-Only differ. List has only the inheritance flag “ContainerInherit” while Read has “ContainerInherit,ObjectInherit”. Once I updated my quicky script to include some extra logic to check for that and presto

Everyone ----------------------------------------> Allow -----> ListDirectory

Much better 🙂

Using PowerShell to get a list of shares from a server

This one is relatively easy on first glance.

$shares = Get-WmiObject -ComputerName SERVERNAME -class win32_Share

The win32_Share class gets the shares as listed by WMI. From here normally you can get the permissions fairly easily. Except in a case like this:

Name Path Description
---- ---- -----------
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
E$ E:\ Default share
F$ F:\ Default share
G$ G:\ Default share
\\SERVER-MSDTC\M$ M:\ Cluster Default Share
H$ H:\ Default share
IPC$ Remote IPC
\\SERVERSHR-CLS\ClusterStorage$ C:\ClusterStorage Cluster Shared Volumes Default Share
M$ M:\ Default share
\\SERVERSHR-CLS\Q$ Q:\ Cluster Default Share
O$ O:\ Default share
\\SERVERSHR-SQL\F$ F:\ Cluster Default Share
Q$ Q:\ Default share
\\SERVERSHR-SQL\G$ G:\ Cluster Default Share
\\SERVERSHR-SQL\H$ H:\ Cluster Default Share
LogFiles C:\Program Files\Microsoft SQL Server\MSRS11.RPT\Reporting Services\LogFiles
\\SERVERSHR-SQL\bin F:\\bin
\\SERVERSHR-SQL\O$ O:\ Cluster Default Share
\\SERVERSHR-SQL\Files2 F:\Files2
\\SERVERSHR-SQL\Files3 H:\Files3

If we were looping through trying to do something like this on each share

$ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $($ServerReportingOn.DNSHostname) -Filter "Name='$sharetocheck'"

We’d get errors that would look like this.

+ ... $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

The solution is simple. Notice how all the cluster shares start “\\”? In your loop to get the permissions you would check the share name for “\\” and skip that “Get-WmiObject -Class Win32_LogicalShareSecuritySetting” line for any share name starting with it.

Okay – just ran across something VERY annoying with Win10

I could not get into my laptop’s BIOS or boot menu.

Not even from a power off.

Thanks Microsoft. Yes, they did it. And here’s how to undo it.

1] On the Start Menu go to Settings.
2] Go to System
3] Go to Power & sleep
4] On the right side, at the bottom, click Additional Power Settings.
5] Click Choose what the power buttons do on the left pane
6] Click Change settings that are currently unavailable, then scroll to the bottom and UNCHECK Turn on fast startup

Save your changes and you’ll be able to get to your BIOS and boot menu a=on the next reboot.

Comments Off on Okay – just ran across something VERY annoying with Win10 Posted in Uncategorized Tagged

Just upgraded to Windows 10 on my personal laptop.

I was sort of leery of doing this given the media reports of the multiple locations where Microsoft decided to be helpful with people’s data, notably the telemetry that sends portions of file contents back to Microsoft.

That said, I decided to go ahead and bite the bullet and upgrade.

First thing I did though was blast my personal Lenovo G570 back to the factory image. I figured that would be the safest bet given I had installed and removed some software I wanted the cleanest image possible. After downloading a mere 3 GIG of patches to Windows 7 I was finally at a fully patched level. At this point I took the plunge.

So far it has been a fairly pleasant experience. I am already at this point looking at Windows 8/8.1 as more akin to Windows 95 with the fixed and polished Windows 10 being like Win98.

Indeed, the only thing I have run into hat was a problem was my sound disappeared, even with the drive and hardware saying everything was cool. I wound up having to Google the answer, which was on an MS forum. Short answer to the problem : Right click the speaker in the tray->Playback devices->Click your speaker->Click Properties->Click Enhancements tab->Tick ‘Disable all enhancements’

Just had something weird happen – and the fix wasn’t obvious

This morning when Outlook 2013 loaded on my work PC the Outlook Social Connector got disabled because it was taking too long to load.

So I did the normal routine – Go to the FILE tab, then Options, then to Add-ins in the Options window, selecting Disabled Items from the Manage list at the bottom of the window and clicking Go. I then selected the Social Connector addin and clicked the enable button. After a restart of Outlook the Social Connector was still disabled.

The solution was to go into the registry. The path in question (for 32-bit Office on 64 bit Windows) is


The LoadBehavior REG_DWORD was still at value 2. Using the value listing from this page I closed Outlook again and updated LoadBehavior to 3. Restarting Outlook I now have my Social Connector and People Pane back.

Sony, you need to fire the whole IT security department

I’ve read some stories on the Sony hack today that are disturbing.

47000+ SSNs of current and former employees, including celebs like Sylvester Stallone, were breached.


That was the disturbing part. Now comes the mind-numbingly stupid part. Some of the data breached was passwords.

Not a few either.





Sony, a word of advice – Fire your whole IT security department. Now. They are obviously grossly incompetent or they would have at least used something like KeePass to somewhat safely vault them. They have made life hell for thousands of current and former Sony staff, wrecked the security of all your data and systems, and destroyed your corporate reputation. It will take years to recover from this.