检索安全描述符并获取FileSystemRights的编号 [英] Retrieving security descriptor and getting number for FileSystemRights
问题描述
使用 Get-Acl
我试图获取文件夹的访问权限。问题是,对于某些组,我得到的是数字而不是访问类型。下面的示例:
Using Get-Acl
I am trying to get the access rights on a folder. The thing is, for some groups I get a number instead of a access type. Example below:
get-acl "C:\TestFolder" | % {$_.access}
FileSystemRights : -536805376
AccessControlType : Allow
IdentityReference : TestDomain\Support
IsInherited : False
InheritanceFlags : ObjectInherit
PropagationFlags : InheritOnly
有没有办法将此数字转换回其名称?
Is there any way to translate this number back to its name?
推荐答案
FileSystemRights
属性的值是一个无符号的32位整数,其中每一位表示特定的访问权限。 Win32_ACE $ c中列出了大多数权限$ c>类文档
,但通用权限(第28-31位)和访问SACL的权限(第23位)除外。可以在此处中找到详细信息此处。
The value of the FileSystemRights
property is an unsigned 32-bit integer, where each bit represents a particular access permission. Most of the permissions are listed in the Win32_ACE
class documentation, except for the "generic" permissions (bits 28-31) and the right to access SACLs (bit 23). More details can be found here and here.
如果您想将ACE访问掩码分解为特定的访问权限(俗称扩展权限),则可以执行以下操作:
If you want to break down an ACE access mask into its specific access rights (vulgo "extended permissions") you could do something like this:
$accessMask = [ordered]@{
[uint32]'0x80000000' = 'GenericRead'
[uint32]'0x40000000' = 'GenericWrite'
[uint32]'0x20000000' = 'GenericExecute'
[uint32]'0x10000000' = 'GenericAll'
[uint32]'0x02000000' = 'MaximumAllowed'
[uint32]'0x01000000' = 'AccessSystemSecurity'
[uint32]'0x00100000' = 'Synchronize'
[uint32]'0x00080000' = 'WriteOwner'
[uint32]'0x00040000' = 'WriteDAC'
[uint32]'0x00020000' = 'ReadControl'
[uint32]'0x00010000' = 'Delete'
[uint32]'0x00000100' = 'WriteAttributes'
[uint32]'0x00000080' = 'ReadAttributes'
[uint32]'0x00000040' = 'DeleteChild'
[uint32]'0x00000020' = 'Execute/Traverse'
[uint32]'0x00000010' = 'WriteExtendedAttributes'
[uint32]'0x00000008' = 'ReadExtendedAttributes'
[uint32]'0x00000004' = 'AppendData/AddSubdirectory'
[uint32]'0x00000002' = 'WriteData/AddFile'
[uint32]'0x00000001' = 'ReadData/ListDirectory'
}
$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
Select-Object -Expand Access |
Select-Object -Expand FileSystemRights -First 1
$permissions = $accessMask.Keys |
Where-Object { $fileSystemRights.value__ -band $_ } |
ForEach-Object { $accessMask[$_] }
简单权限 FullControl
,修改
, ReadAndExecute
等只是这些扩展的特定组合权限。例如, ReadAndExecute
是以下扩展权限的组合:
The simple permissions FullControl
, Modify
, ReadAndExecute
etc. are just specific combinations of these extended permissions. ReadAndExecute
for instance is a combination of the following extended permissions:
-
ReadData / ListDirectory
-
执行/遍历
-
ReadAttributes
-
ReadExtendedAttributes
-
ReadControl
ReadData/ListDirectory
Execute/Traverse
ReadAttributes
ReadExtendedAttributes
ReadControl
因此 ReadAndExecute的访问掩码
的值为131241。
so the access mask for ReadAndExecute
would have the value 131241.
如果您希望结果是简单权限和其余扩展权限的组合,则可以执行一些操作像这样:
If you want the result to be a combination of simple permission and the remaining extended permissions, you could do something like this:
$accessMask = [ordered]@{
...
}
$simplePermissions = [ordered]@{
[uint32]'0x1f01ff' = 'FullControl'
[uint32]'0x0301bf' = 'Modify'
[uint32]'0x0200a9' = 'ReadAndExecute'
[uint32]'0x02019f' = 'ReadAndWrite'
[uint32]'0x020089' = 'Read'
[uint32]'0x000116' = 'Write'
}
$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |
Select-Object -Expand Access |
Select-Object -Expand FileSystemRights -First 1
$fsr = $fileSystemRights.value__
$permissions = @()
# get simple permission
$permissions += $simplePermissions.Keys | ForEach-Object {
if (($fsr -band $_) -eq $_) {
$simplePermissions[$_]
$fsr = $fsr -band (-bnot $_)
}
}
# get remaining extended permissions
$permissions += $accessMask.Keys |
Where-Object { $fsr -band $_ } |
ForEach-Object { $accessMask[$_] }
这篇关于检索安全描述符并获取FileSystemRights的编号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!