GET-ACL and “ReadandExecute” versus List

I find it a lot easier to do virtually all of my work via the keyboard.  Using PS ISE I can essentially make a log of everything I work on during the day. There are a few things where I have to resort to using a GUI but I’m learning how to get around more and more of those.

One of the areas I learned a while back was using GET-ACL in order to find the NTFS security on a shared folder in order to be able to see what AD group a person would need to be in for access. In case you haven’t used that it’s essentially something like this

get-acl $fldrpath | fl AccessToString

It works great – until you hit a situation where the real permission is List. Then it’s confusing:

Everyone Allow ReadAndExecute, Synchronize

Looks just like Read-only access.

After a little searching around I was able to find that there is a way with PowerShell to get the correct List entry – the inheritanceflags on List and Read-Only differ. List has only the inheritance flag “ContainerInherit” while Read has “ContainerInherit,ObjectInherit”. Once I updated my quicky script to include some extra logic to check for that and presto

Everyone ----------------------------------------> Allow -----> ListDirectory

Much better 🙂

Advertisements

Using PowerShell to get a list of shares from a server

This one is relatively easy on first glance.

$shares = Get-WmiObject -ComputerName SERVERNAME -class win32_Share

The win32_Share class gets the shares as listed by WMI. From here normally you can get the permissions fairly easily. Except in a case like this:

Name Path Description
---- ---- -----------
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
E$ E:\ Default share
F$ F:\ Default share
G$ G:\ Default share
\\SERVER-MSDTC\M$ M:\ Cluster Default Share
H$ H:\ Default share
IPC$ Remote IPC
\\SERVERSHR-CLS\ClusterStorage$ C:\ClusterStorage Cluster Shared Volumes Default Share
M$ M:\ Default share
\\SERVERSHR-CLS\Q$ Q:\ Cluster Default Share
O$ O:\ Default share
\\SERVERSHR-SQL\F$ F:\ Cluster Default Share
\\SERVERSHR-SQL\FILES F:\files
Q$ Q:\ Default share
\\SERVERSHR-SQL\G$ G:\ Cluster Default Share
\\SERVERSHR-SQL\H$ H:\ Cluster Default Share
LogFiles C:\Program Files\Microsoft SQL Server\MSRS11.RPT\Reporting Services\LogFiles
\\SERVERSHR-SQL\App F:\app
\\SERVERSHR-SQL\bin F:\\bin
\\SERVERSHR-SQL\O$ O:\ Cluster Default Share
\\SERVERSHR-SQL\Files2 F:\Files2
\\SERVERSHR-SQL\Files3 H:\Files3

If we were looping through trying to do something like this on each share

$ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $($ServerReportingOn.DNSHostname) -Filter "Name='$sharetocheck'"

We’d get errors that would look like this.

+ ... $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -C ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

The solution is simple. Notice how all the cluster shares start “\\”? In your loop to get the permissions you would check the share name for “\\” and skip that “Get-WmiObject -Class Win32_LogicalShareSecuritySetting” line for any share name starting with it.

Just upgraded to Windows 10 on my personal laptop.

I was sort of leery of doing this given the media reports of the multiple locations where Microsoft decided to be helpful with people’s data, notably the telemetry that sends portions of file contents back to Microsoft.

That said, I decided to go ahead and bite the bullet and upgrade.

First thing I did though was blast my personal Lenovo G570 back to the factory image. I figured that would be the safest bet given I had installed and removed some software I wanted the cleanest image possible. After downloading a mere 3 GIG of patches to Windows 7 I was finally at a fully patched level. At this point I took the plunge.

So far it has been a fairly pleasant experience. I am already at this point looking at Windows 8/8.1 as more akin to Windows 95 with the fixed and polished Windows 10 being like Win98.

Indeed, the only thing I have run into hat was a problem was my sound disappeared, even with the drive and hardware saying everything was cool. I wound up having to Google the answer, which was on an MS forum. Short answer to the problem : Right click the speaker in the tray->Playback devices->Click your speaker->Click Properties->Click Enhancements tab->Tick ‘Disable all enhancements’

Just had something weird happen – and the fix wasn’t obvious

This morning when Outlook 2013 loaded on my work PC the Outlook Social Connector got disabled because it was taking too long to load.

So I did the normal routine – Go to the FILE tab, then Options, then to Add-ins in the Options window, selecting Disabled Items from the Manage list at the bottom of the window and clicking Go. I then selected the Social Connector addin and clicked the enable button. After a restart of Outlook the Social Connector was still disabled.

The solution was to go into the registry. The path in question (for 32-bit Office on 64 bit Windows) is

HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\Outlook\Addins\OscAddin.Connect

The LoadBehavior REG_DWORD was still at value 2. Using the value listing from this page I closed Outlook again and updated LoadBehavior to 3. Restarting Outlook I now have my Social Connector and People Pane back.

Sony, you need to fire the whole IT security department

I’ve read some stories on the Sony hack today that are disturbing.

47000+ SSNs of current and former employees, including celebs like Sylvester Stallone, were breached.

OUCH!

That was the disturbing part. Now comes the mind-numbingly stupid part. Some of the data breached was passwords.

Not a few either.

THOUSANDS.

FOR EVERYTHING FROM FACEBOOK ACCOUNTS TO LEXIS/NEXIS TO AMEX TO FIDELITY!

STORED IN PLAIN TEXT!!

stupid-burns

Sony, a word of advice – Fire your whole IT security department. Now. They are obviously grossly incompetent or they would have at least used something like KeePass to somewhat safely vault them. They have made life hell for thousands of current and former Sony staff, wrecked the security of all your data and systems, and destroyed your corporate reputation. It will take years to recover from this.

http://gizmodo.com/sony-pictures-hack-keeps-getting-worse-thousands-of-pa-1666761704

http://www.buzzfeed.com/charliewarzel/it-gets-worse-the-newest-sony-data-breach-exposes-thousands

SUBINACL – and needing to migrate ACLs for a foreign forest

So here I was today working an a folder a server in a foreign forest, trying to duplicate the ACLs of the source forest to the target forest. Both forests contained groups with the same RDNs and SAM account names.

My first choice was the obvious and trusty SUBINACL. So I entered the command below expecting it to start chugging away.

subinacl /subdirectories "x:\foldertochange\*.*" /migratetodomain=source=target

Instead of the nice chug of folders being modified I got an error saying the syntax was wrong. Quick check – Yep, using an elevated prompt. Spelling good – check. Trust between the forest was still going. Switching the command to verbose mode I got a different result:

subinacl /verbose=1 /subdirectories "x:\foldertochange\*.*" /migratetodomain=source=target

1722 Unexpected error  NetUserModalsGet on server \\DC-IN-TARGET
Error finding domain name : 1722 The RPC server is unavailable

The fix is simple. On the source data server I opened the HOSTS file and added an entry for the target DC it was trying to talk to. Re-ran the command and 211,000+ objects later everything was golden.