Retrieving a security descriptor and getting a number for FileSystemRights

Date: 2015-01-19 17:00:30

Tags: powershell acl

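Using Get-Acl I'm trying to get the access rights on a folder. The problem is that for some groups I get a number instead of an access type. Example below: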

get-acl "C:\TestFolder" | % {$_.access}
FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : TestDomain\Support
IsInherited       : False
InheritanceFlags  : ObjectInherit
PropagationFlags  : InheritOnly

Is there a way to translate this number back into its name?

2 answers:

Answer 0: (score: 10)

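The value of the FileSystemRights property is an unsigned 32-bit integer, where each bit represents a particular access permission. Most permissions are listed in the Win32_ACE class documentation, except for the "generic" permissions (bits 28-31) and the permission to access the SACL (bit 23). More details can be found here and here.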

If you want to break down an ACE access mask into its specific access rights (vulgo "extended permissions"), you can do something like this:

$accessMask = [ordered]@{
  [uint32]'0x80000000' = 'GenericRead'
  [uint32]'0x40000000' = 'GenericWrite'
  [uint32]'0x20000000' = 'GenericExecute'
  [uint32]'0x10000000' = 'GenericAll'
  [uint32]'0x02000000' = 'MaximumAllowed'
  [uint32]'0x01000000' = 'AccessSystemSecurity'
  [uint32]'0x00100000' = 'Synchronize'
  [uint32]'0x00080000' = 'WriteOwner'
  [uint32]'0x00040000' = 'WriteDAC'
  [uint32]'0x00020000' = 'ReadControl'
  [uint32]'0x00010000' = 'Delete'
  [uint32]'0x00000100' = 'WriteAttributes'
  [uint32]'0x00000080' = 'ReadAttributes'
  [uint32]'0x00000040' = 'DeleteChild'
  [uint32]'0x00000020' = 'Execute/Traverse'
  [uint32]'0x00000010' = 'WriteExtendedAttributes'
  [uint32]'0x00000008' = 'ReadExtendedAttributes'
  [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
  [uint32]'0x00000002' = 'WriteData/AddFile'
  [uint32]'0x00000001' = 'ReadData/ListDirectory'
}

$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
                    Select-Object -Expand Access |
                    Select-Object -Expand FileSystemRights -First 1

$permissions = $accessMask.Keys |
               Where-Object { $fileSystemRights.value__ -band $_ } |
               ForEach-Object { $accessMask[$_] }

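The simple permissions FullControl, Modify, ReadAndExecute etc. are just specific combinations of these extended permissions. For example, ReadAndExecute is a combination of the following extended permissions: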

  • ReadData/ListDirectory
  • Execute/Traverse
  • ReadAttributes
  • ReadExtendedAttributes
  • ReadControl

So the access mask for ReadAndExecute has the value 131241.

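If you want the result to be a combination of simple permissions and the remaining extended permissions, you can do something like this: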

$accessMask = [ordered]@{
  ...
}

$simplePermissions = [ordered]@{
  [uint32]'0x1f01ff' = 'FullControl'
  [uint32]'0x0301bf' = 'Modify'
  [uint32]'0x0200a9' = 'ReadAndExecute'
  [uint32]'0x02019f' = 'ReadAndWrite'
  [uint32]'0x020089' = 'Read'
  [uint32]'0x000116' = 'Write'
}

$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
                    Select-Object -Expand Access |
                    Select-Object -Expand FileSystemRights -First 1

$fsr = $fileSystemRights.value__

$permissions = @()

# get simple permission
$permissions += $simplePermissions.Keys | ForEach-Object {
                  if (($fsr -band $_) -eq $_) {
                    $simplePermissions[$_]
                    $fsr = $fsr -band (-bnot $_)
                  }
                }

# get remaining extended permissions
$permissions += $accessMask.Keys |
                Where-Object { $fsr -band $_ } |
                ForEach-Object { $accessMask[$_] }

Answer 1: (score: 6)

Quick and dirty translation:

268435456 - FullControl

-536805376 - Modify, Synchronize

-1610612736 - ReadAndExecute, Synchronize

If you want to understand the translation process, this is the best I could find right now: Link
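
An added example, not part of either answer: it replaces the generic bits (28-31) of a raw FileSystemRights value with the file-specific masks Windows maps them to, which is the step that relates the raw numbers in the second answer to names such as Modify. The helper name Expand-GenericRights and the table layout are hypothetical; the mapping values are the FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE and FILE_ALL_ACCESS constants from the Windows SDK.

```powershell
# Added example (not from the original answers).
# Generic right -> file-specific mask, per the Win32 generic mapping for files.
$genericMapping = @(
  @{ Bit = 31; Name = 'GenericRead';    Specific = 0x120089 }  # FILE_GENERIC_READ
  @{ Bit = 30; Name = 'GenericWrite';   Specific = 0x120116 }  # FILE_GENERIC_WRITE
  @{ Bit = 29; Name = 'GenericExecute'; Specific = 0x1200A0 }  # FILE_GENERIC_EXECUTE
  @{ Bit = 28; Name = 'GenericAll';     Specific = 0x1F01FF }  # FILE_ALL_ACCESS
)

function Expand-GenericRights {   # hypothetical helper name
  param([Parameter(Mandatory = $true)][int]$Value)

  # .value__ is a signed Int32; widen it and keep the low 32 bits as unsigned.
  $raw  = [int64]$Value -band [int64][uint32]::MaxValue
  $mask = $raw
  $generic = @()

  foreach ($g in $genericMapping) {
    $flag = [int64]1 -shl $g.Bit
    if ($mask -band $flag) {
      $generic += $g.Name
      # Clear the generic bit and set the specific rights it stands for.
      $mask = ($mask -band (-bnot $flag)) -bor $g.Specific
    }
  }

  # Enum.ToObject accepts any bit pattern, so bits without an enum name
  # (for example MaximumAllowed) do not raise a conversion error.
  $rights = [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $mask)

  [pscustomobject]@{
    Raw      = $Value
    Hex      = '0x{0:X8}' -f $raw
    Generic  = $generic -join ', '
    Expanded = $rights
  }
}

# The three raw values quoted on this page.
@(-536805376, 268435456, -1610612736) |
  ForEach-Object { Expand-GenericRights -Value $_ }
```

To audit a live ACL, pass `$_.FileSystemRights.value__` for each entry of `(Get-Acl -LiteralPath $path).Access`; the Generic column shows which entries were stored with generic rights.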