GET-ACL and “ReadAndExecute” versus List

I find it a lot easier to do virtually all of my work via the keyboard. Using the PowerShell ISE I can essentially keep a log of everything I work on during the day. There are a few things where I still have to resort to a GUI, but I’m learning how to get around more and more of those.

One thing I learned a while back was using GET-ACL to look up the NTFS security on a shared folder, so I could see which AD group a person would need to be in for access. In case you haven’t used it, it’s essentially something like this:

get-acl $fldrpath | fl AccessToString

It works great – until you hit a situation where the real permission is List. Then it’s confusing:

Everyone Allow ReadAndExecute, Synchronize

Looks just like Read-only access.

After a little searching around I found that PowerShell can tell the List entry apart: the InheritanceFlags on List and Read-only differ. List has only the inheritance flag “ContainerInherit”, while Read has “ContainerInherit, ObjectInherit”. Once I updated my quick script with some extra logic to check for that, presto:

Everyone ----------------------------------------> Allow -----> ListDirectory

Much better 🙂
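Here is an added PowerShell example (mine, not the post’s own script) that applies the inheritance-flag check described above: it walks each ACE returned by Get-Acl and relabels a ReadAndExecute entry that carries only ContainerInherit as ListDirectory, leaving every other entry as reported. The function name Get-FolderAccessSummary is my own, and $fldrpath is assumed to hold the folder path just as in the post.

```powershell
# Added example, not from the original post. Get-FolderAccessSummary is a
# hypothetical helper name; $fldrpath is assumed to hold the folder path.
function Get-FolderAccessSummary {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $containerInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $objectInherit    = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        $flags  = $ace.InheritanceFlags

        # The GUI's "List folder contents" preset is ReadAndExecute applied to
        # "this folder and subfolders" only, i.e. ContainerInherit without
        # ObjectInherit. Real Read-only (ReadAndExecute) carries both flags,
        # so AccessToString prints the two cases identically.
        $isListOnly = ($rights -match 'ReadAndExecute') -and
                      $flags.HasFlag($containerInherit) -and
                      -not $flags.HasFlag($objectInherit)

        $label = if ($isListOnly) { 'ListDirectory' } else { $rights }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            AccessType  = $ace.AccessControlType
            Rights      = $label
            Inheritance = $flags
            Inherited   = $ace.IsInherited
        }
    }
}

# Usage, with $fldrpath set to the shared folder as in the post:
Get-FolderAccessSummary -Path $fldrpath | Format-Table -AutoSize
```

An entry that is not inherited (InheritanceFlags None) is left with its raw rights, since the List preset always applies to subfolders.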

Using PowerShell to get a list of shares from a server

This one is relatively easy at first glance.

$shares = Get-WmiObject -ComputerName SERVERNAME -class win32_Share

The Win32_Share class returns the shares as WMI lists them. From there you can normally get the permissions fairly easily, except in a case like this:

Name                              Path               Description
----                              ----               -----------
ADMIN$                            C:\Windows         Remote Admin
C$                                C:\                Default share
E$                                E:\                Default share
F$                                F:\                Default share
G$                                G:\                Default share
\\SERVER-MSDTC\M$                 M:\                Cluster Default Share
H$                                H:\                Default share
IPC$                                                 Remote IPC
\\SERVERSHR-CLS\ClusterStorage$   C:\ClusterStorage  Cluster Shared Volumes Default Share
M$                                M:\                Default share
\\SERVERSHR-CLS\Q$                Q:\                Cluster Default Share
O$                                O:\                Default share
\\SERVERSHR-SQL\F$                F:\                Cluster Default Share
\\SERVERSHR-SQL\FILES             F:\files
Q$                                Q:\                Default share
\\SERVERSHR-SQL\G$                G:\                Cluster Default Share
\\SERVERSHR-SQL\H$                H:\                Cluster Default Share
LogFiles                          C:\Program Files\Microsoft SQL Server\MSRS11.RPT\Reporting Services\LogFiles
\\SERVERSHR-SQL\App               F:\app
\\SERVERSHR-SQL\bin               F:\\bin
\\SERVERSHR-SQL\O$                O:\                Cluster Default Share
\\SERVERSHR-SQL\Files2            F:\Files2
\\SERVERSHR-SQL\Files3            H:\Files3

If we were looping through the shares and running something like this on each one:

$ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $($ServerReportingOn.DNSHostname) -Filter "Name='$sharetocheck'"

We’d get errors that would look like this.

+ ... $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

The solution is simple. Notice how all the cluster shares start with “\\”? In your loop to get the permissions, check whether the share name begins with “\\” and skip the “Get-WmiObject -Class Win32_LogicalShareSecuritySetting” line for any share name that does, so the cluster-scoped names never reach the WMI filter that chokes on them.