I'm trying to get a simple report on folder security that I have to use in official documentation, so it must be easy to understand for non-technical people.
I've found and modified some code, but the generic access rights show up as numbers, which are not easy to interpret or report at all:
```powershell
Function Get-Folder($initialDirectory)
{
    [System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms")|Out-Null
    $foldername = New-Object System.Windows.Forms.FolderBrowserDialog
    $foldername.Description = "Select a folder"
    $foldername.rootfolder = "MyComputer"
    if($foldername.ShowDialog() -eq "OK")
    {
        $folder += $foldername.SelectedPath
    }
    return $folder
}

$IntPath = Get-Folder
$FolderPath = dir -Directory -Path $IntPath -Recurse -Force
$FolderName = Get-Item -Path $IntPath | Select-Object -ExpandProperty Name
$date = Get-Date -UFormat %Y%m%d_%H%M%S
$Report = @()
Foreach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    foreach ($Access in $acl.Access)
    {
        $Properties = [ordered]@{'FolderName'=$Folder.FullName;'AD Group or User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
        $Report += New-Object -TypeName PSObject -Property $Properties
    }
}
$Report | Export-Csv -path $env:USERPROFILE\Desktop\"$FolderName"_"$date".csv

# 268435456 --> FullControl
# -536805376 --> Modify, Synchronize
# -1610612736 --> ReadAndExecute, Synchronize
```
I'd like to find a solution that converts the numbers in the final CSV into the ones in the comments.

Answer 0: (score: 1)

Changing your code as follows works for me (PS version 5.1 on Windows 10 Pro):
```powershell
function Get-Folder($initialDirectory) {
    # [System.Reflection.Assembly]::LoadWithPartialName() is deprecated
    Add-Type -AssemblyName System.Windows.Forms
    $dialog = New-Object System.Windows.Forms.FolderBrowserDialog
    $dialog.Description = "Select a folder"
    $dialog.rootfolder = "MyComputer"
    if($dialog.ShowDialog() -eq "OK") {
        $folder += $dialog.SelectedPath
    }
    $dialog.Dispose()
    return $folder
}

$SelectedPath = Get-Folder
$FolderName = Get-Item -Path $SelectedPath | Select-Object -ExpandProperty Name
$FolderPath = Get-ChildItem -Directory -Path $SelectedPath -Recurse -Force
$date = '{0:yyyyMMdd_HHmmss}' -f (Get-Date)
# ${FolderName} must be braced here, otherwise PowerShell reads "$FolderName_" as one (empty) variable name
$outputFile = "$env:USERPROFILE\Desktop\${FolderName}_$date.csv"

# collect the objects returned
$Report = foreach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    foreach ($Access in $acl.Access) {
        [PSCustomObject]@{
            'FolderName'       = $Folder.FullName
            'AD Group or User' = $Access.IdentityReference
            'Permissions'      = $Access.FileSystemRights.ToString()
            'Inherited'        = $Access.IsInherited
        }
    }
}

# output on screen
$Report | Format-Table -AutoSize
# export to csv file
$Report | Export-Csv -Path $outputFile -NoTypeInformation
```
If for some reason FileSystemRights still gives you numeric values instead of strings, you can use a switch like this to convert the numbers into descriptive strings:
```powershell
# collect the objects returned
$Report = foreach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    foreach ($Access in $acl.Access) {
        # see https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights
        $permissions = switch($Access.FileSystemRights.value__) {
            2032127     { 'FullControl'; break }
            1179785     { 'Read'; break }
            1180063     { 'Read, Write'; break }
            1179817     { 'ReadAndExecute'; break }
            1245631     { 'ReadAndExecute, Modify, Write'; break }
            1180095     { 'ReadAndExecute, Write'; break }
            268435456   { 'FullControl (Sub Only)'; break }
            -1610612736 { 'ReadAndExecute, Synchronize'; break }
            -536805376  { 'Modify, Synchronize'; break }
            default     { $Access.FileSystemRights.ToString() }
        }
        [PSCustomObject]@{
            'FolderName'       = $Folder.FullName
            'AD Group or User' = $Access.IdentityReference
            'Permissions'      = $permissions
            'Inherited'        = $Access.IsInherited
        }
    }
}
```
The above lists the most common file permissions. File objects can have many more permission values set, expressed as Access Mask Format flag values. The System.Security.AccessControl.FileSystemRights enumeration stores these values, mapping the most common ones to human-readable words:

```
Name                         Value
----                         -----
ListDirectory                    1
ReadData                         1
WriteData                        2
CreateFiles                      2
CreateDirectories                4
AppendData                       4
ReadExtendedAttributes           8
WriteExtendedAttributes         16
Traverse                        32
ExecuteFile                     32
DeleteSubdirectoriesAndFiles    64
ReadAttributes                 128
WriteAttributes                256
Write                          278
Delete                       65536
ReadPermissions             131072
Read                        131209
ReadAndExecute              131241
Modify                      197055
ChangePermissions           262144
TakeOwnership               524288
Synchronize                1048576
FullControl                2032127
```
Looking at the AccessMask in the link above, you may come across values that are not in this enumeration, and to convert all of them into words you could try the following. It uses the System.Security.AccessControl.FileSystemRights enumeration, sorted by Value in descending order and stored in the variable $FileSystemRights. The variable $value is the numeric value you get from $Access.FileSystemRights.value__.
```powershell
# the lookup table described above: enum names with their numeric values, highest value first
$FileSystemRights = [Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) |
    ForEach-Object { [PSCustomObject]@{ Name = $_; Value = [int][System.Security.AccessControl.FileSystemRights]$_ } } |
    Sort-Object Value -Descending
# $value is the numeric access mask of one ACE, i.e. $Access.FileSystemRights.value__

$PermsList = [System.Collections.Generic.List[string]]::new()
#if ($value -band 0xF1000000) {
    # Generic access rights (bits 24..31)
    if ($value -band 0x80000000) { [void]$PermsList.AddRange([string[]]('Read', 'ReadAttributes', 'ReadExtendedAttributes', 'Synchronize'))}    # GENERIC_READ
    if ($value -band 0x40000000) { [void]$PermsList.AddRange([string[]]('Write', 'WriteAttributes', 'WriteExtendedAttributes', 'Synchronize'))} # GENERIC_WRITE
    if ($value -band 0x20000000) { [void]$PermsList.AddRange([string[]]('ReadAndExecute', 'ReadAttributes', 'ReadPermissions'))}                # GENERIC_EXECUTE
    if ($value -band 0x10000000) { [void]$PermsList.Add('FullControl')}                                                                         # GENERIC_ALL
    if ($value -band 0x1000000)  { [void]$PermsList.Add('ChangePermissions')}                                                                   # Right to access SACL
#}
# Standard access and Object specific rights (bits 0..23)
$value = $value -band 0xFFFFFF
$FileSystemRights | ForEach-Object {
    # any overlapping bit counts, so composite names (e.g. FullControl) can match on a single bit
    if (($value -band $_.Value)) { [void]$PermsList.Add($_.Name) }
}
($PermsList.ToArray() | Select-Object -Unique) -join ', '
```
The values you mentioned in the comments would return:

```
-2147483648 --> 'Read, ReadAttributes, ReadExtendedAttributes, Synchronize'
-268435456 --> 'Read, ReadAttributes, ReadExtendedAttributes, Synchronize, Write, WriteAttributes, WriteExtendedAttributes, ReadAndExecute, ReadPermissions, FullControl'
-1073741760 --> 'Read, ReadAttributes, ReadExtendedAttributes, Synchronize, Write, WriteAttributes, WriteExtendedAttributes, FullControl, DeleteSubdirectoriesAndFiles'
```

Hope this explains the different file object permissions a bit further.
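As an added example (not code from the question or the answer above): a decoder that first folds the generic bits (GENERIC_READ and friends) into the specific FILE_GENERIC_* masks Windows maps them to, then keeps an enum name only when all of its bits are present, and tags inherit-only ACEs as "(Sub Only)" the way the answer's switch does for 268435456. The function names, the $genericMap table and the sample masks are my own constructions; the FILE_GENERIC_* values are the standard Win32 mappings.

```powershell
using namespace System.Security.AccessControl

function ConvertTo-FileSystemRightsName {
    # Translate a raw access mask (e.g. $Access.FileSystemRights.value__) into FileSystemRights names.
    param([Parameter(Mandatory)][int]$Mask)

    # Generic rights (bits 28..31) are shorthand for these specific file masks (standard Win32 mapping).
    $genericMap = @{
        0x80000000 = 0x120089   # GENERIC_READ    -> FILE_GENERIC_READ    (Read, Synchronize)
        0x40000000 = 0x120116   # GENERIC_WRITE   -> FILE_GENERIC_WRITE   (Write, ReadPermissions, Synchronize)
        0x20000000 = 0x1200A0   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE (ExecuteFile, ReadAttributes, ReadPermissions, Synchronize)
        0x10000000 = 0x1F01FF   # GENERIC_ALL     -> FILE_ALL_ACCESS      (FullControl)
    }
    $specific = $Mask -band 0x0FFFFFFF          # keep bits 0..27; the generic bits are folded in below
    foreach ($generic in $genericMap.Keys) {
        if ($Mask -band $generic) { $specific = $specific -bor $genericMap[$generic] }
    }

    # Greedy decode, largest composite first, keeping a name only when ALL of its bits are present;
    # a plain "-band" overlap test would report 'FullControl' for a lone Delete bit.
    $byValueDesc = [Enum]::GetNames([FileSystemRights]) | Sort-Object { [int][FileSystemRights]$_ } -Descending
    $found = @(foreach ($name in $byValueDesc) {
        $bits = [int][FileSystemRights]$name
        if ($bits -ne 0 -and ($specific -band $bits) -eq $bits) {
            $name
            $specific = $specific -band (-bnot $bits)
        }
    })
    $found = @($found | Sort-Object { [int][FileSystemRights]$_ })   # same order as .NET's ToString()
    if ($specific -ne 0) { $found += '0x{0:X}' -f $specific }        # bits with no enum name, e.g. ACCESS_SYSTEM_SECURITY
    $found -join ', '
}

function Get-AceDescription {
    # Report text for one ACE, with '(Sub Only)' for inherit-only entries such as the 268435456 case above.
    param([Parameter(Mandatory)][FileSystemAccessRule]$Ace)
    $text = ConvertTo-FileSystemRightsName -Mask $Ace.FileSystemRights.value__
    if ($Ace.PropagationFlags.HasFlag([PropagationFlags]::InheritOnly)) { $text += ' (Sub Only)' }
    "$($Ace.AccessControlType): $text"
}

# Constructed checks on the masks from the question plus a lone Delete bit (no folder needed):
foreach ($mask in 268435456, -536805376, -1610612736, 2032127, 65536) {
    '{0,12} -> {1}' -f $mask, (ConvertTo-FileSystemRightsName -Mask $mask)
}
# In the answer's loop, use:  'Permissions' = Get-AceDescription -Ace $Access
```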